The amendment to the California Online Privacy Protection Act (CalOPPA) that established the state’s “do not track” disclosure requirements became effective on January 1, 2014. It requires web site privacy policies to include certain do not track disclosures. However, because do not track is not a finalized standard, and it is unclear what even qualifies as a do not track signal under CalOPPA, compliance has been a challenge.

In an effort to resolve this uncertainty, the California Attorney General recently released a guide titled Making Your Privacy Practices Public (the Guide). The Guide provides long-awaited guidance on how to comply with the CalOPPA do not track requirements, among other recommendations. The following is a summary of some of the recommendations that go beyond what is actually required by CalOPPA.


Online Tracking and Do Not Track

  • CalOPPA only requires that the tracking disclosures introduced by the amendment (i.e., regarding do not track responses and third-party tracking) be included somewhere in the privacy policy. However, the Guide recommends that these disclosures be clearly identified with their own header, such as “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
  • If a web site follows a consumer tracking choice program or protocol, CalOPPA permits an alternate way to comply with the do not track disclosure requirement by including a link to a description of that program or protocol within the privacy policy. However, the Guide recommends that, in addition to the link, the privacy policy also provide either a description of the web site’s response to do not track signals or a brief, general description of the applicable program or protocol and what it does.
  • The do not track disclosure should describe whether the web site treats consumers whose browsers send a do not track signal differently from those whose browsers do not. The disclosure should also describe whether the web site still tracks users even if it receives a do not track signal and, if so, how that information is then used.


  • In addition to the CalOPPA requirement to “conspicuously post” a privacy policy, a web site should also include a link to the privacy policy on every web page where personal information is collected.
  • For online services, such as mobile applications, the privacy policy should also be posted or linked to on the application’s platform page, so that users can review the privacy policy before downloading the application, as well as from within the application.


  • While CalOPPA does not have any requirements regarding readability, the Guide recommends that a privacy policy be formatted in a way that makes it readable, especially on smaller screens such as mobile devices. One such format is a layered format that highlights the most relevant privacy issues.

Data Collection, Use and Sharing

  • The Guide recommends that a privacy policy go beyond CalOPPA’s requirement of merely identifying general categories of personal information that a web site collects, by being reasonably specific about the kinds of personal information being collected and identifying the retention period for each. In addition, a privacy policy should generally describe how a web site collects personal information, including specifying if any information is collected from other sources (e.g., offline or from third parties) or through technologies such as cookies or web beacons.
  • If a web site collects any personal information from children under the age of 13, the Guide cautions that the Children’s Online Privacy Protection Act (COPPA) imposes additional obligations on the web site operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.
  • With regard to sharing, the Guide clarifies that when a privacy policy describes the different types of third parties with which the web site operator shares personal information, affiliates and marketing partners should be mentioned if applicable, and links to the privacy policies of those third parties should be included.
  • Lastly, if a web site uses personal information beyond what is necessary for fulfilling a transaction or providing an online service, the privacy policy should explain this.

Individual Choice and Access

  • The Guide recommends that a privacy policy describe any choices an individual may have regarding the collection, use and sharing of his or her personal information (in addition to the review and correction of such information), if a web site operator maintains such a process.
  • In addition, if an individual requests to review or correct his or her personal information, then the web site operator should first ensure that the individual’s identity is properly verified and any access rights are authenticated.

Security Safeguards

  • While CalOPPA does not require that a privacy policy explain the web site’s security safeguards, the Guide recommends that a privacy policy explain how the web site protects its users’ information from unauthorized or illegal access. It is important that the security statements do not misrepresent or “over-promise” the web site’s actual security, as the US Federal Trade Commission (FTC) has been taking action against companies that do not live up to their security promises.

While much of the Guide is voluntary, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.