Privacy Policy 201 – Online Tracking
I recently posted Privacy Policy 101, discussing some basic elements of a website’s privacy policy. Now that the California Attorney General’s office has released an important policy statement on website privacy practices with respect to Do Not Track (DNT) technology, it’s time for Privacy Policy 201.
More than 10 years ago, California passed the California Online Privacy Protection Act of 2003 (CalOPPA), the first law in the country that set out requirements for website privacy policies. CalOPPA applies to the operator of any commercial website or online service (which includes mobile apps) that collects personally identifiable information through the internet about individual consumers residing in California. It would be a mistake for the reader to say, “my company is in Ohio, so this California law doesn’t apply to me.” Chances are, your website has California users. In addition, considering the size of the California market (the most populous US state) and the borderless nature of the internet, it is sound policy for any commercial website operator to comply with CalOPPA, no matter where located.
In Privacy Policy 101, I described three basic requirements:
1. Notify visitors as to the kinds of personally-identifiable information collected,
2. Notify visitors as to how the information will be used, and
3. Advise visitors as to how they can opt out of the collection and use of information.
In 2013, the California legislature amended CalOPPA to deal with the issue of online tracking – the collection of personal information about consumers as they move across web sites and online services. DNT technology is now widespread, and every major web browser incorporates a DNT option in its privacy settings. The CalOPPA amendments require website operators to inform consumers of how they respond to DNT signals and requests. Note that there is no requirement that a website operator actually honor DNT signals or requests. CalOPPA merely requires that the website operator be honest and transparent about how it responds. For example, if a particular website does not honor DNT requests, it should disclose this fact. By doing so, the website enables the consumer to make an informed decision about whether he or she wants to continue to use that website. The CalOPPA amendments also require the website operator to disclose the possible presence of other parties conducting online tracking on the operator’s website or online service.
The California Attorney General recommends the following practices regarding online tracking and DNT:
First, include a separate, clearly-labeled section about online tracking in your privacy policy.
Second, describe how your website responds to DNT signals – whether you honor DNT signals, whether you treat consumers that request DNT differently from consumers that don’t request DNT, and how you use any personally identifiable information collected from consumers that request DNT.
Third, disclose whether any third parties collect personally identifiable information on your site, whether they are or may be conducting online tracking, and whether such tracking conforms to your tracking policy.
As with any significant change, this is a good opportunity to review your practices with respect to online tracking, including an evaluation of how informed consumers will react to your practices.
Follow me on Twitter @PaulHSpitz