The California Online Privacy Protection Act of 2003 (CalOPPA), effective as of July 1, 2004 and amended in 2013, is the first state law in the

United States The United States of America (USA), also known as the United States (U.S.) or America, is a country primarily located in North America. It is a federal republic of 50 U.S. state, states and a federal capital district, Washington, D.C. The 48 ...

requiring commercial

website A website (also written as a web site) is any web page whose content is identified by a common domain name and is published on at least one web server. Websites are typically dedicated to a particular topic or purpose, such as news, educatio ...

s on the

World Wide Web The World Wide Web (WWW or simply the Web) is an information system that enables Content (media), content sharing over the Internet through user-friendly ways meant to appeal to users beyond Information technology, IT specialists and hobbyis ...

and online services to include a

privacy policy A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify ...

on their website. According to this California State Law, under the Business and Professions Code, Division 8 Special Business Regulations, Chapter 22

Internet Privacy Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. P ...

Requirements, operators of commercial websites that collect

Personally Identifiable Information Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely used in the United States, but the phrase it abbreviates has fou ...

(PII) from California's residents are required to conspicuously post and comply with a

that meets specific requirements. A website operator who fails to post their

privacy Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of a ...

policy within 30 days after being notified about noncompliance will be deemed in violation. PII includes information such as name, street address, email address, telephone number, date of birth,

Social Security number In the United States, a Social Security number (SSN) is a nine-digit number issued to United States nationality law, U.S. citizens, Permanent residence (United States), permanent residents, and temporary (working) residents under section 205(c)(2 ...

, or other details about a person that could allow a consumer to be contacted physically or online.

Requirements

According to the act, the operator of a

must post a distinctive and easily found link to the website's

, commonly listed under the heading "Your California Privacy Rights". The privacy policy must detail the kinds of information gathered by the website, how the information will or could be shared with other parties, and, if such a process exists, describe the process the users can use to review and make changes to their stored information. It also must include the policy's effective date and an update on any changes that take place since then. The owner of a website can be subject to legal actions over CalOPPA within 30 days of being notified for not posting the privacy policy or not meeting the law's criteria. The owner could be faulted for their

negligence Negligence ( Lat. ''negligentia'') is a failure to exercise appropriate care expected to be exercised in similar circumstances. Within the scope of tort law, negligence pertains to harm caused by the violation of a duty of care through a neg ...

, possibly even consciously, over their inability to comply with the act, which ultimately results in charges filed against them for this noncompliance. CalOPPA non-compliance violations may be reported to the

California Attorney General The attorney general of California is the state attorney general of the government of California. The officer must ensure that "the laws of the state are uniformly and adequately enforced" (Constitution of California, Article V, Section 13). The ...

's office via their website.

Scope

The act is broad in scope, well beyond California's border. Neither the

web server A web server is computer software and underlying Computer hardware, hardware that accepts requests via Hypertext Transfer Protocol, HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, co ...

nor the company that created the website has to be in California in order to be under the scope of the law. The website only has to be accessible by California residents. Many

American American(s) may refer to: * American, something of, from, or related to the United States of America, commonly known as the "United States" or "America" ** Americans, citizens and nationals of the United States of America ** American ancestry, p ...

websites thus include a boilerplate disclaimer, usually under the titled

hyperlink In computing, a hyperlink, or simply a link, is a digital reference providing direct access to Data (computing), data by a user (computing), user's point and click, clicking or touchscreen, tapping. A hyperlink points to a whole document or to ...

of "Your California Privacy Rights", on their site's footer section by default for all-page access.

Consequences of non-compliance

As it does not contain

enforcement Enforcement is the proper execution of the process of ensuring compliance with laws, regulations, rules, standards, and social norms. Governments attempt to effectuate successful implementation of policies by enforcing laws and regulations. En ...

provisions of its own, CalOPPA is expected to be enforced through California's Unfair Competition Law (UCL), which prohibits unlawful, unfair, or fraudulent business acts or practices. UCL may be enforced for violations of CalOPPA by government officials seeking civil penalties or equitable relief, or by private parties seeking private claims. Non-compliance violations may be reported to the California Attorney General's offic
website

Compliance by Google

In May 2007, getting to Google's privacy policy required clicking on "About Google" on its home page, which brought up a page that included a link to its privacy policy.

New York Times ''The New York Times'' (''NYT'') is an American daily newspaper based in New York City. ''The New York Times'' covers domestic, national, and international news, and publishes opinion pieces, investigative reports, and reviews. As one of ...

reporter Saul Hansell posted a

blog A blog (a Clipping (morphology), truncation of "weblog") is an informational website consisting of discrete, often informal diary-style text entries also known as posts. Posts are typically displayed in Reverse chronology, reverse chronologic ...

entry raising questions about Google's compliance with this act. A coalition of privacy groups also sent a letter to Google's CEO,

Eric Schmidt Eric Emerson Schmidt (born April 27, 1955) is an American businessman and former computer engineer who was the chief executive officer of Google from 2001 to 2011 and the company's chairman, executive chairman from 2011 to 2015. He also was the ...

, questioning the absence of a privacy policy link on its home page. According to

Electronic Privacy Information Center The Electronic Privacy Information Center (EPIC) is an independent nonprofit research center established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Based in Washington, D.C., their mission i ...

director

Marc Rotenberg Marc Rotenberg (born April 20, 1960) is president and founder of the Center for AI and Digital Policy, an independent non-profit organization, incorporated in Washington, D.C. Rotenberg is the editor of ''The AI Policy Sourcebook'', a member of t ...

, a lawsuit challenging Google's privacy policy practices as a violation of California law was not filed in the hope that their informal complaints could be resolved through discussions. Later, Google added a direct link to its privacy policy on its homepage.

Amendments

AB 370

Assembly Bill 370 (Muratsuchi), which was signed into law in 2013, amended CalOPPA requiring new privacy policy disclosures for websites and online services that track visitors. It was defined in the legislative analysis of the bill as "the monitoring of an individual across multiple websites to build a profile of behavior and interests." It required privacy policies to either contain a disclosure, or link to a disclosure on a separate page, detailing how websites responded to the

Do Not Track Do Not Track (DNT) is a deprecated non-standard HTTP header field designed to allow internet users to opt out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the ...

header and "other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services", if websites tracked the

personally identifiable information Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely used in the United States, but the phrase it abbreviates has fou ...

of users. It also required privacy policies to disclose if websites allowed third-parties to engage in cross-site tracking of their users. See Cal. Assembly Bill 370, which became effective on January 1, 2014.

Other Proposed Amendments

On February 6, 2013, Assembly Member Ed Chau had introduced AB 242, which would amend the act to impose additional requirements on privacy policies.Assembly Bill 242
The amendments would require: : ivacy polic esto be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th-grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared. AB 242 died in the Assembly Judiciary Committee.

References

{{reflist

External links

Consumer Federation of California

How to Read a Privacy Policy

California California () is a U.S. state, state in the Western United States that lies on the West Coast of the United States, Pacific Coast. It borders Oregon to the north, Nevada and Arizona to the east, and shares Mexico–United States border, an ...

United States federal computing legislation California statutes 2004 in American law 2013 in American law