California Online Privacy Protection Act

The California Online Privacy Protection Act of 2003 (CalOPPA), [1] effective as of July 1, 2004 and amended in 2013, is the first state law in the United States requiring commercial websites and online services to post a privacy policy. Under this California state law (Business and Professions Code, Division 8 Special Business Regulations, Chapter 22 Internet Privacy Requirements), operators of commercial websites that collect Personally Identifiable Information (PII) from California residents are required to conspicuously post, and comply with, a privacy policy that meets specific requirements. [2] A website operator who fails to post a privacy policy within 30 days after being notified of noncompliance is deemed in violation. PII includes information such as name, street address, email address, telephone number, date of birth, Social Security number, or other details about a person that would allow the consumer to be contacted physically or online.

Requirements

According to the act, the operator of a website must post a distinctive and easily found link to the website's privacy policy, commonly listed under the heading "Your California Privacy Rights". The privacy policy must detail the kinds of information gathered by the website, how the information will or could be shared with other parties, and, if such a process exists, the process users can follow to review and change their stored information. It must also state the policy's effective date and describe any changes made since then.

The owner of a website can be subject to legal action under CalOPPA if, within 30 days of being notified, they have not posted a privacy policy or the policy does not meet the law's criteria. The owner may be found negligent, or even knowingly noncompliant, in failing to comply with the act, which can result in charges being filed for the noncompliance. [3]

CalOPPA non-compliance violations may be reported to the California Attorney General's office via their website. [4] [2]

Scope

The act is broad in scope, reaching well beyond California's borders. Neither the web server nor the company that created the website has to be in California for the law to apply; the website only has to be accessible to California residents. [5] Many American websites therefore include a boilerplate disclaimer, usually under a hyperlink titled "Your California Privacy Rights", in the site footer so that it is reachable from every page. [6]

Consequences of non-compliance

As it does not contain enforcement provisions of its own, CalOPPA is expected to be enforced through California's Unfair Competition Law (UCL), [7] which prohibits unlawful, unfair, or fraudulent business acts or practices. UCL may be enforced for violations of CalOPPA by government officials seeking civil penalties or equitable relief, or by private parties seeking private claims. [8]

Compliance by Google

In May 2007, getting to Google's privacy policy required clicking on "About Google" on its home page, which brought up a page that included a link to its privacy policy. New York Times reporter Saul Hansell posted a blog entry [9] raising questions about Google's compliance with this act. A coalition of privacy groups also sent a letter [10] to Google's CEO, Eric Schmidt, questioning the absence of a privacy policy link on its home page. According to Electronic Privacy Information Center director Marc Rotenberg, a lawsuit challenging Google's privacy policy practices as a violation of California law was not filed in the hope that their informal complaints could be resolved through discussions. [11] Later, Google added a direct link to its privacy policy on its homepage. [12]

Amendments

AB 370

Assembly Bill 370 (Muratsuchi), signed into law in 2013, amended CalOPPA to require new privacy policy disclosures from websites and online services that track visitors. Tracking was defined in the legislative analysis of the bill as "the monitoring of an individual across multiple websites to build a profile of behavior and interests." [13] [14] For websites that track the personally identifiable information of users, it required privacy policies to either contain a disclosure, or link to a disclosure on a separate page, detailing how the website responds to the Do Not Track header and "other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services". It also required privacy policies to disclose whether the website allows third parties to engage in cross-site tracking of its users. See Cal. Assembly Bill 370, which became effective on January 1, 2014.

Other Proposed Amendments

On February 6, 2013, Assembly Member Ed Chau introduced AB 242, which would have amended the act to impose additional requirements on privacy policies. [15] The amendments would require:

[P]rivacy polic[ies] to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th-grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared. [15]

AB 242 died in the Assembly Judiciary Committee. [16]


References

  1. The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (2004).
  2. "Business and Professions Code - BPC". leginfo.legislature.ca.gov. Retrieved 2020-10-28.
  3. Privacy Rights Clearinghouse, California's Online Privacy Protection Act Goes into Effect July 1: Requires Internet Merchants to Post a Privacy Policy (June 28, 2004).
  4. California Attorney General's office website.
  5. John Yates and Paul Arne, Protecting Your Visitors: California's Online Privacy Protection Act Could Set Standards, LocalTechWire.com (Feb. 23, 2004).
  6. "The "Your California Privacy Rights" clause". TermsFeed. Retrieved 1 September 2018.
  7. Cal. Bus. & Prof. Code §§ 17200-17210.
  8. Hunton & Williams LLP, New Requirements for Online Privacy Policies (June 2004).
  9. Saul Hansell, Is Google Violating a California Privacy Law?, New York Times (May 30, 2008).
  10. Letter to Dr. Eric Schmidt, CEO Google Inc. from Privacy Groups (June 3, 2008).
  11. Anne Broache, Google attacked over privacy policy visibility, CNET News (June 3, 2008).
  12. John Paczkowski, "Privacy" Counts as Half a Word if It's in an 8-Point Font, All Things Digital (July 2008).
  13. "The California Online Privacy Protection Act (CalOPPA) | Consumer Federation of California". Retrieved 2020-10-28.
  14. "Today's Law As Amended". leginfo.legislature.ca.gov. Retrieved 2020-10-28.
  15. Assembly Bill 242.
  16. Olsen. "AB 928 Assembly Bill - Bill Analysis". www.leginfo.ca.gov. Retrieved 2018-03-23.