No business owner enjoys opening the mail and finding a letter from the Attorney General notifying them they are in violation of the law – and threatening civil penalties. However, in 2012, this is what hundreds of mobile app operators received from the California Attorney General’s Office. It’s understandable that the operators would be surprised. Business in the digital age is a minefield of state and federal online laws. In this case, those operators were accused of violating the California Online Privacy Protection Act of 2003 (“CalOPPA”). (Cal. Bus. & Prof. Code § 22575-22579).
Is your business affected by CalOPPA?
CalOPPA’s broad coverage means it could potentially affect millions of businesses across the world.
Secondly, the types of online businesses covered under the law are extensive – all commercial operators of “websites” and “online services” that collect PII. And “online services” have been interpreted by the California AG to include mobile apps. So, if you are a Californian, any commercial website that collects your email address or any mobile app that collects your name is now subject to CalOPPA’s requirements.
Finally, the law applies to those who collect “personally identifiable information”. PII is defined broadly within the statute: it means any “individually identifiable information” collected from the user and maintained, including name, email address, or phone number. Obviously, this casts a wide net over online commerce, affecting even websites that simply collect the email addresses of potential customers.
CalOPPA’s extensive reach means that even those businesses with a limited online presence are now required to draft and post online privacy policies or face the threat of fines.
What disclosures are required under CalOPPA?
Next, the policy must be “conspicuously” posted online. This can mean placing it on the homepage or “first significant page” when entering the website or posting a “privacy” hyperlink to the policy on one of those pages. However, the statute should be consulted for specific details such as size and location of the policy.
In addition, the law was recently amended to require new disclosures regarding the handling of “do not track” signals (as discussed below).
Do Not Track (DNT) disclosures
In 2013, CalOPPA was amended to require disclosure regarding “do not track” (DNT) signals. DNT was created in response to websites that collect personal information about their visitors, usually for targeted advertising. Reacting to consumers’ privacy concerns, browser and software manufacturers began adding DNT signals to inform those collectors that a user wished not to be tracked, or to “opt out” of tracking. California now requires that operators post a policy stating what they do when they receive a DNT signal.
CalOPPA’s DNT disclosure has two requirements: (1) disclose how the operator responds to DNT or other similar signals, and (2) disclose whether third parties track the activities of the user. As an alternative to making this disclosure directly, the operator may instead place a “clear and conspicuous” link to a description of any program or protocol it follows regarding tracking.
Of course, like the original requirements of CalOPPA, the law only requires disclosure. There is no requirement that an online operator honor a visitor’s DNT request, only that it disclose its response to the signal (whether it will or won’t honor it).
Enforcement of CalOPPA
Alleged violators of CalOPPA will first receive a non-compliance letter. If the operator fails to post its policy within 30 days, it could face fines of up to $2,500 per violation (e.g. per download of an app).