California’s Attorney General Kamala D. Harris has issued a new document that includes recent changes to the state’s privacy law and follows an earlier report on cyber-attacks and data breaches.

The new guide, “Making Your Privacy Practices Public,” gives businesses guidance on writing a privacy policy for consumers, she explained in a statement.

“This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions,” Harris explained in the statement.

The privacy guide includes such recommendations as:

  • Prominently label the section of a policy on online tracking, such as: “California Do Not Track Disclosures.”
  • Say how a business responds to a browser’s Do Not Track signal.
  • If third parties collect personally identifiable information, say that in the privacy policy.
  • Say what personally identifiable information a business collects from users, how it is used and how long it will be retained.

The state’s work on privacy was praised by companies, such as HP. “HP commends the work of California in establishing expectations-based guidance for privacy as it strikes the right balance between innovation and the protection of legitimate consumer rights,” Scott Taylor, vice president and chief privacy officer at Hewlett-Packard, said.

The guide was also praised by privacy experts. “Their common-sense recommendations are clear, readable, useful, and mercifully short. Companies will understand how to comply with the letter and spirit of California transparency laws. In particular, I am delighted to see a light-touch legislative approach for transparency around Do Not Track,” said Aleecia McDonald, director of Privacy at the Center for Internet and Society based at Stanford Law School.

“Publication of ‘Making Privacy Practices Public’ is an important step toward helping consumers understand what companies do with the data they collect about them,” John Simpson, director of Privacy Project at Consumer Watchdog, added. “Too many privacy policies are incomprehensible legalese. The best practices spelled out by the California Attorney General if adopted by companies would put privacy policy statements in straightforward, understandable language.”

Last year, the California Online Privacy Protection Act was enacted. It was the first U.S. law that requires operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from state residents. Privacy policies also need to include how the operator responds to Do Not Track signals. Privacy policies need to say, too, if third parties can collect personally identifiable information about the site’s users.

The state’s Privacy Enforcement and Protection Unit was set up in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure and destruction of private or sensitive information by individuals, organizations and the government. The unit also works to educate consumers and recommend best practices to businesses on privacy-related issues.

Earlier, Harris’ office issued recommendations to California businesses to protect against malware, data breaches and other cyber risks. The guide, “Cybersecurity in the Golden State,” provides recommendations for small- to mid-sized businesses. Businesses of that size need such a guide, given that in 2012, 50 percent of all cyber-attacks were aimed at businesses with fewer than 2,500 employees and 31 percent were aimed at those with fewer than 250 employees.

“Technology has created new opportunities and new risks for California businesses, including cyber-attacks,” Harris said in a statement about the cyber-security guide. “This guide offers specific, straightforward recommendations to help businesses continue to thrive by reducing cyber security risks to employees and customers.”

Examples of recommendations in the guide include:

  • Develop an incident response plan.
  • Encrypt data that a business needs to keep.
  • Regularly update firewall and antivirus software on all devices, and use strong passwords.

Last year, the Attorney General released another guide, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” which gives recommendations to app developers for privacy practices, and steps to increase transparency. In 2012, Harris sent letters to about 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. Her office later took action against Delta Airlines for failing to comply with privacy rules.

Now, the increasing use of mobile devices has also led to new threats.

“Many of us now carry devices in our pockets that are more sophisticated than we ever could have imagined just a decade ago,” Harris said in the cyber-security guide. “Downloadable applications can render us vulnerable to fraud, theft, and other privacy concerns and mobile devices that are constantly connected to the Internet or local Wi-Fi networks face persistent security issues.”
