Home Compliance StandardsCalifornia's Cybersecurity RegulationsCalifornia Online Privacy Protection Act (CalOPPA) California Privacy Policy: What is CalOPPA?
California Online Privacy Protection Act (CalOPPA)

California Privacy Policy: What is CalOPPA?

by RSI Security
written by RSI Security

Established in 2003, The California Online Privacy Protection Act (CalOPPA) was the very first state law in the United States that required commercial and online websites to post their privacy policy to the general public. The goal of this act was to protect online users from having their data mined, stored, used, or sold, without their knowledge or consent.

In 2013, CalOPPA was updated with an amendment which required websites to give privacy disclosures about their tracking of online visitors. This law applies to any company or individual within the country who uses a website that gathers personally identifiable information from California users. It compels the website owner to have a prominently displayed California privacy policy that states precisely what kind of user data they are trolling for, what they intend to do with it, and who they intend to share it with.

Those who fail to comply with California’s privacy policy laws face the risk of civil litigation under California’s Unfair Competition Law. So, if you are a business who operates in California, or has consumers who are from California, it is vital that you comply with CalOPPA regulations. Since you may not know what exactly those entail, below, we will go into detail regarding the ins and outs of the California privacy policy requirements and cybersecurity compliance laws.

 

What is a Privacy Policy?

A Privacy Policy divulges to the public the vast array of information that may be gathered, stored, used, shared, or sold that could be used to identify an individual. From the business side, it is a clear message to your users regarding how you plan to use the information you collect, and how you plan to protect that information. It is also an open-door type of policy in which you also share with your visitors how you actually go about collecting their personal information. Such data mining can generally occur in one of two ways:

  1. Directly The user fills out a form or inputs their information somewhere on your website, such as in the cases of creating a Customer Login.
  2. Indirectly The user enters the website, and their data is trolled via website cookies or other electronic data miners.

Whether your website uses direct or indirect data collection methods or some combination of both, that information must be disclosed in your Privacy Policy in order to be compliant with California’s Privacy Policy.

 

Assess your cybersecurity

 

Personally Identifiable Information

In a legal sense, personally identifiable information may refer to a variety of gathering details, which distinguish a specific customer from one another. Such information can include:

  • Users bank account number
  • Users biometric identification
  • Users birthdate
  • Users chat threads
  • Users credit card number
  • Users criminal history
  • Users education history
  • Users email address
  • Users family history
  • Users first name
  • Users genetic information
  • Users government ID
  • Users healthcare information
  • Users height
  • Users last name
  • Users licenses and certifications
  • Users mothers maiden name or next of kin
  • Users online content
  • Users social media platform accounts
  • User’s Social Security Number
  • User’s street address
  • Users telephone number
  • Users web cookies

If you gather any of this type of data, you must detail it in your privacy policy.

Non-personally Identifiable Information

There is non-personally identifiable data that is trackable which the California Privacy Policy requires a business to disclose. Such data that must be addressed by the Privacy Policy include:

  • Users browser activity
  • Users IP addresses
  • Users location data
  • Users passwords
  • Users product descriptions viewed
  • Users security answers
  • Users shopping cart data
  • Users submitted forms
  • Users preferences
  • Users visited pages
  • Users watched videos

caloppa-laptop

California Privacy Policy Compliance

At its essence, CalOPPA forces a business to disclose what type of personal information they are regularly gathering from consumers. In order for you to comply with this privacy policy, your business must take the following steps:

  1. Does CalOPPA apply to you? Ask yourself if CalOPPA applies to your business. According to CalOPPA, the rules and regulations apply to operators of commercial websites or online services that collect, Personally identifiable information through the Internet about individual consumers residing in California. Under the lens of CalOPPA, a consumer is considered to be: Any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes. If CalOPPA restrictions are in fact relevant to your business practices, move to the next step. 
  2. Information to have on hand – Once you have confirmed that your business must be compliant with CalOPPA, it is necessary that you identify and know the following information:
    1. What personal data your site might be gathering from California residents.
    2. How that personal data is being collected and whether it is directly or indirectly gathering that information.
    3. What data might be shared or sold to third-party sites.
    4. How that data might be shared or sold to third parties.
    5. Whether your site regularly attracts customers who are minors.
    6. Whether your website is capable of handling do not track settings.
    7. How your website can give users access to their personal data after a request.
    8. How to delete that personal data, if desired.
    9. How your website transfers requested personal data to another website.nist-teamwork-analyze2

       

