OneTrust_Square Banner_300x250_DD_ROS_01_19

By Brian Hengesbaugh, CIPP/US, and Amy de La Lama

The current privacy regulatory environment can be characterized as a "perfect storm" of more data, more regulation and more enforcement. A microcosm of the confluence of these trends is illustrated in the recent Do-Not-Track amendments to the California Online Privacy Protection Act (CalOPPA). The law requires the operator of a website or online service to display a privacy policy that meets certain content requirements. It has been in effect for about 10 years and obliges a privacy policy to disclose the categories of personally identifiable information (PII) collected through the site, the categories of third-party persons or entities with whom the operator may share that PII and other content. Operators have generally been able to meet these obligations without too much difficulty.

The amendments to CalOPPA introduce two new content obligations for the site operator to:

  • Disclose how the operator responds to web browser’s Do-Not-Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in such collection, and
  • Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.

CalOPPA further specifies that an operator may satisfy the first requirement above by providing "a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice." CalOPPA does not mandate that such choice mechanisms must be established or followed but rather requires transparency (notice) about how the site responds to such signals. Personally identifiable information is defined to include name, physical address, e-mail, telephone, Social Security number, another identifier that permits the physical or online contacting of a specific individual and other information that the site collects online from the user and maintains in personally identifiable form in combination with an identifier described above. The amended version of CalOPPA becomes effective on January 1.

CalOPPA Amendments Pose Implementation Challenges

The CalOPPA amendments pose implementation challenges on several levels. First, from a straight definitional standpoint, it may be difficult for sites to determine what actually qualifies as a “Do-Not-Track signal” or similar mechanism that is covered by CalOPPA. An international working group of web experts under the World Wide Web Consortium (W3C) has been working for two years to define what "Do Not Track" means and how it should work, but that work is not done and may not be completed anytime soon. The most recent W3C Working Draft from September 2013 identifies numerous open issues on scope, definitions of "tracking," "collection" and other terms, exemptions for fraud detection and security defense. These are critical issues that need to be resolved to provide sites and others with clarity on commonly accepted definitions and standards.

Second, the Internet ecosystem is complex and rapidly evolving, such that thoughtful disclosures in privacy policies have the potential to be inaccurate for certain browsers or outdated over time. Browsers have come under considerable pressure in recent years from the Federal Trade Commission, European data protection authorities, state attorneys general and other authorities to build in Do-Not-Track mechanisms for users. Major browsers now include such functionality, but the implementations are different. Some set a default that tracking is OK unless the user chooses to configure the browser to send Do-Not-Track signals to the requesting site. Others have established Do-Not-Track as the default setting, such that unless a user must affirmatively opt in to tracking, the browser will send Do-Not-Track signals. And, a few browsers are already revising their original approaches to Do-Not-Track and establishing "selective Do Not Track" as the default and making other modifications. This changing landscape poses significant challenges for site operators to maintain accurate and legally sufficient practices and privacy policy disclosures over time.

Perhaps the most challenging issues relate to consumer expectations. What does a consumer expect when they configure their browser to Do Not Track, and how do site operators draft their disclosures to either meet or dispel such expectations? Does the consumer think that means the site itself will no longer collect any PII at all, or that certain PII collection or use—for advertising, for example—will cease? Or, would the consumer think that means that the site itself will continue with PII collection and use but will not allow any third-party ad network to capture PII or use it for advertising? What about the site operator's capture of PII on operator-hosted applications on social media platforms or third-party sites and the combination of such data with PII captured through the site? Consumers will invariably have wide-ranging and diverging expectations, particularly in the absence agreed and widely publicized W3C or other standards. Disclosures with regard to Do-Not-Track signals and similar mechanisms will need to be carefully drafted to try to provide enough transparency to manage such expectations.

Five Key Questions

In the midst of this uncertainty, and in the absence of a clear legal obligation for sites to follow Do-Not-Track signals, studies suggest that many sites currently do not follow browser’s Do-Not-Track signals. CalOPPA may push some operators to reconsider those positions and explain how they respond to Do-Not-Track signals and other mechanisms.

