California Attorney General Kamala Harris released a long-awaited report entitled Making Your Privacy Practices Public (Report) on May 21, 2014. The Report recommends “best practices” for compliance with the California Online Privacy Protection Act (CalOPPA). It was originally intended to answer critical questions about exactly what website, online service, and mobile application operators (collectively, “site operators”) must do to comply with CalOPPA’s new do not track (DNT) disclosure obligations, which took effect on January 1, 2014. It does not accomplish that goal. Unfortunately, the Report leaves important questions unanswered and raises new questions.
The Report explains that “its recommendations . . . which in some places offer greater privacy protection than required by existing law, are not regulations, mandates or legal opinions.” It fails, however, to clarify what the law actually requires, and we expect that trade associations will continue to seek guidance on important compliance issues. In the meantime, site operators may wish to comply with at least some of the Report’s recommendations to the extent possible because such “recommendations” tend to harden into regulatory “expectations” over time.
DISCLOSURE OF CROSS-SITE TRACKING AND RESPONSES TO DNT CHOICE MECHANISMS
In order to assess the Report’s recommendations, it is important to first understand CalOPPA’s DNT disclosure obligations. As amended by AB 370, the law requires a site operator to make disclosures with respect to:
- Its collection of personally identifiable information (PII) about its users’ activities over time and across third-party sites or online services, if it engages in such cross-site tracking. (We note that the California Attorney General appears to broadly define PII to include not only names, physical addresses, email addresses, phone numbers and social security numbers, but also device identifiers and geo-location data.)
- Any “other party’s” tracking of the site operator’s users over time and across third-party sites or services.
The law applies to cross-site tracking for any purpose, including, for example, analytics and advertising.
We discuss each of these obligations, as well as questions that the Report raises with respect to them, in turn as follows.
A. Disclosures relating to a site operator’s own cross-site tracking.
The law requires that a site operator disclose how it responds to browser DNT signals or other tracking choice mechanisms, if it engages in cross-site tracking. As the Report notes, “[t]he new provisions do not . . . depend on a standard for how an operator should respond to a DNT browser signal or to any mechanism that automatically communicates a consumer’s choice not to be tracked.” The law requires only disclosure, not substantive practices, and it can be breached by a failure to disclose, or to disclose accurately, the required information.
What does this mean in practice and in light of the Report? And what questions does the Report raise?
- If a site operator engages in cross-site tracking, it must disclose how it responds to either browser DNT signals or another tracking choice mechanism.
- If a site operator engages in cross-site tracking and honors DNT signals, it should explain precisely what it does in response to a DNT:1 header. Note that it may be a mistake to represent simply that a site operator “honors” DNT signals, as that representation could be interpreted to mean more than the operator’s actions warrant. For example, there is not yet consensus among stakeholders across the spectrum of industry, academics, and advocates on whether honoring an opt-out means that the site operator ceases the online tracking or merely ceases using the information collected through such tracking.
- If a site operator engages in cross-site tracking and honors some other means for users to express choice with respect to the tracking, it should say so. The law permits a site operator to satisfy the DNT disclosure requirement by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” The Report makes it clear that a site operator may disclose either how it responds to a browser’s DNT signal or link to another program or protocol that provides choice. The Report notes, however, that “[d]escribing your response in your privacy policy statement is preferable to simply providing a link to a related ‘program or protocol’ . . . because it provides greater transparency to consumers.” It also recommends that site operators “[p]rovide the link in addition to identifying the program with a brief, general description of what it does.” While following these recommendations would promote transparency, both go beyond the law’s requirement of providing a link.
The Report further recommends that a site operator consider whether “the page to which you link contain[s] a clear statement about the program’s effects on the consumer . . . [and] what a consumer must do to exercise the choice offered by the program.”
This raises a couple of questions about linking to third-party choice programs:
- Must the link bring users directly to the program’s opt-out page, or is a link to the program’s website sufficient? The Report does not make this clear and, again, may go beyond the law, which requires only a link to “an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
- The Report is silent as to which, if any, external choice programs are adequate. In our judgment, industry self-regulatory programs such as those run by the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI) should meet the law’s requirements. But this is unsettled, and the AG has expressed concerns about whether either program meets the definition. We expect the NAI and DAA will seek further clarification on this point.
