If you operate your business from California or have a customer base in California, you're required to comply with the California Online Privacy Protection Act (CalOPPA), which requires websites to notify users how that website responds to "Do Not Track" settings.

This article will look at this requirement and what you need to do to comply with it today.




What is Do Not Track


"Do Not Track" - shortened as DNT - is a preference that users can set on their browsers (if supported) to opt out of online behavioral tracking done by various companies, such as Google AdWords.

The DNT requirements come from the California Online Privacy Protection Act (CalOPPA), which requires websites to notify users how that website responds to the "Do Not Track" setting by doing one of the following:

  • The website responds to the DNT setting of a user's web browser, or
  • The website doesn't follow the DNT setting

It's important to note that companies are only required to tell users whether they respond to a user's Do Not Track setting. Companies are not required to actually honor the setting, only to disclose whether they do or not.

Even if your company isn't operating from within California, it still may have users from California. In fact, it almost certainly does.

As a result, you'll need to comply with CalOPPA and update your Privacy Policy to include information about the Do Not Track setting almost regardless of where you're operating from.

Sample Do Not Track Clause for Privacy Policy


You can comply with the DNT requirements by adding a disclosure to your Privacy Policy that informs users whether or not you respond to the "Do Not Track" browser setting.

The best practice most online companies follow is not to respond to the DNT header until you're 100% sure that all third parties your website uses, e.g. Google Analytics, will also respond in the same way.

Examples:

  • Your simple website follows the Do Not Track setting, but you use Google Analytics. Google Analytics, in turn, doesn't follow the DNT setting.

    Disclosing in your Privacy Policy that you follow Do Not Track would be incorrect because, even if you follow the setting, Google Analytics, a third party that you're using on your website, doesn't.

  • Your website follows the Do Not Track setting, but your use of Google AdSense to show ads doesn't. Your Privacy Policy will incorrectly inform users that you follow their web browser's setting.

Examples of Do Not Track Clauses


Here's how Apple includes a Do Not Track disclosure within its Privacy Disclosure specifically for California customers:

Apple California Privacy Statement: Do Not Track clause

Tribune Publishing has a clause in its main Privacy Policy titled "California Do-Not-Track Disclosure Requirements" so users know it's specific to California residents. It notes that it does not recognize or respond to DNT signals:

Tribune Publishing Privacy Policy: California Do Not Track disclosure requirements clause

LinkedIn includes its DNT information within a very short clause that also addresses direct marketing:

LinkedIn Privacy Policy: Direct Marketing and Do Not Track Signals clause

While the clause itself is short, which is fine, LinkedIn does link the clause to an additional page for its California Online Privacy Protection Act Notice where it goes into much further detail about what DNT is, in general, and more specific information about the company's handling of such things:

LinkedIn CalOPPA Privacy Notice: DNT page

Summary

If you fall under the scope of CalOPPA, you will need to disclose whether or not you follow Do Not Track signals.

You aren't required to follow them. You simply need to disclose whether or not you do.

You can easily satisfy this requirement by putting a short, simple clause in your Privacy Policy that discloses this information for your users who wish to know.
