California AG Preps Best Practices Guidelines For New Web Privacy Law

California's new do-not-track law, which went into effect this year, can be boiled down to a simple guiding principle: “Say what you do, and do what you say.” That's according to Joanne McNabb, director of privacy education and policy with the California Attorney General's office.

“The story line here is transparency,” McNabb said on Friday at an online seminar about the measure.

Despite being referred to as the do-not-track law, the measure doesn't force companies to honor people's do-not-track requests. Instead, AB370 amends a 10-year-old California privacy statute by requiring some Web companies to state how they respond to do-not-track requests, including ones sent by browser-based headers. 

The measure also requires companies to state in their privacy policies whether they allow third parties to collect tracking data -- or information about users' “online activities over time and across different Web sites.”

Observers have said that complying with that portion of the law could present challenges, given that many publishers appear unaware of all of the intermediaries that collect data on behalf of ad networks and advertisers.

The measure only applies when companies collect “personally identifiable information” -- defined as names, addresses, email addresses, phone numbers, social security numbers, or “any other identifier that permits the physical or online contacting of a specific individual.” That definition appears broad enough to cover companies that engage in a host of online behavioral advertising techniques.

Attorney General Kamala Harris plans to soon release final guidelines to best practices for compliance. On Friday, McNabb discussed a preliminary draft of the upcoming guidelines, which offer some specific recommendations for Web publishers. One of the most significant is that publishers consider how they police ad networks and other third parties that collect data about visitors.

The draft guides advise publishers to consider how they will ensure that only “approved third parties” collect data. Publishers also should consider how they will verify that authorized third parties don't bring unauthorized parties onto the sites in order to collect personal data. Web site publishers also should think about how they will ensure that their do-not-track policy is followed by third-party trackers.

McNabb said on Friday that the Attorney General plans to enforce the new law against apps and mobile companies, as well as online publishers. Other participants in Friday's online seminar included the Better Business Bureau’s Genie Barton, Todd Ruback of Evidon and Heather Sussman with the law firm McDermott, Will, and Emery.

Recommend