It is imperative that companies examine their data privacy and security policies and practices to make sure that they are compliant with recent changes in federal and state laws, regulatory guidance and evolving enforcement priorities affecting consumer data protection. In addition, privacy policies that are legally required to be posted on websites, mobile applications and other online services must be reviewed from time to time to ensure their continued accuracy. Your company’s practices may have changed during the past year or so, and your policies may no longer be complete or accurate – and thus may need to be updated to avoid misrepresentation and deceptive omission claims.
As of January 1, CalOPPA now also requires the operator to disclose: (6) how the operator responds to “Do Not Track” signals or other mechanisms giving consumers the ability to exercise choice over the collection of personal information over time and across third-party websites or online services, if the operator engages in the collection of such information; and (7) whether other parties may collect such information over time and across different websites when a consumer uses the operator’s site or service.
On May 21, California Attorney General Kamala Harris issued guidance for businesses, titled “Making Your Privacy Practices Public,” on how to comply with recent updates to CalOPPA. The guidance is intended to encourage companies to draft transparent online privacy notices. It recommends, among other items, that website operators’ online privacy notices should:
- Prominently label the section of their privacy policies regarding online tracking, for example: “California Do Not Track Disclosures”
- State in the policy whether third parties are or may be collecting personally identifiable information
- Explain uses of personally identifiable information beyond the uses necessary for fulfilling the basic functionality of the online service
- Provide links to the privacy policies of third parties with whom the website operator shares personally identifiable information
- Describe the choices a consumer has with respect to the collection, use and distribution of his or her personal information
- Use plain, straightforward language that avoids legal jargon and a format that makes the policy readable, such as a layered format
The guidance is only the most recent illustration of the need for organizations to carefully vet their privacy policies. Misrepresentations in privacy policies can lead to investigations, not only by the California Attorney General, but also by the Federal Trade Commission (FTC) under Section 5 of the FTC Act. We expect to see continued enforcement against companies that have inaccurate privacy policies or policies that fail to meet the requirements set forth in various privacy laws and regulations.
Jesse Brody is a Certified Information Privacy Professional (accredited by the International Association of Privacy Professionals) and a partner in the Advertising, Marketing and Media division of Manatt Phelps & Phillips LLP, based in the firm’s Los Angeles office. He can be reached at [email protected] or (310) 312-4173.