Companies have been updating or preparing privacy policies due in part to California Attorney General Kamala Harris's enforcement of the California Online Privacy Protection Act (the "Act"). In late 2012, the California Attorney General sent letters of noncompliance to approximately 100 mobile application developers and companies that had applications available on mobile platforms and subsequently filed a lawsuit against one of these companies, Delta Air Lines, Inc., in California state court, alleging that Delta did not have a privacy policy reasonably accessible to consumers for the "Fly Delta" mobile application. In May 2013, this court held that the federal Airline Deregulation Act preempted the enforcement of state law regarding this air carrier, and this suit was dismissed.

The updated Children's Online Privacy Protection Act Rule, which became effective on July 1, 2013, also has spurred updating or preparation of privacy policies.

Now there is another reason to revisit privacy policies—the Act has been amended to require additional disclosure items—including items about "do not track" signals—in privacy policies. See Cal. A.B. 370, which will become effective on January 1, 2014.

Application

The Act requires an operator of a commercial website or online service (including a mobile application) that collects personally identifiable information through the Internet about individual California resident consumers who use or visit its commercial website or online service to conspicuously post its privacy policy on its website. For an online service (including a mobile application), "conspicuously post" also covers making the privacy policy available by any other reasonably accessible means for consumers of that online service. Cal. Bus. and Prof. Code, Sections 22575(a) and 22577(b)(5).

The Act has broad reach, beyond California, since numerous commercial websites and online services collect personally identifiable information through the Internet about individual California resident consumers.

Privacy Policy Disclosure Requirements

The Act requires the privacy policy to identify or describe all of the following:

  1. Categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service and the categories of third-party persons or entities with which the operator may share that personally identifiable information.
  2. Any process that the operator maintains for an individual consumer who uses or visits its commercial website or online service to review and request changes to any of the consumer's personally identifiable information that is collected through the website or online service.
  3. The process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator's privacy policy for that website or online service.
  4. Its effective date. Id. at 22575(b). 

The amendment adds the following two disclosure items to the foregoing:

  1. How the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in that collection. To satisfy this requirement, an operator may provide a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
  2. Whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service. Id.

Enforcement

The California Attorney General enforces the Act. An operator is in violation of the Act if the operator fails to post its policy within 30 days after being notified of noncompliance. Id. at (a). Under California's Unfair Competition Law, violations of the Act may result in civil penalties of up to $2,500 for each violation. Id. at 17206(a).

Action Items

To address these requirements, companies should:

  1. Review their existing privacy policies to determine what the effective dates are. Revisiting may be especially warranted where an effective date is older.
  2. Review their websites or online services (including mobile applications) against their privacy policies as the former may have changed since the effective dates of the privacy policies. In addition, a number of companies are reviewing their websites or online services more comprehensively regarding compliance with other laws, guidance, and requirements.
  3. Review the privacy policies and websites or online services of their competitors and of any other companies to which they may compare themselves.
  4. Review contracts relating to their websites or online services (e.g., regarding compliance with law and privacy policy requirements).
  5. Update their privacy policies as warranted.
  6. Monitor other privacy and related developments that implicate websites and online services. For example, California S.B. 568 adds requirements involving an operator's Internet website, online service, online application, or mobile application regarding (1) the removal of content or information posted by minor California residents under age 18 and (2) marketing or advertising certain specified products and services to minor California residents under age 18. (See "California Minors under Age 18: Privacy Requirements for Deleting Content/Information and Advertising/Marketing.")

This article was first published on IRMI.com and is reproduced with permission. Copyright 2013, International Risk Management Institute, Inc.