In 2014, California updated CalOPPA to require an operator to disclose how it handles Do Not Track signals. In this guide, we will explain what Do Not Track is and help you understand the following:
- What is Do Not Track under CalOPPA?
- How to comply with CalOPPA’s Do Not Track requirements.
What is Do Not Track under CalOPPA?
What are DNT signals?
When someone visits a website or mobile application, there may be numerous parties tracking the user. First, the website itself may be tracking users for various reasons, such as recording an IP address for security monitoring. Additionally, third parties may track users through the online service that a consumer is visiting.
Online providers often integrate third-party services into their websites and mobile apps. Third-party “trackers” represent an ecosystem of data collection agencies that compare all the places on the Internet that a user visits. The tracking mechanism notifies the third parties each time the user visits the website or app. The more the user surfs the web, the more trackers learn about the user. Examples of third parties include advertising networks and traffic analyzers.
Frequently, operators track the personally identifiable information (PII) of consumers as they interact with a website or mobile app. The main purpose of tracking is to make web surfing more efficient for consumers. Websites and apps collect the browsing data of visitors to:
- Improve security
- Generate statistics
- Provide customized content
- Make recommendations to users
Over the years, as tracking became more common on the Internet, consumers wanted to have a way to opt out of being tracked. In 2007, public interest groups asked the Federal Trade Commission (“FTC”) to create a Do Not Track List (“DNT List”) for online marketers. To gain acceptance, the advocates used the same phrasing as the widely popular Do Not Call Registry (“DNC Registry”). The DNC Registry is a database of phone numbers maintained by the federal government that telemarketers cannot call.
DNT List advocates wanted advertisers to implement a Do Not Track method instead of putting the responsibility on consumers to opt out of tracking. The proposal required marketing firms to submit domain names to the FTC that use persistent identifiers to track consumers. The FTC would compile the domain names into a machine-readable list. Then, web browser applications could subscribe to the list. As a result, a consumer’s browser could access the list to block tracking.
The FTC did not implement the DNT List. A reporter at CNET criticized the FTC proposal and argued that users could protect themselves from being tracked without federal intervention. The reporter suggested that consumers should be able to use a browser plug-in that tracks marketing-related servers and blocks them automatically.
A few years later, browsers began to include a way to send Do Not Track signals. In 2011, Firefox 4 became the first browser to adopt a DNT option. Soon after, Internet Explorer, Apple Safari, and Google Chrome added this option as well.
CalOPPA requires operators to disclose if they respect Do Not Track
To prevent online tracking, users activate a DNT option in their web browsers. When a browser sends a Do Not Track signal, it requests that the online service stop tracking the user.
Many online service providers do not stop tracking users when they receive a request from the consumer asking not to be tracked. Further, many browsers don’t provide details of which online services acknowledge these requests.
ZDNet rated Google Chrome as the top web browser in early 2020. Google Chrome has an option to turn “Do Not Track” on or off in the browser settings. By default, the feature is turned off, and the user has the option of turning it on. However, Google states in its help files that “most websites and web services, including Google’s, don’t change their behavior when they receive a request not to be tracked.” Further, Google states that “Chrome doesn’t provide details of which websites and web services respect DNT requests and how websites interpret them.”
CalOPPA aims to have operators of websites and apps in California disclose to consumers if they do not respect a DNT request. In 2013, the California Legislature passed Assembly Bill 370, which added new tracking disclosure requirements to CalOPPA. The intent of the law’s update was to increase consumer awareness of online tracking. Importantly, the update would allow consumers to make an informed decision before using an online service.
On January 1, 2014, the tracking provisions of CalOPPA went into effect. When California amended CalOPPA, the goal was to address the use of online methods that track personal information about consumers.
- How it responds to browser “Do Not Track” signals
- Whether third-party tracking is present on the online service
- Other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about their online activities over time
The reach of CalOPPA’s DNT disclosure requirement goes outside of California’s borders. CalOPPA includes operators in other states that track residents of California.
DNT is not a clear standard, so the disclosure requirement creates some confusion for online operators. Consumers use different browsers that implement a DNT signal in different ways. Some browsers have a default setting for DNT and other browsers may require the user to configure the signal.
How to comply with CalOPPA’s Do Not Track requirements
To avoid non-compliance with CalOPPA, an operator should clearly disclose its practices with Do Not Track signals. To comply with CalOPPA, an operator must offer consumers a “choice” to proceed with the online service by disclosing how it handles DNT signals.
Although CalOPPA requires an operator to disclose how it responds to DNT signals, the law does not require a website to respond to these signals in any particular way. However, the law requires you to state how your website responds.
The California Attorney General released a guide to help operators understand the requirements of CalOPPA titled Making Your Privacy Practices Public. The guide provides insight on how to comply with CalOPPA’s Do Not Track requirements. However, the guide is not legally binding, and it offers suggestions that are beyond the scope of CalOPPA.
- Whether the operator collects PII with tracking mechanisms
- How the operator responds to Do Not Track signals
- If third-party trackers are collecting data on the online service
- Do you collect PII about a consumer’s browsing activities over time?
- How do you use the tracking information for your business?
- Can you disable tracking if requested to do so?
- How long does it take to respond to these signals?
- Do you collect PII across third-party services if you receive a DNT signal?
- Can consumers opt out of third-party tracking?
- Are consumers who send a DNT signal through their browsers treated differently?
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.