Client Alerts

Website Operators Should Review Their Privacy Policies to Ensure Compliance with New Guidelines Issued by the California Attorney General

By: Frances Floriano Goins

About: Cybersecurity & Privacy

California is increasing its requirements for companies to disclose their information-collection practices in privacy policies. Since 2003, the California Online Privacy Protection Act of 2003 (“CalOPPA”) has required operators of commercial websites and online services (e.g., a mobile application) that collect personally identifiable information from residents of California to conspicuously post their privacy policies and adequately describe their data collection and tracking policies. Because CalOPPA applies to all operators that collect personally identifiable information of California residents, the law is potentially applicable to all operators of commercial websites and online services. Effective January 1, 2014, CalOPPA was amended (AB 370) to add disclosure requirements regarding data collection, the handling of “Do Not Track” signals, and the existence of online tracking by third parties.

The California Attorney General recently reinforced the expectations that companies must have compliant privacy policies by issuing the guide Making Your Privacy Practices Public (the “Guidance”), which describes CalOPPA’s requirements and provides practical advice about how companies should disclose data-collection practices in a privacy policy. Companies should review their privacy policy to assess whether they comply with CalOPPA as explained by the new Guidance.

CalOPPA – Requirements Prior to 2014 Amendment

CalOPPA does not prevent an operator from tracking or collecting data from visitors to a website or online service, but it requires operators to make specified disclosures of their data collection and tracking policies in a clear, conspicuous manner that is easily understandable by consumers. A policy should disclose the following:

Additional Requirements Added to CalOPPA under AB 370, effective January 1, 2014

Beyond the existing requirements under the 2003 version of CalOPPA, the 2014 amendment adds two requirements to the privacy policy disclosures: the operator must disclose (1) how it responds to “Do Not Track” browser signals or other mechanisms that give a consumer the ability to indicate the consumer does not want his or her personally identifiable information collected and tracked; and (2) whether any additional parties conduct online tracking on the operator’s website or online service.

The major browser software vendors have introduced browsers that allow users to instruct websites accessed via the browser not to track the user’s activities. This is referred to as a “Do Not Track” signal. However, there is no legal requirement stating how operators of websites or online services must respond to this “Do Not Track” signal, and such signals are commonly ignored.

If an operator engages in the collection of personally identifiable information, the amendment to CalOPPA requires the operator’s privacy policy to disclose how the operator responds to a browser’s “Do Not Track” signal (or other similar technology). The amendment also requires an operator to disclose the presence of other parties that, on the operator’s website or online service, conduct online tracking of consumers over time and across different websites.

AG’s Guidance on Privacy Practices

The Guidance provides additional suggestions about the form and content of privacy policies. A privacy policy should (i) be conspicuously available on a website; (ii) describe the security safeguards that protect personally identifiable information; (iii) comply with other laws, such as the federal Children’s Online Privacy Protection Act; (iv) explain how and under what circumstances the website operator shares personally identifiable information with other parties; and (v) describe whether the operator collects information directly or indirectly through third parties or using technology, such as cookies. The Guidance also includes other advice about how companies may improve their disclosure practices in privacy policies, such as by writing them using clear, non-legal language.


A company will be in violation of CalOPPA only if it has failed to post a privacy policy within 30 days of being notified that it is not in compliance with the law. The California Attorney General can impose fines of up to $2,500 per violation and has already pursued legal actions against businesses that operate websites and mobile apps for noncompliance under CalOPPA.

For more information, please contact Frances Floriano Goins at Ulmer & Berne LLP.