Your Privacy Policy Needs Updating: The California Online Privacy Protection Act and Its Implications for Your Business

If your company’s website or app does not include certain disclosures about users’ privacy and how their information is used, you may be in violation of the law. The California Online Privacy Protection Act (“CalOPPA”), Cal. Bus. & Prof. Code §§ 22575-22579, requires that any business collecting personally identifiable information (“PII”) from a consumer residing in California (for example, name, address, email address, phone number or social security number) make certain disclosures in a conspicuously posted privacy policy. The policy must also state whether third parties may collect PII about users through the site or app.

California has long been on the leading edge of online privacy practices. CalOPPA, which went into effect in 2004, was the first law in the United States to require commercial websites to post a privacy policy at all. And thanks to a 2013 amendment to CalOPPA, California is the only state that requires websites to disclose how they respond to Do Not Track signals, the browser setting by which visitors indicate they do not wish to be tracked across sites. California also has a unique law called the “Shine the Light” law, Cal. Civil Code §§ 1798.83-1798.84, which requires companies, upon request from an individual, to disclose details of the third parties with whom they have shared that individual’s personal information for direct marketing purposes. The “Shine the Light” law is attractive to plaintiffs’ attorneys because it provides for statutory penalties of $500-$3,000 per violation. Although the Ninth Circuit threw out three related class actions[1] because the plaintiffs had failed to allege that they had submitted requests for the disclosure information, companies should not become complacent. Indeed, “Shine the Light” has encouraged businesses to keep thorough records of their data-sharing practices in case they do receive such a request. Now, California has again stepped to the forefront of privacy protection.

On October 14, 2016, California Attorney General Kamala Harris launched a process by which consumers themselves can report websites or apps that are not compliant with CalOPPA. The Attorney General hopes the new system will improve the ability of the California Department of Justice to enforce the provisions of CalOPPA. To make a report, consumers need only visit the Attorney General’s reporting page and fill out a simple online form identifying the specific website or app and the violation they encountered. The reportable violations are: (1) a missing privacy policy; (2) a privacy policy that is too difficult to locate; (3) an incomplete privacy policy; (4) a failure to provide notice of a material change to a privacy policy; and (5) a company not abiding by the representations it made in its privacy policy. The online form asks a few simple questions about the alleged violation, and a consumer does not have to volunteer his or her own personal information. It takes just a few moments to fill out; a screenshot of the process appears at the end of this article. The initiative is effective immediately.

Major app platform operators such as Apple, Google Play, Facebook and Amazon have already taken steps to ensure compliance with the law. In 2012, they voluntarily agreed to a set of principles articulated by Harris intended to improve privacy protections for consumers who use apps and websites. These safeguards include giving consumers an opportunity to read an app’s privacy policy before, rather than after, downloading the app, and standardizing the location on the app’s download screen where a consumer can find that privacy policy. The agreement also committed apps and websites to disclosing to consumers how they use certain information. The new reporting process builds on the 2012 agreement by enlisting consumers themselves in identifying noncompliance.

What does this mean for website operators and app developers? It is more important than ever to be certain that your website or app complies with all relevant state and federal laws. Note that even if your business or website is not based in California, it is subject to CalOPPA and the “Shine the Light” law if any of your consumers or users reside in California. In practice, that covers nearly every website and app. These disclosure requirements are of particular concern for health and fitness apps, which collect sensitive data about users’ health, including weight, blood pressure and other measures of wellness. A Future of Privacy Forum study cited in the California Attorney General’s press release notes that these types of mobile apps are less likely to have privacy policies than other types of apps.

A business that violates CalOPPA is first sent a notice of noncompliance and has thirty days to bring its website or app into compliance. Although there is no private right of action under CalOPPA, the California Attorney General has enforcement powers. A violation of CalOPPA carries a penalty of up to $2,500 per violation, which, given the number of users any given website or app may have, can certainly add up. In 2012, the California Attorney General sued Delta Air Lines for failing to include a privacy policy with its mobile app, though that suit was eventually dismissed on federal preemption grounds. Now, with California’s new online reporting system, coupled with a recent partnership with Carnegie Mellon University to identify mobile applications that violate CalOPPA, such scrutiny is likely to continue. A compliance program that documents an appropriate, accurate privacy policy is essential. A company’s privacy policy cannot be a mere afterthought or footnote, and a cookie-cutter policy copied from another site will not do, because it must describe what your site or app actually collects and shares, and the consequences of a mismatch can be steep. And with the public enlisted as reporters, it is “all hands on deck” for enforcement. Times have changed, and new online privacy laws are “shining the light” on your business.

For more information, contact Nick Merker, Stephen Reynolds, Martha O'Connor, or another member of our Data Security and Privacy practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] Miller v. Hearst Communications, Inc., 554 Fed. Appx. 657 (9th Cir. 2014); King v. Conde Nast Publications, 554 Fed. Appx. 545 (9th Cir. 2014); and Baxter v. Rodale, Inc., 555 Fed. Appx. 728 (9th Cir. 2014).
