Even with the publication of draft “best practices” by the California Attorney General (AG), website operators remain uncertain as to their obligations under the new do-not-track disclosure requirements of the state’s Online Privacy Protection Act (“CalOPPA”), which took effect on January 1, 2014.
The new provisions require privacy policy disclosures with respect to: (1) a site operator’s tracking of its visitors when they are on third-party sites (if it engages in such tracking) and (2) any “other party’s” tracking of site visitors when they are on third-party sites.
In the first case only, the law requires that the operator disclose how it responds to browser do-not-track signals or other do-not-track choice mechanisms. It does not impose the same disclosure obligation with respect to “other parties”—rather, it requires only that the operator disclose whether other parties engage in such tracking.
During a December 10, 2013 call with industry representatives, consumer advocates and other interested parties, the AG’s office took the position that a service provider is not the same as a site operator but instead should be treated as an “other party” for purposes of the law. (This position is consistent with the law’s definition of an “operator,” which appears to exclude service providers.) It follows that the site operator would not have to disclose a choice mechanism with respect to any such “other party.”
As a practical matter, this should be a moot point for an operator that uses third parties that are members of the Network Advertising Initiative and/or Digital Advertising Alliance, as such operator should already be contractually required to disclose how site visitors may opt out of cross-site tracking for online behavioral advertising purposes. Site operators should keep in mind, however, that CalOPPA’s provisions cover any type of cross-site tracking—which may also include tracking for analytics or other purposes.
On December 20, 2013, the AG’s office circulated a draft of its best practice recommendations for online tracking transparency. The draft notes that the recommendations are not intended to tell a site operator what disclosures are necessary to comply with CalOPPA. Rather, they will, “in some places offer greater privacy protections than required by . . . law” and are intended to “encourage the development of privacy best practice standards.” The draft reflects this, by recommending disclosures that go beyond those required by the law. For example, they:
- Urge a site operator that does not engage in cross-site tracking to tell its users that it does not engage in such tracking. The law requires no such affirmative disclosure; and
- Encourage a site operator that engages in cross-site tracking to both: (a) disclose how it responds to a browser’s do-not-track signal or similar communication from a site user and (b) provide a link to a program that offers choices in connection with online tracking. The law requires that such a site operator disclose how it responds to browser do-not-track signals or other mechanisms that provide users with choices (not both), and it permits the operator to comply by providing a link to an online choice program.
The AG accepted comments on its draft until January 6, 2014, and it intends to issue final guidance during the second half of January 2014.
Although site operators need to proceed with great caution, our sense is that the AG’s office is unlikely to bring any actions for violations of the amended statute prior to issuing its final guidance. If the AG’s office does bring such an action, we suspect that the action would most likely involve a “slam dunk” situation—i.e., where a site operator engages in cross-site tracking but makes absolutely no mention of do-not-track, third parties or an opt-out in its privacy policy.
Socially Aware will provide an update after the AG publishes its final best practice recommendations.