In 2004, California passed the California Online Privacy Protection Act (“CalOPPA”) to require websites to post a Privacy Policy. In 2014, California updated the law to require those Privacy Policies to contain very specific disclosures.
Under CalOPPA, online websites and businesses could face severe penalties for non-compliance. In this guide, we will offer you guidance to understand how to comply with CalOPPA and help you answer the following:
- What is non-compliance under CalOPPA?
- Who enforces the requirements of CalOPPA?
- What are the CalOPPA penalties for non-compliance?
- How Termageddon can help you avoid CalOPPA penalties for non-compliance.
Table of Contents
What is non-compliance under CalOPPA?
Operators of websites or mobile applications must be compliant with CalOPPA if the online service collects the personally identifiable information (“PII”) of California residents. Compliance with CalOPPA requires that an operator post a Privacy Policy that explains how it handles PII after the data is collected from consumers. Operators must follow the exact provisions of CalOPPA, which includes meeting the wording requirements within the policy and presenting it where it’s easily seen.
Non-compliance with CalOPPA occurs if a website or mobile app fails to comply with the Privacy Policy requirement or fails to comply with the provisions of its own posted Privacy Policy. There are two ways that a violation may occur:
- Knowingly and willfully
- Negligently and materially
To avoid being non-compliant, a business should take steps to follow the requirements of CalOPPA. To be compliant, a website operator should:
- Post the Privacy Policy on the website
- Place the Privacy Policy in a conspicuous place
- Complete incomplete or missing sections
- Fix broken hyperlinks in the Privacy Policy
- Follow the Privacy Policy as posted
- Update the Privacy Policy with changes
The purpose of CalOPPA is to inform consumers how their data is shared after they submit it online. In 2011, the Future of Privacy Forum analyzed the top 30 paid mobile apps and found that nearly three-quarters of the apps lacked a basic Privacy Policy.
The lack of transparency about data collection and sharing leaves consumers without the ability to understand the use of their personal data by online services. To improve privacy protections for consumers, California passed CalOPPA to set a standard for all online services.
CalOPPA requires a business to explain its policies for apps and other online data collection activities, including email lists. The failure to post a Privacy Policy can expose a business owner to penalties and liabilities.
Who enforces the requirements of CalOPPA?
California state government enforcement of CalOPPA
CalOPPA does not have an enforcement mechanism within the statute, so its enforcement falls under the scope of California’s Unfair Competition Law (“UCL”). The UCL defines “unfair competition” as any “unlawful, unfair, or fraudulent business practice.” A business engages in unfair competition when it violates a California law such as failing to post a Privacy Policy or not following a policy that the business posted on its website.
If a website operator is found to be in non-compliance with CalOPPA for not having a Privacy Policy, the operator must make efforts to comply. After being notified of noncompliance, an operator has 30 days to post a Privacy Policy.
The UCL allows the California Attorney General’s office and government officials to file a lawsuit against the website operator for violating CalOPPA. Using the UCL, the government may seek civil penalties and equitable relief. Civil penalties include fines that can add up per violation. Equitable relief is a requirement to do a certain act, such as posting a Privacy Policy, or refrain from doing an act, such as ceasing to include false information in a policy.
In 2012, the California Attorney General created the Privacy Enforcement and Protection Unit in the state’s Department of Justice. The Privacy Unit focuses on prosecuting violations of state and federal privacy laws that regulate private or sensitive information. In addition, the Privacy Unit has a mission to:
- Enforce privacy practices in California
- Regulate the collection, retention, disclosure, and destruction of PII
- Hold organizations accountable that misuse technology
- Educate consumers about privacy matters.
The California Attorney General also enforces CalOPPA for operators of mobile applications that collect PII using an “online service.” In 2012, the California Attorney General notified hundreds of mobile application developers and companies of their non-compliance with CalOPPA. Upon notification, the companies were given 30 days to post a Privacy Policy within their app.
