Even if you don’t live, work, own a business, or host a website in California, you may be breaking CalOPPA, a California law intended to protect the online privacy of the state’s residents.
This act was amended in 2013 to require operators to disclose how their website responds to “Do Not Track” signals sent from the user’s web browser, and the law now applies to all commercial websites and online services, including mobile apps.
This affects you
If your website or mobile app can be accessed by California residents, and it collects any of the following information, then this law affects you:
- First and last name
- Home or other physical address (street name and name of city or town)
- Email address
- Telephone number
- Social Security number
- Any other identifier that permits physically or electronically contacting a specific individual
You are probably in violation
If you answer “no” to any of these questions about your privacy policy, then you are probably breaking the law. Does the policy:
- Describe all of the personally identifiable information your website/mobile app collects?
- Describe how a consumer can access and request changes to their information, if available?
- Contain its effective date?
- Disclose all third party data collection tools and policies in use?
- Explain how your website responds to browser Do Not Track (DNT) signals?
Don’t start panicking yet, though. Operators are only in violation if they fail to comply within 30 days of receiving notice of non-compliance.
Non-compliance could cost you
Penalties for violation are currently categorized under the California Unfair Competition Law, which allows for a penalty of up to $2,500 per violation.
Maybe you are thinking to yourself, “That doesn’t sound like very much.” Keep in mind that each copy of the “unlawful” mobile app downloaded by a California consumer is considered a separate violation. How violations are counted for website usage is more of a gray area, but every individual about whom your website has collected data could be considered a separate violation.
Here’s how to fix it
- Consult a lawyer with experience in internet privacy concerns
- Include a section about DNT signals, and make it easy to find (like with the heading “Online Tracking”)
- Disclose whether third parties may be collecting personal information, and how to find their policies (provide a link whenever possible)
- Explain how you use personal information (beyond what is necessary to complete straightforward customer transactions)
- Explain what options users have for changing the personal information you have collected or controlling how it is used
- Provide a contact phone number or email address in case users have questions or concerns
Do this now
- Learn about that “Do Not Track” thing: http://donottrack.us/
- Read the official client guidance alert related to this bill: https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf
- See the letter you might get from the California Attorney General: http://oag.ca.gov/system/files/attachments/press_releases/CalOPPA%20Letter_0.pdf