On September 27, 2013, California Governor Brown signed into law amendments to the California Online Privacy Protection Act (CalOPPA), a 2004 law requiring all commercial websites and online service providers collecting personally identifiable information about California residents to “conspicuously” post a “privacy policy.”  The amendments to CalOPPA, which take effect on January 1, 2014, add two new disclosure requirements for privacy policies required by CalOPPA:

  • The privacy policy must explain how the website “responds to ‘Do Not Track’ signals from web browsers or other mechanisms that provide California residents the ability to exercise choice” about collection of their personally identifiable information (Cal Bus and Prof Code §22575(b)(5)).
  • The privacy policy must disclose whether third parties use or may use the website to track (i.e., collect personally identifiable information about) individual California residents “over time and across third-party websites” (Cal Bus and Prof Code §22575(b)(6)).

The Bill Analysis” history indicates that CalOPPA amendments are not intended to “prohibit third-party or any other form of online tracking” but rather to “implement a uniform protocol for informing Internet users about tracking . . . and any options they may have to exercise choice . . .” (6/17/13 – Senate Judiciary).A website operator may meet the “do not track” disclosure requirement by including a link in the privacy policy to “an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice” (Cal Bus and Prof Code §22575(b)(7)).  The reference in §22575(b)(7) to “an online location” suggests that businesses already complying with the “enhanced notice link” requirements of the Self-Regulatory Program for Online Behavioral Advertising of the Digital Advertising Alliance (DAA) will comply with amended CalOPPA.  Among other requirements, the DAA’s self-regulatory program requires website owners/operators (called “First Parties”) to provide “clear, meaningful and prominent” disclosure about data collection and use for advertising purposes, and to offer consumers a way to opt out of tracking, such as through the DAA’s consumer choice page.  As noted in the Bill Analyses, while the DAA’s consumer choice mechanism enables consumers to opt out of receiving advertising based on online tracking data, it only works for companies that participate in the DAA’s program and “does not allow consumers not to be tracked.” 

User Credentials Subject to California Breach Laws Effective January 1, 2014

Governor Brown also signed into law amendments to California’s breach notification laws on September 27, 2013.  As amended, the definition of “personal information” that triggers breach notification requirements includes consumers’ online credentials: “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”