California is a leader in regulating consumer privacy and data security. As part of a multi-pronged effort to improve online privacy, the California Attorney General’s office established a new online form that allows individuals to report violations of the California Online Privacy Protection Act (“CalOPPA”). This “crowdsourced” tool seeks to greatly enhance the AG’s ability to enforce CalOPPA.
In a press release announcing the online form, the AG’s office emphasized the continuing need to protect Californians’ privacy in light of the growth of the Internet of Things and the lack of transparency exhibited by some technology companies. In particular, the AG’s office observed that some mobile apps employ data practices that are not properly disclosed to consumers, such as the sharing of personal information with third parties.
The complaint form allows consumers to report the following violations:
- The site/app lacks a privacy policy;
- The privacy policy is hard to find;
- The privacy policy does not contain all the information required by law;
- The company does not follow its own privacy policy; and/or
- The company does not notify users of significant changes to its privacy policy.
The press release also discussed the AG’s partnership with the Usable Privacy Policy Project at Carnegie Mellon University, detailing efforts to create a tool that will identify mobile apps that are violating CalOPPA. The tool will search for discrepancies between the disclosures in a mobile app’s privacy policy and its actual data collection and sharing practices. Finally, the press release emphasized the AG office’s continued focus on data security, and the need for businesses to implement “reasonable security” standards in protecting personal information.
So what’s the bottom line? If you operate a commercial website, app, or other online service, and you collect personal information from California residents, you should confirm your compliance with CalOPPA. This includes:
- Confirm you have a privacy policy that can be easily located by consumers. In an app, for example, ensure your policy is accessible at all stages of app use—not just the initial registration page;
- Confirm your privacy policy details: (1) what information you collect through the site or app; (2) who you share that information with; (3) the effective date of the policy; and (4) if you provide such access, instructions on how a consumer can review and request changes to their information;
- Further confirm your privacy policy states how you respond to “Do Not Track” signals, and whether third parties can collect personal information about an individual consumer’s online activities over time and across different websites when a consumer uses your site or service;
- Confirm that your privacy policy is accurate; and
- Assess whether you are providing reasonable security when protecting personal information of consumers.
Being proactive will reduce the likelihood of regulatory scrutiny and negative publicity, as the launch of this tool signals the California AG’s intent to crack down on CalOPPA violations. Plus, all websites and online services that collect and use information from consumers should review and, as needed, update their privacy policies regularly as part of appropriate privacy and security hygiene.