Education Foundation

CalOPPA

The first state law in the nation to require commercial websites and online services to post a privacy policy, the California Online Privacy Protection Act (CalOPPA) went into effect in 2004. It was amended in 2013 to require new privacy disclosures regarding tracking of online visits.

CalOPPA applies to any person or company in the United States (and conceivably the world) whose website collects personally identifiable information from California consumers. CalOPPA requires the website to feature a conspicuous privacy policy stating exactly what information is collected and with whom it is shared; it also requires the operator of the website or online service to comply with the site’s privacy policy. Those who fail to do so are at risk of civil litigation under the state’s Unfair Competition Law.

Who does CalOPPA apply to?
CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to Internet service providers or similar entities that transmit or store personally identifiable information for a third party.

In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of app providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded.

What is “personally identifiable information”?
As legally defined, “personally identifiable information” refers to details collected on the Internet about an individual consumer, including an individual’s first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online. The term extends to details such as a person’s birthday, height, weight or hair color that are collected online and stored by an operator in personally identifiable form.

What is required under CalOPPA?
The operator of a commercial website or online service must conspicuously post a privacy policy on its website. According to CalOPPA, conspicuously posting a privacy policy means:

CalOPPA also requires website operators to adhere to their stated privacy policy. As May 2014 guidance from the California Attorney General’s Office says, “It requires them to say what they do and do what they say – to conspicuously post a privacy policy and to comply with it.”

To be considered in compliance with CalOPPA, the website’s privacy policy must contain the following:

An operator will be considered in violation of CalOPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance. An operator who fails to comply with CalOPPA or with the terms of its privacy policy will be found to be in violation of CalOPPA only if its noncompliance is either knowing and willful or negligent and material. This means that a non-material (i.e., minor) but deliberate breach can give rise to liability. As a result, minor technical defects in the posting or the contents of a privacy policy could be a basis for liability.

AB 370 Requires New Privacy Disclosures

Assembly Bill 370 (Muratsuchi), signed into law in 2013, amended CalOPPA to require new privacy policy disclosures about the tracking of visitors by websites and online services. The legislative analysis of the bill defines tracking as “the monitoring of an individual across multiple websites to build a profile of behavior and interests.”

AB 370 was in part driven by the advent of “Do Not Track” computer coding, which can signal websites when visitors indicate they prefer not to be monitored. AB 370 is intended to bring greater transparency and consumer scrutiny to website practices, but it does not limit tracking.

As the bill’s author, Assembly Member Al Muratsuchi (D-Torrance), explained, “This bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. AB 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.”

Under AB 370, privacy policies for websites or online services used by California residents (including mobile apps for smartphones and tablets) are required to:

What are the consequences of noncompliance?
CalOPPA does not contain enforcement provisions. It is expected, however, that CalOPPA will be enforced through California’s Unfair Competition Law (UCL), which is located at Business and Professions Code §§ 17200-17209. Under the UCL, the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which are considered to be any act involving business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL.

Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against businesses whose posted privacy policy is deceptive – that is, where a business fails to comply with its posted privacy policy.
