California AG Issues Privacy Recommendations To Better Protect Consumers
Tuesday, June 10, 2014
Late last month, the Office of the Attorney General for the State of California issued a guide with privacy recommendations for companies about how to present privacy policies and do-not-track disclosures to consumers. The recommendations are based upon changes in California law (emphasis added):
"...in 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users."
Previously, many mobile app developers failed to include usage term and privacy policies with their apps, both before and after purchase. Most Web browsers have Do Not Track (DNT) features, but the effectiveness of that feature depends upon the website operator's compliance, which is not mandatory. The California AG's guide included a summary of Do Not Track and web browsers (emphasis added):
"... the [U.S. Federal Trade Commission] staff in 2010 proposed a Do Not Track (DNT) browser signal as a uniform and comprehensive way for consumers to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The Commission noted in its 2012 final report that a number of browser vendors had announced that their latest versions permitted consumers “to instruct websites not to track their activities across websites.” In a 2012 paper on consumer privacy, the White House noted that “privacy-enhancing technologies such as the ‘Do Not Track’ mechanism allow consumers to exercise some control over how third parties use personal data or whether they receive it at all.” By 2013, the major browser companies had all implemented a DNT mechanism in their browsers. In May 2014, the White House once again commented that consumers “have a valid interest in ‘Do Not Track’ tools that help them control when and how their data is collected. There is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal. The World Wide Web Consortium (W3C), which facilitates collaborative efforts to develop web standards, created a Tracking Protection Working Group, which has been working since 2011 to develop standards for the technology and meaning of Do Not Track. As of the end of 2013, the W3C group had not agreed upon what an operator or an advertising network should do when they receive a DNT browser header."
The guide includes the following key recommendations:
"Readability
- Use plain, straightforward language. Avoid technical or legal jargon.
- Use a format that makes the policy readable, such as a layered format.
Online Tracking/Do Not Track
- Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program."
- State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.
Data Use and Sharing
- Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
- Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
Individual Choice and Access
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
Accountability
- Tell your customers whom they can contact with questions or concerns about your privacy policies and practices"
Personally identifiable information (PII) includes the following data elements:
- Your name: first, middle, last
- Your residential or home address, including the street name, town, and ZIP Code
- Your e-mail address
- Your telephone number (mobile or land-line)
- Your Social Security number
- Any other identifier that enables somebody to contact you online or offline in the physical world
- "Information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier..."
The last two items are critical because they includes several things that can be used to identify only you, such as a user name, user ID, license number, member number, policy number, record number, the IP address assigned to your computer device, and so forth. The last item probably includes your physical movements (e.g., GPS coordinates with time stamps from your mobile device or car), since this data could be used to uniquely identify and track you.
Download the "Making Your Privacy Practices Public" guide (Adobe PDF) by the California Attorney General's Office. It includes detailed recommendations, which are a good start. Assembly Bill 370 makes it clearer for consumers to understand what a website and mobile app operator promises to do about privacy and handling consumers' sensitive personal information. Obviously, there needs to be a standard about how advertising networks respond to DNT signals from a browser.
I look forward to seeing more privacy improvements in California and in other states. What are your opinions of the "Making Your Privacy Practices Public" guide? Is it good? Does it go far enough?
Comments
You can follow this conversation by subscribing to the comment feed for this post.