- If a site operator engages in cross-site tracking but does not honor browser DNT signals or any other choice mechanism, it should say that it does not honor browser DNT signals. With respect to such site operators, the Report recommends that “[i]f you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, describe your uses of the information.” While such a disclosure may be prudent—as a failure to make it could conceivably be deemed a material omission and thus deceptive under Federal Trade Commission law where such use may be unexpected by an ordinary user under the circumstances—the disclosure is not required by CalOPPA.
B. Disclosures relating to another party’s cross-site tracking.
CalOPPA requires that a site operator disclose “whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.” The law does not require the operator to make any disclosure regarding such “other party’s” response to a DNT mechanism.
What does this mean in practice and in light of the Report? And what questions does the Report raise?
- Is a service provider an “other party”? Because neither the law nor the Report clarifies the meaning of the term “other party,” it is not completely clear whether it includes a site operator’s service provider or whether, on the other hand, a service provider stands in the site operator’s shoes for purposes of the law. During a December 10, 2013 call with industry representatives, consumer advocates, and other interested parties, a representative of the AG’s office suggested that a service provider is not the same as a site operator but instead should be treated as an “other party” for purposes of the law. This position is consistent with the law’s definition of an “operator,” which appears to exclude service providers. In our judgment, it follows that a site operator does not have to disclose a DNT response or choice mechanism with respect to the cross-site tracking activities of its service providers, but it does have to disclose whether any service provider or other third party is engaged in the cross-site tracking of the site operator’s users. As a practical matter, this distinction may be of no consequence: a site operator that uses a service provider for cross-site tracking (e.g., for analytics or behavioral advertising services) is typically contractually required by the service provider both to disclose the tracking and to tell its users how they can opt out of it, such as through the DAA or NAI.
- The Report recommends that a site operator explain how a third party’s practices may diverge from the site operator’s DNT policy. This recommendation goes beyond the law’s requirements. As discussed above, the law requires only that a site operator disclose whether third parties engage in cross-site tracking. It does not impose any requirement to address the third party’s response to DNT signals or other choice mechanisms. The recommendation, however, raises the question of whether the AG believes there is a duty under the law for a site operator to vet the practices of third-party trackers on its site and to disclose whether such practices diverge from the site operator’s own.
OPPORTUNITY TO CURE?
The Report acknowledges that CalOPPA includes a 30-day notice and cure period for noncompliance, but it does not squarely address whether that 30-day period applies to companies that have posted a privacy policy that fails to include required DNT disclosures but otherwise complies with the law. In a December 2013 call with interested stakeholders, a representative of the AG’s office stated that the 30-day period does not apply in this situation, and this interpretation seems to be supported in the Report, which notes that “[t]he law provides an operator with a 30-day period to post a policy after being notified of failure to do so. An operator subject to the law is in violation for failing to comply with the legal requirements for the policy or with the provisions of its policy either knowingly and willfully or negligently and materially.” The AG’s apparent interpretation is that the notice and cure provision applies only if there is no policy whatsoever, but that if there is any policy—even one that is almost completely compliant—then no notice and cure period is required. As a matter of public policy, this position makes no sense: the operator who did nothing should not be entitled to greater protection than the operator who tried hard and just missed the mark.
ONLINE TRANSPARENCY “BEST PRACTICES”
Finally, the Report recommends other “best practices” aimed at ensuring that a site operator’s privacy policy is transparent to its users. While many of these go beyond the law’s requirements, it is worthwhile to consider them, as “best practices” tend over time to harden into regulatory expectations. They include the recommendations to:
- Prominently label the section of your policy regarding online tracking. For example: “California Do Not Track Disclosures.”
- Disclose whether third parties collect PII from your users.
- Explain your uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
- Describe what PII you collect from users, how you use it, and how long you retain it.
- Describe the choices a consumer has regarding the collection, use, and sharing of his or her PII.
- Use plain, straightforward language that avoids legal jargon, and use a format—such as a layered approach—that makes the policy readable. Use graphics or icons instead of text.
CONCLUSION
When it comes to compliance with the new CalOPPA DNT disclosure requirements, the Report raises more questions than it answers. It acknowledges that its recommendations are not necessarily legal requirements, but, in so doing, fails to clarify what the law itself requires. In light of this uncertainty, a site operator may wish to implement the Report’s recommendations to the extent possible.