Enacted July 1, 2004, the California Online Privacy Protection Act [“CoPPA”] is the definitive law governing the collection of personally identifiable information from California residents by online businesses. Compliance with the law is a multi-step process.
COPPA vs. CoPPA
Ah, abbreviations. Lawyers commonly use abbreviations to reference legislation because politicians enjoy selecting long-winded names for the laws they enact. I certainly do as an Internet attorney. In certain cases, the abbreviations can conflict, which can lead to confusion. We have such a situation here.
The California Online Privacy Protection Act is referred to as “CoPPA”. However, there is a federal law known as the Children’s Online Privacy Protection Act with the same abbreviation. To differentiate between the laws, commentators customarily use a lower case “o” to reference the California legislation or “CalOPPA”. “COPPA” refers to the federal law. Keep this in mind and you should avoid confusion when reading different articles on the two laws.
CoPPA
The purpose of CalOPPA is to require online businesses to disclose certain information collection practices to consumers. In theory, consumers will take the information into account when deciding whether to continue using the site they are visiting. In reality, very few people read privacy policies, but companies must still comply with the law. To meet this duty, the online platform must:
- Identify the categories of personally identifiable information the operator collects through the website about individuals who visit the site and the third persons or entities with whom the operator may share the information;
- Describe any process the operator maintains for an individual to review and request changes to any of his or her information;
- Describe how the operator notifies visitors to the website of material changes to the privacy policy;
- Disclose how the website responds to “do not track” signals or other mechanisms generated by web browsers that give consumers the ability to exercise choice regarding the collection of personally identifiable information about their online activities over time and across third-party websites;
- Disclose whether other parties may collect personally identifiable information about an individual’s online activities over time and across different websites when a consumer uses the operator’s website or service; and
- Indicate the policy’s effective date.
CalOPPA applies only when a website or app collects “personally identifiable information” from a California resident. Business & Professions Code Section 2257 contains a definition of the phrase:
2257. The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
While the first five entries are self-explanatory, subsections 6 and 7 are anything but. These code sections are sufficiently broad that online providers face a difficult task determining if the use of programs such as Google Analytics triggers a compliance obligation. The determination can only be made on a case-by-case basis.
Penalties
The language of CalOPPA contains no specific penalty provisions. More than a few commentators have mistakenly interpreted this absence as an indication there are no penalties associated with violating the law. The California Attorney General can and does enforce CalOPPA under authority granted by the California Unfair Competition Law. Penalties range from a 30-day cure letter to enforcement actions seeking monetary penalties up to $6,000 for every day CalOPPA is violated by the defendant.
Additional California Privacy Laws and Requirements
Critically, CalOPPA compliance is not the end of the story when contemplating California privacy laws. Depending on the specific characteristics of your online property, it may be necessary to incorporate a “minor eraser process” in the privacy policy, comply with the California “Shine the Light” law, or meet other privacy obligations dictated by law or regulation in the state. California Attorney General Kamala Harris has prioritized enforcement of California privacy laws in her administration, a trend that should continue after her term.
In Closing
California Online Privacy Protection Act compliance is mandatory for the vast majority of online businesses. Contact me now for an assessment of your online properties.
Richard A. Chapo, Esq.