Say What You Do and Do What You Say: Guidance for Privacy Policies, and for Life
Last Wednesday, California Attorney General Kamala Harris issued much-anticipated guidance on public-facing privacy statements - "Making Your Privacy Practices Public" (the "Guidance"). The result of months of discussions with stakeholders, the recommendations are largely common sense. They are "intended to encourage companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format." Many of the recommendations are nothing new - and our readers are likely to find that their privacy policies already incorporate many of the suggested approaches. But some of the recommendations are new and/or might not be appropriate for certain kinds of organizations. In that respect, it is important to point out that the AG's recommendations "are not regulations, mandates or legal opinions. Rather, they are part of an effort to encourage the development of privacy best practices."

Further, with respect to the significant portion of the Guidance focused on the new Do Not Track disclosure requirements, the AG is quick to note that "[t]here is no legal requirement for how operators of web sites or online services must respond to a browser's DNT signal." Like so many things in privacy, the best approach is the one you would teach your kids. To quote the AG: the California Online Privacy Protection Act ("CalOPPA") requires operators of commercial web sites and online services that collect personally identifiable information (PII) about Californians to "say what they do and do what they say."

Following is a brief overview of the highlights of the Guidance itself, and (perhaps more interestingly) more insight on some of the telling language in the AG's Introduction.
Highlights from the Guidance
First, the Guidance itself. None of this should come as a surprise:
- Scope: What does your privacy policy cover? Online? Online and offline? Which corporate entities and websites/online services are included?
- Availability: Make sure the policy is conspicuously available. Use the word "privacy" in your link. CalOPPA already requires this (Cal. Bus. & Prof. Code section 22577(b)). Observation: For those of you who have been paying attention, the law still requires this, and the AG highlights it, despite arguments from some legislators and privacy advocates that using the word "privacy" is deceptive. (See, e.g., CA AB 242, which died earlier this year.) It is not deceptive. It is the law.
- Readability: Use plain English and lots of headings. Consider using a layered policy and graphics or icons, especially for mobile formats.
- Data Collection: Describe how you collect PII, including if you collect it from third party sources. If you collect PII through "technologies such as cookies or web beacons, describe how you do so." Also, take note - "[b]e reasonably specific" in describing the kind of PII you collect.
- Data Use and Sharing:
  - Explain how you use and share PII, especially (but not only) how you use it "beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service."
  - When you discuss your sharing of PII, make sure to include affiliates and marketing partners. Observation: I get the question about affiliates a lot. It is a good idea to describe what you are sharing with affiliates, and separately what you are sharing with non-affiliated third parties. Financial institutions regulated by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (FCRA) are required to do this in their privacy statements. It is not a bad idea for everyone else, too.
  - The AG says that "[a]t a minimum," you should list the different types or categories of companies with which you share PII. Observation: this suggests that the AG might expect even more detail in certain circumstances.
  - Apropos of the immediately preceding point, the AG even says that, "[w]henever possible," you should provide links to the privacy policies of third parties with whom you share PII. Observation: I am not sure this is always a consumer-friendly practice, and it may even increase the risk of misrepresentation for some organizations. Many large organizations (and even some smaller organizations) share with a number of third parties for various purposes (even if we are just talking about service providers, never mind third party marketers). And those third parties and affiliates are often constantly changing. That means that a privacy policy that links to lots of third party privacy policies may become obsolete or even inaccurate very quickly. And we all know how difficult it is to make material retroactive changes to a privacy policy (more on that below). This linking practice is likely to require constant updates, something that most organizations don't have the time or resources to support. More importantly, it is extremely confusing to customers.
  - The AG also lumps data retention under this category, stating that organizations should provide the retention period for each type or category of PII collected. Observation: This is not required by CalOPPA, but it is required in certain circumstances if your organization is subject to the laws of EU member countries or certain other non-US jurisdictions. Again, you need to very carefully determine your actual practices, and your data retention needs (for business and legal purposes - think, for example, litigation holds) before you memorialize this in writing on your website. Talk to your litigators and outside counsel.
- Individual Choice and Access:
  - Describe the choices users have regarding collection, use and sharing, and provide instructions on how individuals can exercise those choices.
  - Keep records of preferences and implement them within a reasonable time.
  - Much like the requirements of FCRA, EU member countries and certain other non-US jurisdictions, consider offering customers the opportunity to review and correct their PII. Explain how they can get access, make sure to authenticate them to mitigate security risks, and document changes to PII.
