The amendment added two new requirements to California's so-called CALOPPA:
- the operator’s response to a browser DNT signal or to “other mechanisms,” and
- the possible presence of other parties conducting online tracking on the operator’s site or service.
Now the Attorney General’s office of California has released another guide for website owners and developers (yes, mobile app owners as well). This time the guide covers the Do Not Track requirement and how to make sure you comply with it.
You can read and download the Do Not Track guide “Making your Privacy Practices Public” here.
The key takeaways of the guide can be summarized like this:
- Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures.”
- Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
- Describe what personally identifiable information you collect from users, how you use it and how long you retain it.
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
- Use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format. Use graphics or icons instead of text.
As you can see, only the first two takeaways are about Do Not Track itself. That’s because the underlying goal is quite simple: tell your visitors what Do Not Track does on your site, or what it doesn’t.
I’m pasting in the larger recommendations regarding Do Not Track in their entirety for you below:
Make it easy to find the Do Not Track section of your policy.
Clearly identify the section in which you describe your specific policy regarding online tracking or how you respond to consumers’ DNT signals. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
Describe how you respond to a browser’s DNT signal or to another such mechanism.
In our policies we have a statement that by default assumes that you do not honor or react to Do Not Track requests.