New Online Privacy Policy Requirements Take Effect January 1, 2014

VedderPriceLogo

 

California Online Privacy Protection Act (CalOPPA)

Owners of websites, online services or mobile applications (apps) that can be accessed or used by California residents should ensure their compliance with the new amendments to the California Online Privacy Protection Act of 2003 (CalOPPA) by the law’s January 1, 2014 effective date.  The borderless nature of the Internet makes this law applicable to almost every website or online service and mobile application.  Accordingly, companies should review and revise their online privacy policies to ensure compliance with the new law and avoid potentially significant penalties.

Previously, CalOPPA required the owner of any website or online service operated for commercial purposes (an “operator”) that collects California residents’ personally identifiable information (PII) to conspicuously post a privacy policy that met certain content requirements, including identifying the types of PII collected and the categories of third parties with whom that information is shared. The new law requires that companies subject to CalOPPA provide the following additional disclosures in their privacy policies.

  • How an operator responds to “do not track” signals from Internet browsers and any other mechanism that provides consumers a choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites and online services.  A company may satisfy this requirement by revising its privacy policy to include the new disclosures or by providing a clear and conspicuous hyperlink to a webpage that contains a description of any program or protocol the company follows to provide consumers a choice about tracking, including the effects of the consumer’s choice.
  • An affected company must disclose to users whether third parties may collect PII about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.

The California law does not require that operators honor a user’s “do not track” signals. Instead, operators must only provide users with a disclosure about how the website or mobile app will respond to such mechanisms. “Do not track” mechanisms are typically small pieces of code, similar to cookies, that signal to websites or mobile apps that the user does not want his or her website or app activities tracked by the operator, including through analytics tools, advertising networks, and other types of data collection and tracking practices.  Further, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General recently stated that the required disclosures should not be limited to tracking simply for online behavioral advertising purposes, but those disclosures must extend to any other purpose for which online behavioral data is collected by a business’s website (e.g., market research, website analytics, website operations, fraud detection and prevention, or security).

A violation of the law can result in a civil fine of up to $2,500 per incident. The California Attorney General maintains that each noncompliant mobile app download constitutes a single violation and that each download may trigger a fine.

Given that most company websites will have California visitors, companies should consider taking the following steps to ensure compliance with the CalOPPA amendments by January 1, 2014:

  • Identify the tracking mechanisms in place on your company’s websites and online services, including (a) the specific types of PII collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and how the website responses responds to “do not track” signals by seeking input from those familiar with your website, including (i) technicians and developers who understand the mechanics of how the website operates, including how it responds to “do not track signals,” (ii) financial and marketing personnel who understand how user PII is monetized, and (iii) any other stakeholders who access or handle user PII.
  •  Review the practices of any third parties that have the ability to track users on your website. To draft the new disclosures, you will need to understand how those third parties track your users and whether they are capable of doing so before or after the users leave your service.
  • Incorporate the information identified above to modify your online privacy policy to include the required behavioral tracking disclosures.
  • Retain the prior version of the policy in your records, including the date on which each version was posted to the site. The new version should have an updated effective date to distinguish it from the previous version.

Expansion of California’s Data Breach Notification Requirements

Under another new law taking effect on January 1, 2014, California will expand its data breach notification requirements by adding new types of information to the definition of “personal information” under California Civil Code §§ 1798.29 and 1798.82. The new law requires notification if a California resident’s personal information is compromised, and, as with CalOPPA, the breach notification requirements apply regardless of the location of the organization that sustains the breach.  Therefore, to the extent that your business collects and retains California residents’ PII, then the amended California breach notification law would apply.

