Your Privacy Policy Must Include a "Do Not Track" (DNT) Clause

If your website collects any personal information from residents of the state of California, you must comply with the California Online Privacy Protection Act (CalOPPA).

One of the main requirements of CalOPPA is that you have a Privacy Policy. CalOPPA also requires that you include a Do Not Track (DNT) clause in this Policy.

A DNT clause is where you let your users know whether or not you respond to their DNT requests. You aren't required to respond to requests, but you're required to disclose whether you do or not.

In fact, the current school of thought is to not respond to a user's DNT browser setting because even if you do, you cannot control the DNT handling of third parties interacting with your site, such as Google Analytics, AdWords and others.

With no legal penalties for not responding to user DNT settings, there is virtually no advantage to offering to acknowledge Do Not Track requests.

It's important to understand that even if your website or business is not located in California, you must meet CalOPPA requirements if your site attracts visitors who reside in the state (which it likely does).

This article discusses the definition and background of DNT, as well as the broader implications of CalOPPA and the DNT rules for websites attracting California residents.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    And you're done! Now you can copy or link to your hosted Privacy Policy.

What is Do Not Track (DNT)?

In 2010, the US Federal Trade Commission issued a privacy report challenging internet browsers to provide a "do not track" feature. Also called DNT, this feature allows consumers to avoid having their online actions monitored. Apple, Microsoft, Mozilla, Google and eventually all others responded with a DNT user setting, allowing consumers to keep their browsing data private.

Conflicting schools of thought arose between consumers and technology providers. Consumers had been demanding greater privacy controls while at the same time, advertisers and analytics organizations had been creating more ways to collect data from consumers online. However, with no federal mandate requiring DNT controls, providing them remained voluntary.

Web browser companies established individual policies with regard to DNT controls, determining whether to establish default DNT settings to "on" or "off."

With the release of Windows 8 in 2012, Microsoft made the bold move of defaulting the DNT setting to "on," with tools allowing users to change the setting to "off." This protocol created controversy because it put online advertisers at a disadvantage.

However, the company said its first obligation was to protect the privacy of its users, and stood by its decision.

Later, with the release of Windows 10 in 2015, Microsoft maintained its privacy-first position and issued an online statement explaining:

"IE10 continues our focus on helping consumers protect their privacy, which started in IE9 with features such as Tracking Protection. In Windows 8, 'Do Not Track' (DNT) is 'on' in the Express Settings at time of set-up, and IE10 in Windows 7 also sends a 'Do Not Track' signal to websites by default. Microsoft's customers have been clear that they want more control over how their personal information is used online."

The tug-of-war with technologists continued. Windows users with DNT set to "on" were beginning to miss out on some of the many advantages of allowing browsing data to be collected. Tailored ads, customized browsing experiences, browsing history and other user-friendly features that greatly improve and personalize the web experience were missing for users with DNT set to "on."

Microsoft began to search for solutions to meet the privacy concerns of consumers while also working proactively with technologists eager to collect data from Windows users.

Microsoft introduced a feature that would allow websites to send a request to users to disable DNT for their site in the form of a popup or other message delivered during the user's browsing session.

This solution allowed the default DNT setting to remain in place, while also reminding users when certain sites could provide a better experience with DNT allowed for the site. The user's Windows setting could remain "off," while allowing a specific site to override it.

Microsoft Internet Explorer Privacy Statement: DNT clause

Mozilla's approach to DNT settings in its Firefox browser is the opposite of Microsoft's. Firefox defaults to the "off" setting for DNT and provides instructions for changing this.

Mozilla Firefox DNT instructions screenshot

Google's DNT protocol for Google Chrome browsers and Android mobile devices is similar.

Google Chrome DNT instructions

Even though laws do not currently enforce acknowledgment of user DNT settings, CalOPPA does require websites doing business with California residents to include a DNT clause in a conspicuously posted Privacy Policy.

The CalOPPA rule governing DNT is fairly simple, unrestrictive and includes recommendations for how to effectively disclose your DNT policy:

  • Include a description of your website's online tracking practices in your online Privacy Policy.
  • Include a detailed description of how third parties may be tracking your website visitors.
  • Make it easy for site visitors to find the sub-section of your Privacy Policy that addresses online tracking.
  • Clearly identify your DNT clause by using a header to mark the sub-section. Examples include, "How We Respond to Do Not Track Signals," or "California Do Not Track Disclosures."
  • Describe how you respond to a browser's DNT setting so users understand if you do or do not respect their settings.

While the CalOPPA DNT requirement is not stringent, it is mandatory.

If you own or operate a website that collects personal information from residents of the state of California, you must have a Privacy Policy conspicuously posted on your site and the policy must include a DNT clause.

Why Do Not Track (DNT)?

Federal, state and international laws require increasingly stringent privacy protections for consumers. While the laws vary in scope and enforcement, they share a common concern for protecting consumer information from data breaches and misuse.

The laws protect both personally identifiable information and non-personally identifiable information.

Personally identifiable information includes but is not limited to data that can be tracked to an individual such as name, address, phone number, SSN, license number, date of birth, etc.

