Alert
January 10, 2014

Amendments to CalOPPA Enter Into Force Imposing New Requirements for Online Privacy Policies

Recent amendments to California’s Online Privacy Protection Act may have implications for all commercial online operators given the geographically limitless scope of the Internet. The amendments, effective Jan. 1, 2014, include disclosure requirements for online operators. Operators of commercial websites and mobile applications should review their practices and privacy policies to determine whether changes are necessary in light of the CalOPPA amendments.

Operators of commercial Web sites and mobile applications should review their privacy policies for compliance with a recent amendment to the California Online Privacy Protection Act (“CalOPPA”), which became effective on January 1, 2014. The amendment requires online operators to disclose (i) how they respond to “Do-Not-Track” settings on browsers, and (ii) whether they allow third-party tracking on their Web site or online service.

CalOPPA applies to any operator of a commercial Web site or online service that collects personally-identifiable information through the Internet about consumers who reside in California. Given the geographically limitless scope of the Internet CalOPPA may effectively apply to all commercial online operators. California Attorney General Kamala Harris has also publicly declared that CalOPPA applies to mobile applications that collect personally identifiable information from California consumers.

Prior to this recent amendment, CalOPPA had required that online operators of Web sites or online services conspicuously post a privacy policy that contained the following disclosures:

  • a description of types of personally identifiable information collected by the operator(including, for example: (1) a first and last name; (2) address; (3) email address; (4) telephone number; (5) social security number; (6) any identifier that enables one to contact a specific individual; and (7) information collected online that could be combined with other information to allow identification of a specific person) and identification of the categories of third parties that may have access to such information;
  • a description of the process used by the operator for an individual consumer to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service (provided that the operator maintains such a process);
  • a description of the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service; and
  • the identification of the Privacy Policy’s effective date

The amendment to CalOPPA requires two additional disclosures in online operators’ privacy policies. First, if an online operator collects personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, the operator must disclose how it responds to Web browser Do-Not-Track signals or other mechanisms that enable consumers to exercise choice regarding the collection of such information. An operator may disclose this information in its applicable privacy policy or may provide a hyperlink to a Web page that describes any program or protocol followed by the operator that offers consumers choice about online tracking.

Second, the amendment requires online operators to disclose whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service. This amendment would thus require disclosure of whether an online operator allows third-party behavioral tracking through an online operator’s Web site or online service or any other third-party data collection through its service.

Implications

Operators of commercial Web sites and mobile applications should review their practices and privacy policies to determine whether changes are necessary in light of the CalOPPA amendments.

As has been the case prior to the amendment, operators who fail to provide the requisite disclosures will be given a warning and thirty (30) days to comply before being deemed in violation of the law and subject to an enforcement action. The California Attorney General’s office has taken the position that violators of CalOPPA can be fined up to $2,500 per violation under California’s Unfair Competition Law.[1] Furthermore, noncompliance can also lead to negative publicity and can have a negative impact on business.

*  *  *

If you have any questions regarding this recent amendment or its implications on your business, please contact your primary Goodwin Procter attorney, who can direct you to the appropriate attorney at Goodwin Procter.



[1] Sections 17200 et seq. of the California Business and Professions Code.