  3. Creating the Privacy Policy CalOPPA requires a business to provide a visible and easily accessible link to your complete Privacy Policy agreement. According to CalOPPA, evidently posting a privacy policy means: The privacy policy is shown on the websites homepage; or a link via an icon that contains the word privacy appears on the homepage and directly takes consumers to the privacy policy. In this instance, the icon must be in a color different from the home pages background; or the privacy policy is linked to the homepage via a hypertext link that contains the word privacy, is written in capital letters equal to or greater in size than the surrounding text; is displayed in a type, font or color that contrasts with the surrounding text of the same size; or is otherwise distinguishable from surrounding text on the homepage. Typically, this hyperlink should be placed beneath a section titled along the lines of, Your California Privacy Rights. Such a policy should include the information you gathered in step 2; the categories include:
    1. The scope of the Policy This broad stroke clause should cover CalOPPA restrictions and requirements and discuss how they apply to your business. This bit should say plainly what your policy entails.
    2. Data Collection If you do collect personal data from California residents and share it or sell it to other businesses, you must identify all types of data your site currently collects, how it goes about stockpiling that information, and how that data collection might change or expand in the future.
    3. Data Use and Sharing You must identify all third parties with which you might share user data with be it a marketing company, a partner, or a credit card company.
    4. DNT There must be a clause in which your website identifies whether or not they acknowledge and run with users who employ do not track me settings. You must outline whether you stop monitoring users who use DNT and what other methods you apply to comply with a do not track request. You should provide a link that explains how to block tracking technology.
    5. Individual Choice and Access This clause should state how users can see and alter, edit or update their information that has been collected. It will let customers know how they may request changes to any of this information and can be as simple as saying, You may go to your user profile and change or delete any identifiable information you wish to alter. There should be an easy and accessible way for users to review and make alterations to their data.
    6. Security Safeguards This clause will let users know how you plan on protecting their data from potential data breaches or data theft. This section should also allow the customer to know what you will do to protect them in the event of a data breach.
    7. Effective Date This clause should identify the date of your policy and include the dates of any updates or changes to that policy.
    8. Accountability This final section should clearly state how customers can contact you with any questions, concerns or inquiries about your business or its privacy policy. Most advise that you post a title, an email address or telephone number, of the customer service department, or whoever will be responding to customer inquiries.


Non-compliance with CalOPPA

A business that fails to post a privacy policy or posts an incomplete privacy policy may be flagged for non-compliance. If flagged and notified of non-compliance, a business owner will be violating California Privacy Policy laws if it neglects to post a privacy policy or make the required changes within a month of the warning. However, it should be noted that a business operator will only be found in violation of CalOPPA if noncompliance is either, Knowing and willful or negligent and material.

CalOPPA allows a complaint form to be filled out by individuals who believe a business is violating CalOPPA restrictions. They can report non-compliance with CalOPPA for the following reasons:

  1. The Privacy Policy is not posted on the website, does not work, or is hidden.
  2. The Privacy Policy is not easily accessible.
  3. The Privacy Policy is unfinished or missing specific information or required clauses.
  4. The Privacy Policy has been violated.
  5. The business neglected to provide a notice of a change to their Privacy Policy.

In order to prevent receiving non-compliant complaints make sure that you do the following:

  1. You post a conspicuous Privacy Policy on your website.
  2. You have a Privacy Policy that is easily accessible.
  3. You have a Privacy Policy that is comprehensive and up to date.
  4. You follow the rules of your Privacy Policy and do not violate the terms of the agreement.
  5. You notify customers of any changes or alterations made to the Privacy Policy.


nist-writing-paperAccording to the CalOPPA website, CalOPPA does not contain enforcement provisions. It is expected, however, that CalOPPA will be enforced through California’s Unfair Competition Law (UCL), which is located at Business and Professions Code 17200-17209. Under the UCL, the California Attorney General’s Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which are considered to be any act involving a business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL. Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against. Because of this, CalOPPA violations seem to fall under the California Unfair Competition Law (UCL), whose goal is to identify any business that may be conducting business in a way that is viewed to be unlawful, fraudulent or unfair.

The UCL states that any violations that do occur may receive a penalty of $2,500 per violation. That may seem like a minor slap on the wrist, but the important aspect of that clause is the per violation. According to the UCL, that means every single time and person who visited your site or mobile app while you were considered to be non-compliant could be counted as a violation. As you might imagine, if you are a business that gets thousands of daily hits, let alone millions, this fine could quickly add up to an astronomical amount.

Conclusions

The California Privacy Policy Act was created to protect consumers and provide them with visibility and transparency about their personal data and how it may be used. If found in violation of CalOPPA, your business could be financially crippled, or liable in the case of a serious data breach. Therefore, it is in your companys best interests to make sure that you comply with CalOPPAs requirements and improve your cybersecurity efforts in order to protect both your business and your customers.

For more information on cyber security solutions, please contact RSI Security today.

Speak with a Cybersecurity expert today

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Consequences of Non-compliance With CalOPPA

September 25, 2018

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More