Non-personally identifiable data is data that can be tracked to a device but not a specific individual, such as browser history, location data, shopping cart contents, user preference settings, etc.

The potential misuse, loss or theft of consumer data can create significant problems for consumers. Because of this, jurisdictions around the world have been giving privacy laws greater emphasis.

CalOPPA was introduced in 2003 as the first US law to impose broad requirements for the creation of and adherence to Privacy Policies for online businesses. It affects all website owners and operators that collect personal information from Californians during browsing sessions.

CalOPPA requires these websites to provide details about the types of information they are collecting from Californians, how they manage the information, how they share information with third parties, how those third parties may use the information and more.

In 2013, CalOPPA was amended to address the issue of online tracking, which is the commonly used term defining the collection of personally identifiable information about consumers as they browse from one website to another, including online services.

Do Not Track (DNT) technology is a feature provided to consumers by browsers and mobile devices. It lets consumers permit or prevent websites from collecting information about their browser activities.

The 2013 amendments to CalOPPA acknowledge that while DNT is readily available, consumers generally lack an understanding of what it is, how to enable it and limitations in its protections.

CalOPPA now requires all websites attracting California residents to disclose their DNT procedures for acknowledging or not acknowledging user DNT settings. It does not require websites to acknowledge user DNT settings, but merely to plainly state whether they do or do not.

Disclosing Your Do Not Track in Your Privacy Policy

Let's take a look at how some popular websites handle the DNT requirement from CalOPPA.

Some websites take a conservative approach to demonstrate compliance with CalOPPA.

In this example from Target, separate links are provided for "CA Privacy Rights" and "Privacy."

In doing this, Target exceeds generally accepted best practices in making access to its privacy policies conspicuous, plain and simple, while broadcasting loud and clear that the organization respects the specific mandates of CalOPPA.

Target website footer-links

The "CA Privacy Rights" link navigates to a dedicated page detailing Target's adherence to CalOPPA and provides users with a succinct, clear and easy to understand statement on the privacy rights of Californians.

Target Privacy Policy: California Residents clause

At minimum, your Privacy Policy should:

  1. Be easy to find - Provide one or more easy-to-find links to your Privacy Policy throughout your website.
  2. Be easy to understand - Use plain and simple language your typical website visitor can understand.
  3. Be organized in a user-friendly structure - Use headers throughout your Privacy Policy to boldly identify each clause, including your DNT clause.
  4. Include a dedicated sub-section for DNT - Create a specific DNT clause in your Privacy Policy.

Additionally, you might also consider:

  1. Including a link in your DNT clause to a detailed explanation of DNT, your policies for handling DNT, and the practices of any third parties who might be interacting with your site.
  2. Including links to various browser instructions for enabling or disabling DNT to assist your website visitors in understanding and controlling their DNT preferences.

Apple provides an excellent example for meeting and exceeding the CalOPPA recommendations. It maintains a boldly titled page dedicated to "Your California Privacy Disclosures," which includes sub-sections specifically addressing DNT:

Apple Privacy Policy: Your California Privacy Disclosures - DNT clause

The Policy provides a simple explanation of DNT, Apple's procedures for not tracking customer activity, and Apple's third-party partners that may be tracking customer activities. It also offers a link to instructions for enabling DNT on its Safari browser.

Google's Privacy Policy includes a sub-section for controlling a user's privacy settings on a dedicated Privacy Checkup Page:

Google Privacy and Terms: Excerpt of Other Useful Resources links clause

Google's Privacy Checkup Page gives users simple on/off control of a host of privacy settings across Google's many platforms as well as additional ways to personalize the Google data sharing experience.

Google Privacy Checkup: Web and App Activity

Etsy, a global handcrafted goods online retailer, takes a relatively unstructured approach in its Cookies Policy. Its Policy includes educational information about adjusting individual browser settings for opt-in and opt-out of information sharing, and informs users that lower restrictions will improve user experience.

Etsy Cookies and Similar Technologies Policy: Managing Preferences - Browsers clause

In a clause titled "Opt-in and Opt-out for Browsers," (shown above) Etsy provides links to adjust browser settings in order to opt out of information sharing.

However, it does not specifically address DNT, leaving it up to the users to navigate through the documentation and figure it out for themselves.

Amazon Silk, the web browser for Kindle, takes a more straightforward approach by posting a simple statement regarding its position on handling DNT requests:

Amazon Silk Developer Guide: DNT clause

eBay's Privacy Policy includes a robust sub-section for "Cookies, Web Beacons and Similar Technologies," in which it provides helpful details and guidance by explaining the types of information that may be collected from site visitors, why it may be needed, how it is used and how to control settings.

A sub-section titled "Do Not Track" provides a simple statement on the company's policy for not responding to browser DNT settings:

eBay Privacy Notice: Cookies and Similar Technologies: Do Not Track clause

With the legal standard for DNT being relatively low, websites enjoy considerable latitude in how they handle DNT requests and in how they phrase their policy.

However, the mandate to post a Privacy Policy in a conspicuous location and include a DNT statement inside that policy is clear and absolute for all websites attracting users from California. Your DNT clause doesn't have to be long or complex. It just needs to state whether or not you honor DNT requests to be compliant.