California Attorney General Kamala Harris today released guidelines to help websites comply with a state law that went into effect on January 1, 2014, pertaining to online tracking disclosures.
Many web browsers provide users with a “Do Not Track” preference tool, which can send a signal to websites informing them that the user does not wish to be tracked. In recent years, regulators, lawmakers, and consumer groups have attempted to require websites to honor these browser-based “Do Not Track” signals, but neither regulatory agencies nor Congress have enacted such requirements; and, to date, industry groups have been unable to agree on a uniform Do Not Track standard.
California, for its part, has been unique in that it enacted a law that went into effect on January 1, 2014, that requires websites to, among other things, explain whether and how they respond to Do Not Track requests. But because the law itself does not provide many details about how website operators can comply with this requirements, Attorney General Harris today released guidelines that contained the following recommendations for compliance with this requirement:
- Are consumers treated differently if their browsers send Do Not Track signals?
- If the website receives a Do Not Track signal from a browser, does the website still collect personally identifiable information about a consumer’s browsing activities over time and across third-party sites and services? If so, describe the use of this information.
- Does the page to which the site links contain a “clear statement about the program’s effect on the consumer, i.e., whether participation results in stopping the collection of a consumer’s personally identifiable information across web sites or services over time?”
- Does the page make clear how a consumer can exercise the choice about online tracking?
- Disclosure of Third Parties that Track Online Behavior: The website should state whether other parties are or may be tracking visitors to the website or service. Harris writes that website operators should consider the following questions when making this disclosure:
- Is the personally identifiable information only available to approved third parties?
- How would the website operator verify that unauthorized third parties are not collecting personally identifiable information?
- Can the website operator ensure that third parties comply with the site’s Do Not Track policy?
Jeff Rabkin, California’s special assistant attorney general on technology and privacy matters, told the New York Times that if Harris’s office determines that a website does not comply with the new law, the site will have 30 days to become compliant.