The California Attorney General recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and Do Not Track disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.
California Online Privacy Protection Act’s New Requirements Regarding Data Collection and Do Not Track Disclosures
The California Attorney General’s CalOPPA Recommendations for Compliance
On May 21, 2014, the Privacy Enforcement and Protection Unit (the “Privacy Unit”) of the California Attorney General’s Office issued “Making Your Privacy Practices Public,” which provides detailed, specific guidance regarding how operators of websites and online services should implement the requirements of CalOPPA as amended. These recommendations, which are summarized below, cover not only the disclosures required in operators’ privacy policies, but also the style and format of the policies.
Guidance on New Disclosure Requirements
Guidance on Pre-2014 CalOPPA Disclosure Requirements
Security safeguards: The AG recommends that privacy policies describe the security measures used to safeguard personal information in the operator’s care and the measures used to control information security practices of third parties with whom the operator shares consumers’ personal information.
The Attorney General’s Office has indicated that it will actively enforce operators’ compliance with the Attorney General’s CalOPPA recommendations. In an interview given to The New York Times, a member of the Privacy Unit stated that the Attorney General’s Office “would review companies’ privacy policies and work with them to make sure they followed the new law. Those who don’t comply will receive 30-day warnings before facing potential litigation from the state.” [3]
“Operator” means any person or entity that owns a website or online service operated for commercial purposes that collects and maintains personally identifiable information from a California resident who uses or visits the website or online service. “Operator” does not mean third parties who operate, host or manage, but do not own, a website or online service. Cal. Bus. & Prof. Code § 22577(c).
“Personally identifiable information” means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form” and expressly includes (1) first and last names; (2) home or other physical addresses; (3) e-mail addresses; (4) telephone numbers; (5) social security numbers; (6) any other identifier allowing consumers to be contacted online or physically; and (7) information concerning a consumer that the operator maintains along with any of the foregoing six types of information. Cal. Bus. & Prof. Code § 22577(a).
[3] Vindu Goel, California Urges Websites to Disclose Online Tracking, N.Y. Times, May 21, 2014.