How California’s Online Privacy Law Affects your Business

No business owner enjoys opening the mail and finding a letter from the Attorney General notifying them they are in violation of the law – and threatening civil penalties. However, in 2012, this is what hundreds of mobile app operators received from the California Attorney General’s Office. It’s understandable that the operators would be surprised. Business in the digital age is a minefield of state and federal online laws. In this case, those operators were accused of violating the California Online Privacy Protection Act of 2003 (“CalOPPA”). (Cal. Bus. & Prof. Code § 22575-22579).

In 2003, California became the first state to pass a mandatory disclosure law for online privacy policies. Its goal was to inform consumers about the online collection and use of their personal information – termed “personally identifiable information” (“PII”). The law requires all commercial operators of websites and online services that collect PII from California residents to conspicuously post a privacy policy.

Is your business affected by CalOPPA?

CalOPPA’s broad coverage means it could potentially affect millions of businesses across the world.

First, the law protects all California residents. Any operator in the country (and possibly internationally) that collects PII from a Californian is subject to the law. A website operated from Maine that collects the name of a customer from San Diego is liable under CalOPPA. So, operators have a choice: disclose their online privacy policy per the law or ignore millions of potential consumers within the state.

Secondly, the types of online businesses covered under the law are extensive – all commercial operators of “websites” and “online services” that collect PII. And “online services” have been interpreted by the California AG to include mobile apps. So, if you are a Californian, any commercial website that collects your email or a mobile app that collects your name is now subject to CalOPPA’s requirements.

Finally, the law applies to those who collect “personally identifiable information”. PII is defined broadly within the statute. It means any “individually identifiable information” collected from the user and maintained, including a name, email address, or phone number. Obviously, this casts a wide net over online commerce, affecting even websites that simply collect email addresses of potential customers.

CalOPPA’s extensive reach means that even those businesses with a limited online presence are now required to draft and post online privacy policies or face the threat of fines.

What disclosures are required under CalOPPA?

A commercial operator under CalOPPA should be concerned with two requirements when drafting and posting their privacy policy online: (1) what the policy contains and (2) where the policy is posted.

The privacy policy must contain certain disclosures. The policy must: (1) identify the categories of PII collected; (2) identify any third parties the operator shares PII with; (3) describe the process by which consumers can review and change their PII; and (4) describe the process for notifying consumers of material changes to the privacy policy.

Next, the policy must be “conspicuously” posted online. This can mean placing it on the homepage or “first significant page” when entering the website or posting a “privacy” hyperlink to the policy on one of those pages. However, the statute should be consulted for specific details such as size and location of the policy.

In addition, the law was recently amended to require new disclosures regarding the use of “do not track” signals (as discussed below).

Do Not Track (DNT) disclosures

In 2013, CalOPPA was amended to require disclosure regarding “do not track” (DNT) signals. DNT was created as a response to websites that collect personal information about their visitors, usually for targeted advertisements. In reaction to the privacy concerns of consumers, browser and software manufacturers began creating DNT signals to inform those collectors that a user wished not to be tracked, or to “opt out” of tracking. California now requires that operators post a policy stating what they do when they receive a DNT signal.

CalOPPA’s DNT disclosure has two requirements: (1) disclose how the operator responds to DNT or other similar signals and (2) disclose whether third parties track the activities of the user. As an alternative to that disclosure, the operator can place a “clear and conspicuous” link to a description of any program or protocol it follows regarding tracking.

Of course, like the original requirements of CalOPPA, the law only requires disclosure. There are no requirements that an online operator honor a visitor’s DNT request, only that they disclose their response to the signals (whether they will or won’t honor it).

Enforcement of CalOPPA

Alleged violators of CalOPPA will first receive a non-compliance letter. If the operator fails to post its policy within 30 days, it could face fines of up to $2,500 per violation (e.g. per download of an app).

However, prevention would be the better course of action. A privacy policy should be drafted well before a website is operating. A business should know what information is being collected from its consumers and whether third parties collect similar information. This will avoid the rush to draft a privacy policy after receiving a non-compliance letter and avoid being hit with thousands of dollars in potential fines.