In 2016, the California Attorney General released an online tool to report violations of CalOPPA. Consumers can use the form to report any websites, mobile applications, or other online services that have a missing or inadequate Privacy Policy. The online form provides a way for consumers to “crowdsource” Privacy Policy violations.
Federal Trade Commission enforcement of CalOPPA
The Federal Trade Commission (“FTC”) is a U.S. government agency that investigates businesses that engage in deceptive or unfair practices. For online services, the FTC wants to protect consumers from placing their trust in a website’s Privacy Policy that is deceptive and misleading.
When consumers read a website’s Privacy Policy, they want to know how their personal information is used. If a website operator posts a Privacy Policy, but it does not actually follow it, then the business is being deceptive to consumers. For example, a website could mislead consumers into signing up for a mailing list because the Privacy Policy says their personal information will not be shared. However, if the website is really sharing the data, the website is being deceptive to consumers to get them to sign up for the mailing list.
If a website is violating its own Privacy Policy, the FTC can bring an action against the operator for deceptive practices. The FTC has the authority to launch an investigation and initiate an enforcement action. Further, the FTC has the power to:
- Conduct an administrative trial
- Demand civil litigation
- Seek penalties in federal court
- Require a business to submit a written report under oath
- Seek compensation for those harmed by the deceptive practice
The FTC usually settles enforcement actions through consent decrees and accompanying consent orders. In a consent decree, the respondent does not admit fault but promises to change its practices to avoid further litigation. A consent decree may include ongoing oversight that requires the business to report its practices to the FTC for several years.
What are the CalOPPA penalties for non-compliance?
What are the civil penalties under CalOPPA?
Website operators that are not in compliance with CalOPPA could face a charge of unfair competition. The UCL enforces noncompliance of CalOPPA by bringing a lawsuit against the operator.
Under the UCL, a website operator would face penalties under section 17206 of the California Business and Professions Code. The California Attorney General, any District Attorney, or any County Counsel can bring a civil action against the website operator.
If a court finds that the website operator engaged in unfair competition, the court will impose a civil penalty of up to $2,500 for each violation. To assess the amount of the civil penalty, the court will consider any relevant circumstances that the parties present in the case, which include:
- The nature and seriousness of the misconduct.
- The number of violations.
- The persistence of the misconduct.
- The length of time over which the misconduct occurred.
- The willfulness of the defendant’s misconduct.
- The defendant’s assets, liabilities, and net worth.
A significant consequence of non-compliance is that every violation receives a fine. Each violation creates a multiplier effect that could add up to be a large amount of money. This means that every visit to a website or each download while failing to comply can be a violation.
Does CalOPPA allow a private action?
California’s “unfair competition” law prohibits anti-competitive practices. Unfair competition includes false advertising, such as if a website posts a Privacy Policy that it doesn’t actually follow.
Under California’s UCL, a consumer or a business may file a private action for violations of CalOPPA. Lawsuits can be initiated by either consumers or businesses that suffer damages by a competitor’s unfair actions. The UCL provides that a lawsuit may be brought “by a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.”
How Termageddon can help you avoid CalOPPA penalties for non-compliance.
Having a Privacy Policy posted on an online service, such as a website, app, or contact form, is mandatory for those collecting the personal information of residents of California. Failure to follow the provisions of CalOPPA can cause a business to face civil penalties and federal actions.
Termageddon is a Privacy Policy generator that you can easily use to help avoid CalOPPA penalties for non-compliance. To be compliant, you will need to have a Privacy Policy if you answer “yes” to one or both of the following questions:
- Do you conduct business in California?
- Do you collect the PII of California residents?
Once you answer “yes” to one of the above questions using the generator, you can create a Privacy Policy after answering some additional questions. Once you submit the answers, the generator will give you a code to embed onto your Privacy Policy page. We use this embed code to automatically update your Privacy Policy whenever laws change. Considering we’re constantly tracking dozens of privacy bills across the globe, this happens more often than you might think.
