Second Draft of California DNT Guidelines Makes Improvements But Lacks Legal Protection, Stakeholders Say
The California Attorney General second draft of recommendations for complying with the state’s Do Not Track (DNT) law makes improvements over the first draft, but doesn’t address some central concerns, said lawyers and industry representatives in interviews Thursday. In effect since Jan. 1 (WID Jan 2 p1), the law requires websites and mobile applications to state in their privacy policies whether they respond to a DNT mechanism and include notice of “the possible presence of other parties conducting online tracking,” according to the draft. But with no agreed-upon DNT definition (WID Dec 27 p1) , companies have struggled to understand exactly what they are responding to and how to explain that in their privacy policies, said lawyers and an e-commerce representative. The second draft -- emailed to stakeholders Wednesday night -- helps elucidate some of these concerns, but didn’t include legal protections some would like to see.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Joanne McNabb, director of privacy education and policy in California’s attorney general’s office, in an email to stakeholders highlighted several changes. The office removed the language: “If you do not collect personally identifiable information [PII] about the online activities of users or visitors after they have left your site or service, say so in your privacy policy statement.” It maintained the language describing it as “preferable” to explain the website’s response to a DNT signal over providing a link to a program “that offers consumers a choice about online tracking” -- a program like the Digital Advertising Alliance-backed AdChoices program (http://www.youradchoices.com/). But the draft now characterizes that choice “as an alternative rather than as an addition to a description of the response,” according to the email.
"That’s an improvement,” because it gives businesses more ways to comply with the law (AB-370), said Carl Szabo, policy counsel at e-commerce industry group NetChoice. But the draft might confuse businesses, he and several lawyers said. It concurrently goes too far and not far enough, they said. By trying to provide broad privacy recommendations, the draft delays answers on specific questions concerning AB-370 compliance that businesses nationwide are looking for, several Internet privacy lawyers told us. Because nearly every U.S. website or app has California visitors, AB-370 is essentially a national law (WID Jan 3 p1). Szabo told us the AG “first should be working to create compliance with existing laws, especially AB-37. Once they're up to the minimum, we can begin looking to go beyond.” In comments filed to the AG’s office, he said, “adding these ‘best practices’ on top of AB-370 clouds an otherwise clear law."
The best practices also offer no promise that following their recommendations ensures the website is in compliance with AB-370, Szabo said. Because there is no DNT standard, “businesses asserting that they honor a Do Not Track browser request may not actually do so in all cases for all browsers,” he commented to the AG’s office. Companies could adhere to all of the AG’s recommendations and remain open to lawsuits alleging deceptive trade practices, he said. Complying with the best practices “exposes [businesses] to potentially greater liability,” he said. The draft said its guidelines “are not regulations, mandates or legal opinions. Rather they are part of an effort to encourage the development of privacy best practices.” McNabb and the AG’s office had no comment.
"There’s no carrot associated with this,” Szabo told us. With no protection from suits guaranteed in the draft, companies have no incentive to comply, which Szabo said is his “chief concern.” He said he would prefer to see the guidelines represent “a legal interpretation” of AB-370. NetChoice will file comments recommending this be included in the final draft.
Stakeholders have to Jan. 29 to comment on the draft, said McNabb’s email. McNabb’s Privacy Enforcement and Protection Unit -- began in 2012 to help provide guidance on California’s privacy law (http://1.usa.gov/1cPhLc0) -- released its first draft on Dec. 20 after meetings with stakeholders and accepted comments until Jan. 6, lawyers told us. Several lawyers helping companies comply with the law had been expecting a final draft by the end of January, but it seems that timeline has been pushed back an undetermined amount, they said. (cbennett@warren-news.com)