Guidelines for Privacy Policies and Do Not Track Signals

A pamphlet with guidelines for privacy and do not track policies for websites and mobile apps is available from the California Attorney General (AG).

While the guidelines focus on California law, it is helpful for websites based outside of California that collect personal data of California residents.  In the past, California has been at the forefront of data privacy policies, so the guidelines are useful for all websites and mobile apps.

“A meaningful privacy policy statement addresses significant data collection, and use practices, uses plain language, and is presented in a format that enhances its readability,” the “Making Your Privacy Practices Public Recommendations on Developing a Meaningful Privacy Policy” pamphlet states.

“As the use of personal information in commerce has expanded in scope and complexity, comprehensive privacy policy statements have tended to become lengthier and more legalistic in style, yet often fail to address data handling practices of concern to consumers or offer them meaningful choices about the collection and use of their data.  The typical policy’s ineffectiveness as a consumer communication tool has been borne out by research findings that consumers do not understand, and many do not even read, the privacy policies on the web sites they visit,” the AG wrote.

In addition to privacy policies, the pamphlet also outlines what developers should disclose regarding how they treat Do Not Track (DNT) browser signals from consumers.  The Federal Trade Commission has recommended a uniform DNT signal for browsers.  In 2013, California passed legislation requiring disclosure of how an operator responds to DNT signals as well as how third parties, who have access to the site, react to DNT signals.

The AG pamphlet recommends that a privacy policy:

• Explain the scope of the policy, such as whether it covers just online data collection and use practices or both online and offline practices.
• Make the policy recognizable by giving it a descriptive title.
• Make the policy conspicuously available to users and potential users by using a conspicuous link with larger type than the surrounding text, contrasting color, or symbols that call attention to it.
• Use plain, straightforward language, avoiding technical or legal jargon.
• Use short sentences.
• Describe how you collect personally identifiable information.
• Describe how you responded to a browser’s DNT signal or to another such mechanism.
• Explain how you use and share personally identifiable information.
• Explain how you protect your customers’ personal information from unauthorized or illegal access, modification, or use or destruction.

Companies that have not updated their website privacy policies recently might want to review them in light of the California AG’s guidelines.