California Online Privacy Protection Act of 2003

Citation[]

California Online Privacy Protection Act of 2003 (CalOPPA; also OPPA), as amended by A.B. 370 (eff. Jan. 11, 2014), codified at Cal. Business & Professions Code §§22575-79 (2004).

2003 law[]

In 2003, California enacted the "Online Privacy Protection Act," which requires website owners to conspicuously post a statement of their policies regarding the collection and sharing of personal information. The law, which becomes effective on July 1, 2004, was the first state law to require owners of commercial websites or online services to post a privacy policy.

The law states that if a website collects information such as first and last name, mailing address, email address, phone number, or Social Security number and is considered a commercial entity, it must post a link to its privacy policy on its home page that includes the following:

The categories of personal information that are collected.
The categories of third parties with whom personal information may be shared.
The ability for consumers to review the personal information the site has collected and the ability to remove it if allowed.
The process by which the website owner will notify consumers when the privacy policy is changed, and
The effective date of the policy.

The goal of the legislation was to create transparency in data collection practices and to help users make informed decisions. However, the legislation does not regulate the substance of websites' practices; they only need to disclose those practices.

Application to mobile apps[]

California Attorney General Kamala Harris stated publicly on October 26, 2012^[1] that her office would interpret CalOPPA's application to "online services" to include mobile applications for compliance and enforcement purposes.

2013 amendment[]

The 2013 Amendment amends CalOPPA to require two new privacy policy disclosures for websites and online services regarding online behavioral tracking:

(1) the operator's response to a browser DNT signal or to "other mechanisms,"^[2] and

(2) the possible presence of other parties conducting online tracking on the operator's site or service.^[3]

Another provision allows for an alternative way to comply with the first disclosure requirement. The alternative is to provide a "clear and conspicuous" link in the operator's privacy policy to a "program or protocol" that offers consumers a choice about online tracking.^[4] The linked location must contain a description of the program or protocol and must describe the effects of the program on consumers who participate in it.

It is designed as one additional step to existing California requirements for online privacy policies that is intended to bring greater transparency and consumer scrutiny over websites' practices related to honoring "Do Not Track" (DNT) preferences of Internet and mobile app users.

The stated purpose of the legislation is to provide greater transparency to consumers about how companies' websites and online services, including mobile apps, respond to a DNT signal from an Internet browser.

“

[T]his bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. A.B. 370 will allow consumers to learn from a website's privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.^[5]

”

The California Attorney's Office added that

“

all the major browser companies have offered Do Not Track browser headers that signal to websites an individual's choice not to be tracked, [but that there was] no legal requirement for sites to honor the headers.^[6]

”

References[]

↑ Notice of Non-Compliance with California Online Privacy Protection Act.
↑ Cal. Bus. & Prof. Code §22575(b)(5). The "other mechanisms" in the first disclosure requirement can be understood to refer to any technology that, like a Do Not Track browser signal, provides consumers the ability to exercise choice about the collection of their personally identifiable information over time and across third-party web sites or online services. An operator must make the first disclosure only if the operator engages in the collection of personally identifiable information about a consumer's online activities over time and across third-party web sites or online services.
↑ Id. §22575(b)(6).
↑ Id. §22575(b)(7). Note that the term used here, "program or protocol," is not the same as the term used in subdivision 5, "mechanism."
↑ A.B. 370, Bill Analysis, at 3 (statement of Assemblymember Muratsuchi) (full-text).
↑ Id. (statement of Cal. Atty' Gen.)

Source[]

"2013 amendment" section: Making Privacy Practices Public, at 7.

[1] Notice of Non-Compliance with California Online Privacy Protection Act.

[2] Cal. Bus. & Prof. Code §22575(b)(5). The "other mechanisms" in the first disclosure requirement can be understood to refer to any technology that, like a Do Not Track browser signal, provides consumers the ability to exercise choice about the collection of their personally identifiable information over time and across third-party web sites or online services. An operator must make the first disclosure only if the operator engages in the collection of personally identifiable information about a consumer's online activities over time and across third-party web sites or online services.

[3] Id. §22575(b)(6).

[4] Id. §22575(b)(7). Note that the term used here, "program or protocol," is not the same as the term used in subdivision 5, "mechanism."

[5] A.B. 370, Bill Analysis, at 3 (statement of Assemblymember Muratsuchi) (full-text).

[6] Id. (statement of Cal. Atty' Gen.)

[1]

[2]

[3]

[4]

[5]

[6]