Despite monumental breaches of the most private user data and the epidemic of identity theft in the United States, few if any perpetrators have faced legal consequences of such a breach. It is because, on the federal level, there is no overriding law that protects user data and provides for a mandated warning of what is being collected by a website from the user visiting it. Due to such lax or inexistent legal framework, individual states are forced to create their own policies on how to handle collected user data on various websites. Complying with this complex web of state regulations has become one of the top legal issues faced by internet-based companies.
In response to the lax Federal regulations, California enacted one of the strictest and a landmark privacy protection acts in 2004 called California Online Privacy Protection Act or CalOPPA. Although the law was enacted in 2004, it wasn’t until 2012; during the reign of then attorney general (now US Senator) Kamala Harris that California started enforcing CalOPPAin earnest. Ms. Harris sent non-compliance letters to about 100 companies with mobile apps that collected consumer data without comprehensively informing them of such actions and ended up suing Delta Airlines, Inc. in the state court for non-compliance.
When the Children's Online Privacy Protection Act became effective on July 1, 2013, it also warned online businesses that the State of California was serious about compliance with CalOPPA and its provisions and will rigorously enforce it in the future.
How is The CalOPPA Applied?
Under California Business and Professional Code, Sections 22575(a) and 22577(b)(5), CalOPPA applies to any business with a website or an online service (including apps, FB apps, and SaaS) that collects personal information from users that reside in the State of California to inform the users of their rights via an accessible privacy policy. The website need not be located in the State of California to be liable if they collect such information from a resident of the State of California. According to the Act the site should:
· Provide a clear link to the site's Privacy policy
· Display in an obvious spot with the word "Policy" included in the link verbiage
· The link must contrast enough to make it easily visible using font, color, size and design methods to do so.
· Create a policy in simple language to facilitate ease of readability
Your Website's Privacy Policy Should Include:
These are the things that CalOPPArequires you must disclose in your privacy policy statement:
1. The information you collect from your users:
A website may be collecting either personally identifiable information (PII) about its users or non-personally identifiable information about its users.
· Personally Identifiable Information may include Full names, Birthdates/places, Email addresses, Billing and shipping addresses, Phone and mobile numbers, Social security numbers, Biometric data (for fingerprint/facial recognition software), Vehicle information (like driver’s license numbers or plate numbers), Education history, Healthcare information, Professional Licenses and certifications, Government identification, Family history or genetic information, Mother’s maiden name or next of kin, Bank, credit or other financial account information, Criminal history, Web cookies, Social platform accounts, and Chat threads and online content, etc.
· Non-personally Identifiable Information may include IP addresses, Passwords, Browser activity, Product descriptions viewed, Forms submitted, Videos watched, Security answers, Shopping cart data, User preferences, and Location data, etc.
In essence, a company must positively of the categories of information that their site is collecting, the source from which that information is being garnered, the commercial purpose served by the information being collected, and the specific pieces of information being collected and stored in its privacy policy statement.
In addition to this, the users may need to be informed of security safeguards and other efforts made by the company to protect user data and to ensure no personal data gets breached.
2. Which Third-Parties Are You Sharing That Information With?
No matter what the purpose of sharing your data with a third party is, you must notify your user that you are doing it. The reason for data sharing could be as scandalous as selling user data to data brokers or as useful or necessary as analytical, transaction processing, advertising or even security. Each exchange of data with a third party should be disclosed to the end user in your privacy policy statement.
It might also be useful to provide your users with an option to opt-out of data sharing arrangement you have for targeted or re-targeted advertisement with a trade partner.
3. Giving Users the Ability to Review and Change Their Personal Information:
It is also important to describe in your privacy policy statement, the options users have in their ability to review, change or even delete collected information. It is essential to explain in detail the processes you have in place to allow the users to access their data to review, amend or delete and what sort of information and/or credentials they’ll need to effect that change. Also, if it is not possible for users to be able to access, change or delete their data online and there are other processes such as an email or written request to make such a change, you must include the pertinent details and the process to follow to be able to make such changes.
As mentioned above if your business does not allow users to change their data online, but provides other methods to access their data, you must detail such steps in your privacy policy statement.
4. Information about Acknowledging “Do Not Track” Settings:
In 2013, the CalOPPA was amended to add “Do Not Track” requirements to the act. Per the added requirements websites are required to positively inform the users if their website is equipped to acknowledge a "Do Not Track" (DNT) request from the browser and act accordingly by not gathering non-personally identifiable information such as IP addresses, Passwords, Browser activity, Product descriptions viewed, Forms submitted, Videos watched, Security answers, Shopping cart data, User preferences, and Location data, etc. A DNT header is often added to the HTTP header of your web browser’s header field that asks a web application of a website to turn off its user tracking or cross-site user tracking for a particular visitor. It must be noted that while the new DNT requirements in CalOPPArequire the websites to inform its user if its website has the capability to respond to a DNT request it does not define how or if the website is required to respond to such a request.
5. Notifying Users of Effective Date and Updates to Your Privacy Policy:
It is essential that you state in your privacy policy when such a policy went into effect and inform the user of the mechanism you use to notify them of any updates to the privacy policy in the future. Every time the policy is updated you are required to amend the effective date.
In conclusion, in an effort to safeguard user data and explicitly define how the data they are asked for or tracked with is being used, exchanged and safeguarded, a privacy policy holds a detailed notification of how your company and your website intended to be a responsible business with the user's best interest at heart.