CA AG Releases Web Privacy Guidelines

By Cheryl Miller
June 02, 2014

Online companies in California should, but are not required to, clearly explain on their sites how they respond to a browser's do-not-track signals, according to privacy practice guidelines released on May 20 by Attorney General Kamala Harris.

The best practices report says that, while a direct do-not-track disclosure is “preferable,” website operators can opt instead to provide users with a link to a separate program that offers consumers a choice about online tracking.

The guidance, included in a 28-page report titled “Making Your Privacy Practices Public,” reflects the struggle pitting tech and e-retail industries, which have fought transparency mandates, against privacy groups seeking regulatory teeth. The same battle was fought over AB 370, Harris-sponsored legislation that started out in March 2013 as a bill simply requiring website operators to disclose whether they honor do-not-track signals. The bill that was eventually signed into law, and went into effect in January, permits an operator to meet that requirement by linking to a site giving consumers online tracking options.

Harris' privacy enforcement and protection unit crafted the voluntary recommendations on tracking and data collection disclosures after months of meetings with business groups, consumer advocates and academics.

“California has proven that robust and balanced privacy protections are consistent with a thriving innovation economy,” Harris said in a prepared statement. “This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state's privacy laws and allow consumers to make informed decisions.”

It's the same approach the attorney general took with her recent “Privacy on the Go” report, which offered recommendations, but not rules, for mobile app developers. See, http://bit.ly/1bX3ecD.

The report offers the legal wiggle room some compliance lawyers were seeking by specifying that the recommendations in “some places offer greater privacy protection than required by existing law” and “are not regulations, mandates or legal opinions.” Some attorneys had warned that plaintiffs' attorneys would treat the attorney general's guidelines as minimum legal standards without such a caveat.

The guidelines also urge online companies to disclose whether third parties are collecting users' personally identifying information and what the site itself does with customer data that goes beyond what's needed just to complete a transaction.

Harris' office issued statements from Scott Taylor, chief privacy officer from Hewlett-Packard, and John Simpson, the director of Consumer Watchdog's privacy project, praising the recommendations.

“Too many privacy policies are incomprehensible legalese,” Simpson wrote. “The best practices spelled out by the California Attorney General if adopted by companies would put privacy policy statements in straightforward, understandable language.”


Cheryl Miller writes for The Recorder, the San Francisco-based ALM sibling of Internet Law & Strategy. She can be reached at [email protected].
