In 2012, Attorney General Harris created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. The unit also works to educate consumers and recommend best practices to businesses on privacy-related issues.
In 2014, Attorney General Harris’ Privacy Enforcement and Protection Unit consulted with numerous stakeholders from the business sector, academia, and privacy advocates, and developed the recommendations described in this alert.
The guide sets forth detailed recommendations on how to create meaningful privacy policies that do more than simply meet legal requirements.
Scope of Policy
Companies should explain the scope of their privacy policies. For example, a policy may apply only to online data collection and use practices, or it may also apply to a company’s offline practices. The explanation of the scope should also clearly set forth the entities covered by the policy, such as any subsidiaries or affiliates.
For Web sites, policies should be posted conspicuously. So visitors can easily locate the policy, the link should be on the homepage and every page where personal information is collected; the link should be in a larger font, perhaps in a contrasting color; and should contain the word “privacy.”
For online services such as mobile applications, links to the policy should be on the platform page as well as within the actual application (such as a settings page or “information” page). Users must be able to view the policy before they download an application.
In general, privacy policies should be written in plain language. This means: (1) minimizing technical or legal jargon; (2) using short sentences; (3) using the active voice; (4) using titles and headers; (5) possibly providing the policy in multiple languages; and (6) considering the format of the policy on the screens on which it will be read.
In general, personally identifiable information is any information relating to an identified or identifiable natural person. It includes any piece of information that can be used to uniquely identify or trace an individual’s identity, alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.3
Online Tracking/Do Not Track
Online tracking is invisible to consumers. Consumers whose browsers send a DNT signal cannot easily determine how a site or service responds to the signal. Thus, the guidance recommends:
Data Use and Sharing
Individual Choice and Access
Additionally, consumers should be provided with an opportunity to review and correct their personal information. Of course, prior to granting access to personal information, companies should verify identities and authenticate access rights, particularly with respect to sensitive information. Companies should then carefully document any changes or corrections to personal information through audit logs or transaction histories.
1 To view the full publication, please see http://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.
2 To review a copy of the guidance, please see http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions.
3 For a detailed definition of “personally identifiable information” in California, see California Senate Bill No. 46 (can be viewed at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB46).
For further reading, please see:
Sharon R. Klein and Melissa L. Nuñez
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.