- Security Safeguards:
  - Explain how you protect PII from unauthorized or illegal access, modification, use or destruction. But don't say so much that you compromise your security. Observation: This second piece is a critical point not covered by CalOPPA.
  - The AG also says organizations should give a description of the measures they use to control the information security practices of third parties with whom they share PII. Observation: Many state laws, including California (Civil Code section 1798.81.5) and Massachusetts (201 CMR 17.00 et seq.), require that organizations have in place contractual provisions with third parties with whom they share PII to make sure those third parties maintain reasonable security safeguards. But be careful (especially if you are not a regulated financial institution or a HIPAA covered entity or business associate, or if you are not covered by one of the relevant state laws). Do all of your vendor contracts spell out how those third parties can use the PII? Do you really require all third parties to maintain reasonable safeguards? Can you prove it?
- Online Tracking:
  - When the CA AG uses the term "online tracking," it means the collection of PII about consumers "as they move across different web sites or online services over time."
  - The AG recommends that you make the section of your policy that addresses AB 370 (the Do Not Track disclosure law that amended CalOPPA) easy to find with a header such as "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures." Observation: if you don't engage in online tracking, but third parties on your site might do so, consider using a slightly different header like "Online Tracking by Third Parties" so as not to confuse your users. In other words, if you don't track, don't use a header that suggests you might be doing so.
  - The AG wisely counsels that you confirm your tracking practices "with those responsible for your site's or service's operations to ensure that your practices correspond to what you say in your policy." Observation: You should be doing this with respect to every single aspect of your privacy policy. Don't say anything that you don't know to be true. (See below re the potential for a violation of Section 5 of the FTC Act.) Talk to your marketing department, your IT and IS representatives, and your business stakeholders. Find out what your website and mobile app developers and other vendors are doing. Lawyers and privacy professionals cannot do this alone.
  - If You Track
    - If you do engage in online tracking, describe how you respond to a browser's DNT signal or to "another such mechanism." The AG states that it is preferable to describe your response in lieu of simply providing a link to a related "program or protocol" (even though the law allows this) because providing the description is more transparent. That being said, if you do use the link instead, the AG expects you to identify the program with a brief, general description of what it does. The AG suggests that you consider the following questions in describing your response:
      - "Do you treat consumers whose browsers send a DNT signal differently from those without one?"
      - "Do you collect [PII] about a consumer's browsing activities over time and across third-party web sites or online services if you receive a DNT signal?"
      - "If you do continue to collect [PII] about consumers with a DNT signal as they move across other sites or services, describe your uses of the information."
    - If you choose the linking approach:
      - "Do you comply with the program?" The AG is explicit that "Your answer should be, 'Yes.' Say so in your privacy policy."
      - "Does the page to which you link contain a clear statement about the program's effects on the consumer, i.e., whether participation results in stopping the collection of a consumer's [PII] across web sites or online services over time?"
      - "Does the page to which you link make it clear what a consumer must do to exercise the choice offered by the program?"
  - If Third Parties Track
    - State whether third parties "are or may be" conducting online tracking of consumers or visitors to your site or service (emphasis added). Observation: Do you know whether third parties are tracking on your site or service? Find out. But whatever you do, don't say it is not happening if you don't know for sure.
    - Consider the following issues:
      - "Are only approved third parties on your site or service collecting [PII] from consumers who use or visit it?"
      - "How would you verify that authorized third parties are not bringing unauthorized parties to your site or service to collect [PII]?"
      - "Can you ensure that authorized third-party trackers comply with your Do Not Track policy? If not, disclose how they might diverge from your policy." Observation: If you yourself don't track, you don't have a Do Not Track policy, so this consideration may not apply to you. But you still need to consider whether you can control the activities of these third parties.
- Effective Date (Also Material Changes):
  - Give the effective date of the privacy policy. Observation: This is a no-brainer and required by CalOPPA, but it is amazing how many privacy policies still don't do this.
  - As required by CalOPPA, explain how you will notify users of material changes. And - take note - "[d]o not rely on merely changing the Privacy Policy on your web site or online service as the exclusive means of notifying customers of material changes in your uses or sharing of [PII]." Observation: I get this question all the time. Per the FTC's longstanding guidance (see Gateway and the FTC's 2012 staff report: Protecting Consumer Privacy in an Era of Rapid Change), organizations need to provide notice and obtain affirmative express consent for material retroactive changes to their privacy policies. The AG's Guidance here appears to seek more than just posting on the website even if material changes are not retroactive. Food for thought.
