The key elements of such guidelines are as
Website operators should clearly identify the section of their privacy policies that covers online tracking and DNT signals. The California Attorney General’s mission is to make it simple for consumers to find this section of privacy policies since consumers whose browsers send DNT signals cannot otherwise easily determine how a website or service responds to the signals.
Website operators should describe how they respond to DNT signals. The guidelines suggest that this is preferable to simply linking to a program that offers a consumer a choice about tracking in the absence of such a description. The California Attorney General’s commentary also suggests specifying (1) if treatment of consumers whose browser sends a DNT signal is any different from those whose browser does not and (2) if PII is still collected over time and across third-party websites or other online services despite a consumer’s browser sending a DNT signal. If PII is collected despite a DNT signal, the guidelines recommend that website operators describe how such information is used.
These guidelines present new challenges for website operators. Describing current PII collection mechanisms may seem rudimentary at first blush, but given the wide variety of browsers and websites and their respective functionality, disclosing such mechanisms in sufficient detail requires a thorough understanding of both the features employed by the latest versions of browsers and the technical/operational characteristics of DNT signals. These descriptions will need to be regularly updated as well, adding another layer of complexity to website operators’ compliance efforts. Indeed, the lack of consensus among browser developers and website operators on how to send out and respond to DNT signals lends strong support for the notion that a fulsome disclosure should invariably account for any new standards or features that may be developed and employed in the future, such as new anti-tracking tools.
Website operators may find themselves on the wrong side of a claim asserted by opportunistic plaintiffs attempting to capitalize on a new type of DNT signal or some widely perceived ambiguity in the law. Therefore, it is critical for operators of websites and other online services to review their privacy practices and policies immediately in order to assess whether revisions are necessary in order to comply with this latest amendment to CalOPPA. It is also highly recommended that website operators closely monitor and scrutinize novel DNT signal developments such as the World Wide Web Consortium’s Tracking Protection Working Group’s call for comments on a newly proposed definition of DNT signals.
The DigitalHHR team will continue to monitor the latest developments surrounding CalOPPA and online privacy issues generally. Please feel free to reach out to us with any questions or concerns.