The California Online Privacy Protection Act applies to any commercial website, online service or mobile application that collects personally identifiable information from individual consumers residing in California. The Act requires that privacy policies be conspicuously posted, or in the case of an operator of an online service, be made available via a reasonably accessible means.
- Identification of the categories of personally identifiable information collected about individual consumers and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;
- Disclosing whether a process is maintained for individual consumers to review and request changes to any of his or her personally identifiable information that is collected, and the provision of a description of that process;
- Disclosing how the operator responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about consumers’ online activities over time and across third-party websites or online services (if the operator engages in that collection);
- Disclosing whether third-parties on the operator’s website, online service or app (e.g., third-party ad networks or analytics providers) collect personally identifiable information about consumers’ online activity over time and across different sites;
- Disclosing whether third-parties collect personally identifiable information on the website or app; and
- Disclosing whether other parties may collect personally identifiable information about consumers’ online activities over time and across different websites.
Personally identifiable information means, without limitation, individually identifiable information about an individual consumer collected online by the operator and maintained in an accessible form (e.g., first and last name, address, email address, telephone number, social security number and any other identifier that permits the physical or online contacting of a specific individual).
- Any other functional hyperlink that is so displayed that a reasonable person would notice it; or
An operator of a commercial website or online service that collects personally identifiable information from individual consumers who reside in California shall be in violation of the Act if it knowingly and willfully, or negligently and materially fails to comply.
In addition to the foregoing, website operators must also consider the recently issued FTC Staff Report regarding best practices for cross-device tracking.
The Act is enforceable by the California Attorney General pursuant to the state’s unfair competition law.
Advertising agreements routinely require that networks assume legal liability for ensuring that the privacy and data use practices of its third-party publishers comply with applicable laws and regulations, including the Act.
Consult with an FTC compliance and defense law firm to discuss issues relating to privacy and data protection.
Follow Richard B. Newman on Twitter @ FTC Defense Lawyer.
HINCH NEWMAN LLP. ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result.