Operators of commercial Web sites and mobile applications should review their privacy policies for compliance with a recent amendment to the California Online Privacy Protection Act (“CalOPPA”), which became effective on January 1, 2014. The amendment requires online operators to disclose (i) how they respond to “Do-Not-Track” settings on browsers, and (ii) whether they allow third-party tracking on their Web site or online service.
CalOPPA applies to any operator of a commercial Web site or online service that collects personally-identifiable information through the Internet about consumers who reside in California. Given the geographically limitless scope of the Internet CalOPPA may effectively apply to all commercial online operators. California Attorney General Kamala Harris has also publicly declared that CalOPPA applies to mobile applications that collect personally identifiable information from California consumers.
- a description of types of personally identifiable information collected by the operator(including, for example: (1) a first and last name; (2) address; (3) email address; (4) telephone number; (5) social security number; (6) any identifier that enables one to contact a specific individual; and (7) information collected online that could be combined with other information to allow identification of a specific person) and identification of the categories of third parties that may have access to such information;
- a description of the process used by the operator for an individual consumer to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service (provided that the operator maintains such a process);
Second, the amendment requires online operators to disclose whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service. This amendment would thus require disclosure of whether an online operator allows third-party behavioral tracking through an online operator’s Web site or online service or any other third-party data collection through its service.
Operators of commercial Web sites and mobile applications should review their practices and privacy policies to determine whether changes are necessary in light of the CalOPPA amendments.
As has been the case prior to the amendment, operators who fail to provide the requisite disclosures will be given a warning and thirty (30) days to comply before being deemed in violation of the law and subject to an enforcement action. The California Attorney General’s office has taken the position that violators of CalOPPA can be fined up to $2,500 per violation under California’s Unfair Competition Law. Furthermore, noncompliance can also lead to negative publicity and can have a negative impact on business.
* * *
If you have any questions regarding this recent amendment or its implications on your business, please contact your primary Goodwin Procter attorney, who can direct you to the appropriate attorney at Goodwin Procter.
 Sections 17200 et seq. of the California Business and Professions Code.