California Governor Jerry Brown Signs Bill Amending California Online Privacy Protection Act

September 25, 2013

On September 23, 2013, California Governor Jerry Brown signed a bill that adds a chapter on “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”).1 The new measure will prohibit certain online marketing or advertising to minors (defined as anyone under age 18), and will require operators of websites, mobile apps, and other online services to honor requests by minors who are registered users to remove content posted by the minor. This development, as well as recent statements from the FTC and other enforcement agencies, confirms once again that child privacy is a key area of concern and a potential target for enforcement.

CalOPPA requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy. This law is designed to apply to out-of-state entities, so long as they are collecting covered data from California residents. CalOPPA does not contain an enforcement provision, but the state Attorney General has made efforts to enforce CalOPPA through California’s Unfair Competition Law, which permits penalties of up to $2,500 per violation.

While CalOPPA has seen little activity since it went into effect in 2004, that has changed recently with several actions by California Attorney General Kamala D. Harris. These actions include the creation of a Privacy Enforcement and Protection Unit within the state Department of Justice,2 and notifications to mobile application companies regarding potential noncompliance with CalOPPA.3 Earlier this year, the Attorney General brought suit against Delta Airlines, alleging that Delta violated CalOPPA and the state’s Unfair Competition Law by failing to “conspicuously post a privacy policy in its Fly Delta app” and failing to comply with its own privacy policy. The suit was dismissed on preemption grounds, so it generally remains to be seen how enforcement may proceed and how the act will be interpreted by courts.4

The new provisions signed into law this week by Governor Brown, which will take effect January 1, 2015, prohibit online marketing or advertising of certain products to minors, including alcoholic beverages and firearms. This restriction will also apply to an advertising service notified by an operator that the site, service, or application is directed to minors (in which case the notifying operator “shall be deemed in compliance” with this provision). The new law will also prohibit an operator from marketing or advertising such products when the operator has “actual knowledge” that a minor is using the site, if the marketing or advertising is “specifically directed to that minor” based on information such as the minor’s profile, activity, address, or specific location. Operators will be required to provide minors who are registered users with notice and instructions explaining their right to remove content they posted to the site, and to honor requests for removal. This requirement does not appear to apply where a requesting minor is not a registered user of the site. The new law also enumerates several circumstances in which an operator will not be required to erase or eliminate information, including when the information is anonymized or was posted to the site by a third party.

In addition to state laws such as CalOPPA, the federal Children’s Online Privacy Protection Act (“COPPA”) imposes other requirements for operators of commercial websites and online services, including mobile apps. Among other things, entities covered by COPPA must generally provide direct notice to parents and obtain verifiable parental consent before collecting personal information from children, as well as provide parents access to their child’s personal information and the right to request deletion of personal information.

Some of the concepts addressed in the amendments to CalOPPA – including whether a site is directed to children and whether an operator has “actual knowledge” that a user is a minor – are similar to concepts addressed by the Federal Trade Commission in its FAQs regarding COPPA.5 However, it is important to carefully review both laws and the aforementioned FAQs, as the two laws apply these concepts in different ways.

Businesses should also carefully review their privacy policies and practices — as well as those of third parties such as ad networks and plug-ins — to ensure compliance with CalOPPA, COPPA and other applicable privacy laws.

1 The Online Privacy Protection Act of 2003, Cal. Bus & Prof. Code § 22575 et. seq. (2004).






This article was originally published by Bingham McCutchen LLP.