Despite monumental breaches of the most private user data and the epidemic of identity theft in the United States, few if any perpetrators have faced legal consequences for such a breach. This is because, at the federal level, there is no overriding law that protects user data and mandates a warning of what a website collects from the users visiting it. Given this lax or nonexistent legal framework, individual states are forced to create their own policies on how collected user data on websites must be handled. Complying with this complex web of state regulations has become one of the top legal issues faced by internet-based companies.
In response to the lax federal regulations, California enacted one of the strictest and most significant privacy protection acts in 2004, the California Online Privacy Protection Act, or CalOPPA. Although the law was enacted in 2004, it wasn't until 2012, during the tenure of then attorney general (now US Senator) Kamala Harris, that California started enforcing CalOPPA in earnest. Ms. Harris sent non-compliance letters to about 100 companies with mobile apps that collected consumer data without comprehensively informing users of such collection, and ended up suing Delta Airlines, Inc. in state court for non-compliance.
When the Children's Online Privacy Protection Act became effective on July 1, 2013, it also put online businesses on notice that the State of California was serious about compliance with CalOPPA and its provisions and would rigorously enforce it in the future.
How is The CalOPPA Applied?
· Display in an obvious spot with the word "Policy" included in the link verbiage
· The link must contrast enough to make it easily visible using font, color, size and design methods to do so.
· Create a policy in simple language to facilitate ease of readability
1. The information you collect from your users:
A website may be collecting either personally identifiable information (PII) about its users or non-personally identifiable information about its users.
· Personally Identifiable Information may include Full names, Birthdates/places, Email addresses, Billing and shipping addresses, Phone and mobile numbers, Social security numbers, Biometric data (for fingerprint/facial recognition software), Vehicle information (like driver’s license numbers or plate numbers), Education history, Healthcare information, Professional Licenses and certifications, Government identification, Family history or genetic information, Mother’s maiden name or next of kin, Bank, credit or other financial account information, Criminal history, Web cookies, Social platform accounts, and Chat threads and online content, etc.
· Non-personally Identifiable Information may include IP addresses, Passwords, Browser activity, Product descriptions viewed, Forms submitted, Videos watched, Security answers, Shopping cart data, User preferences, and Location data, etc.
In addition to this, the users may need to be informed of security safeguards and other efforts made by the company to protect user data and to ensure no personal data gets breached.
2. Which Third-Parties Are You Sharing That Information With?
It might also be useful to provide your users with an option to opt-out of data sharing arrangement you have for targeted or re-targeted advertisement with a trade partner.
3. Giving Users the Ability to Review and Change Their Personal Information:
4. Information about Acknowledging “Do Not Track” Settings:
In 2013, CalOPPA was amended to add "Do Not Track" requirements to the act. Under the added requirements, websites must affirmatively inform users whether the website is equipped to acknowledge a "Do Not Track" (DNT) request from the browser and act accordingly by not gathering non-personally identifiable information such as IP addresses, Passwords, Browser activity, Product descriptions viewed, Forms submitted, Videos watched, Security answers, Shopping cart data, User preferences, and Location data, etc. A DNT header is a field the web browser adds to its HTTP requests that asks the website's web application to turn off user tracking or cross-site user tracking for that particular visitor. It must be noted that while the DNT requirements in CalOPPA require a website to inform its users whether it has the capability to respond to a DNT request, they do not define how, or whether, the website is required to respond to such a request.
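As an added illustration of what "acting accordingly" on a DNT request can look like server-side (example code written for this page, not part of the original article or any cited law or product): the handler below reads the browser's `DNT` request header, withholds tracking cookies and masks the client IP in its access log when the header value is `1`, and reports its decision back in the `Tk` response header defined by the W3C Tracking Preference Expression specification. Request headers are assumed to arrive as a plain dictionary, and every cookie name, IP address and path used here is constructed for the example.

```python
"""Honour a browser's "Do Not Track" (DNT) request on the server side.

Added example, not code from the original article. It assumes request
headers arrive as a plain dict and that the application wants to set the
cookies passed in; all names and values are constructed for the example.
The 'Tk' response header is the tracking-status header of the W3C Tracking
Preference Expression specification ('N' = not tracking, 'T' = tracking).
"""
from typing import Dict, List, Tuple

# Cookies that exist only to profile the visitor (constructed names).
TRACKING_COOKIES = {"_ad_id", "_cross_site_uid"}


def dnt_requested(headers: Dict[str, str]) -> bool:
    """True only when the client sent 'DNT: 1'.

    Header names are matched case-insensitively. 'DNT: 0' means the user
    consents to tracking and an absent header expresses no preference, so
    both fall through to False.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def build_response(headers: Dict[str, str],
                   cookies: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (response_headers, set_cookie_lines) for one request.

    When DNT is requested, tracking cookies are dropped from the response
    and 'Tk: N' tells the client it is not being tracked; otherwise every
    cookie is set and 'Tk: T' is sent.
    """
    tracking = not dnt_requested(headers)
    set_cookie: List[str] = []
    for name, value in cookies.items():
        if name in TRACKING_COOKIES and not tracking:
            continue  # honour the opt-out: never emit a tracking cookie
        set_cookie.append(f"{name}={value}; Secure; HttpOnly; SameSite=Lax")
    return {"Tk": "T" if tracking else "N"}, set_cookie


def access_log_line(headers: Dict[str, str], client_ip: str, path: str) -> str:
    """Produce an access-log line, masking the client IP when DNT=1.

    The article lists IP addresses among the non-PII a DNT-honouring site
    stops gathering, so the address is replaced by '-' in that case.
    """
    opted_out = dnt_requested(headers)
    ip = "-" if opted_out else client_ip
    return f"{ip} {path} dnt={'1' if opted_out else '-'}"


if __name__ == "__main__":
    # Constructed request: browser sent DNT: 1, app wants two cookies.
    req = {"Host": "example.test", "DNT": "1"}
    wanted = {"session": "abc123", "_ad_id": "visitor-42"}
    print(build_response(req, wanted))
    print(access_log_line(req, "203.0.113.7", "/index.html"))
```

The decision is made once per request in `dnt_requested` and reused by both the cookie filter and the logger, so a site can state in its privacy policy exactly which data flows change when the header is present.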