The updated Children's Online Privacy Protection Act Rule, which became effective on July 1, 2013, also has spurred updating or preparation of privacy policies.
Now there is another reason to revisit privacy policies—the Act has been amended to require additional disclosure items—including items about "do not track" signals—in privacy policies. See Cal. A.B. 370, which will become effective on January 1, 2014.
The Act has broad reach, beyond California, since numerous commercial websites and online services collect personally identifiable information through the Internet about individual California resident consumers.
- Categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service and the categories of third-party persons or entities with which the operator may share that personally identifiable information.
- Any process that the operator maintains for an individual consumer who uses or visits its commercial website or online service to review and request changes to any of the consumer's personally identifiable information that is collected through the website or online service.
- Its effective date. Id. at 22575(b).
The amendment adds the following two disclosure items to the foregoing:
- Whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service. Id.
The California Attorney General enforces the Act. An operator is in violation of the Act if the operator fails to post its policy within 30 days after being notified of noncompliance. Id. at (a). Under California's Unfair Competition Law, violations of the Act may result in civil penalties of up to $2,500 for each violation. Id. at 17206(a).
To address, companies should:
- Review their existing privacy policies to determine what the effective dates are. Revisiting may be especially warranted where an effective date is less recent.
- Review their websites or online services (including mobile applications) against their privacy policies as the former may have changed since the effective dates of the privacy policies. In addition, a number of companies are reviewing their websites or online services more comprehensively regarding compliance with other laws, guidance, and requirements.
- Review the privacy policies and websites or online services of their competitors and of any other companies to which they may compare themselves.
- Update their privacy policies as warranted.
- Monitor other privacy and related developments that implicate websites and online services. For example, California S.B. 568 adds requirements involving an operator's Internet website, online service, online application, or mobile application regarding (1) the removal of content or information posted by minor California residents under age 18 and (2) marketing or advertising certain specified products and services to minor California residents under age 18. (See "California Minors under Age 18: Privacy Requirements for Deleting Content/Information and Advertising/Marketing.")
This article was first published on IRMI.com and is reproduced with permission. Copyright 2013, International Risk Management Institute, Inc.