California Online Privacy Protection Act (CalOPPA)
Who does CalOPPA apply to?
CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to Internet service providers or similar entities that transmit or store personally identifiable information for a third party.
In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of app providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded.
What is “personally identifiable information”?
As legally defined, “personally identifiable information” refers to details collected on the Internet about an individual consumer, including an individual’s first and last name, a physical street address, an email address, a telephone number, a Social Security number, or any other information that permits a specific individual to be contacted physically or online. The term extends to details such as a person’s birthday, height, weight or hair color that are collected online and stored by an operator in personally identifiable form.
What is required under CalOPPA?
- A list of the categories of personally identifiable information the operator collects;
- A list of the categories of third parties with whom the operator may share such personally identifiable information;
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
AB 370 Requires New Privacy Disclosures
AB 370 was in part driven by the advent of “Do Not Track” computer coding, which can signal websites when visitors indicate they prefer not to be monitored. AB 370 is intended to bring greater transparency and consumer scrutiny to website practices, but it does not limit tracking.
Under AB 370, privacy policies for websites or online services used by California residents (including mobile apps for smartphones and tablets) are required to:
- Disclose how a business’s website or online service responds to Do Not Track signals from Web browsers.
- Disclose whether third parties may collect visitors’ personally identifiable information on a business’s website or online service.
What are the consequences of noncompliance?
CalOPPA does not contain enforcement provisions. It is expected, however, that CalOPPA will be enforced through California’s Unfair Competition Law (UCL), which is located at Business and Professions Code §§ 17200-17209. Under the UCL, the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which are considered to be any act involving business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL.