Privacy policies. They're a thing of beauty, aren't they?
Most are jargon-filled nonsense; you'd need a law degree and intimate familiarity with the latest data privacy and tracking trends just to get the overall gist. Then again, nobody reads them anyway, nor do they read companies' Terms of Service or other shrinkwrap licenses. And almost nobody knows about data mining and the failed "Do Not Track" (DNT) standard.
The truth is, most online companies play some part in data mining for advertising purposes, either directly (Google) or indirectly (embedded third-party advertising networks). There's a saying: you either pay for the product, or you are the product.
California doesn't want to support such ignorance, however. The state's privacy laws require companies to disclose their data practices, including, as of January 1, 2014, how the company treats DNT. And this past week, the state's Attorney General's Office released materials that will help companies comply with the new rules.
As California Goes ...
California has some of the strictest privacy legislation on the books, and it began with the California Online Privacy Protection Act of 2003 (CalOPPA), a broad law that requires privacy policies to address what personally identifiable information is being tracked, with whom the information is being stored, and whether there is a process for reviewing and requesting changes to that data.
Last year, the law was amended by AB 370 to require a site to disclose how it treats a browser DNT signal and whether other parties might be conducting online tracking on that site or service (the third-party trackers). DNT is a signal, sent by a browser, that tells a site not to track the user's activity. Unfortunately, almost no sites comply with the voluntary standard, as they rely on advertising revenue.
For many online companies, the best legal practice is to comply with the strictest laws, which means CalOPPA and AB 370 should be accounted for through updated privacy policies. Fortunately, the state is offering help.
'Making Your Privacy Practice Public'
Though the manual is neither a regulation nor a law, it does provide insight into how the state will interpret and enforce the law. According to The New York Times, Harris's office will review companies' policies and help them comply with the law. Those who don't will receive 30-day warnings before litigation becomes an option.