Drafting a Privacy Policy? Cal. Attorney General's Helpful Guide
Privacy policies. They're a thing of beauty, aren't they?
Most are jargon-filled nonsense; you'd need a law degree and intimate familiarity with the latest data privacy and tracking trends just to get the overall gist. Then again, nobody reads them anyway, nor do they read companies' Terms of Service or other shrinkwrap licenses. And almost nobody knows about data mining and the failed "Do Not Track" (DNT) standard.
The truth is, most online companies play some part in data mining for advertising purposes, either directly (Google) or indirectly (embedded third-party advertising networks). There's a saying: you either pay for the product, or you are the product.
California doesn't want to support such ignorance, however. The state's privacy laws require companies to disclose their data practices, including, as of January 1, 2014, how the company treats DNT. And this past week, the state's Attorney General's Office released materials that will help companies comply with the new rules.
As California Goes ...
California has some of the strictest privacy legislation on the books, and it began with the California Online Privacy Protection Act of 2003 (CalOPPA), a broad law that requires privacy policies to address what personally identifiable information is being tracked, with whom the information is being stored, and whether there is a process for reviewing and requesting changes to that data.
Last year, the law was amended by AB 370 to require a site to disclose how it treats a browser DNT signal and whether other parties might be conducting online tracking on that site or service (the third-party trackers). DNT is a signal, sent by a browser, that tells a site not to track the user's activity. Unfortunately, almost no sites comply with the voluntary standard, as they rely on advertising revenue.
For many online companies, the best legal practice is to comply with the strictest laws, which means CalOPPA and AB 370 should be accounted for through updated privacy policies. Fortunately, the state is offering help.
'Making Your Privacy Practices Public'
This month, California Attorney General Kamala Harris's office released a guide that provides information on the two laws, as well as tips and recommendations for drafting your own privacy policy. The guide seeks to help companies "craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format," which should help with the "nobody reads this anyway" issue.
Though the manual is neither a regulation nor a law, it does provide insight into how the state will interpret and enforce the law. According to The New York Times, Harris's office will review companies' policies and help them comply with the law. Those who don't will receive 30-day warnings before litigation becomes an option.
If you are an online company, is your privacy policy CalOPPA and AB 370 compliant? Does DNT need more teeth?