In October of last year, the California Attorney General took an innovative step by asking the public to help enforce its privacy laws! Consumers can now access an online form to report service providers who are in violation of the California Online Privacy Protection Act (CalOPPA).
CalOPPA applies to any organization that collects personally identifiable information (PII) online from California residents. The law requires that if you collect PII you must post a privacy policy which includes (among other things) the effective date, how you collect, share, store, address do not track requests and whether third parties can collect PII about users.
The new online form allows consumers to report several types of violations:
- Failure to post a privacy policy
- A privacy policy that is too difficult to locate. (e.g., how many clicks it takes to get to the privacy policy from the home page of the website or mobile application; whether the icon or hyperlink to the privacy policy was hard to see, etc.)
- An incomplete privacy policy. (e.g., the effective date of the privacy policy or the categories of PII collected)
- A failure to provide a notice of a material change to the privacy policy. (e.g., what changes the company made to the privacy policy without notifying the consumer)
- Any representations in the privacy policy which were not be followed
It is unclear how the Attorney General intends to use the information received from consumers but we can be sure it is part of California’s effort to increase enforcement of CA privacy laws.
This initiative is a good reminder to review your websites and mobile applications to ensure they include a privacy policy that is compliant with CalOPPA. Copying another company’s policy or using a “cookie cutter” approach that is not tailored to your specific service should be avoided. In addition, reviewing your privacy collection and procedures periodically to address any changes in how you handle data is important to ensure that your policy is accurate.
