Cal. Bus. & Prof. Code Section 22575 et seq.
Relationship with other laws: CalOPPA does not contain explicit exemptions. However, organizations are excepted from CalOPPA if they are subject to Federal laws that preempt state law. For example, commercial airlines subject to the federal Airline Deregulation Act (which preempts state law consumer protection claims against commercial airlines) have been found to be exempted from CalOPPA (see Case Study: Delta Airlines Inc).
Effective date: CalOPPA became operative on July 1, 2004.
Who is subject to the CalOPPA (Territorial Scope)?
CalOPPA imposes obligations on ‘operators’ of commercial websites and online services, within or outside California, that collect information from consumers residing in California (see Cal. Bus. & Prof. Code Section 22575 (a)).
‘Operator’ under CalOPPA means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains PII from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes.
‘Operator’ does not include any third party that “operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.” See Cal. Bus. & Prof. Code Section 22577(c).
Organizations that provide web hosting or managing services are typically excluded from CalOPPA compliance, although they may decide to require or encourage compliance by their customers to avoid becoming entangled in lawsuits on a contributory liability basis.
Excluding California: In theory, an ‘operator’ could be outside of the scope of CalOPPA by blocking collection of data of California residents. In practice, few organizations can or want to exclude California residents from their online services.
(2) ‘Online service’
‘Online service’ is not defined under CalOPPA.
PRACTICE TIP: The CA AG has broadly interpreted the term ‘online service’ to include ‘any service available over the Internet or that connects to the Internet, including internet-connected gaming platforms, voice-over-Internet protocol services, cloud services and mobile applications.’ (see, Case Study: Delta Airlines Inc).
What is regulated by CalOPPA (Material Scope)?
CalOPPA applies to the online collection of ‘personally identifiable information’ of a consumer.
(1) Online Collection
Collection is not defined by CalOPPA.
PRACTICE TIP: CalOPPA applies to both online websites and other online services, including mobile apps (see Case Study: Delta Airlines Inc).
(2) Personally Identifiable Information
‘Personally identifiable information’ (PII) under CalOPPA means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form (See Cal. Bus. & Prof. Code Section 22577(a)). PII includes, but is not limited to:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
Practice Tip: Operators of mobile apps that collect location information are usually covered under CalOPPA because they collect ‘physical addresses’.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Other information: Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in (1) through (6) above.
‘Consumer’ under CalOPPA means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes (See Cal. Bus. & Prof. Code Section 22577(d)).
PRACTICE TIP: Operators of B2B websites or online services are not expressly exempted and can be exposed to liability under CalOPPA. Even where the site or service is directed to other businesses, an organization may not be able to completely rule out that a consumer residing in California has accessed its site or service and, where such access results in the collection of PII as defined by CalOPPA, the obligation to notify under the law is triggered.
Individual rights: Right to be informed
Consumers have a right to be informed of the data handling practices of the ‘operator’ under CalOPPA. This is done through the posting of a privacy notice.
To be compliant with CalOPPA, a privacy notice must meet certain content and format standards:
- Identify the categories of PII that the ‘operator’ collects through the Web site or online service about individual consumers and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
- If the operator maintains a process for the consumer to review and request changes to PII collected through the Web site or online service, provide a description of that process.
- Identify its effective date.
While CalOPPA does not prohibit online tracking, it requires disclosure of how organizations respond to web browser signals and other mechanisms that allow consumers to choose whether they want to allow collection of their PII over time and across third-party websites. Specifically, ‘operators’ shall:
- Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection. This requirement may be satisfied by providing a clear and conspicuous hyperlink to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
- Disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
A statement that the organization does not honor ‘Do Not Track’ signals is compliant with CalOPPA.
See, Cal Civ. Code Section 22575 (b) (5)&(6)
(A) For websites:
- Includes the word “privacy.”
- Is written in capital letters equal to or greater in size than the surrounding text.
- Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
- Any other functional hyperlink that is so displayed that a reasonable person would notice it.
(B) For online services:
See ‘individual rights’ above.
Sanctions and remedies
An ‘operator’ is in violation of CalOPPA if it fails to comply with its provisions in either of the following ways (Cal. Bus. & Prof. Code Section 22576):
(a) Knowingly and willfully.
(b) Negligently and materially.
However, an ‘operator’ is liable only if it fails to post its policy within 30 days after being notified of noncompliance (Cal. Bus. & Prof. Code Section 22575 (a)).
Enforcement actions for violation of CalOPPA can be brought under California’s general Unfair Competition Law (UCL) (see Cal. Bus. & Prof. Code Section 17200 et seq.). Actions for enforcement of CalOPPA via the UCL can be brought by the Attorney General or a district attorney. Private plaintiffs, including class-action plaintiffs, may also bring an action but must show that they suffered an injury-in-fact and that they lost money or property as a result of the violation (see Cal. Bus. & Prof. Code Section 17204). Although allegations that PII has been compromised are not sufficient for a private plaintiff to bring an action, some courts have accepted the argument that consumers would have paid less for products or services had they been told about the ‘operator’s’ practices.
California State agencies are subject to notice requirements under Cal. Gov. Code Sec. 11015.5.
California Privacy Law: Practice guide and commentary on US Federal and California law, by Lothar Determann (an IAPP publication)
Guidance from regulators
Case studies and case law
Regarding private parties bringing action under the CA UCL: See Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) and In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1072 (N.D. Cal. 2012).