California Attorney General Kamala D. Harris
Consumers that have spent more than a few seconds attempting to decipher an online privacy policy tend to agree that most privacy policies are overly long, difficult to read, and fail to offer any meaningful choice to the consumers with how their personal information is tracked and shared. Indeed, most consumers do not understand, and many do not even read, the privacy policies on the websites they visit.
Earlier this year California’s Attorney General issued the “Making Your Privacy Practices Public” guide (the “Guide”) to offer recommendations to support companies in providing privacy policy statements that are meaningful to consumers. The Guide is intended to encourage that State’s companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format for consumers that comply with California’s Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (2004) (“CalOPPA” or “the Act”).
CalOPPA was the first law in the nation with a broad requirement for privacy policies. The Act applies to operators of commercial websites and online services that collect “personally identifiable information” (“PII”) about Californians, requiring such companies to conspicuously post a privacy policy and comply with it. The Act was amended in 2013 to address the issue of “online tracking” including the collection of PII about consumers as they move across web sites and online services.
Visit the TLSS Blogs for more posts on other topics
The 2013 amendments to CalOPPA require website operators and online services to inform consumers that “Do Not Track” (DNT) technology exists and disclose whether the website or online services operator honors a user’s request not to be tracked using such technology. The 2013 amendments further require website and online services operators to disclose whether third parties are able to collect PII about a consumer’s online activities over time and across third-party websites. The recent Guide recommendations address these newer provisions in a detailed, straight-forward fashion that the California Attorney General hopes will spur meaningful and effective privacy policies and practices.
An overarching theme of both the 2013 amendments to CalOPPA and the Guide in general is for companies to use plain, straightforward language and avoid technical or legal jargon to make privacy policies readable and understandable to consumers. Similarly, the Guide provides that companies should make it easy for a consumer to find the section in which the company describes its policy regarding online tracking and label it as such.
More specifically, the Guide requires that websites and online services operators describe how the company responds to a browser’s “Do Not Track” signal or to other such mechanisms and whether other parties are or may be collecting PII of consumers while the consumer is on or using the company’s site or service. With respect to data use and sharing, companies should explain the uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
Whenever possible, the Guide provides that a link to the privacy policies of third parties with whom the website shares PII should be provided. The Guide finally sets forth that company privacy policies should describe the choices a consumer has regarding the collection, use, and sharing of his or her PII and provide contact information for further information about a company’s privacy policies and practices.
The recommendations set forth in the Guide promote the stated mission of the California Attorney General and intent of CalOPPA and recent amendments to safeguard consumers by assisting certain companies to craft meaningful privacy policy statements to help consumers make informed decisions about which companies they will entrust with their personal information. While the Guide does not have the force of law, it does provide clarity and practical recommendations for businesses to comply with CalOPPA, while also providing an opportunity for companies to develop goodwill and trust through transparency.
Stuart A. Panensky practices in Traub Lieberman Straus & Strewsberry’s Construction Defect, Professional Liability, Environmental, and Technology practice groups. He primarily defends architects and engineers from third party claims of professional negligence. Stu also represents contractors, subcontractors as well as owners/developers in all aspects of construction litigation. He also handles environmental litigation including CERCLA and Spill Act claims, cyber claims (including coverage issues), as well as complex litigation management and insurance coverage litigation. He also lectures on technology and the law, cyber claims and co-authored a chapter in Data Security and Privacy Law – Combating Cyberthreats.