To prepare for these CalOPPA amendments, every site operator should ask five key questions about the site's practices and approach to these issues.  

1) What methods does the site implement to track users? The site operator should confirm what tracking the site employs and what PII or other data those methods capture. Much of the attention with Do Not Track has focused on traditional HTTP cookies, but examples of other technologies include web beacons, clear GIFs, log files, userData stores, document object model storage, and Flash cookies and other locally shared objects (LSOs). Special attention should be applied to user controls over these methods to make sure that promises are accurate. For example, LSOs generally persist even if a user clears cookies from the browser and therefore may require different controls and disclosures.

2) Does the site combine tracking data with PII gathered across other sites? The site operator should consider whether it combines any tracking data with other PII, including data capture about users through its own hosted applications on social media or other third-party sites, widgets, mobile applications, data shared by affiliated sites or data captured from other online sources. CalOPPA's disclosure requirements for the site's own tracking are limited to certain circumstances involving PII collection over time and across third party sites, but if the site's practices are to develop a profile of its users based on its own first-party tracking as well as the users' activities on other sites, it should consider how it might respond to Do-Not-Track signals and whether there are any CalOPPA disclosure obligations.

3) Does the site allow ad networks to set cookies or collect data? The site operator should confirm whether it allows ad networks to collect data. In theory, CalOPPA only requires a disclosure about such third parties if the ad networks collect PII. Such definition should not be triggered if the ad networks merely set a cookie that captures preferences tied to the user's device without linking the data to names or other CalOPPA identifiers. In practice, however, the site may not know with certainty whether the ad networks combine device data with PII or otherwise collect PII. The site may therefore wish to consider identifying these parties in its privacy policy. The site should consider only using ad networks that participate in the Digital Advertising Alliance or other programs that maintain robust standards for providing users with opt-out and other mechanisms to control the use of their data for behavioral advertising purposes.

4) Does the site allow social media platforms or other third parties to host plug-ins or widgets on the site (e.g., share buttons) or otherwise collect data? The site operator should confirm whether it allows social media platforms to host share or like buttons that collect data and the specifics of those collections. Although this does not appear to be the focus of the legislation based on the legislative history, the site operator should consider identifying these parties in its privacy policy and providing disclaimers that the social media platform's data collection and handling practices are defined by that platform and not by the site. In addition, the site operator should also consider whether any other third-party data collections may attract application of CalOPPA, such as any third-party analytics that may track users over time and across multiple sites.

5) How will the site balance the competing factors to arrive at a suitable CalOPPA disclosure? The challenge will be bringing together these various threads to arrive at a suitable CalOPPA disclosure. Sites that only set cookies and use tracking for internal purposes without any sharing or combining of PII from other sources and without any third-party data collection on the site should not have any new CalOPPA disclosure obligations. Sites that plan to follow Do-Not-Track signals will need to confirm alignment of practices with browser settings, maintain that alignment over time in light of changing settings and practices, address interoperability issues across browsers and confirm alignment and updates to their privacy policy disclosures. Some sites may choose to make good faith efforts to describe their practices in the privacy policy and otherwise disclaim any responsibility for responding to other web browser signals.

In all of this, there are risks on both sides. Failure to make the required CalOPPA disclosures can, after a 30-day notice period, give rise to actions by the California Attorney General for $2,500 per violation and other consequences, as well as potential plaintiffs’ actions under unfair competition theories. On the other hand, unqualified statements about not responding to Do-Not-Track signals could give rise to plaintiffs’ actions for exceeding authorized access to computers, trespass and other theories.

As with many privacy issues, it will ultimately require a balanced risk assessment, taking into account the site's activities and risk tolerance.

Brian Hengesbaugh, CIPP/US, is a principal with Baker & McKenzie in Chicago and a member of the firm's Global Privacy Steering Committee. He focuses on domestic and global data protection and privacy, data security, online, mobile, social media, and e-commerce issues.

Amy de La Lama is Of Counsel in the Chicago office of Baker & McKenzie. She focuses on global and domestic data protection and privacy, including on cross-border, mobile and health privacy issues.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»