
The Privacy Advisor | The Reality of Issuing Guidance on Privacy Policies



The California Attorney General’s Office (AG) recently issued guidance regarding the newly amended CalOPPA, Making Your Privacy Practices Public, Recommendations on Developing a Meaningful Privacy Policy, which offers suggestions to businesses about what they can do, in the Attorney General’s view, to be more transparent about privacy.

The AG previously issued guidance in the mobile space, Privacy on the Go: Recommendations for the Mobile Ecosystem, in which it recommended a “surprise minimization” approach, where a mobile app company would supplement its longer, more comprehensive privacy policy with shorter, special notices related to the collection of Personally Identifiable Information (PII), if the PII was not necessary for the basic functionality of the app, or if it was sensitive PII.

While transparency is a noble goal, research by the Lares Institute shows that statements in a privacy policy might not be as important for consumer trust as the Guidance suggests.

The Issues Identified in Making Your Privacy Practices Public

Making Your Privacy Practices Public starts by stating the Attorney General’s view that “meaningful privacy policy statements safeguard consumers by helping them make informed decisions about which companies they will entrust with their personal information.” However, in a 2013 survey by the Lares Institute about the reasons for trust regarding privacy, consumers did not rank disclosures in a privacy policy as being that important. Indeed, what people read in a privacy policy was seventh out of the ten top reasons people trusted companies with their information, with only 5% of respondents citing reading the policies as the reason for trust.




In short, while transparency is a noble goal, it is not clear that increasing transparency will dramatically impact consumer trust.

The guidance also notes that there is research showing that people do not read privacy policies, or at least do not understand them when they do read them. Research by the Lares Institute provides additional insight on this point, showing that people with higher education levels and income are less likely to read privacy policies. Research on who reads the privacy policies provided by Internet Service Providers, including an examination of their demographics, provides a good example of this issue.


Ultimately, the Guidance notes that its purpose is to “encourage companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format.”


While the guidance presents interesting issues for discussion, and some best practices that companies could adopt, not all of the suggestions will be relevant, or helpful, for all companies. In many cases these suggestions go well beyond the statutory requirements of CalOPPA, and in some cases might be difficult for companies to implement. For example, the suggestion that websites provide links to third parties with whom they share information describes a practice that is not statutorily required, and that might increase a company’s risk exposure (for a potentially deceptive statement either under Section 5 of the FTC Act, or § 17200 of California’s Business and Professions Code) in a way that it will find difficult to monitor, particularly if the third-party policies change over time.

Finally, one question that always must be asked when a regulator issues guidance is whether this could be the basis of enforcement down the road. While there is no indication that the Attorney General intends to use this as an enforcement tool either under CalOPPA, or Business & Professions Code § 17200, this possibility cannot be eliminated. In any case, this guidance does present the Attorney General’s views and it should be considered, where appropriate, if companies are trying to implement best practices regarding online disclosures.

For further information about this Guidance, please click here.

