By Brian Hengesbaugh, CIPP/US, and Amy de La Lama
The amendments to CalOPPA introduce two new content obligations for the site operator to:
- Disclose how the operator responds to web browser’s Do-Not-Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in such collection, and
- Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.
CalOPPA Amendments Pose Implementation Challenges
The CalOPPA amendments pose implementation challenges on several levels. First, from a straight definitional standpoint, it may be difficult for sites to determine what actually qualifies as a “Do-Not-Track signal” or similar mechanism that is covered by CalOPPA. An international working group of web experts under the World Wide Web Consortium (W3C) has been working for two years to define what "Do Not Track" means and how it should work, but that work is not done and may not be completed anytime soon. The most recent W3C Working Draft from September 2013 identifies numerous open issues on scope, definitions of "tracking," "collection" and other terms, exemptions for fraud detection and security defense. These are critical issues that need to be resolved to provide sites and others with clarity on commonly accepted definitions and standards.
Perhaps the most challenging issues relate to consumer expectations. What does a consumer expect when they configure their browser to Do Not Track, and how do site operators draft their disclosures to either meet or dispel such expectations? Does the consumer think that means the site itself will no longer collect any PII at all, or that certain PII collection or use—for advertising, for example—will cease? Or, would the consumer think that means that the site itself will continue with PII collection and use but will not allow any third-party ad network to capture PII or use it for advertising? What about the site operator's capture of PII on operator-hosted applications on social media platforms or third-party sites and the combination of such data with PII captured through the site? Consumers will invariably have wide-ranging and diverging expectations, particularly in the absence agreed and widely publicized W3C or other standards. Disclosures with regard to Do-Not-Track signals and similar mechanisms will need to be carefully drafted to try to provide enough transparency to manage such expectations.
Five Key Questions
In the midst of this uncertainty, and in the absence of a clear legal obligation for sites to follow Do-Not-Track signals, studies suggest that many sites currently do not follow browser’s Do-Not-Track signals. CalOPPA may push some operators to reconsider those positions and explain how they respond to Do-Not-Track signals and other mechanisms.
To prepare for these CalOPPA amendments, every site operator should ask five key questions about the site's practices and approach to these issues.
1) What methods does the site implement to track users? The site operator should confirm what tracking the site employs and what PII or other data those methods capture. Much of the attention with Do Not Track has focused on traditional HTTP cookies, but examples of other technologies include web beacons, clear GIFs, log files, userData stores, document object model storage, and Flash cookies and other locally shared objects (LSOs). Special attention should be applied to user controls over these methods to make sure that promises are accurate. For example, LSOs generally persist even if a user clears cookies from the browser and therefore may require different controls and disclosures.
2) Does the site combine tracking data with PII gathered across other sites? The site operator should consider whether it combines any tracking data with other PII, including data capture about users through its own hosted applications on social media or other third-party sites, widgets, mobile applications, data shared by affiliated sites or data captured from other online sources. CalOPPA's disclosure requirements for the site's own tracking are limited to certain circumstances involving PII collection over time and across third party sites, but if the site's practices are to develop a profile of its users based on its own first-party tracking as well as the users' activities on other sites, it should consider how it might respond to Do-Not-Track signals and whether there are any CalOPPA disclosure obligations.
In all of this, there are risks on both sides. Failure to make the required CalOPPA disclosures can, after a 30-day notice period, give rise to actions by the California Attorney General for $2,500 per violation and other consequences, as well as potential plaintiffs’ actions under unfair competition theories. On the other hand, unqualified statements about not responding to Do-Not-Track signals could give rise to plaintiffs’ actions for exceeding authorized access to computers, trespass and other theories.
As with many privacy issues, it will ultimately require a balanced risk assessment, taking into account the site's activities and risk tolerance.
Brian Hengesbaugh, CIPP/US, is a principal with Baker & McKenzie in Chicago and a member of the firm's Global Privacy Steering Committee. He focuses on domestic and global data protection and privacy, data security, online, mobile, social media, and e-commerce issues.
Amy de La Lama is Of Counsel in the Chicago office of Baker & McKenzie. She focuses on global and domestic data protection and privacy, including on cross-border, mobile and health privacy issues.