California AG Releases Long-Delayed DNT Guidelines

The DNT law, AB-370, has been in effect since Jan. 1 (CD Jan 2 p4). It requires websites and mobile apps accessible to California residents to state in their privacy policy whether they honor a DNT request. Some, like Fox Rothschild privacy lawyer Mark McCreary, believe the law is “largely irrelevant to the consumer.” Compliance has been “light at best” and without a DNT standard, those that have complied have “overwhelmingly” chosen to say they don’t comply with DNT requests, McCreary said. Others, like Dorsey & Whitney privacy lawyer Melissa Krasnow, said the guidelines reveal useful information about the AG’s interest in the mobile ecosystem. “If they were to begin enforcement, it would not surprise me if it involved a mobile application,” she said.

The guidelines evolved over two drafts, six months, and myriad comment periods. “I think that the final end product is somewhat of a compromise amongst the various interests in it,” said Vedder Price lawyer Bruce Radke. During the process, the AG’s office removed language recommending companies that don’t collect personally identifiable information (PII) disclose that in a privacy policy (CD Jan 24 p7).

The original draft also said companies could -- as “an addition” to disclosing their DNT response -- provide a link to a program like the Digital Advertising Alliance-backed AdChoices program (http://www.youradchoices.com/). The second draft -- and Wednesday’s final document -- changed the language to suggest companies can provide a link to something like AdChoices as “an alternative” to disclosing how they respond to a DNT statement, a move industry groups such as e-commerce association NetChoice favored. “The attorney general perhaps didn’t want to stake a position as to absolute requirements that website operators had to adopt, but provide some flexibility for them,” said Vedder Price intellectual property lawyer Michael Waters. Krasnow, part of the working group on the document, said “a lot of feedback involved” the DNT issue.

"I worry that this report encourages businesses to say they comply with the not yet defined ‘Do Not Track’ header,” said NetChoice Policy Counsel Carl Szabo. The World Wide Web Consortium recently moved a DNT technical preference expression document to last call, but has not settled on anything final in its almost three years of work (CD Dec 27 p4). “Such a statement exposes these businesses to legal repercussions,” Szabo said.

Enforcement to Come?

Although the law requires companies to disclose their DNT response, the guidelines clarify: “An operator must make the first disclosure only if the operator engages in the collection of personally identifiable information about a consumer’s online activities over time and across third-party websites or online services.” The report defines PII in a way that stresses the mobile ecosystem, Krasnow said. It lists seven types of information it considers PII, most of which are standard -- phone number, Social Security number, email address, etc. On the final two -- related to identifiers that allow online contacting and information collected online -- the document added: “The last two types listed above can be understood to include information that is collected passively by the site or service, such as a device identifier or geo-location data.” The phrases “device identifier” and “geo-location data” are “clearly, clearly mobile concepts,” Krasnow said.

With the document out, “I think enforcement is fair game,” said Krasnow, and others agreed. This concerned Szabo. “Even if you comply with these guidelines, that does not protect you from legal liability,” he said. After the AG’s office last released a privacy report on mobile privacy (http://bit.ly/1cVjDTH) in 2013, it “began cracking down on apps that had insufficient or nonexisting privacy,” he said. “I hope the AG’s office doesn’t turn these ‘best practices’ into new mandates for businesses."

"We have encouraged the AG’s office to focus on helping businesses comply with the law that has been in effect for over five months rather than working on additional ‘best practices,'” Szabo said. That has been the AG’s focus, said VedderPrice’s Waters. The office seems “more interested in education and cooperation,” he said. Krasnow thought the document’s delay might even have been a result of the AG’s office waiting to see what questions businesses had about compliance.

Few companies have complied, experts said. “The reasons have been varied, from the advertising interest groups taking and advocating that position, to technological confusion, to simply not being willing to tie their hands unnecessarily,” said Fox Rothschild’s McCreary. “The few clients that I have seen pledge that they will comply with browser do not track requests are those that have no need or interest in tracking.” All agreed the guidelines would spur additional compliance. Krasnow said the majority of compliance is on the West and East coasts, with a concentration in New York City.

As long as there continues to be no DNT standard and companies comply with AB-370 by saying they don’t honor DNT, the law won’t affect the market, said several lawyers. When AB-370 was passed, “there was an impression” that “you would almost have businesses attempting to distinguish themselves in the marketplace by how they handled a person’s desire to keep info confidential,” said Waters. That hasn’t happened, he said. It will take a cultural shift for it to change, McCreary said. “Until there is a significant movement in this country away from exchanging privacy for free services, consumers will continue to not read privacy statements and make decisions based on the contents of privacy statements.”