On May 21, 2014, California Attorney General Kamala D. Harris issued recommendations regarding recent revisions to the California Online Privacy Protection Act (“CalOPPA”).1 CalOPPA requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy, and was recently amended to include new transparency provisions.2 While CalOPPA does not contain an enforcement provision, the Attorney General has made efforts to enforce the law under California’s Unfair Competition Law, which permits penalties of up to $2,500 per violation. Those doing business in California should consider reviewing their privacy policies and practices to make sure they comply with CalOPPA and related laws, and to ensure that such policies clearly and accurately reflect privacy practices.
In general, CalOPPA requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy. With respect to content, the policy must include: (1) the categories of personally identifiable information collected and the categories of third parties with whom such information may be shared; (2) a description of the process (if any) by which users or visitors may review and request changes to such information; (3) a description of the process by which the operator notifies customers of material changes to its privacy policy; and (4) the effective date of the policy. The recent amendments to CalOPPA, which took effect January 1, 2014, introduced two added obligations, requiring that an operator also disclose: (5) how it responds to “do not track” (“DNT”) signals or “other mechanisms” that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about their online activities over time and across third party sites or services, if the operator collects such information; and (6) whether third parties may collect personally identifiable information about online activities over time and across different sites when a consumer uses the operator’s site or service.3 The new provisions do not prohibit online tracking or mandate a particular DNT standard, but they do raise some questions about disclosure obligations, including what qualifies as a DNT signal or “other mechanism.”
On May 21, 2014, Attorney General Harris issued a publication titled Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy, which provides guidance on complying with CalOPPA.4 The Attorney General acknowledges that the recommendations are not binding and offer greater protection than is required under existing law. Among other things, the recommendations clarify that “other mechanisms” can be understood to refer to “any technology that, like a Do Not Track browser signal, provides consumers the ability to exercise choice about the collection of their personally identifiable information over time and across third-party web sites or online services.” The recommendations encourage operators to provide a description of online tracking practices and the possible presence of third party tracking. Operators are also encouraged to consider and disclose whether consumers who send DNT signals are treated differently. The recommendations favor a description of an operator’s DNT response over the use of a hyperlink to a description of “choice protocol” the operator follows, which the statute provides as an alternative.
The Attorney General also suggests several ways to improve transparency for consumers. These suggestions include making it easier for a consumer to learn about online tracking by clearly labeling that section of a privacy policy (e.g., “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures”). The suggestions also include improving readability, for instance, through the use of a layered or “nutrition label” format for privacy policies. The Attorney General has also previously recommended “surprise minimization” through enhanced measures and special notices intended to draw users’ attention to unexpected data practices, delivered in context and just-in-time.5
CalOPPA represents the first piece of legislation directly addressing the concept of do-not-track, but the White House, the FTC, and self-regulatory groups have all indicated increasing interest in this area. Additionally, out-of-state entities may be subject to CalOPPA’s requirements if they collect covered data from California residents. Attorney General Harris has made efforts to enforce the statute through California’s Unfair Competition Law, but it generally remains to be seen how the law may be interpreted by courts. As privacy enforcement appears likely to continue, businesses should carefully review the recommendations as well as their privacy policies and practices to ensure compliance and safeguard consumer data.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Del-Sesto-Ronald1 The Online Privacy Protection Act of 2003, Cal. Bus & Prof. Code § 22575 et. seq. (2004).
2 http://www.bingham.com/Alerts/2013/10/California-Governor-Jerry-Brown-Signs-Two-Bills.
3 In addition, effective January 1, 2015, the law will prohibit certain online marketing or advertising to minors (i.e., those under 18) and will generally require operators to honor requests by minors who are registered users to remove content posted by the minor.
5 http://www.bingham.com/Alerts/2013/01/CA-AG-Recos-Mobile-Ecosystem.
This article was originally published by Bingham McCutchen LLP.