- Directly: The user fills out a form or enters their information somewhere on your website, for example when creating a customer login.
- Indirectly: The user visits the website, and their data is harvested through website cookies or other electronic data-mining tools.
Personally Identifiable Information
In a legal sense, personally identifiable information may refer to a variety of collected details that distinguish one specific customer from another. Such information can include:
- User’s bank account number
- User’s biometric identification
- User’s birthdate
- User’s chat threads
- User’s credit card number
- User’s criminal history
- User’s education history
- User’s email address
- User’s family history
- User’s first name
- User’s genetic information
- User’s government ID
- User’s healthcare information
- User’s height
- User’s last name
- User’s licenses and certifications
- User’s mother’s maiden name or next of kin
- User’s online content
- User’s social media platform accounts
- User’s Social Security Number
- User’s street address
- User’s telephone number
- User’s web cookies
Non-personally Identifiable Information
- User’s browser activity
- User’s IP addresses
- User’s location data
- User’s passwords
- User’s product descriptions viewed
- User’s security answers
- User’s shopping cart data
- User’s submitted forms
- User’s preferences
- User’s visited pages
- User’s watched videos
- Does CalOPPA apply to you? Ask yourself whether CalOPPA applies to your business. According to CalOPPA, the rules and regulations apply to operators of commercial websites or online services that collect personally identifiable information through the Internet about individual consumers residing in California. Under the lens of CalOPPA, a consumer is considered to be any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes. If CalOPPA restrictions are in fact relevant to your business practices, move on to the next step.
- Information to have on hand: Once you have confirmed that your business must be compliant with CalOPPA, it is necessary that you identify and know the following information:
- What personal data your site might be gathering from California residents.
- How that personal data is being collected and whether it is directly or indirectly gathering that information.
- What data might be shared or sold to third-party sites.
- How that data might be shared or sold to third parties.
- Whether your site regularly attracts customers who are minors.
- Whether your website is capable of handling do not track settings.
- How your website can give users access to their personal data after a request.
- How to delete that personal data, if desired.
- How your website transfers requested personal data to another website.
- The scope of the policy: This broad-stroke clause should cover CalOPPA restrictions and requirements and discuss how they apply to your business. It should state plainly what your policy entails.
- Data collection: If you collect personal data from California residents and share it or sell it to other businesses, you must identify all types of data your site currently collects, how it goes about storing that information, and how that data collection might change or expand in the future.
- Data use and sharing: You must identify all third parties with which you might share user data, be it a marketing company, a partner, or a credit card company.
- DNT: There must be a clause in which your website states whether or not it acknowledges and honors the settings of users who enable Do Not Track. You must outline whether you stop monitoring users who send DNT and what other methods you apply to comply with a Do Not Track request. You should provide a link that explains how to block tracking technology.
- Individual choice and access: This clause should state how users can see and alter, edit or update the information that has been collected about them. It lets customers know how they may request changes to any of this information and can be as simple as saying, "You may go to your user profile and change or delete any identifiable information you wish to alter." There should be an easy and accessible way for users to review and make alterations to their data.
- Security safeguards: This clause lets users know how you plan to protect their data from potential data breaches or data theft. It should also tell the customer what you will do to protect them in the event of a data breach.
- Effective date: This clause should identify the date of your policy and include the dates of any updates or changes to that policy.
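The DNT clause above has to describe what the site actually does when a visitor sends a Do Not Track request. As an added illustration (not code from the article or from RSI Security), the following Python helper shows one defensible behaviour: read the `DNT` request header, withhold non-essential tracking cookies when it is set, and record the decision for a compliance log. The cookie names, function names and sample requests are assumptions constructed for this example.

```python
"""Honor a visitor's Do Not Track (DNT) request before setting tracking cookies.

Added illustration, not code from the article. The 'DNT: 1' header is the
W3C Do Not Track signal; the cookie names, function names and sample
requests below are constructed for this example.
"""

# Cookies this hypothetical site sets for analytics/advertising (tracking).
TRACKING_COOKIES = {"_analytics_id", "_ad_segment"}
# Cookies the site needs to function; a DNT request does not affect these.
ESSENTIAL_COOKIES = {"session_id", "csrf_token"}


def dnt_requested(headers):
    """Return True when the client sent 'DNT: 1'.
    Header names are matched case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def filter_set_cookies(headers, cookies):
    """Return only the cookies the response may set: every essential cookie,
    plus tracking cookies only when the visitor has not sent DNT.
    Cookie names not listed as essential are treated as tracking (fail closed)."""
    block_tracking = dnt_requested(headers)
    return {
        name: value
        for name, value in cookies.items()
        if name in ESSENTIAL_COOKIES or not block_tracking
    }


def audit_record(headers, cookies):
    """One entry for the compliance log: what DNT said and which cookies were withheld."""
    kept = filter_set_cookies(headers, cookies)
    withheld = sorted(set(cookies) - set(kept))
    return {"dnt": dnt_requested(headers), "withheld": withheld}


# Constructed sample requests and cookie plan (not real traffic).
REQUEST_WITH_DNT = {"Host": "shop.example", "DNT": "1"}
REQUEST_NO_DNT = {"Host": "shop.example", "User-Agent": "test-client"}
PLANNED_COOKIES = {"session_id": "abc", "_analytics_id": "u-42", "_ad_segment": "s7"}

if __name__ == "__main__":
    print(audit_record(REQUEST_WITH_DNT, PLANNED_COOKIES))
    print(audit_record(REQUEST_NO_DNT, PLANNED_COOKIES))
```

The same decision should gate any server-side forwarding of visitor data to the third parties named in the data use and sharing clause, not only the cookies the browser receives.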
Non-compliance with CalOPPA
CalOPPA allows a complaint form to be filled out by individuals who believe a business is violating CalOPPA restrictions. They can report non-compliance with CalOPPA for the following reasons:
In order to prevent receiving non-compliant complaints make sure that you do the following:
According to the CalOPPA website, CalOPPA does not contain enforcement provisions. It is expected, however, that CalOPPA will be enforced through California’s Unfair Competition Law (UCL), which is located at Business and Professions Code 17200-17209. Under the UCL, the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which include any act by a business that violates California law. As a result, violations of CalOPPA may be treated as violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL. Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against. Because of this, CalOPPA violations fall under the California Unfair Competition Law (UCL), whose goal is to identify any business that is conducting business in a way that is viewed to be unlawful, fraudulent or unfair.
The UCL states that violations may receive a penalty of $2,500 per violation. That may seem like a minor slap on the wrist, but the important aspect of that clause is the phrase "per violation." Under the UCL, every person who visited your site or mobile app, on every occasion, while you were considered to be non-compliant could be counted as a separate violation. As you might imagine, if you are a business that gets thousands of daily hits, let alone millions, this fine could quickly add up to an astronomical amount.
For more information on cyber security solutions, please contact RSI Security today.