California AG Issues Guidelines For New Online Privacy Law, Pushes Mobile-Friendly Formats

Web site operators and mobile app developers should offer privacy policies written in short, jargon-free sentences, California Attorney General Kamala Harris says in a report released on Wednesday.

The document, “Making Your Privacy Practices Public,” also advises companies to make their policies easy to read by using “titles and headers” and offering mobile-friendly formats. “Graphics or icons can help users easily recognize privacy practices and settings,” the Attorney General advises in the 28-page report.

The guidelines are aimed at helping companies comply with California's new do-not-track law (AB370). That measure requires some Web companies to state how they respond to do-not-track requests -- including ones sent by users' browsers. The law also requires all Web site operators to state in their privacy policies whether they allow third parties to collect tracking data -- or information about users' “online activities over time and across different Web sites.”

The do-not-track portion of California's law only applies to companies that collect “personally identifiable information,” but the term is defined fairly broadly. It appears to include data long thought of as personal -- such as names, email addresses and phone numbers -- as well as information that some companies consider “anonymous,” like device identifiers (usually an alphanumeric string) and geolocation data.

All of the major browser companies now offer a do-not-track setting, which was designed to enable consumers to opt out of online behavioral advertising. But those headers don't actually prevent anyone from tracking users. Instead, the headers send a signal to publishers and ad networks, which are free to honor them or not.

Harris' office suggests that Web site operators (and mobile developers) consider specific issues when explaining their do-not-track policies. The report says that one key question that Web site operators should think about is whether they treat visitors who send a do-not-track signal differently than people who don't.

The guidelines suggest that operators also should address what information is collected from people who send do-not-track signals. The Attorney General's office specifically suggests that Web site operators who ignore do-not-track signals should describe how they use the “personally identifiable information” they collect.
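As an added illustration (not code from the article or from the Attorney General's report) of the two points above: the browser's do-not-track signal is just a request header, and the operator decides server-side whether to honor it. The example below reads the `DNT` request header, decides whether to set or reuse a cross-site tracking cookie, and echoes the decision back in the `Tk` response header that the W3C Tracking Preference Expression draft defines (`N` for not tracking, `T` for tracking). The `honor_dnt` switch makes visible exactly the question the guidelines raise: whether visitors who send the signal are treated differently from those who don't. The cookie name, the header dictionaries and the policy choices are this example's own assumptions.

```python
"""Added example: server-side handling of the browser Do Not Track signal.

The DNT request header and the Tk response header follow the W3C TPE draft;
the cookie name and the "honor or ignore" policy are assumptions made here."""

from http.cookies import SimpleCookie
from typing import Optional
import secrets

TRACKING_COOKIE = "ad_uid"   # assumed name of a cross-site identifier cookie


def parse_dnt(headers: dict) -> Optional[bool]:
    """Interpret the DNT request header.

    Returns True when the user opts out of tracking (DNT: 1), False when the
    user explicitly opts in (DNT: 0), and None when no valid header was sent.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    value = lowered.get("dnt")
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def handle_request(headers: dict, honor_dnt: bool = True) -> dict:
    """Decide whether this request may be tracked and build response headers.

    With honor_dnt=True an opted-out visitor gets no tracking cookie and a
    'Tk: N' response; otherwise the site behaves the same for everyone, which
    is the case the guidelines say must be disclosed in the privacy policy."""
    dnt = parse_dnt(headers)
    response_headers = {}

    if honor_dnt and dnt is True:
        # Respect the signal: neither set nor reuse a cross-site identifier,
        # and tell the browser the request was not tracked.
        response_headers["Tk"] = "N"
        return {"track": False, "headers": response_headers}

    # Tracking path: reuse an existing identifier or mint a new one.
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if TRACKING_COOKIE in cookie:
        uid = cookie[TRACKING_COOKIE].value
    else:
        uid = secrets.token_hex(8)
    response_headers["Tk"] = "T"
    response_headers["Set-Cookie"] = (
        f"{TRACKING_COOKIE}={uid}; Path=/; Secure; HttpOnly; SameSite=None"
    )
    return {"track": True, "headers": response_headers, "uid": uid}


if __name__ == "__main__":
    # Constructed sample requests: an opted-out visitor and a returning
    # visitor with no DNT header.
    for req in ({"DNT": "1"}, {"Cookie": "ad_uid=abc123"}):
        print(req, "->", handle_request(req))
```

Logging the `track` decision alongside the parsed `dnt` value gives an operator the evidence needed to check that what the privacy policy says about do-not-track matches what the servers actually do.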

Site operators who don't want to address do-not-track in their privacy policies can instead comply by offering a “clear and conspicuous” link to a program that gives consumers a choice about online tracking. But the new guidelines say it's “preferable” for Web site operators to describe how they handle do-not-track requests, because doing so “provides greater transparency to consumers.”

The online industry hasn't yet reached a consensus about how to interpret do-not-track requests that are sent by users' browsers. The Web standards group World Wide Web Consortium -- which has been trying to answer that question for three years -- tentatively decided that a “do not track” request will communicate that users don't want data about themselves collected by ad networks. Despite the proposed definition, the organization also anticipates that ad networks will be able to comply with the do-not-track standard and still collect certain types of data about users. The W3C hasn't yet come to any agreement about what type of data can be collected.

Jason Kint, incoming CEO of the Online Publishers Association, calls the Attorney General's guidelines “a nice start towards more transparency.” He adds that the OPA welcomes “anything that simplifies privacy policies and builds trust in the digital ecosystem.”

1 comment about "California AG Issues Guidelines For New Online Privacy Law, Pushes Mobile-Friendly Formats".
  1. Mike O'Neill from Baycoud Systems, May 23, 2014 at 5:58 a.m.
    The Tracking Preference Expression document this article links to defines the technical aspects of Do Not Track, i.e. how the signal is communicated and the API used to reflect a user consent to an exception to it, but not how servers should respect it. The TPE document does contain a definition of tracking but this does not only apply to ad networks but to any party that collects tracking data (such as the sites a specific user visits) across multiple domains. The TCS document describing compliance is still in progress, though nearing completion. The draft envisions that there may continue to be some user specific data collected when a user has set DNT, but this must only be used for a limited permitted set of purposes such as fraud detection.