California Online Privacy Protection Act

California’s recent amendments to the California Online Privacy Protection Act require certain online services to make additional disclosures about how they respond to browser-based Do Not Track signals, new obligations that went into effect on January 1. Along with Joanne McNabb of the Office of the California Attorney General, Kurt Wimmer and I will be discussing

The California legislature has enacted a flurry of privacy-related laws over the past few months.   Still more bills are pending.  This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014.  For a more detailed look at some of these key laws, please see our recent client alert

  • A.B. 370 “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014).  The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information.  This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service.  An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
  • S.B. 46 Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014).  California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.”  The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information.  This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.

Continue Reading Roundup of Recently Enacted Privacy Legislation in California; Some Measures Will Become Effective on January 1, 2014

Last week the California Senate unanimously approved a bill requiring that operators of commercial websites and online services that collect personal information disclose how they respond to “do-not-track” signals from web browsers and whether they allow third parties to engage in online tracking.  The legislation, which was introduced by Assemblyman Al Muratsuchi, has been sponsored by CA Attorney General Kamala Harris. 

The proposed new law would amend the California Online Privacy Protection Act (“CalOPPA”), which requires that covered websites conspicuously post a privacy policy disclosing certain information and practices.  Specifically, the bill adds new requirements that a privacy policy:

  • “disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection”; and
  • “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

The operator may satisfy the disclosure regarding how the operator responds to do-not-track signals by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

Continue Reading Bill Adding Do-Not-Track Disclosures to CalOPPA Passes California Senate

Yesterday, California Attorney General Kamala Harris continued her efforts to promote privacy best practices in the mobile app ecosystem by issuing a number of recommendations in her report, “Privacy on the Go.”  The report encourages app developers, platform providers, ad networks, OS developers, and even mobile carriers to incorporate privacy by design into their products and services and provides detailed suggestions on how to do so.  Importantly, the report notes that its recommendations in many cases go beyond what’s currently required by law; they are, for the most part, best practices. 

As the report explains, “[t]he basic approach . . . is to minimize surprises to users from unexpected privacy practices.”  A practice is “unexpected” when it’s not “related to an app’s basic functionality” or when it involves “sensitive information.”  Minimizing surprises means limiting the collection and retention of data that is unrelated to the app’s core functionality; giving users “enhanced notice” (i.e., notice beyond what is provided in the developer’s general privacy policy) of unexpected practices; and giving users control over those practices.  (These concepts, if not the precise terminology, will be familiar to those who have read the FTC’s March 2012 report, which recommended that companies provide consumers with robust notice and meaningful choices for practices that were “inconsistent with the context” of a particular transaction or with the company’s relationship with the consumer.)

The report goes on to make a number of specific recommendations that build on these basic propositions.  After the jump, we discuss a few that struck us as particularly noteworthy.

Continue Reading Key Takeaways from the California AG’s Mobile Apps Report

California Attorney General Kamala Harris has made good on her promise to get tough with mobile app makers that fail to provide privacy policies in their apps.  Yesterday, her office sued Delta Airlines for violating the California Online Privacy Protection Act (“CalOPPA”), which requires providers of websites and “online services” to conspicuously post privacy policies