
By Lei Shen, CIPP/US

Determining how to comply with California’s “Do Not Track” requirements has been a challenge. The amendment to the California Online Privacy Protection Act (CalOPPA) became effective on January 1 and began requiring privacy policies to include certain Do Not Track (DNT) disclosures. However, there has been some uncertainty as to how to comply. Because DNT is not a finalized standard, it is unclear what even qualifies as a DNT signal under CalOPPA. In addition, different browsers implement their Do Not Track mechanisms differently—some set it as the default setting, while others require the user to configure it—so it’s difficult to determine what the user’s actual expectation is.

In an effort to curb this uncertainty, the California Attorney General (AG) recently released a guide titled Making Your Privacy Practices Public. The guide provides long-awaited guidance on how to comply with the CalOPPA Do Not Track requirements, among other recommendations. The AG, Kamala Harris, stated that the guide is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.”

While the guide provides recommendations on how to comply with CalOPPA, they are not legally binding. In fact, several of the guide's recommendations go beyond the requirements of CalOPPA. This article summarizes the guide's recommendations and compares them to CalOPPA's actual requirements.

Online Tracking and Do Not Track

The CalOPPA amendment added two tracking disclosure requirements for privacy policies. First, website operators must disclose in their privacy policies how they respond to web browser "do not track" signals or to similar technologies that provide users with an ability to exercise choice regarding tracking. CalOPPA does not require a website to honor such signals; it requires only that the website disclose how it responds to them. An alternative way for a website operator to comply is to provide a "clear and conspicuous hyperlink" in its privacy policy to an online location containing a description and the effects of a program or protocol that the operator follows that offers users a choice regarding online tracking. Second, in addition to the Do Not Track disclosure, CalOPPA also requires that privacy policies disclose whether third parties conduct tracking on the website.
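Because CalOPPA's first requirement turns on how a site responds to a browser's Do Not Track signal, it helps to see what that response looks like on the server. The following is an added example for this article, not code from the IAPP page or from the AG guide. The DNT request header (value "1" for opt-out, "0" for consent) and the Tk response header come from the W3C Tracking Preference Expression draft; the response policy itself (drop third-party tracking resources on DNT:1, treat a missing or malformed header as "no preference" rather than consent), the tracker.example beacon URL, and the function names are this example's own assumptions. CalOPPA mandates only the disclosure, not this particular behavior.

```python
"""Server-side handling of a browser Do Not Track (DNT) signal.

Added example for this article, not code from the IAPP page or from the
California AG guide. The policy it implements (honor DNT:1 by dropping
third-party tracking resources, treat an absent or malformed header as
"no preference", announce the outcome with the W3C Tracking Preference
Expression "Tk" response header) is this example's own assumption: CalOPPA
only requires the response to be disclosed, not a particular response.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class TrackingDecision:
    preference: Optional[bool]  # True = opted out, False = consented, None = no signal
    track_third_party: bool     # whether third-party tracking resources are emitted
    tk_header: str              # value for the "Tk" response header ("N" or "T")


def parse_dnt(value: Optional[str]) -> Optional[bool]:
    """Interpret a DNT request header value.

    The TPE draft defines only "1" (do not track) and "0" (user consents).
    Anything else, including a missing header, is "no preference expressed";
    it is deliberately not treated as consent, because a browser that never
    sent the header has not made a choice either way.
    """
    if value is None:
        return None
    v = value.strip()
    if v == "1":
        return True
    if v == "0":
        return False
    return None


def decide_tracking(headers: Mapping[str, str]) -> TrackingDecision:
    """Turn the request headers into a tracking decision."""
    # HTTP header names are case-insensitive; normalize before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    pref = parse_dnt(lowered.get("dnt"))
    if pref is True:
        # Honor the opt-out and say so: Tk: N means "not tracking".
        return TrackingDecision(pref, False, "N")
    # No signal or explicit consent: tracking happens, disclosed as Tk: T.
    return TrackingDecision(pref, True, "T")


# Hypothetical third-party beacon (assumed URL) that a site would load for analytics.
TRACKING_PIXEL = '<img src="https://tracker.example/pixel.gif" alt="" width="1" height="1">'


def render_page(headers: Mapping[str, str]) -> tuple:
    """Build (response_headers, body) for a page, omitting the beacon on DNT:1."""
    decision = decide_tracking(headers)
    parts = ["<html><body><p>Example page</p>"]
    if decision.track_third_party:
        parts.append(TRACKING_PIXEL)
    parts.append("</body></html>")
    response_headers = {"Content-Type": "text/html; charset=utf-8",
                        "Tk": decision.tk_header}
    return response_headers, "".join(parts)


def application(environ, start_response):
    """Minimal WSGI app: WSGI exposes the DNT request header as environ['HTTP_DNT']."""
    headers = {"DNT": environ["HTTP_DNT"]} if "HTTP_DNT" in environ else {}
    response_headers, body = render_page(headers)
    start_response("200 OK", list(response_headers.items()))
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Exercise the decision logic on constructed requests; no server needed.
    for hdrs in ({"DNT": "1"}, {"dnt": "0"}, {}, {"DNT": "yes"}):
        hd, body = render_page(hdrs)
        print(hdrs, "->", "Tk:", hd["Tk"], "| beacon loaded:", TRACKING_PIXEL in body)
```

To serve it locally, pass `application` to `wsgiref.simple_server.make_server` and send requests with and without a `DNT: 1` header. The design point worth noting for the disclosure itself: whatever a site chooses for the "no header" and "malformed header" cases is exactly the behavior the privacy policy has to describe, so the decision should be made explicitly in code rather than left to whatever the default branch happens to do.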

The guide’s recommendations go beyond these CalOPPA requirements in a number of ways. For instance, CalOPPA only requires that these tracking disclosures be included somewhere in the privacy policy. A number of website operators have been complying by including the disclosures within other similar provisions. However, the guide recommends that these disclosures be clearly identified with their own header in the privacy policy, such as “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”

If a website follows a consumer-tracking choice program or protocol, CalOPPA permits compliance with the Do Not Track disclosure requirement by including a link to a description of that program or protocol within the privacy policy.

However, the guide recommends that, in addition to the link, the privacy policy also provide either a description of the website’s response to Do Not Track signals or a brief, general description of the applicable program or protocol and what it does, to provide greater transparency to consumers. The guide also recommends that the disclosure describe whether the website treats consumers whose browsers send a Do Not Track signal differently from those that do not.

It also recommends that the disclosure describe whether the website still tracks even if it receives a Do Not Track signal, and if so, how that information is then used.


CalOPPA requires that a privacy policy be "conspicuously posted" on a website. A privacy policy can be "conspicuously posted" if the website's home page contains an icon or text link that includes the word "privacy" and is linked to the privacy policy. Another way a privacy policy can be "conspicuously posted" is if the text link to the privacy policy is either written in capital letters that are at least the same size as the surrounding text or is otherwise written in a way that calls attention to the link (e.g., written in a larger type than the surrounding text, in a contrasting type, font or color, or set off from the surrounding text by symbols or other marks).

The guide recommends that, in addition to these requirements, a website also include a link to the privacy policy on every webpage where personal information is collected. For online services, such as mobile applications, the privacy policy should also be posted or linked to on the application’s platform page so that users can review the privacy policy before downloading the application as well as from within the application.


While CalOPPA does not have any requirements regarding readability, the guide reiterates prior guidance regarding readability from the Federal Trade Commission (FTC) and the California AG. For example, a privacy policy should be formatted in a way that makes it readable, especially on smaller screens like a mobile device. One such format is a layered format that highlights the most relevant privacy issues. Websites can also use graphics and icons in their privacy policies to help users more easily recognize privacy practices and settings.

Data Collection, Use and Sharing

CalOPPA requires that a privacy policy identify both the categories of personal information that a website collects and the categories of third-party persons or entities with whom the website operator may share that personal information.

The guide recommends that a privacy policy go beyond merely identifying general categories by being reasonably specific about the kinds of personal information being collected and identifying the retention period for each. In addition, a privacy policy should generally describe how a website collects personal information, including specifying if any information is collected from other sources (e.g., offline or from third parties) or through technologies such as cookies or web beacons.

If a website collects any personal information from children under the age of 13, the guide cautions that the Children’s Online Privacy Protection Act (COPPA) has additional obligations for the website operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.

With regard to sharing, the guide clarifies that when a privacy policy describes the different types of third parties with which the website operator shares personal information, affiliates and marketing partners should be mentioned if applicable and links to the privacy policies of those third parties should be included.

Lastly, if a website uses personal information beyond what is necessary for fulfilling a transaction or providing an online service, the privacy policy should explain this.

Individual Choice and Access

If a website operator maintains a process for an individual to review and request changes to his or her personal information that was collected through the website, CalOPPA requires that the privacy policy provide a description of that process.

The guide expands on this by recommending that a privacy policy also describe any choices an individual may have regarding the collection, use and sharing of his or her personal information, rather than limiting that process to the review and correction of that personal information.

In addition, if an individual requests to review or correct his or her personal information, the website operator should first verify the requester's identity and confirm that the requester is actually authorized to access the record in question before disclosing or changing it; an access process that skips this step becomes a channel for disclosing personal information to the wrong person.

Security Safeguards and Accountability

CalOPPA does not require that a privacy policy explain the website’s security safeguards or provide a contact for questions. The guide, however, recommends that a privacy policy explain how the website protects its users’ information from unauthorized or illegal access, as well as provide contact information if users have any questions. It is important that the security statements do not misrepresent or “over-promise” the website’s actual security, as the FTC has been taking action against companies that do not live up to their security promises.

While much of the guide is not mandatory, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.
