In 2003, California became the first state in the country to set robust requirements on the visibility of online consumer data practices. The California Online Privacy Protection Act, also known as CalOPPA (enacted in 2003 and effective July 1, 2004), requires commercial websites and online services to conspicuously post a Privacy Policy describing how they handle their users' data. The law aims to protect online users and to inform them how their data may be tracked, mined, stored, sold, used, or shared. Posting this notice is mandatory for any commercial website or online service that collects personally identifiable information from California residents. CalOPPA states that an operator must "conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available." If your online business is found in non-compliance, that is, if you do not clearly convey to your customers what data you collect, how you collect it, and what you plan to do with it, the potential ramifications could cripple your business.
Accessible California Privacy Policy statements shield consumers by allowing them to make educated choices about which companies they will trust with their personal data. They also let companies be transparent, which in turn helps a business build and grow its brand on a foundation of trust. Unfortunately, all too often, Privacy Policies are unclear, filled with purposefully vague or deceitful language. CalOPPA was created to protect California consumers from such practices. The consequences of non-compliance with CalOPPA are far more significant than the time and cost of making the updates needed to meet its requirements. In this article, we discuss the main consequences of non-compliance and what you must do as a business to observe CalOPPA.
Non-compliance with CalOPPA
A business can be flagged for non-compliance for several reasons including:
- Business was found to have violated the Privacy Policy
- Business did not update customers about changes to the Privacy Policy
- Business did not post the Privacy Policy on the website
- Business Privacy Policy hyperlink or icon does not work
- Business Privacy Policy is inconspicuously displayed on the website
- Business Privacy Policy is incomplete, or missing sections
If a business is notified that it is in non-compliance, it has thirty days to post a compliant Privacy Policy before it faces potential consequences. Although CalOPPA contains no enforcement provisions of its own, it is enforced through California's Unfair Competition Law (UCL). Under the UCL, the California Attorney General's office can file suit. The Attorney General's guidance on CalOPPA explains: "Under the UCL the California Attorney General's Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of 'unfair competition,' which are considered to be any act involving a business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL. Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring an enforcement action against."
The civil penalty comes from the UCL rather than from CalOPPA itself (CalOPPA is codified at California Business and Professions Code sections 22575-22579). Under the UCL, any person who engages, has engaged, or proposes to engage in unfair competition "shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation." The most significant consequence of non-compliance is the multiplier effect of this fine. If each visit to a website, or each download of an app, without a compliant Privacy Policy is counted as a separate violation, the total penalty can become massive. For instance, the California Attorney General sued Delta Air Lines over its Fly Delta mobile app, which had no Privacy Policy; the potential fine was estimated at $37,500,000, but the case was dismissed on unrelated grounds (federal preemption of state regulation of airlines). Future companies may not be so fortunate.
Does CalOPPA Apply to Me?
If you run a commercial website or online service that collects personal information, there is little doubt that you are subject to CalOPPA and to the consequences of non-compliance. The law applies to any operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California. Its reach extends past the California border: it does not matter whether your company is located in California. You fall within CalOPPA's scope if your site or service collects personally identifiable information from California residents, which in practice covers nearly any commercial site accessible to Californians.
Now, you might wonder what personally identifiable information is. CalOPPA defines it as information that identifies an individual, such as a first and last name, a home or other physical address, an email address, a telephone number, a Social Security number, or any other identifier that permits contacting a specific person, together with any other information the operator collects and maintains in combination with such an identifier. In practice, that covers items such as:
- Bank account, routing, or credit card numbers
- Biometric identification
- Birthdate
- Cookies
- Criminal past
- Education history
- Email or home address
- First or last name
- Government ID, License number, or social security number
- Healthcare and medical records
- Height and weight
- Passwords, shortcuts, or password hints
- Phone number
- Social media accounts
Even Google, a massive company, has been affected by CalOPPA. The search engine king was accused of non-compliance by privacy advocates, who claimed that because Google's Privacy Policy link was hidden behind its "About Google" tab rather than placed conspicuously on the homepage, it did not meet CalOPPA's requirements. Although Google has not been taken to court over the matter, privacy advocacy groups have been urging the California Attorney General's office to enforce the law. It would behoove you as a business to ensure that you are compliant with CalOPPA.
Requirements of Compliance
To avoid the consequences of non-compliance, your business must conspicuously post a Privacy Policy link on the homepage (or the first significant page after entering the site) of each of your websites. CalOPPA treats a link as conspicuous when it meets one of the following:
- It is an icon that links to the Privacy Policy, contains the word "privacy", and uses a color that contrasts with the page background (or is otherwise distinguishable); or
- It is a text link to the Privacy Policy that either includes the word "privacy", or is written in capital letters equal to or greater in size than the surrounding text, or is written in larger type than the surrounding text, in a contrasting type, font, or color, or set off from surrounding text of the same size by symbols or other marks that call attention to it.
Posting the full text of the policy directly on the homepage also satisfies the requirement.
According to CalOPPA, the Privacy Policy that this link leads to must contain the following:
- A list of the categories of personally identifiable information the operator collects;
- A list of the categories of third parties with whom the operator may share that information;
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
- A description of the process by which the operator notifies consumers of material changes to the Privacy Policy;
- The effective date of the Privacy Policy;
- A disclosure of how the operator responds to Web browser "do not track" signals or similar mechanisms, and whether other parties may collect personally identifiable information about a consumer's online activities over time and across different websites when the consumer uses the operator's site or service.
The Privacy Policy should give a detailed overview of your company's practices for collecting, using, sharing, selling, and protecting personally identifiable information. It should feature the following sections:
- Scope: Describe the scope of the Privacy Policy, including whether it covers only online data collection and activity or applies to offline practices as well. Make clear which entities, affiliates, and subsidiaries the policy covers.
- Availability: Availability pertains to the icon or hyperlink on the homepage. To make it conspicuous to online users, give it a descriptive title. The policy should be available in a format that can be printed as a separate document. For mobile apps, the Privacy Policy should be available for reading before download, and from within the app on its About or Information pages.
- Readability: Although CalOPPA sets no specific rules on readability, it is wise to follow the practices already recommended by the California Attorney General and the Federal Trade Commission. Use simple, direct language and avoid legal or technical jargon. Keep sentences short and in the active voice. Use headers and titles to highlight the important parts of the policy. Consider offering the policy in languages other than English. Write it in a format that is readable, especially on mobile devices.
- Do Not Track: Online tracking collects information about a visitor's activity, often across sites and usually invisibly. Visitors who enable a Do Not Track signal in their browsers typically have no way of knowing whether a business honors it. CalOPPA therefore requires the policy to disclose how your site responds to Do Not Track signals and whether other parties may track visitors on your site. State plainly whether you honor the signal and what changes when it is set, and set this section off so it is easy to find.
- Data Use and Sharing: Describe how you use, share, or sell personally identifiable information, including any use that goes beyond what is needed for a purchase or a login. Describe your practices for sharing personally identifiable information with marketing partners, affiliates, or any other entity. At a minimum, list the kinds of companies you share customer data with; where possible, link to the privacy policies of those companies.
- Individual Choice and Access: CalOPPA requires the policy to describe the process, if one exists, by which an individual can review his or her personal information and request changes to it. Explain what choices a consumer has regarding the collection, use, and sharing of personal data, and give clear instructions for exercising those choices. Honor customer preferences and requests promptly.
- Security Safeguards: Explain how your company protects customers' personal data from unauthorized access, alteration, or destruction, including a brief description of the security measures protecting personally identifiable information. It is also wise to describe the security practices of third parties with whom you share the data.
- Effective Date: Give the effective date of the Privacy Policy and explain how you will notify customers of any material changes to it. Merely changing the policy on the website without alerting customers does not count as notice.
- Accountability: Tell customers whom to contact with concerns, questions, or requests about your privacy policies and practices. Include at least the title, email address, phone number, and postal address of the official responsible for responding to privacy concerns.
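The Do Not Track item above requires you to disclose how your site responds to the signal, which in turn means the site needs a deliberate, testable response. The following is an added example, not code from the original article or from RSI Security, showing how a Node.js service or a browser script can read the DNT preference and gate non-essential trackers on it. The tracker list, the shape of the `headers` object (lowercased names, as Node's http module provides), and the choice to honor DNT by suppressing non-essential scripts are assumptions made for illustration; CalOPPA requires only that you disclose what you do.

```javascript
// Added example: reading a visitor's Do Not Track preference and gating
// non-essential tracking on it. Not part of the original article.
//
// Where the signal comes from:
//  - HTTP request header "DNT" (W3C Tracking Preference Expression):
//      "1" = do not track, "0" = tracking permitted, absent = no preference
//  - In the browser, navigator.doNotTrack (and the legacy msDoNotTrack
//    field) expose the same value as a string; some older builds returned
//    "yes"/"no" or "unspecified".

const DNT_DENY = "deny";   // visitor asked not to be tracked
const DNT_ALLOW = "allow"; // visitor explicitly permitted tracking
const DNT_UNSET = "unset"; // no preference expressed

function parseDntValue(raw) {
  if (raw === undefined || raw === null) return DNT_UNSET;
  const v = String(raw).trim().toLowerCase();
  if (v === "1" || v === "yes") return DNT_DENY;
  if (v === "0" || v === "no") return DNT_ALLOW;
  return DNT_UNSET; // "unspecified", empty, or garbage: treat as no preference
}

// Server side: `headers` is a plain object with lowercased header names,
// as Node's http module produces (assumption for this example).
function dntFromHeaders(headers) {
  const raw = headers["dnt"];
  // Defensive: if a proxy duplicated the header into an array, honor the first value.
  const first = Array.isArray(raw) ? raw[0] : raw;
  return parseDntValue(first);
}

// Client side: pass window.navigator (or any object with the same fields).
function dntFromNavigator(nav) {
  if (!nav) return DNT_UNSET;
  const raw = nav.doNotTrack !== undefined ? nav.doNotTrack : nav.msDoNotTrack;
  return parseDntValue(raw);
}

// Constructed tracker inventory (assumption): which scripts are essential to
// the service (never blocked) and which are optional tracking.
const TRACKERS = [
  { name: "analytics", essential: false },
  { name: "ad-retargeting", essential: false },
  { name: "session-manager", essential: true },
];

// Policy decision implemented here (an assumption, not a CalOPPA mandate):
// when DNT is "deny", load only essential scripts. The returned record can be
// logged so the behaviour stated in the privacy policy is verifiable.
function selectTrackers(dntState, trackers = TRACKERS) {
  const honour = dntState === DNT_DENY;
  return {
    dnt: dntState,
    load: trackers.filter((t) => t.essential || !honour).map((t) => t.name),
    suppressed: trackers.filter((t) => !t.essential && honour).map((t) => t.name),
  };
}

// Usage with constructed inputs: a request carrying DNT: 1, and a browser
// reporting "unspecified".
console.log(selectTrackers(dntFromHeaders({ dnt: "1" })));
console.log(selectTrackers(dntFromNavigator({ doNotTrack: "unspecified" })));
```

The decision function returns both the loaded and the suppressed list on purpose: writing that record to your request log gives you evidence that the site does what the Do Not Track section of the policy says it does.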
Preventing CalOPPA Non-compliance
CalOPPA aims to make businesses open with their customers about how they handle personal data. To avoid being flagged, make sure your Privacy Policy is easily accessible and readable. Include all of the sections above and be thorough but clear.
If you make any material changes to the Privacy Policy, notify your customers. Keep the policy conspicuously placed on the homepage of the website and keep it current. Most of all, be honorable in your practices and follow the commitments set out in your own Privacy Policy.
A violation of those commitments could lead to a significant loss of trust in your brand, not to mention potential monetary loss, fines, or penalties. Err on the side of caution in such matters, especially since consumers appreciate businesses that play it straight with them. By following these rules, you protect both your business and your customers and set yourself up for future success. For more information about cyber security solutions, please contact RSI Security today.