In 2012, Attorney General Harris created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. The unit also works to educate consumers and recommend best practices to businesses on privacy-related issues.
In 2014, Attorney General Harris’ Privacy Enforcement and Protection Unit consulted with numerous stakeholders from the business sector, academia, and privacy advocates, and developed the recommendations described in this alert.
- scope of policy
- data collection
- online tracking/do not track
- data use and sharing
- individual choice and access
- security safeguards
- effective date, and
The guide sets forth detailed recommendations on how to create meaningful privacy policies that do more than simply meet legal requirements.
Scope of Policy
Companies should explain the scope of their privacy policies. For example, a policy may apply only to online data collection and use practices, or it may also apply to a company’s offline practices. The explanation of the scope should also clearly set forth the entities covered by the policy, such as any subsidiaries or affiliates.
For Web sites, policies should be posted conspicuously. So visitors can easily locate the policy, the link should be on the homepage and every page where personal information is collected; the link should be in a larger font, perhaps in a contrasting color; and should contain the word “privacy.”
For online services such as mobile applications, links to the policy should be on the platform page as well as within the actual application (such as a settings page or “information” page). Users must be able to view the policy before they download an application.
In general, privacy policies should be written in plain language. This means: (1) minimizing technical or legal jargon; (2) using short sentences; (3) using the active voice; (4) using titles and headers; (5) possibly providing the policy in multiple languages; and (6) considering the format of the policy on the screens on which it will be read.
In general, personally identifiable information is any information relating to an identified or identifiable natural person. It includes any piece of information that can be used to uniquely identify or trace an individual’s identity, alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.3
Online Tracking/Do Not Track
Online tracking is invisible to consumers. Consumers whose browsers send a DNT signal cannot easily determine how a site or service responds to the signal. Thus, the guidance recommends:
- Describe how the Web site responds to DNT signals or similar mechanisms. The description may explain whether the Web site treats visitors whose browsers send DNT signals are treated differently or whether the Web site responds at all to DNT signals.
- If a policy does not describe a Web site’s response to DNT signals, it should contain a conspicuous link to a program that offers consumers a choice about online tracking, along with a brief, general description of what the program does.
- Disclose the effect of the program. For example, does participation result in the cessation of collection of personally identifiable information across Web sites or online services over time?
- Make sure that the linked page clearly identifies steps consumers must take to exercise the choice offered by the program.
- Disclose whether other parties collect personally identifiable information on the Web site or service, if any. If so:
- Are they only approved parties?
- How does the company verify that authorized third parties are not bringing unauthorized parties to the company’s site or service to collect personally identifiable information?
- Can the company ensure that authorized third-party trackers comply with its DNT policy?
Data Use and Sharing
- a list of the different types or categories of companies with which the company shares personally identifiable information
- links to privacy policies of third parties with whom the company shares personally identifiable information, and
- the retention period for each type or category of personally identifiable information collected.
Individual Choice and Access
Additionally, consumers should be provided with an opportunity to review and correct their personal information. Of course, prior to granting access to personal information, companies should verify identities and authenticate access rights, particularly with respect to sensitive information. Companies should then carefully document any changes or corrections to personal information through audit logs or transaction histories.
1 To view the full publication, please see http://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.
2 To review a copy of the guidance, please see http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions.
3 For a detailed definition of “personally identifiable information” in California, see California Senate Bill No. 46 (can be viewed at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB46).
Sharon R. Klein and Melissa L. Nuñez