Non-compliance with CalOPPA
A business can be flagged for non-compliance for several reasons including:
If a business is notified that it is out of compliance, it has thirty days to amend its privacy policy and bring itself into compliance with CalOPPA; after that it faces potential consequences. CalOPPA contains no enforcement provisions of its own. Instead, it is enforced under California's Unfair Competition Law (UCL), and under that law the California Attorney General's office can file suit. CalOPPA guidance states: "Under the UCL the California Attorney General's Office, district attorneys, and some city and county attorneys can file suit against businesses for acts of “unfair competition,” which are considered to be any act involving a business that violates California law. As a result, violations of CalOPPA may be considered violations of the UCL. Government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. In addition, the UCL provides that private plaintiffs may assert private claims for violations of CalOPPA under the UCL. Operators who violate CalOPPA may also be susceptible to actions by the Federal Trade Commission, which may bring an enforcement action against.”
Does CalOPPA Apply to Me?
If you run a commercial website or online service, there is little doubt that you are subject to CalOPPA's requirements and to the consequences of non-compliance. The law applies to any operator of a commercial website or online service that collects personally identifiable information through the Internet from individual consumers residing in California. Its reach extends well past the California border: it does not matter whether your company is located in California. Collecting personal information from California residents through a website that Californians can reach is enough to bring you within its scope.
You might wonder what counts as personally identifiable information. Examples include:
- Bank account, routing, or credit card numbers
- Biometric identification
- Criminal history
- Education history
- Email or home address
- First or last name
- Government ID, driver's license number, or Social Security number
- Healthcare and medical records
- Height and weight
- Passwords, shortcuts, or password hints
- Phone number
- Social media accounts
Requirements of Compliance
- Conspicuous posting: the privacy policy, or a link to it, must be conspicuously posted on the website's home page (or first significant page). A link counts as conspicuous if it is one of the following:
  - An icon that contains the word "privacy", in a color that contrasts with the background color of the page on which it appears
  - A text hyperlink that contains the word "privacy" and stands out from the surrounding text in at least one of these ways: written in capital letters in a size equal to or greater than the surrounding text; set in larger type than the surrounding text; set in a type, font, or color that contrasts with surrounding text of the same size; or set off from surrounding text by symbols or marks that call attention to it
- Do Not Track: Online tracking is the collection of a customer's personally identifiable information as they use the site, and it generally goes unseen and unnoticed. Even customers who send a Do Not Track signal from their browsers cannot tell whether a business actually honors the request. You should state your website's online tracking practices and which other parties may track visitors on your site, so that there is clarity between you and your visitors. It is recommended that you make the section stating your company's policy on online tracking, and how you respond to a consumer's Do Not Track request, easy to find.
- Data Use and Sharing: In this section, describe to the consumer how you use, share, or sell personally identifiable information. Describe what personally identifiable information you use beyond what is needed for a purchase or a login. Describe your company's practices for sharing personally identifiable information with marketing partners, affiliates, or any other entity. At a minimum, list the kinds of companies you share customer data with. If possible, link to the privacy policies of the companies with whom you share data.
- Security Safeguards: This section should explain your company's plan to protect customers' personal data from unauthorized or unconsented access, alteration, or destruction. It should include a brief description of the security measures protecting personally identifiable information. It is also wise to discuss the security practices of the third parties with whom you share the data.
- Accountability: Include a section telling customers whom they can contact with concerns, questions, or requests about your privacy policies and practices. This should at least include the title, email address, phone number, and postal address of the official responsible for responding to privacy concerns.
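How a site actually reacts to a consumer's Do Not Track request, as discussed under "Do Not Track" above, is easiest to see in code. The following is an added example and is not code from the original page or from RSI Security: a small server-side decision function that reads the DNT request header, decides whether the request may be tracked, and sets the Tk response header from the W3C Tracking Preference Expression draft. The function names, the `trackWhenUnset` policy option, the tracker names, and the sample request headers are this example's own assumptions.

```javascript
// Added example (not from the original page): honouring a browser's Do Not
// Track signal on the server side. Names and sample data are assumptions.

// Case-insensitive header lookup; HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// Interpret the DNT header: "1" = user opted out of tracking, "0" = user
// opted in, anything else (or no header) = no expressed preference.
function dntPreference(headers) {
  const raw = getHeader(headers, 'dnt');
  if (raw === undefined) return 'unset';
  const value = raw.trim();
  if (value === '1') return 'opt-out';
  if (value === '0') return 'opt-in';
  return 'unset'; // malformed value: treated as no preference (assumption)
}

// Decide whether this request may be tracked. `policy.trackWhenUnset` is a
// hypothetical site setting for requests that carry no DNT preference; whatever
// it is set to, that choice is what the privacy policy must disclose.
function trackingDecision(headers, policy = { trackWhenUnset: true }) {
  const preference = dntPreference(headers);
  const track =
    preference === 'opt-in' ||
    (preference === 'unset' && Boolean(policy.trackWhenUnset));
  return {
    preference,
    track,
    // Tk response header (W3C Tracking Preference Expression draft):
    // "T" = this response is tracking, "N" = it is not.
    responseHeaders: { Tk: track ? 'T' : 'N' },
    // Third-party trackers are only loaded when tracking is allowed, so the
    // list of other parties that may track the visitor follows the decision.
    thirdPartyTrackers: track ? policy.thirdPartyTrackers || [] : [],
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { path: '/', headers: { 'user-agent': 'ExampleBrowser/1.0', DNT: '1' } },
  { path: '/', headers: { 'user-agent': 'ExampleBrowser/1.0' } },
  { path: '/', headers: { 'user-agent': 'ExampleBrowser/1.0', dnt: '0' } },
  { path: '/', headers: { 'user-agent': 'ExampleBrowser/1.0', Dnt: 'maybe' } },
];

// Assumed site policy: no signal means no tracking (the conservative choice).
const SITE_POLICY = {
  trackWhenUnset: false,
  thirdPartyTrackers: ['analytics.example', 'ads.example'], // assumed names
};

function decideAll(requests, policy) {
  return requests.map((request) => ({
    path: request.path,
    ...trackingDecision(request.headers, policy),
  }));
}

for (const decision of decideAll(SAMPLE_REQUESTS, SITE_POLICY)) {
  console.log(decision);
}
```

Run it with Node.js; only the third sample request (an explicit `DNT: 0`) is tracked under the assumed policy, and every response carries a `Tk` header so the visitor can see what the site decided. The point of the `trackWhenUnset` switch is that the privacy policy must describe exactly this behaviour: what the site does with a Do Not Track signal, and what it does when none is sent.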
Preventing CalOPPA Non-compliance
A CalOPPA violation can cause a significant loss of trust in your brand, on top of the monetary loss and potential fines or penalties. Err on the side of caution in these matters, especially since consumers appreciate businesses that are straight with them. By following these rules, you protect both your business and your customers and set yourself up for future success. For more information about cyber security solutions, please contact RSI Security today.