In the wake of numerous high-profile breaches of user privacy and complaints about sites that track the online activity of users, California Attorney General Kamala Harris has released a 28-page set of recommendations for how website operators communicate about their privacy, information collection and data-sharing practices.

While not carrying the force of law, the guidelines spelled out in Making Your Privacy Protections Public are recommended best practices that expand on California's Online Privacy Protection Act of 2003 (CalOPPA). That Act was amended in 2013 specifically to address the issue of online tracking, which enables websites to personalize user experience, deliver targeted advertising, and make other uses of the data.

The policies are intended to reform the common practice among website operators to post lengthy privacy policies that "often fail to address data-handling practices of concern to consumers or offer them meaningful choices about the collection and use of their data."

Here are highlights of the recommendations:

  • Availability: Make your privacy policy conspicuously available, such as a "privacy" link on your home page that is in larger type than surrounding text.
  • Readability: Use plain, straightforward language and avoid technical or legal jargon. Use a format that makes the policy more easily readable by consumers.
  • Online Tracking/Do Not Track: Make it easy for consumers to find your policy regarding online tracking by labeling it. The report gives examples such as "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."
  • Tracking Disclosure: Describe how you respond to a browser's Do Not Track (DNT) signal or to other such mechanisms.
  • Third Party Tracking: State whether other parties are or may be collecting the personally identifiable information of consumers while they are on your site or service.
  • Data Use and Sharing: Explain your uses of personally identifiable information beyond what is necessary to fulfill a customer transaction or for the basic functionality of an online service.
  • Third Party Policies: Provide a link to the privacy policies of third parties with whom you share personally identifiable information.
  • Consumer Choice: Describe the choices a consumer has regarding the collection, use and sharing of their personal information.
  • Contact Information: Tell your customers whom they can contact with questions or concerns about your privacy policies and practices.

The recommendations also note that "personally identifiable information" includes passively collected information, like device identifiers and geo-location data.

The new guidelines expand on and consolidate previously published recommendations from the Attorney General's Privacy Enforcement and Protection Unit in the publications Privacy on the Go: Recommendations for the Mobile Ecosystem, and the California Office of Privacy Protection's Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements.

In addition to the guidelines, the document also includes Sections 22575-22579 of California's Business and Professions Code, which specifically address the obligations of website operators to protect the privacy of user data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.