California has been busy passing a multitude of new internet laws, as we’ve outlined in a few previous blog posts. The most recent law made us pause here at NMR because it directly affects the individuals we help every day, both in understanding and in writing terms of use and privacy policies for internet users, creators, and tech startups. Privacy policies are critical tools for website creators to protect themselves from liability and to set consumer expectations for privacy on their website.
Under A.B. 370, all commercial websites that collect personally identifiable information are now required to disclose how they respond to “Do Not Track” (DNT) signals in their privacy policy. Before we get into the practical application of this law, it’s important to understand what DNT is and what it isn’t.
DNT is the idea that users should be able to tell websites that they would not like tracking cookies used to track their movements on any given website. While we applaud DNT in theory as a way for users to stand up for their right to privacy, in practice DNT isn’t yet an effective means of putting consumers in control of their data. In fact, although discussions have been going on since 2007, industry, NGOs and other stakeholders have been unable to agree on a standard implementation or even a definition of DNT. This lack of a DNT standard is highlighted by California’s new law. Even when a service wants to promise to respect DNT in its privacy policy, technological limitations may mean it only partially respects DNT or, worse, doesn’t respect it at all. Even services that aim to respect the privacy of their users still have to be careful that they aren’t misleading users about how they respond to DNT in their privacy policies.
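To make the “partially respect” problem concrete, here is an added example (not NMR’s code) of the one piece a site operator actually controls: reading the browser’s DNT request header and withholding the site’s own tracking cookie when it says “1”. The cookie name is a constructed value; the Tk response header and the DNT values “1” and “0” come from the W3C Tracking Preference Expression draft. Note what this cannot do: it has no effect on third-party scripts or embeds the page loads, which is exactly why a blanket promise to “honor DNT” is hard to keep.

```python
"""Decide whether to issue a first-party tracking cookie based on the
browser's Do Not Track (DNT) request header.  Example code added for
this post; not NMR's code.  DNT: "1" = do not track, "0" = user allows
tracking, absent or malformed = no preference expressed."""
from http.cookies import SimpleCookie
from typing import Mapping, Optional

TRACKING_COOKIE = "visitor_id"  # constructed example cookie name


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """True if the user asked not to be tracked, False if they explicitly
    allowed it, None if no usable DNT signal was sent."""
    value = None
    for name, raw in headers.items():  # header names are case-insensitive
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return True
    if value == "0":
        return False
    return None  # absent or unrecognised: treat as "no preference"


def response_headers(request_headers: Mapping[str, str],
                     visitor_id: str) -> dict:
    """Build response headers.  The tracking cookie is only set when the
    visitor has not sent DNT: 1.  The Tk header (W3C TPE draft) states the
    tracking status, so the behaviour disclosed in the privacy policy can
    be verified on the wire: "N" = not tracking, "T" = tracking."""
    headers = {"Content-Type": "text/html"}
    if dnt_preference(request_headers) is True:
        headers["Tk"] = "N"
        return headers  # no Set-Cookie: the first-party tracker is skipped
    cookie = SimpleCookie()
    cookie[TRACKING_COOKIE] = visitor_id
    cookie[TRACKING_COOKIE]["httponly"] = True
    cookie[TRACKING_COOKIE]["secure"] = True
    headers["Set-Cookie"] = cookie.output(header="").strip()
    headers["Tk"] = "T"
    return headers
```

A site whose policy says it does not respond to DNT at all would simply omit the check; the point is that whichever behaviour the policy describes should match what the server does.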
Admittedly, the law tried to address this lack of standardization; it just did so poorly. 370(7) allows website operators to define DNT for themselves by providing a conspicuous link to a description of the DNT standard that the website follows. This essentially dumps the ongoing debate about the DNT standard into the laps of web service operators. It leaves it up to services to find, understand and adopt another group’s standard. In theory, this could lead to the widespread adoption of a DNT standard through popular choice.
But that process takes time, and during that time the environment for small services is uncertain. Even if small web service operators put in the time at the beginning to make this choice, DNT options on various platforms are ever-evolving.
We’re concerned that in practice 370(7) does not work as planned. Unless a service specifically wants to adopt a certain standard and has the capacity to ensure they keep their compliance with that standard up to date, we will likely see a lot of sites simply disclaiming DNT entirely.
In an effort to come up with DNT language that is accurate without being a PR nightmare, many sites that are good actors might want to express a desire for a DNT standard, but not be able to promise to comply with the current amorphous standard of DNT. This will lead many sites toward language that complies with the law but avoids making promises they can’t keep. Here’s an example:
Do Not Track (DNT) is a privacy preference users can set if they do not want web services to collect information about their online activity. However, there is currently no universal standard for sending and receiving DNT signals. Due to this lack of universal standard, it would be impossible for us to promise that we comply with all known and unknown DNT standards.
Therefore, we do not in any way monitor or respond to DNT signals or other mechanisms that provide a choice regarding the collection of personally identifiable information about activities over time and across different Web sites or online services.
If a universal standard for DNT becomes available we may revisit our DNT Policy.
There’s probably at least one privacy advocate reading this thinking that disclaiming everything is not a solution. In the long term, hopefully that will be true, but the current reality is that a small tech startup is much better off promising nothing and delivering more rather than promising to observe DNT but not actually living up to that promise. Given the amorphous DNT standard, services have to be careful not to put themselves in a situation where they might be subject to an action by California’s new privacy enforcement unit. Services always need to explain to users clearly what information is being collected and how that information is being used.
We look forward to seeing a clearer DNT standard, and methods of complying with these standards. We also think sites can differentiate themselves in the marketplace by providing superior privacy to their users.
Until then, we support the work of organizations like the Electronic Frontier Foundation and the Electronic Privacy Information Center, which are fighting for a universal DNT standard. However, we do not think it’s fair to put the weight of this complicated debate on the backs of small entrepreneurs.
There’s also an access to justice problem here. This law assumes that all people who operate websites that collect personally identifiable information will have access to an attorney to help them write their privacy policy and help them understand this law. The reality is that there are only a handful of groups like New Media Rights in the state of California who can write privacy policies for start-ups for a price they can afford, a price that is often zero dollars. Quite frankly, this is one of the areas where most attorneys in private practice are simply out of reach for the average website operator. We’ve heard one too many stories about websites whose operators couldn’t afford an attorney and copied and pasted another website’s privacy policy as their own. These are exactly the types of websites that will be especially vulnerable to this new law.
Overall, implementing Do Not Track legislation at the state level is a bad idea. In the short term it only helps create an inconsistent standard for DNT and places an undue burden on small entrepreneurs. There are so many problems that the State of California is facing that don’t involve the internet. We hope that in the new year the State of California will focus on those local issues.
If you’re worried that your website might not be compliant with the new DNT law, feel free to contact us and we’ll see if we can help out.
Special thanks to NMR interns Elisabeth Morgan and Siamak Hefazi for their help on background research for this blog.