
California AG Issues New Guidance on Online Privacy

California has led the way in many privacy-related laws, including the now ubiquitous data breach notification laws, as well as in online privacy.  In 2003, California enacted CalOPPA, one of the only laws in the country that requires websites to have an online privacy policy.[1]  In 2013, this law was amended to require disclosures regarding online tracking, specifically disclosures regarding:

  • The operator’s response to a browser DNT signal or to “other mechanisms”, and
  • The possible presence of other parties conducting online tracking on the operator’s site or service.[2]

The California Attorney General’s office has been extremely active in providing guidance regarding a variety of privacy issues, and the Office recently issued guidance regarding the newly amended CalOPPA, Making Your Privacy Practices Public, Recommendations on Developing a Meaningful Privacy Policy, which offers suggestions to businesses about what they can do to be more transparent about privacy, in the Attorney General’s view.  The Attorney General’s office had also issued previous guidance in the mobile space, Privacy on the Go: Recommendations for the Mobile Ecosystem,[3] in which it recommended a “surprise minimization” approach, where a mobile app company would supplement its longer, more comprehensive privacy policy with shorter, special notices related to the collection of PII if the PII was not necessary for the basic functionality of the app, or if it was sensitive PII.

Understanding CalOPPA’s Requirements

CalOPPA applies to “operators” of commercial websites or online services, and requires that a privacy policy be “conspicuously posted” if the site collects PII[4].[5]  Among other requirements, the website must:

(1)  Identify the categories of personally identifiable information that the operator collects through the website about individual consumers who use or visit its commercial website, and the categories of third-party persons or entities with whom personally identifiable information is shared;

(2)  Provide a description of the process the operator uses, if any, for consumers to review and request changes to any of his or her personally identifiable information that is collected through the website;

(3)  Describe the process that is used to notify consumers who use or visit the site of material changes to the privacy policy; and

(4)  Identify its effective date.[6]

 

The Issues Identified in Making Your Privacy Practices Public (“the Guidance”)

The Guidance starts by stating the Attorney General’s view that “meaningful privacy policy statements safeguard consumers by helping them make informed decisions about which companies they will entrust with their personal information.”  While transparency is a noble goal, research by the Lares Institute shows that statements in a privacy policy might not be as important for consumer trust as the Guidance suggests.  When asked in a 2013 survey about the reasons for trust regarding privacy, consumers did not rank disclosures in a privacy policy as being that important.  Indeed, what people read in a privacy policy was seventh out of the ten top reasons people trusted companies with their information, with only 5% of respondents citing reading the policies as the reason for trust.[7]

[Figures: Reasons for trust, privacy 2014 (charts 1 and 2)]

 

In short, while transparency is a noble goal, it is not clear that increasing transparency will dramatically impact consumer trust.

The Guidance also notes that there is research showing that people do not read privacy policies, or at least do not understand them when they do read them.  Research by the Lares Institute provides additional guidance on this point, showing that people with higher education levels and income are less likely to read privacy policies.[8]  Research regarding who reads the privacy policies provided by Internet Service Providers, including an examination of their demographics, provides a good example of this issue.

[Figure: Privacy Policy Review, Education]

 

Ultimately, the Guidance notes that its purpose is to “encourage companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format.”[9]

The Guidance provides an executive summary, as well as a bullet point format with more detail, which is a good structure to understand the details that follow.

Readability

  • Use plain, straightforward language.   Avoid technical or legal jargon.
  • Use a format that makes the policy readable, such as a layered format. This also includes making the policy readable on smaller screens.

Data Collection

  • If you collect personally identifiable information on users or visitors from other sources, describe how you do so.
  • If you collect personally identifiable information through technologies such as cookies or web beacons, describe how you do so.
  • Be reasonably specific in describing the kind of personal information you collect.
  • At a minimum, list the categories of personal information that you collect from users and visitors.

Online Tracking/Do Not Track

  • Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.”
  • State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.

Data Use and Sharing

  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
  • Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.

Individual Choice and Access

  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.

Security Safeguards

  • Explain how you protect your customers’ personal information from unauthorized or illegal access, modification, use or destruction.
  • Give a general description of the security measures you use to safeguard the personal information in your care, but not in such detail as to compromise your security.
  • Give a general description of the measures you use to control the information security practices of third parties with whom you share customer personal information for any purpose.

Accountability

  • Tell your customers who they can contact with questions or concerns about your privacy policies and practices.

 

Conclusion

While the guidance presents interesting issues for discussion, and some best practices that companies could adopt, not all of the suggestions will be relevant, or helpful, for all companies.  In many cases these suggestions go well beyond the statutory requirements of CalOPPA, and in some cases might be difficult for companies to implement.  For example, the suggestion that websites provide links to third parties with whom they share information suggests a practice that is not statutorily required, and that might increase a company’s risk exposure (for a potentially deceptive statement either under Section 5 of the FTC Act, or § 17200 of California’s Business and Professions Code) in a way that it will find difficult to monitor, particularly if the third-party policies change over time.

Finally, one question that always must be asked when a regulator issues guidance is whether this could be the basis of enforcement down the road.  While there is no indication that the Attorney General intends to use this as an enforcement tool either under CalOPPA, or Business & Professions Code § 17200[10], this possibility cannot be eliminated.  In any case, this guidance does present the Attorney General’s views and it should be considered, where appropriate, if companies are trying to implement best practices regarding online disclosures.

For further information about this Guidance, please click here.

 

[1] Other states with laws that can impact disclosures in online privacy policies include Nebraska, Pennsylvania, and Utah.  For complete coverage of this issue, see, Serwin, Information Security & Privacy: A Guide to Federal and State Law and Compliance, Chapter 2, (West 2013).

[2] Making Your Privacy Practices Public, Recommendations on Developing a Meaningful Privacy Policy, (May 2014), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf (last visited May 23, 2014).

[3] Available at: http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf? (last visited May 23, 2014).

[4] The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1)  A first and last name.  (2)  A home or other physical address, including street name and name of a city or town. (3)  An e-mail address. (4)  A telephone number.  (5)  A social security number.  (6)  Any other identifier that permits the physical or online contacting of a specific individual.  (7)  Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.  Cal. Bus. & Prof. Code § 22577(a)(1)-(7).

[5] See, Information Security and Privacy, § 2:51.

[6] Id.

[7] These responses were part of a survey which was sent to 482 individuals in the United States, and 425 responses were received, for a response rate of 88%. The margin of error of this survey is 5% at a 95% confidence level.

[8] The Demographics of Privacy, The Lares Institute (2011), available at: https://laresinstitute.com/wp-content/uploads/2011/09/Demographics-Study.pdf.  

[9] Making Your Privacy Practices Public, Recommendations on Developing a Meaningful Privacy Policy (May 2014).

[10] Cal. Bus. & Prof. Code § 17200 is California’s version of the FTC Act, and it has a five-prong disjunctive definition of conduct that can violate the law, including unfairness and unlawfulness (which includes the violation of another statute).
