California Attorney General Kamala Harris recently released guidance, Making Your Privacy Practice Public, to help companies comply with the California Online Privacy Protection Act's (CalOPPA) "Do Not Track" (DNT) disclosure requirements, which took effect on January 1, 2014. CalOPPA, 2013 Bill Text CA A.B. 370, Cal Bus & Prof Code § 22575-22579, requires online privacy policies to disclose whether the company tracks and collects personally identifiable information (PII) (which includes names, contact information, unique identifiers, and passively collected information such as device identifiers and geolocation data) about California residents' online activities over time and across third-party websites or services, including via mobile apps, and whether or not the company recognizes DNT mechanisms that have been designed to prevent such tracking.
• State whether consumers who use DNT mechanisms are treated differently than consumers who do not, and how the treatment is different (e.g., "Your experience may be degraded . . . ")
• Disclose whether PII is collected when a DNT signal is received
• Describe how that information is used if PII is collected when a DNT signal is present
In addition to describing a company's own DNT privacy policies, CalOPPA also requires companies to disclose whether third parties, such as advertising networks that track consumers over time and across websites, are present on the company’s website or service. The guidance poses useful questions to determine whether third-party trackers present on a company's website are authorized to be there and adhere to the company's DNT policy.
The Attorney General's Privacy Enforcement and Protection Unit will begin reviewing companies' privacy policies for compliance and work with companies to help them comply with the DNT disclosure requirements. Companies found to be in noncompliance will have 30 days to comply with CalOPPA before being subject to an enforcement action. Failure to comply with CalOPPA can result in civil penalties of up to $2,500 per violation.
Companies should remember that even if they are not physically present in California, CalOPPA applies if the company collects PII from California residents. In addition, although this alert focuses on the required DNT disclosures, the Attorney General’s guidance offers additional recommendations regarding online privacy policies.
Ballard Spahr attorneys regularly advise financial institutions and other companies providing financial services online on compliance with consumer financial services laws, as well as related data security and privacy laws. Our attorneys regularly conduct website and mobile app audits to help clients ensure that they know what third parties are present on their sites and whether the practices of those parties are consistent with their privacy policies.
The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws. Members of the Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new and existing products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.
Copyright © 2014 by Ballard Spahr LLP. http://www.ballardspahr.com/ (No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.