California’s website privacy law gets unusual enforcement tool
In a very unusual action and an effort to increase enforcement of privacy laws, the California Attorney General released an online form that California residents can use to notify the Attorney General’s Office of website and mobile app owners who are violating the California Online Privacy Protection Act (CalOPPA). This appears to be the first online instrument used to police the Internet for privacy violations.
A website or mobile app operator anywhere in the world that collects personal information such as an email address, name, phone number, physical address and other information about California residents is required to comply with the CalOPPA. Violating this law can subject website and mobile app owners to a civil fine of $2,500 per incident. For mobile app owners this fine could get extremely costly, as they can be fined for each copy of their mobile app that does not comply with the CalOPPA that is downloaded by California residents.
A website or mobile app owner (online operator) will be in violation of CalOPPA if they fail to post a privacy policy or if their current policy does not contain provisions and disclosures that meet the CalOPPA requirements.
California’s reporting form creates an army of public compliance agents
A privacy law that was rarely enforced in the past now has a public army to help spot and report violations. So in minutes, a California resident can anonymously file a complaint with the California Attorney General’s Office against a company’s website or mobile app using the new online form at https://oag.ca.gov/privacy/caloppa/complaint-form.
The online report form lets people report the following types of violations:
• There is no privacy policy. This violation is pretty obvious; a user can report a mobile app or website owner if they have no visible privacy policy.
• The privacy policy is hard to locate on the website or in the mobile app. Reporting this violation can be very challenging and subjective (especially for users or consumers), as the law does not provide a definitive description of exactly what qualifies as being conspicuous. It uses the term conspicuous when describing how to post a privacy policy; however, the term conspicuous is open to interpretation, as past case law demonstrates. See this post: https://goo.gl/FnY6uv. Based on past case law, and the guidelines that are suggested by regulatory agencies (including in California), the vast majority of websites are violating this legal requirement.
• The website or mobile app owner does not follow their own privacy policy. Users can report online operators who violate the promises they make in their current privacy policy. An example would be promising not to share a user’s personal information for direct marketing purposes and then proceeding to share that information with direct marketers.
• The privacy policy does not notify users of significant (material) changes to their policy. Users can report website and mobile app owners if they make significant changes to their privacy policy affecting the way they treat users’ personal information, or changes to other information required by CalOPPA without properly notifying users about the changes.
• The privacy policy does not contain all the information required by CalOPPA. Here a website or mobile app owner can be reported if their privacy policy does not contain the privacy requirements under CalOPPA. (See the CalOPPA list below.)
Here is a shortened version of the CalOPPA requirements for website and mobile app owners:
An online operator that collects personal information about California residents through the Internet will conspicuously post a privacy policy in their mobile app and on their website.
The website or mobile app privacy policy will do all of the following:
* Identify the date the privacy policy is effective.
* List the types of personally identifiable information the online operator collects about its users and the entities, persons and third parties with whom it shares such information.
* Describe the procedure by which users of the website or mobile app can review and request changes to the personal information collected about them.
* Describe how the online operator notifies people who use its mobile app or website when there are significant (material) changes to their privacy policy.
* Disclose how the online operator replies to a person’s web browser “do not track” signals about the collection of personal information over time and across third-party websites or other online services.
* Disclose if any other parties collect personal information concerning a person’s activities online and across other websites when a person uses the operator’s service or website.
Drafting a compliant website privacy policy is no small task.
In light of the enforcement action being taken by the state of California, it is time to review your privacy policy. If website and mobile app owners want to avoid being reported by individuals (and competitors), they should thoroughly review their privacy policy with a privacy professional to ensure that it complies with the CalOPPA and the Federal Trade Commission (FTC) regulations.
They should also eliminate language in their policy that may increase their legal liability. Using cookie cutter or free privacy policies should be avoided, as they are usually poorly drafted and may contain language that could subject online operators to legal liability for deceptive trade practices by the state of California and the FTC.
Enforcing California Privacy Laws
Only time will tell, but asking California residents to police website privacy laws could pose a workload problem for the Attorney General’s Office. If one looks at the CalOPPA, there are one or two requirements, like having a privacy policy, that are pretty obvious, and a simple observation will determine whether one exists on a website or in a mobile app.
However, other requirements are not so obvious to the average Internet user and even to some attorneys, and they remain unclear. The most fundamental and important requirement is one of the least understood (a website or online service shall conspicuously post its privacy policy on its website). One only needs to look at case law and the definition of “conspicuously post a privacy policy” to see that the vast majority of websites are in violation of this requirement. Reviewing complaints about this unclear regulation could alone be extremely time-consuming for the Attorney General’s Office.
More enforcement tools on the horizon for mobile apps
Mobile app owners should also pay attention to new enforcement tools being developed to detect privacy violations. The California Attorney General’s Office is partnering and collaborating with the Carnegie Mellon University’s Usable Privacy Policy Project to create a software tool that will detect mobile apps that might be violating the CalOPPA.
This new tool will look for inconsistencies between the disclosures in a mobile app’s privacy policy and the app’s actual information collection practices, including the parties with whom it shares that information. If a mobile app owner shares a user’s personal information with third parties and does not disclose that in their privacy policy, the tool will flag the policy for potential enforcement action.