Online Privacy Laws Take Effect in California

Two amendments to the California Online Privacy Protection Act (“CalOPPA”) impose new disclosure requirements on the operators of commercial websites and online services—including mobile apps—that collect personal information from consumers.

See generally Cal. Bus. & Prof. Code § 22575 et seq.

Disclosure on How Company Handles Do-Not-Track Signals

Operators of commercial websites and services that collect personally identifiable information (“PII”) must disclose in their online privacy policies how they will respond to “Do-Not-Track” signals sent from consumers who reside in California. For purposes of this law, PII means information about individual consumers that is collected online by an operator, including:

1. A first and last name
2. A home or other physical address
3. An e-mail address
4. A telephone number
5. A social security number
6. Any other identifier that permits the physical or online contacting of a specific individual.

Cal. Bus. & Prof. Code § 22577. PII also includes other data collected in combination with the above-listed information.

An operator may satisfy these new requirements by providing a “clear and conspicuous hyperlink in the operator’s privacy policy” to an online location that contains: (a) a description of any program or protocol the operator follows concerning Do Not Track signals; and (b) its effects on consumers. In order to comply with the law, operators must disclose how specifically they respond to Do Not Track signals. Merely saying that they do or do not respond to DNT requests is not sufficient. Note, however, that the law does not require operators to respond to Do Not Track signals, only that they disclose how they will respond (or not).

These disclosure requirements are enforced by the State of California and through private actions (including class actions) under unfair business practices law. Failure to comply with the law may result in penalties up to $2,500 per violation. However, operators will not be in violation of the law if they post the required disclosures within thirty days of receiving a notice of noncompliance.

Disclosure of Whether Third Parties May Collect Personally Identifiable Information

Also effective as of January 1, 2014 is the requirement that operators must disclose whether third parties may collect PII about a consumer’s online activities “over time and across different websites when a consumer uses the operator’s web site or service.” Under current law, operators are required to identify the categories of third parties with whom consumers’ PII may be shared. Under the new law, this disclosure is expanded to require operators to disclose whether other parties collect PII directly from an operator’s website.

However, it does not seem that the amended law requires operators to disclose whether they allow third parties to place “tracking pixels” and other such technologies on their website in order to collect user data on a “no name” basis (e.g., for purposes of behavioral advertising).

These disclosure requirements are enforced by the State of California and through private actions (including class actions) under unfair business practices law. Failure to comply with the law may result in penalties up to $2,500 per violation. However, operators will not be in violation of the law if they post the required disclosures within thirty days of receiving a notice of noncompliance.