April 30, 2014
Intellectual Property, Internet & E-Commerce Alerts

CalOPPA - New Disclosure Requirements for Websites and Online Services
by Lisa P. Tse

On January 1, 2014, amendments to the California Online Privacy Protection Act ("CalOPPA") took effect. The amendments, enacted by Assembly Bill ("AB") 370, require operators of commercial websites and online services, including mobile applications, to make two disclosures in their privacy policies. These disclosures are as follows:

(1) How the operator responds to browser Do Not Track signals, which are signals sent to a website when users indicate through their web browser whether they want websites to collect their personal information.

(2) Whether other third parties may collect personally identifying information about an individual consumer's online activities over time and across different websites when the consumer uses the operator's website or service.

Determining Whether AB 370 Applies

AB 370 applies to commercial websites and online services, including mobile applications, that collect personally identifiable information of individual consumers residing in California.

What is Personally Identifiable Information?

Personally identifiable information is defined by statute, and includes any of the following: (1) a first and last name; (2) a home or other physical address, including street name and name of a city or town; (3) an email address; (4) a telephone number; (5) a social security number; (6) any other identifier that permits the physical or online contacting of a specific individual; and (7) information concerning a user that the website or online service collects from the user and maintains in a personally identifiable form in combination with any of the identifiers described in (1) – (6).

Operators should be mindful of website tools or capabilities that may collect any of the above-identified categories of personally identifiable information, regardless of whether the website user or visitor is an actual customer or member of the website or business. The obligation to comply with AB 370 could be triggered by visitors or website users who sign up for mailing lists maintained by the website, by customer inquiries or communications conducted through the website, and even by requests from users for notices of the availability of a product or new development.

Applicability of AB 370 to Non-California Websites or Online Services

Both the new and existing provisions of CalOPPA extend de facto to all websites and online services available in the United States. While website operators technically need only comply with AB 370 if they collect personally identifiable information of a California resident, it is effectively impossible for a website operator to distinguish California residents from non-California residents. Even if a website operator is capable of differentiating or "blocking" California residents based on location data, there is no assurance that a California resident is not accessing the website or online service from a different state. Given these logistical challenges, all operators of websites and online services should take steps to comply with the disclosure requirements set forth in AB 370.

Complying with AB 370

The revisions to CalOPPA enacted by AB 370 are intended as disclosure requirements and do not require the adoption of any specific policies or practices. The primary purpose of these amendments is to require websites, mobile applications, and online services to accurately explain and disclose their Do Not Track policies and related procedures. Therefore, websites and online services that collect information about visitors browsing their websites should take the following steps to comply with the AB 370 requirements:

(1) Evaluate existing policies and procedures for addressing Do Not Track signals. If there are no existing policies or procedures, then the operator should decide whether or not to honor a website visitor's Do Not Track signals. If a website or online service does not honor Do Not Track signals, then the operator may comply with AB 370 by simply stating so in the website's privacy policy. Of course, operators should also consider how consumers will interpret such a disclosure as a consumer relations matter. If a website or online service does honor Do Not Track signals, then the operator must explain in the privacy policy how it responds to them.

(2) Evaluate existing policies and procedures regarding whether third parties may collect personally identifiable information about a visitor's online activities over time and across different websites when the consumer uses the operator's site or service. A website or online service complies with AB 370 by stating in its privacy policy whether it does or does not permit third parties to collect personally identifiable information in this manner.

(3) These disclosures must be conspicuously posted through one of the following methods:

(a) By posting the actual privacy policy on the homepage or first significant page after entering the website.
(b) An icon that hyperlinks to a webpage on which the actual privacy policy is posted. The icon must contain the word "privacy" in a color that contrasts with the background color of the webpage. The icon must be on the homepage or first significant page after entering the website.
(c) A text link that hyperlinks to a webpage on which the actual privacy policy is posted. The text link must contain the word "privacy" in capital letters or in a greater size than the surrounding text. The text must also be in a color that contrasts with the background color of the webpage. The text link must be on the homepage or first significant page after entering the website.
(d) Any other functional hyperlink displayed in a manner that a reasonable person would notice, or through any other reasonably accessible means.

Consequence of Non-Compliance

A website operator will not be held in violation of these disclosure requirements unless it fails to post a compliant privacy policy within 30 days after being notified of noncompliance. If an operator fails to address alleged deficiencies within 30 days, then the Attorney General may impose fines of up to $2,500 per violation.