- May 28, 2014
- Posted by: Seth Heyman
- Categories: Business Law, Internet Law, Startups
Scope: Include a paragraph explaining what the policy covers. State whether it is limited to online data collection or also covers offline use, and state which entities (e.g., subsidiaries and affiliates) the policy covers.
Availability: Make certain your policy is readily available and accessible. Incorporate a conspicuous link on the home page and on every page that collects personal information, and be certain to format it so it can be printed legibly. If you’re collecting PII via a mobile application, post a link to the policy on the base platform page so users can review it prior to download.
Plain English: Draft your policy so it can be read and understood by the average consumer. This means you should avoid technical language and legalese wherever possible. Use graphics and icons, and try using tooltips.
Disclosures: Be certain to prominently disclose all of the following:
– How you collect PII from users or visitors, and the technologies used to do so (e.g., cookies, web beacons).
– How you respond to Do-Not-Track (DNT) requests. First, state whether you track your users’ online activity. If you don’t track, you probably don’t respond to DNT requests, so be certain to let your visitors know that. If you do employ tracking technology, describe how it works. Do you track users’ activity over time? If so, provide the time frame. Do you track both before and after they visit your site? What do you do with the tracking information you collect? Regardless of how you deal with DNT requests, be certain to provide a prominent link to a program that offers consumers a choice about online tracking, and describe how the program works. If you don’t respond to DNT signals, say so, and state clearly whether you honor DNT requests.
– Let visitors know whether third parties may be collecting PII while they visit your site, and how you work with those parties.
– Inform visitors how you use and share data: describe (a) what PII you collect from users; (b) how you use it; and (c) how long you retain that information. List the categories of companies with which you share customer personal information (e.g., service providers, marketing partners, affiliates). Explain any uses of PII not related to fulfilling a customer transaction or another basic function of an online service. If possible, provide a link to the privacy policies of third parties with whom you share PII.
Describe Choices: Describe the choices visitors have regarding the collection, use, and sharing of their personal information, and how you comply with them. At the very least, you should offer your visitors an opportunity to correct or even delete the information you’ve collected.
Security: Describe the safeguards you employ to secure PII.
The fact that the California AG has provided these guidelines should serve as a warning that she is, and will continue to be, highly aggressive in enforcing CalOPPA.