California Attorney General Offers Guidance On Do Not Track, Third-Party Sharing Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Laura Mahoney  

May 21 --California Attorney General Kamala Harris (D) May 21 released best practices recommendations for businesses that must comply with changes to the state's privacy laws requiring them to notify consumers about their do not track policies and procedures.

The guidance advises businesses on how to craft their general privacy policy statements to include information about do not track procedures and whether third parties can collect information about a website's users. The attorney general released the guidance after circulating a draft and taking comments from industry groups and attorneys .

“This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state's privacy laws and allow consumers to make informed decisions,” Harris said in a May 21 statement.

The guide says it isn't a regulation, mandate or legal opinion, but it is a resource that can help businesses comply or go beyond privacy requirements under California law.

New Do Not Track Notice Law

The attorney general developed the guide in response to A.B. 370, signed into law in September 2013 and effective Jan. 1. The bill, which Harris sponsored, amended California's Online Privacy Protection Act, Cal. Bus. & Prof. Code §§22575-22579.

The law requires operators of websites and online services that collect personally identifiable information about consumers to explain their do not track policies and procedures. It doesn't require the sites to honor do not track requests, but it requires websites to inform consumers if they disclose consumer data to third parties.

Melissa Krasnow, a partner with Dorsey & Whitney LLP in Minneapolis, told Bloomberg BNA May 21 that the guidance makes it clear that if businesses follow the recommendations they will meet minimum legal requirements, and possibly exceed them.

Important Recommendations

According to the attorney general's statement, the guide recommends that businesses collecting personally identifiable information about consumers:

• prominently label the section of their privacy policies regarding online tracking, for example: “California Do-Not-Track Disclosures”;

• describe how they respond to a browser's do not track signal or similar mechanisms within their privacy policies instead of providing a link to another website;

• say in the policy if third parties are or may be collecting personally identifiable information;

• explain their uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or application;

• describe what personally identifiable information they collect from users, how they use it and how long they retain it;

• describe the choices a consumer has regarding the collection, use and sharing of his or her personal information; and

• use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format, and use graphics or icons instead of text.


Updating Privacy Policies

Although some companies have updated their privacy policies since A.B. 370 took effect in January, many were waiting for the attorney general to release the guide, Krasnow said. Now that it is out, companies should take a close look at updating their privacy policies, she said.

The guidance clearly applies to mobile applications as well as websites, and Harris has shown an interest in enforcing privacy laws against mobile applications through her case against Delta Air Lines Inc. , Krasnow said.

In January 2013, the attorney general issued guidance for mobile app software developers on how to comply with the state's privacy laws .

Although it isn't a binding regulation or legal opinion, the guidance could play a role in future enforcement actions from the attorney general's office, Krasnow said. Enforcement could focus on companies without privacy policies, or on companies that have policies the attorney general considers to be inadequate.


To contact the reporter on this story: Laura Mahoney in Sacramento, Calif. at

To contact the editor responsible for this story: Heather Rothman at

The guide, “Making Your Privacy Practices Public,” is available at

Request Bloomberg Law Privacy and Data Security