Privacy & Security Alert
June 5, 2014
Making Privacy Practices Public: the California Attorney General’s New Guidelines Keep the Focus on the Consumer’s Perspective and New Disclosure Requirements
Do Not Track Disclosures. Although considerable space is devoted to addressing the new DNT disclosure requirements, the guidelines are unlikely to satisfy those seeking additional clarity regarding how to formulate a description of a web site’s DNT response. Since there is no universal standard for DNT, any online service provider that makes an unqualified promise to honor DNT takes on a substantial risk of breaking that promise. Instead, the guidelines recommend that service operators provide consumers with a description of the tracking programs being used in connection with the service, in easy-to-locate sections with a clearly identifiable heading. DNT disclosures should describe all tracking of users that is done over time and across third-party web sites, either directly by the service provider or by a third party. If tracking programs are in place, the policy should disclose how, or if, users whose browsers send a DNT signal are treated differently from other users. Where tracking is conducted by third parties, the guidelines recommend that the service provider consider whether the third parties it authorizes to track users will follow the service provider’s DNT policy. If an online service provider cannot ensure that its third-party trackers comply with its DNT policy, then the consumer should be informed. Although CalOPPA permits linking to an online tracking consumer choice program as an alternative to making certain disclosures, the guidelines make it clear that the online service provider must follow the program that it links to, and still retains the risk that an outside link is not sufficiently clear to permit users to control tracking online.
Collection and Sharing of Data; Security. Requiring descriptions of the categories of personal information collected and any third parties with whom information is shared is not new. The guidelines reiterate the minimum requirements for describing collection, use and sharing, and also recommend certain best practices that are not strictly required under the statute, such as providing links to the privacy policies of third parties with whom information is shared and specifying retention periods for each type of personally identifiable information collected. The guidelines also recommend including a general description of security measures used to protect consumer information.
Individual Choice and Access; Accountability. As we recently discussed in connection with the Federal Trade Commission settlements with Credit Karma and Fandango, issues related to consumer control of information, including access to provide feedback and request information, are key considerations in enforcement actions. Online service providers should provide easy-to-follow instructions for updating or deleting account information, and give consumers a direct point of contact to request changes to the handling of personal information to ensure responsiveness. Rather than relying on a general customer service number, online service providers should consider using a designated line that specifically addresses security concerns and feedback as well as information requests from consumers.
Although they do not address some of the recent issues created by the new regulations, the guidelines are an excellent resource for seeing the thought process and focus that the Attorney General’s office brings to enforcement actions. In particular, the guidelines continually emphasize the consumer perspective and ensuring readability and access. There is no time like the present to take a step back and review your policies and practices with a fresh set of eyes and from the outlook of your product’s users.
* * *
View Mintz Levin’s Privacy & Security attorneys.