Attorney General Kamala D. Harris Issues Guide on Privacy Policies and Do Not Track Disclosures

Wednesday, May 21, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris today issued a series of recommendations for businesses that directly address recent changes to California privacy law. The guide, Making Your Privacy Practices Public, provides businesses with an up-to-date resource to craft a useful, transparent privacy policy for consumers.

“California has proven that robust and balanced privacy protections are consistent with a thriving innovation economy,” Attorney General Harris said. “This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.”

In 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

In 2012, Attorney General Harris created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. The unit also works to educate consumers and recommend best practices to businesses on privacy-related issues.

After receiving requests from the business community regarding privacy policy requirements, Attorney General Harris’ Privacy Enforcement and Protection Unit consulted with numerous stakeholders from the business sector, academia and privacy advocates in developing these recommendations.

The guide is available here: http://bit.ly/RUh7Do

Key recommendations from the guide include:

  • Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or similar mechanisms within your privacy policy instead of providing a link to another website.
  • If third parties are or may be collecting personally identifiable information, say so in your privacy policy.
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • Describe what personally identifiable information you collect from users, how you use it and how long you retain it.
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
  • Use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format. Use graphics or icons instead of text.

“HP commends the work of California in establishing expectations-based guidance for privacy as it strikes the right balance between innovation and the protection of legitimate consumer rights,” said Scott Taylor, Vice President and Chief Privacy Officer, Hewlett-Packard.

“I applaud the California Attorney General's publication of best practices for communicating with citizens about privacy. Their common-sense recommendations are clear, readable, useful, and mercifully short. Companies will understand how to comply with the letter and spirit of California transparency laws. In particular, I am delighted to see a light-touch legislative approach for transparency around Do Not Track,” said Aleecia McDonald, Director of Privacy, Center for Internet and Society, Stanford Law School.

“Publication of Making Privacy Practices Public is an important step toward helping consumers understand what companies do with the data they collect about them. Too many privacy policies are incomprehensible legalese. The best practices spelled out by the California Attorney General, if adopted by companies, would put privacy policy statements in straightforward, understandable language,” said John Simpson, Director of Privacy Project, Consumer Watchdog.

Attorney General Harris has been a staunch advocate for policies that both protect consumers’ personal information online and foster the continued growth of California’s robust technology economy.

Most recently, Attorney General Harris issued recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks. The guide, Cybersecurity in the Golden State, provides recommendations focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50% of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31% were aimed at those with fewer than 250 employees. (http://bit.ly/1p9DGiA)

In 2013, Attorney General Harris issued a guide, Privacy on the Go: Recommendations for the Mobile Ecosystem, which provided app developers with recommendations to develop strong privacy practices, translate those practices into mobile-friendly policies, and coordinate with industry actors to promote transparency. (http://bit.ly/1lZIZAC)

In October 2012, Attorney General Harris sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. (http://bit.ly/1lZIEOv) In December of that year, the Attorney General filed the first legal action against Delta Airlines, Inc. for its failure to do so. (http://bit.ly/1k2y6Pb)

In February 2012, Attorney General Harris reached an agreement among the seven leading mobile and social app platforms - Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion (now Blackberry) - which required that mobile apps provide privacy policies that users could find in a consistent location in the platform store and review before downloading an app. (http://bit.ly/1nkfUiF)

# # #