A guide to Do Not Track under CalOPPA

California passed the California Online Privacy Protection Act (“CalOPPA”) in 2004 to protect the personal data of its residents. CalOPPA requires operators of online services that collect personal information to post a Privacy Policy.

In 2014, California updated CalOPPA to require an operator to disclose how it handles Do Not Track signals. In this guide, we will explain what Do Not Track is and help you understand the following:

  • What is Do Not Track under CalOPPA?
  • How to comply with CalOPPA’s Do Not Track requirements.

What is Do Not Track under CalOPPA?

What are DNT signals?

When someone visits a website or mobile application, there may be numerous parties tracking the user. First, the website itself may be tracking users for various reasons, such as recording an IP address for security monitoring. Additionally, third parties may track users through the online service that a consumer is visiting.

Online providers often integrate third-party services into their websites and mobile apps. Third-party “trackers” represent an ecosystem of data collection agencies that compare all the places on the Internet that a user visits. The tracking mechanism notifies the third parties each time the user visits the website or app. The more the user surfs the web, the more trackers learn about the user. Examples of third parties include advertising networks and traffic analyzers.

Frequently, operators track the personally identifiable information (PII) of consumers as they interact with a website or mobile app. The main purpose of tracking is to make web surfing more efficient for consumers. Websites and apps collect the browsing data of visitors to:

  • Improve security
  • Generate statistics
  • Provide customized content
  • Make recommendations to users

Over the years, as tracking became more common on the Internet, consumers wanted to have a way to opt out of being tracked. In 2007, public interest groups asked the Federal Trade Commission (“FTC”) to create a Do Not Track List (“DNT List”) for online marketers. To gain acceptance, the advocates used the same phrasing as the widely popular Do Not Call Registry (“DNC Registry”). The DNC Registry is a database of phone numbers maintained by the federal government that telemarketers cannot call.

DNT List advocates wanted advertisers to implement a Do Not Track method instead of putting the responsibility on consumers to opt out of tracking. The proposal required marketing firms to submit domain names to the FTC that use persistent identifiers to track consumers. The FTC would compile the domain names into a machine-readable list. Then, web browser applications could subscribe to the list. As a result, a consumer’s browser could access the list to block tracking.

The FTC did not implement the DNT List. A reporter at CNET criticized the FTC proposal and argued that users could protect themselves from being tracked without federal intervention. The reporter suggested that consumers should be able to use a browser plug-in that tracks marketing-related servers and blocks them automatically.

A few years later, browsers began to include a way to send Do Not Track signals. In 2011, Firefox 4 became the first browser to adopt a DNT option. Soon after, Internet Explorer, Apple Safari, and Google Chrome added this option as well.

A DNT signal is a voluntary request that is sent to an online service, and operators don’t have to respond to the request. Many consumers are not sure how online services respond to the Do Not Track signals sent from their browsers. The only way for consumers to be sure that an operator respects their request is for the operator to explain its practices in a Privacy Policy.

CalOPPA requires operators to disclose if they respect Do Not Track  

To prevent online tracking, users activate a DNT option in their web browsers. When a browser sends a Do Not Track signal, it requests that the online service stop tracking the user.

Many online service providers do not stop tracking users when they receive a request from the consumer asking not to be tracked. Further, many browsers don’t provide details of which online services acknowledge these requests.

ZDNet rated Google Chrome as the top web browser in early 2020. Google Chrome has an option to turn “Do Not Track” on or off in the browser settings. By default, the feature is turned off, and the user has the option of turning it on. However, Google states in its help files that “most websites and web services, including Google’s, don’t change their behavior when they receive a request not to be tracked.” Further, Google states that “Chrome doesn’t provide details of which websites and web services respect DNT requests and how websites interpret them.”

CalOPPA aims to have operators of websites and apps in California disclose to consumers if they do not respect a DNT request. In 2013, the California Legislature passed Assembly Bill 370, which added new tracking disclosure requirements to CalOPPA. The intent of the law’s update was to increase consumer awareness of online tracking. Importantly, the update would allow consumers to make an informed decision before using an online service.

On January 1, 2014, the tracking provisions of CalOPPA went into effect. When California amended CalOPPA, the goal was to address the use of online methods that track personal information about consumers.

CalOPPA requires an operator to explain in its Privacy Policy how it handles DNT requests. Under CalOPPA, an operator must disclose:

  • How it responds to browser “Do Not Track” signals
  • Whether third-party tracking is present on the online service
  • Other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about their online activities over time

An operator may satisfy the DNT requirement by posting “a clear and conspicuous hyperlink” in the operator’s Privacy Policy to explain tracking by the online service or third parties. The hyperlink should take the reader to an online location that contains “a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

The reach of CalOPPA’s DNT disclosure requirement goes outside of California’s borders. CalOPPA includes operators in other states that track residents of California.

DNT is not a clear standard, so the disclosure requirement creates some confusion for online operators. Consumers use different browsers that implement a DNT signal in different ways. Some browsers have a default setting for DNT and other browsers may require the user to configure the signal.

How to comply with CalOPPA’s Do Not Track requirements

To avoid non-compliance with CalOPPA, an operator should clearly disclose its practices with Do Not Track signals. To comply with CalOPPA, an operator must offer consumers a “choice” to proceed with the online service by disclosing how it handles DNT signals.

Although CalOPPA requires an operator to disclose how it responds to DNT signals, the law does not require a website to respond to these signals in any particular way. However, the law requires you to state how your website responds.

Operators should take care to keep the promises they make in their Privacy Policy. If an operator claims to respect these signals but really ignores the requests, it is violating CalOPPA. Further, the FTC considers misrepresentations in a Privacy Policy to be a deceptive practice, so an operator could face an FTC investigation for misleading consumers.

The California Attorney General released a guide to help operators understand the requirements of CalOPPA titled Making Your Privacy Practices Public. The guide provides insight on how to comply with CalOPPA’s Do Not Track requirements. However, the guide is not legally binding, and it offers suggestions that are beyond the scope of CalOPPA.

The California Attorney General recommends that an operator use its Privacy Policy to clearly label its DNT practices. A label is more transparent than simply linking to a “choice program,” as the CalOPPA statute allows. To inform consumers, the operator should describe its policies in sections that explain:

  • Whether the operator collects PII with tracking mechanisms
  • How the operator responds to Do Not Track signals
  • If third-party trackers are collecting data on the online service

In the Privacy Policy, an operator should inform consumers about the effects of sending a request not to be tracked. When you create your Do Not Track disclosure, consider the following:

  • Do you collect PII about a consumer’s browsing activities over time?
  • How do you use the tracking information for your business?
  • Can you disable tracking if requested to do so?
  • How long does it take to respond to these signals?
  • Do you collect PII across third-party services if you receive a DNT signal?
  • Can consumers opt out of third-party tracking?
  • Are consumers who send a DNT signal through their browsers treated differently?

Including a Do Not Track disclosure in a Privacy Policy is mandatory for operators of websites and mobile apps that target California residents. Termageddon is a Privacy Policy generator that you can easily use to meet the CalOPPA tracking disclosure requirements for your website or mobile application.