California Sets Expectations for Online Behavioral Tracking Disclosures
Seller Beware: Consumer Protection Insights for Industry
In a recently released guidance document, Making Your Privacy Practices Public, the issuance of which was anticipated for almost six months, the California Attorney General has provided guidance on how websites and online services should disclose their practices regarding the collection and use of personal information, in particular with respect to behavioral tracking. The plan for the guidance was announced in December 2013, shortly after the enactment of amendments to the California Online Privacy Protection Act (CalOPPA). Under those amendments, as explained in our prior blog on a group of privacy-related bills enacted in California last fall, as of January 1, 2014, operators of websites or online services (including mobile applications) must include in their privacy policies disclosures of (1) how the operator responds to a browser "Do-Not-Track" (DNT) signal or to other mechanisms under which consumers may indicate they do not want their online activities followed, and (2) whether third parties may conduct online tracking on the operator's site or service.
These amendments generated considerable discussion about precisely what needed to be stated in online privacy policies to ensure compliance. In response, the California Attorney General, whose Privacy Enforcement and Protection Unit both enforces federal and state privacy laws and engages in educational outreach to consumers and businesses, consulted with privacy advocates, stakeholders from a variety of business sectors, and academics about how the amendments should be interpreted and implemented, as well as about more general "best practices" for online privacy protection and disclosures consistent with the mandates of CalOPPA.
The resulting guidance covers not only the behavioral tracking amendment disclosure requirements, but also other aspects of CalOPPA, including its scope. As the Guidance confirms, CalOPPA is not limited in application to businesses located in California; it applies to any operator of a commercial website or online service that collects "personally identifiable information" through the Internet about individual consumers residing in California. And by defining "personally identifiable information" broadly, the statute has a reach considerably more extensive than other privacy statutes in the United States. Under CalOPPA, the term includes not only an individual's name, address, e-mail address or phone number, but also:
- Any other identifier that permits the physical or online contacting of a specific individual, or
- Information concerning a website or online service user that the site or service collects online from the user and maintains in personally identifiable form in combination with another enumerated identifier.
The guidance emphasizes this breadth, specifically stating that "[i]t should be noted that the last two types [of information] listed above can be understood to include information that is collected passively by the site or service, such as device identifier or geo-location data."
This has some significance for websites whose privacy policies appear to treat Internet Protocol (IP) addresses as not being personally identifiable information, particularly because the new requirement to disclose a website or online service operator's response to DNT signals applies whenever the operator collects "personally identifiable information," as defined in CalOPPA, by tracking a consumer's online activities over time and across third-party websites or online services. Operators who might have interpreted this requirement to exclude some "anonymous" tracking of Internet users are now on notice that, to the extent an IP address might be used to locate an individual through his or her computer, collection of that address would be deemed to be collecting "personally identifiable information" for purposes of CalOPPA.
What about tracking a website or online service user's activities "over time" but only on your own website or online service? Does that trigger a DNT disclosure requirement, or is the disclosure required only when personally identifiable information is collected about an individual's online activities "over time and across third-party Web sites or online services"? The guidance appears to confirm that the statute's reference to "and" means only operators that track across others' websites or online services must provide the disclosure: it describes the "practice of online tracking" as "collecting personally identifiable information about consumers as they move across different websites or online services over time."
But, as in many consumer protection contexts, disclosure requirements for website and online service operators set the bar higher for satisfying consumer demands. In the context of online behavioral tracking, the disclosures prompted by the new CalOPPA amendments are likely to encourage specific standards for responding to DNT signals. In the meantime, online operators that engage in tracking will benefit from a close review of the Guidance for purposes of determining their own "best practices" in this area.
© Arnold & Porter Kaye Scholer LLP 2014 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.