As online businesses and technologies evolve, so do the laws affecting them. On January 1, 2014, a new law amending the California Online Privacy Protection Act ("CalOPPA") went into effect.1 See CAL. BUS. & PROF. CODE §§ 22575-22579 (eff. Jan. 1, 2014). In addition to expanding the scope of data security laws, the new CalOPPA imposes stringent legal requirements that could affect California and non-California operators of websites and online services. The California Attorney General has taken the position that "online services" broadly includes mobile apps, gaming platforms, cloud services and VoIP.
The failure of an operator of a website or online service to comply with CalOPPA requirements are potentially severe. If an operator does not comply with the law within 30 days after receiving notice of its non-compliance, then it might face fines up to $2,500 per violation under California's Unfair Competition Law.2 Moreover, the California Attorney General has demonstrated a commitment to aggressively pursue enforcement.3 For example, the California Attorney General has argued that each mobile app download constitutes a violation that can result in a separate fine.4 Given that many mobile apps are free or less than $1.00, the effect of this penalty could be devastating to a business.
As a result of the evolving legal landscape in the areas of privacy and data tracking, it is increasingly important to both audit and update privacy policies and practices. And while CalOPPA is limited to California residents, the ubiquitous nature of the Internet and wide availability of most mobile app downloads suggest that companies should closely consider compliance with these new requirements.
1 The amendment was made by California Assembly Bill 370 (AB 370).
2 See CAL. BUS. & PROF. CODE § 17206(a) (providing that "[a]ny person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation . . ."), and CAL. BUS. & PROF. CODE § 22575(a) ("An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.").
3 In late 2012, and continuing through 2013, the California Attorney General embarked on a campaign to enforce the prior version of CalOPPA against mobile app providers, which included lawsuits against several companies who allegedly failed to comply with the statute.
4 In its suit against Delta Air Lines, Inc. for alleged non-compliance with CalOPPA, the California Attorney General argued that a violation of CalOPPA constituted unfair competition under California Business and Professions Code section 17200 et seq., which authorizes a statutory damages award of $2,500 per violation in certain instances. See Complaint at 8, People v. Delta Air Lines, Inc., No. CGC-12-526741 (Cal. Super. Ct. Dec. 6, 2012), available here (last visited Jan. 21, 2014) (alleging "[t]hat under California Business and Professions Code section 17206, Delta [should] be ordered to pay Two Thousand Five Hundred Dollars ($2,500) for each violation of California Business and Professions Code section 17200 by Delta, as proved at trial"); see also CAL. BUS. & PROF. CODE § 17206(a). The lawsuit was later dismissed after Delta raised various arguments, including that the lawsuit was preempted by the federal Airline Deregulation Act. See J. Vijayan, First California Lawsuit Over Mobile Privacy Crashes, Computer World, May 14, 2013, available here (last visited Jan. 21, 2014) ("While the dismissal of the lawsuit is a setback for [California Attorney General Kamala] Harris, few expect that it will slow down the state’s plan to go after alleged violators of online privacy laws.").