California Attorney General Crowdsources Privacy Policing to Consumers
CalOPPA is a California law that requires website operators that collect personal information from consumers in California to post privacy policies to notify users about their online privacy practices. Given the fact that most online services collect information from California residents, the law has widespread impact.
Why Should You Care?
Given CalOPPA’s broad reach, many website operators are now subject to being reported through the new CalOPPA Complaint Form. The Form makes organizations’ compliance even more important in light of the fact that the CA OAG has effectively crowdsourced the CA Department of Justice’s privacy policing function to individuals, exponentially increasing their ability to identify potential violators.
What Do You Need to Know?
The Form instructs individuals reporting a violation that they can use the Form against a website, mobile application, or other online service provider for the following CalOPPA violations:
While the Form asks whether the user has attempted to contact the company first, it does not require users to provide website operators with notice and a chance to remedy prior to submitting a report.
The tool, which is in the format of an online form, is available at https://oag.ca.gov/reportprivacy.
What’s the Takeaway?
Given the broad reach of CalOPPA, all website operators should be aware of its requirements and ensure that their online practices are in order. Notably, companies that are collecting personal information online should do the following:
- Review and revise existing privacy policies to ensure that they are up-to-date and cover CalOPPA’s requirements.
- Establish a procedure for responding to consumer complaints, with approved messaging, considering that these communications could be submitted to the CA OAG or other regulators.
Website operators should view the release of the Form as a wake-up call to review their online privacy practices. While CalOPPA may incorporate some of the more stringent requirements of state laws requiring privacy policies, many states have such requirements. Further, the Federal Trade Commission also reviews online privacy statements to police against misleading and deceptive practices.