  - Use good version control "to ensure that your Privacy Policy is uniform through the organization." Observation: Multinationals with dozens or even hundreds of privacy policies know how challenging this can be. Harmonization can be a major undertaking.
- Accountability:
  - Tell users whom they can contact with questions or concerns, and give "at minimum" a title and e-mail or postal address of a company official who will respond. The AG also would like to see a telephone number, "perhaps toll-free." Observation: it is fairly unusual to see a title or anything more than an e-mail or postal address. Consider whether it is feasible to do more, per the Guidance.
  - Train, train, train on responding to inquiries and on how users can get a copy of the policy.
More Insight
Aside from the Guidance itself, the document issued by the AG begins with an Introduction that sheds some light on the AG's expectations of privacy policies. I find this part more interesting. A few notes stand out:
Don't trash your long form privacy policy. The AG is interested in short, contextual privacy notices, but not to the exclusion of longer, more detailed privacy policies:
[T]here is still an important role for the comprehensive privacy policy statement that provides a fuller picture of an organization’s practices regarding the collection, use, sharing, disclosure and protection of personally identifiable information. Having to provide a comprehensive policy statement promotes data governance and accountability, requiring an organization to consider its data practices and then to ensure that its policies are complied with internally. In addition, like other transparency measures, a privacy policy that must be made public can serve as a catalyst, stimulating changes in practice. Comprehensive privacy policies also inform policy makers and researchers, whose findings often reach the general public through the media. And, as discussed below, a comprehensive privacy policy may be required by law.
Given the pressure from privacy advocates, some legislators, and even the FTC to reduce privacy policies to bullet points or nutrition labels, the AG's emphasis on this point is telling. The practical result is that we are still having to draft privacy policies for two audiences - for the consumer, keeping it as simple as possible, and for the more sophisticated audience that wants all the messy details. Simplicity and transparency do not always go hand in hand, especially when technology is so rapidly evolving. Thus the age-old dilemma continues, and the only practical solution, as recognized by the AG, may be to prepare layered policies.
This is not your grandma's PII. CalOPPA includes a non-exhaustive list of types of information that can be personally identifiable, including "[a]ny other identifier that permits the physical or online contacting of a specific individual" and "[i]nformation concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision." The Guidance notes that these two types of information "can be understood to include information that is collected passively by the site or service, such as a device identifier or geo-location data."
Such a definition of PII represents another move away from the traditional definition of PII in the US and in the direction of the European model, one that we have already seen evidenced in recent changes to the Children's Online Privacy Protection Act and in guidance from the FTC.
If you don't collect PII across websites or over time, you don't have to disclose how you respond to DNT signals. This is clear on the face of CalOPPA itself as amended by AB 370, but with all the noise out there that preceded the enactment of AB 370, it may have been lost in the shuffle. The Guidance is clear that an operator must disclose its response to a browser DNT signal or to other mechanisms that provide consumers the ability to exercise choice "only if the operator engages in the collection of [PII] about a consumer's online activities over time and across third-party web sites or online services" (emphasis added).
Despite the media focus on organizations that are engaged in online tracking, there are a lot of organizations out there that are not engaged in that activity - especially SMEs, but also some large organizations whose business models don't require such activity. Those organizations should take a step back and make sure they are not attempting to make disclosures in their privacy policies that would make no sense or, even worse, be false. DNT signals may not be an issue in your organization's life, and that's OK. Be grateful, and move on. You have plenty of other things to worry about, right?
What's missing? Shine the Light. This Guidance purports to be a consolidation of several previously published recommendations on aspects of privacy policy statements, including the California Office of Privacy Protection's Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements. That document, however, went into considerable detail on how organizations could incorporate into their privacy policies language that complies with California's Shine the Light law (Cal. Civil Code section 1798.83) by stating a policy of giving California residents the opportunity to opt in or opt out of PII-sharing with third parties for those third parties' own marketing purposes. Without such a statement in a privacy policy, organizations must comply with Shine the Light by identifying third parties with whom they share PII for such purposes, and the categories of such shared PII, in response to such a request from a California resident. The AG's choice to exclude such Shine the Light guidance from this most recent document is interesting, especially in light of the proliferation of Shine the Light class actions over the last three years.
Conclusion
Organizations should take heed of the California AG's Guidance, but should bear in mind throughout that misrepresentations or omissions could land them in hot water not only with the AG, but also with the FTC for a potential Section 5 violation. So, yes, say what you do - but make sure you really know what you do before you say it.