Attorney general releases guidance on website privacy policies

California’s attorney general recently issued guidance on amendments to the California Online Privacy Protection Act (CalOPPA) that may have an impact on dental practices.

These amendments were prompted by the passage of AB 370, effective Jan. 1, 2014. CalOPPA now requires any operator of a commercial website or mobile application that collects the personally identifiable information (PII) of California residents to disclose how the website responds to “do not track” (DNT) browser signals.

Most of the major web browsers now offer a DNT service, which users can enable via the browser or mobile device’s settings. When enabled, the mechanism sends a signal to visited websites letting them know that the user does not wish to be tracked over time and across third-party sites. In other words, DNT signals let websites know that users do not wish to receive targeted advertisements based on their prior online activity.

CalOPPA does not prohibit online tracking and does not outline how websites should respond to DNT signals. It simply requires that websites that collect PII inform consumers of whether or not they honor DNT signals.

Dental practices should determine whether CalOPPA applies to their website. Dentists can do this by figuring out if their website collects consumer PII. PII is information about an individual consumer collected online by the website operator and maintained by the operator in an accessible form, including any of the following:

  • First and last name.
  • Home or other physical address, including street name and name of a city or town.
  • Email address.
  • Telephone number.
  • Social Security number.
  • Other identifier that permits the physical or online contacting of a specific individual.

Next, if the website does collect PII, determine how it responds to DNT signals. Practices should work with their IT provider and/or website vendor to answer this question. Again, CalOPPA does not prohibit online tracking; it simply requires website operators to be transparent about how their sites respond to DNT signals.

The attorney general’s guidance, “Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy,” provides background on CalOPPA, clarifies its applicability and recommends best practices for updating website privacy policies to comply with the requirements of AB 370. The document addresses general best practices regarding readability, data use and sharing, individual choice and access and accountability.

More specifically, the guidance addresses best practices for disclosing a website’s online tracking practices. Recommendations include:

  • Make it easy for a consumer to find the section of the policy that describes how the site responds to DNT signals (for example, using a header such as “Online Tracking” or “California Do Not Track Disclosures”).
  • Describe how the website responds to a browser that has turned on DNT signals or other such mechanisms.
  • State whether other parties are or may be collecting the PII of consumers while they are on the website.

The California attorney general has been active in investigating and enforcing penalties against companies with commercial websites or apps that have nonexistent, inadequate or misleading online privacy policies (a 2012 enforcement action against Delta Airlines can be found here.) A dental practice would be in violation of AB 370 if it failed to post its tracking practices within 30 days of being notified of noncompliance.

The attorney general’s guidance can be found here.