Previously, the California law required notification of a data breach in the event of the unauthorized access to or disclosure of an individual’s name, in combination with that individual’s (i) Social Security number, (ii) driver’s license or California ID number, (iii) account, credit or debit card number, together with a security or access code, (iv) medical information, or (v) health information, where either the name or the other piece of information was not encrypted. Under the new definition, “personal information” will also include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Accordingly, if your business or organization collects this type of information, then it should consider undertaking the following proactive measures to reduce the risk and magnitude of a potential data breach:

  • Periodically and systematically delete nonessential personal information. By deleting obsolete PII and other sensitive information, businesses can significantly reduce the risk of a breach.  Retaining such obsolete legacy PII serves no business purpose, but only adds unnecessary exposure and potential liability.
  • Conduct a PII inventory and perform a risk assessment of your security measures.  Identify what PII is being collected by your organization, where it is retained, who has access to the PII and  the security measures to protect the PII.  Ensuring that sufficient protections are in place may not prevent every incident, but they can reduce the possibility of an incident occurring in the first place and limit the disruption to your business if there is a breach.
  • Limit the disclosure of PII to third parties only when necessary to provide services or products. You can be equally responsible for a data breach notification if the person or entity who experiences the data breach was a third party who received PII from you. Any vendor or third party with whom you share PII should contractually represent and warrant that they have in place certain standards for protecting that information and agree to indemnify your company for any loss that results from a breach.

 

Article by:

Of:

Vedder Price

Privacy Policies Now a Must for Mobile Apps

The National Law Review recently published an article, Privacy Policies Now a Must for Mobile Apps, written by Tanya L. CurtisLeonard A. Ferber, and Doron S. Goldstein of Katten Muchin Rosenman LLP:

Katten Muchin

 

California has long been a leader in privacy legislation. That position was strengthened recently when the California Attorney General filed a first-of-its-kind lawsuit against a company for its failure to include a privacy policy with a smartphone application. The lawsuit, filed on December 6 against Delta Airlines, alleges that the airline violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application. This action by the state of California has broad implications to anyone developing or distributing mobile apps.

Background

In 2004, California enacted the California Online Privacy Protection Act (CalOPPA)requiring commercial operators of websites and online services to conspicuously post detailed privacy policies to enable consumers to understand what personal information is collected by a website and the categories of third parties with which operators share that information. CalOPPA provides that “an operator shall be in violation of this [posting requirement] only if the operator fails to post its policy within 30 days after being notified of noncompliance,” and if the violation is made either (a) knowingly and willingly or (b) negligently and materially. In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

While CalOPPA does not define an “online service” or specifically mention “mobile” or “smartphone” applications, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.” In light of this interpretation, in 2011 the Attorney General’s office contacted the six leading operators of mobile application platforms in an attempt to improve mobile app compliance with CalOPPA. In February 2012, the Attorney General reached an agreement with these companies on a set of principles designed to ensure that mobile apps include a conspicuously posted privacy policy where applicable law so requires (such as in California), and that the policy appear in a consistent location on the app download screen.

Delta markets its Fly Delta mobile app though various online “app stores.” Among other things, the Fly Delta app allows customers to check in to flights, rebook cancelled flights and pay for checked baggage. Delta has a website that includes a privacy policy, but that policy did not mention the Fly Delta app or the types of information collected from the app.

The Case

In October, the California Attorney General’s office sent letters to a number of mobile application makers, including Delta, that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta either forgot about or ignored the letter, and the Attorney General filed suit.

The complaint stated that the Fly Delta application did not have a privacy policy within the application itself or in the app stores from which the application could be downloaded. The complaint also noted that, while Delta’s website has a privacy policy, the policy does not mention the Fly Delta app or the personal information collected by the app, and is not reasonably accessible to consumers who download the app. Since Delta failed to respond to the October letter, the Attorney General charged the airline with violating California law by knowingly and willfully, or negligently and materially, failing to comply with CalOPPA. And, in a separate charge under a provision of CalOPPA not requiring 30 days’ notice of noncompliance, the Attorney General alleged that Delta failed to comply with the privacy policy posted on its own website, in that the Fly Delta app does not comply with that policy. The complaint asks for damages of $2,500 for each violation, presumably for each download.

What You Need to Know

While California is currently unique in applying its privacy law to mobile applications, many states look to California, as a leader in this area, for guidance. CalOPPA applies to any “operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service…” In light of California’s large population, the practical effect of CalOPPA is that an overwhelming number of online businesses (including mobile app developers) must comply with it.

It is now clear that virtually all mobile or smartphone app makers, as well as companies that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users. The actions of the California Attorney General also make it clear that there is a cost to noncompliance. Such accessibility can be achieved either by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s or developer’s overall web privacy policy.

©2012 Katten Muchin Rosenman LLP