Many of you may have heard the hype of the new California Consumer Privacy Act (CCPA) that went into effect on January 1 of this year. It's been hailed as the toughest law in the country on online privacy. This new law is complex and enforcement of it will begin in several months. So, companies are in an uproar to make sure that they are in compliance.
But there's already been one extensive privacy law in place in California since 2004: the California Online Privacy Protection Act (CalOPPA). Any startup or business in California and beyond California needs to understand this Act just as much as they need to understand the new Act. With all the attention on the CCPA right now, it may be a good time to revisit the CalOPPA so that new businesses don't let compliance fall by the wayside.
What is the Scope of the CalOPPA?
An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service [...]
As such, the Act applies to any operator of a commercial website, whether your company is located in California or China and whether it makes millions of dollars or no profit at all. If the commercial website collects personal information about California residents, then the law applies to the website.
Less specific is that the Act also applies to mobile apps. Any mobile app collecting personal information must also be in compliance in order to operate in California.
What does Personal Information Mean?
The CalOPPA defines personal information as "personally identifiable information" – this is somewhat different and not as broad as the definition of personal information in the CCPA. Personally identifiable information is defined at § 22577 as
individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form[...]
This information includes things like:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
Item 7 is important because it includes things like cookies and IP addresses.
What does the CalOPPA Require?
The CalOPPA was the first law in the country requiring privacy policies to be displayed on websites. Privacy policies per CalOPPA must disclose:
- the categories of personal information collected;
- the categories of third parties that may receive that information;
- the process for consumers to review and request changes to the collected information;
What are the Penalties for Violations of the CalOPPA?
When a website operator does not comply with the terms and conditions of the CalOPPA, the business faces penalties of up to $2,500 per violation according to Cal. Business and Professions Code § 17206. This may not seem bad, but the fine is for each violation. For example, if your startup app has 100 users but you are in violation of the CalOPPA, you could be looking at a $250,000 fine. The California Attorney General is the enforcer of this law, and the office stays pretty vigilant on these matters.
If you are unsure if your website is in compliance with CalOPPA, you should contact a business attorney in California at your earliest convenience. With new privacy laws in effect, you need to make sure you are in compliance with both the old and the new.