California Attorney General Crowdsources Privacy Policing to Consumers

CalOPPA is a California law that requires website operators that collect personal information from consumers in California to post privacy policies to notify users about their online privacy practices. Given the fact that most online services collect information from California residents, the law has widespread impact.

Why Should You Care?

Given CalOPPA’s broad reach, many website operators are now subject to being reported through the new CalOPPA Complaint Form. The Form makes organizations’ compliance even more important in light of the fact that the CA OAG has effectively crowdsourced the CA Department of Justice’s privacy policing function to individuals, exponentially increasing their ability to identify potential violators.

What Do You Need to Know?

CalOPPA requires a website operator to include specific information in an online privacy policy and to ensure that the policy is clearly and conspicuously displayed. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. The privacy policy must also provide information on the operator’s online tracking practices. Failure to comply with these requirements has always meant a potential enforcement action by the CA OAG and potential fines up to $2,500 per violation under California's Unfair Competition Law. Now, however, consumers are able to use the Form to ramp up enforcement of the law.
 
The Form instructs individuals reporting a violation that they can use the Form against a website, mobile application, or other online service provider for the following CalOPPA violations:

1. a privacy policy that is missing or inapplicable;
2. a privacy policy that is hard to find;
3. a privacy policy that does not contain all the information required by law;
4. a company that does not follow its own privacy policy; and/or
5. or a company that does not notify users of significant changes to its privacy policy.

While the Form asks whether the user has attempted to contact the company first, it does not require users to provide website operators with notice and a chance to remedy prior to submitting a report.
 
The tool, which is in the format of an online form, is available at https://oag.ca.gov/reportprivacy.

What’s the Takeaway?

Given the broad reach of CalOPPA, all website operators should be aware of its requirements and ensure that their online practices are in order. Notably, companies that are collecting personal information online should do the following:

• Post a privacy policy on their website, mobile application, and other online platforms, if they don’t have one already.
• Review and revise existing privacy policies to ensure that they are up-to-date and cover CalOPPA’s requirements.
• Establish a procedure for responding to consumer complaints, with approved messaging, considering that these communications could be submitted to the CA OAG or other regulators.

Website operators should view the release of the Form as a wake-up call to review their online privacy practices. While CalOPPA may incorporate some of the more stringent requirements of state laws requiring privacy policies, many states have such requirements. Further, the Federal Trade Commission also reviews online privacy statements to police against misleading and deceptive practices.