The California Online Privacy Protection Act applies to any commercial website, online service or mobile application that collects personally identifiable information from individual consumers residing in California. The Act requires that privacy policies be conspicuously posted, or in the case of an operator of an online service, be made available via a reasonably accessible means.
California has long shaped privacy and data security standards. As such, marketers are well advised to consider related consumer-facing privacy policy requirements, including:
- Identification of the categories of personally identifiable information collected about individual consumers and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;
- Disclosing whether a process is maintained for individual consumers to review and request changes to any of their personally identifiable information that is collected and, if so, providing a description of that process;
- A description of the process by which consumers are notified of material changes to the privacy policy;
- Disclosing how the operator responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about consumers’ online activities over time and across third-party websites or online services (if the operator engages in that collection);
- Disclosing whether third parties on the operator’s website, online service or app (e.g., third-party ad networks or analytics providers) collect personally identifiable information about consumers’ online activity over time and across different sites;
- Disclosing whether third parties collect personally identifiable information on the website or app; and
- Disclosing whether other parties may collect personally identifiable information about consumers’ online activities over time and across different websites.
Note that the Act provides for an alternative method for satisfying the “do not track” disclosure requirement. It states that an operator may satisfy it by providing a clear and conspicuous hyperlink in its privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers consumers that choice.
Personally identifiable information means, without limitation, individually identifiable information about an individual consumer collected online by the operator and maintained in an accessible form (e.g., first and last name, address, email address, telephone number, social security number and any other identifier that permits the physical or online contacting of a specific individual).
The Act also specifies that the term “conspicuously post,” with respect to a privacy policy, shall include posting the privacy policy through any of the following:
- A page on which the actual privacy policy is posted if the page is the homepage or first significant page after entering the website;
- An icon that hyperlinks to a page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the page or is otherwise distinguishable;
- A text link that hyperlinks to a page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the website, and if the text link does one of the following:
  - includes the word “privacy;”
  - is written in capital letters equal to or greater in size than the surrounding text;
  - is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language;
- Any other functional hyperlink that is so displayed that a reasonable person would notice it; or
- In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.
An operator of a commercial website or online service that collects personally identifiable information from individual consumers who reside in California is in violation of the Act if it knowingly and willfully, or negligently and materially, fails to comply.
In addition to the foregoing, website operators must also consider the recently issued FTC Staff Report regarding best practices for cross-device tracking.
The Act is enforceable by the California Attorney General pursuant to the state’s unfair competition law.
Advertising agreements routinely require that networks assume legal liability for ensuring that the privacy and data use practices of their third-party publishers comply with applicable laws and regulations, including the Act.
Consult with an FTC compliance and defense law firm to discuss issues relating to privacy and data protection.
Follow Richard B. Newman on Twitter @ FTC Defense Lawyer.
HINCH NEWMAN LLP. ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result.