California Online Privacy Protection Act of 2003 (CalOPPA; also OPPA), as amended by A.B. 370 (eff. Jan. 11, 2014), codified at Cal. Business & Professions Code §§22575-79 (2004).
- The categories of personal information that are collected.
- The categories of third parties with whom personal information may be shared.
- The ability for consumers to review the personal information the site has collected and the ability to remove it if allowed.
- The effective date of the policy.
The goal of the legislation was to create transparency in data collection practices and to help users make informed decisions. However, the legislation does not regulate the substance of websites' practices; operators only need to disclose those practices.
Application to mobile apps
California Attorney General Kamala Harris stated publicly on October 26, 2012 that her office would interpret CalOPPA's application to "online services" to include mobile applications for compliance and enforcement purposes.
- (1) the operator's response to a browser DNT signal or to "other mechanisms," and
- (2) the possible presence of other parties conducting online tracking on the operator's site or service.
It is designed as one additional step beyond existing California requirements for online privacy policies, intended to bring greater transparency and consumer scrutiny to websites' practices related to honoring "Do Not Track" (DNT) preferences of Internet and mobile app users.
The stated purpose of the legislation is to provide greater transparency to consumers about how companies' websites and online services, including mobile apps, respond to a DNT signal from an Internet browser.
The California Attorney General's Office added that "all the major browser companies have offered Do Not Track browser headers that signal to websites an individual's choice not to be tracked, [but that there was] no legal requirement for sites to honor the headers."
- Notice of Non-Compliance with California Online Privacy Protection Act.
- Cal. Bus. & Prof. Code §22575(b)(5). The "other mechanisms" in the first disclosure requirement can be understood to refer to any technology that, like a Do Not Track browser signal, provides consumers the ability to exercise choice about the collection of their personally identifiable information over time and across third-party web sites or online services. An operator must make the first disclosure only if the operator engages in the collection of personally identifiable information about a consumer's online activities over time and across third-party web sites or online services.
- Id. §22575(b)(6).
- Id. §22575(b)(7). Note that the term used here, "program or protocol," is not the same as the term used in subdivision 5, "mechanism."
- A.B. 370, Bill Analysis, at 3 (statement of Assemblymember Muratsuchi) (full-text).
- Id. (statement of Cal. Att'y Gen.)
- "2013 amendment" section: Making Privacy Practices Public, at 7.