Website privacy policies are a ubiquitous fact of web life, intended to allow users to easily understand the personal information being collected by a website and how that site uses and shares that information. Over time, however, privacy policies have gotten longer, denser and exceedingly complex—a seeming embodiment of the "Go Big or Go Home" ethos. Consequently, privacy policies have become less useful, and few consumers understand or even try to read them. However, with the publication earlier this year of Making Your Privacy Practices Public (the Guide), the Attorney General of California (CAG) tackled this issue head-on, seeking to reverse the trend and make privacy policies more meaningful.
The State of California has long been the leader in promoting privacy on the Web. With the California Online Privacy Protection Act of 2003 (CalOPPA), California was the first state to require websites to post privacy policies, and later confirmed that this obligation applied to mobile sites as well. The CAG formed a Privacy Enforcement and Protection Unit to educate consumers, provide guidance to businesses and enforce both federal and state privacy laws. Most recently, the California Legislature passed AB 370, which amended CalOPPA to require disclosures regarding online tracking. While, on their face, the privacy laws of California apply only to companies collecting personally identifiable information of California residents, the CAG's aggressive focus on privacy, coupled with, as the Guide notes, California's "economic importance and the borderless world of online commerce," makes California law required reading for all website operators.
The Guide provides a full set of recommendations for drafting privacy policies, and much of what it presents are common sense explanations of the text of CalOPPA. The real advancement fostered by the Guide, however, is two-fold. First, it provides guidance on the newly required disclosure of online tracking under CalOPPA. Second, and more importantly, the CAG used the Guide to focus on how to make privacy policies more meaningful to users. This focus ushers in, what I call, "Privacy Policies 2.0"—a realization that in drafting privacy policies, much like a meal at a 4-Star restaurant, presentation is just as important as substance.
Disclosure of Online Tracking Activities
The issue of "online tracking" has generated much confusion. The term refers not to the relatively harmless tracking of a site user as he or she moves around a particular site, but rather to the collection of data over time regarding an individual's Internet activity as that person moves from site to site. Such information is used to deliver targeted advertisements. Such tracking is seen as particularly invasive of one's privacy and, as a result, most web browsers allow users to set their preferences such that the browser can send a signal to sites that the user does not want to be tracked. While industry groups have proposed "do not track" (DNT) rules or standards for the technology and meaning of DNT, no consensus has been reached and currently there is no legal requirement for how websites or advertising networks must respond to a DNT signal.
California's AB 370 sought to fill the void by requiring website operators that collect personally identifiable information from citizens of California to make two disclosures regarding online tracking:
- disclose how the operator responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in that collection; and
- disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.
While it is clear that the amendment does not prohibit online tracking or mandate how an operator should respond to a DNT browser signal, the wording of the required disclosures is less clear. The CAG has now provided clarification. As for the first disclosure requirement, the Guide makes clear that an operator must disclose the operator's response to a browser DNT signal, but only if the operator engages in online tracking. As for the second requirement, disclosure should be made as to "the possible presence of other parties conducting online tracking on the operator's site or service."
Additional recommendations for disclosure beyond that required by the statute are provided as well. For example, where a site responds to a DNT signal, the CAG encourages disclosing whether (1) consumers whose browsers send a DNT signal are treated differently from those whose browsers do not and (2) personally identifiable information about a consumer's browsing activities across the Internet is still collected notwithstanding that a DNT signal is received.
The CAG recognizes that many companies do not fully understand the scope of third-party data collection on their site. This may result from a company's marketing function contracting with outside parties without involvement from its technology or legal departments or because authorized third-party trackers may bring unauthorized parties to the site. The Guide therefore suggests that operators "confirm your tracking practices with those responsible for your site's or service's operations to ensure that your practices correspond to what you say in your policy."
Privacy Policies 2.0 – A Focus on Presentation
- Use plain, straightforward language. Avoid technical or legal jargon.
- Use short sentences. Use the active voice.
- Use titles and headers to identify key parts of the policy. For example, it is suggested that operators should make it easy to find the section describing the online tracking policy by labeling it, for example: "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."
- Consider providing your policy in languages other than English.
Formatting is also addressed with the following suggestions:
- Use a layered format that highlights the most relevant privacy issues.
- Use graphics or icons to help users easily recognize privacy practices and settings.
- Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
As a result of these suggestions, it appears that the old adage for privacy policies to "say what you do and do what you say," may not be enough anymore. Now the regulators will increasingly look at how you say it.
Balancing Substance vs. Form
What to do then? The answer is to create two or more notices: a long form and supplemental "simpler, shorter privacy notices to alert consumers to potentially unexpected data practices." As the Guide explains:
"Rather than describing the full range of data practices, such a [supplemental] privacy notice would be delivered in context and ‘just-in-time,' and would address a specific practice. For example, mobile device operating systems that use location data often deliver a notice just before collecting the location data and give users an opportunity to allow or prevent the practice."
The Guide is a valuable resource and offers "best practices" for the drafting of privacy policies but they are not, as the CAG admits, regulations, mandates or legal opinions and "in some places offer greater privacy protection than required by existing law." The CAG believes that following the Guide will make privacy policies "more effective and meaningful than a policy that simply meets minimum legal requirements." Still, one does not have to be too paranoid to feel that enforcement efforts will seek compliance with these best practices, leaving to website operators the unenviable task of arguing that the recommendations go beyond the law.
But if the goal is to make privacy policies more meaningful, I believe the lasting value of the Guide will be in ushering in the next generation of Privacy Policies.