- What is the CalOPPA definition of personal information?
- What does CalOPPA require to protect a consumer’s information?
- How to use CalOPPA to protect the personal information of your customers.
Table of Contents
What is the CalOPPA definition of personal information?
California passed CalOPPA to protect the personal data of consumers that reside in California. The focus of CalOPPA is requiring a business to provide transparency to California residents about the use of their personal data.
Operators often collect PII when communicating with a customer
CalOPPA applies to the collection of “personally identifiable information” (PII) through the Internet that a website collects about an individual consumer. The law concerns identifiable information about a California consumer that an operator collects online from an individual and maintains in an accessible form. The CalOPPA statute defines PII as including any of the following:
- A first and last name
- A home or other physical address, including street name and name of a city or town
- An e-mail address
- A telephone number
- A social security number
PII also includes an individual’s online user information that is in a personally identifiable form when combined with another identifier listed in CalOPPA. In addition, PII includes “any other identifier” that permits someone to contact a specific individual in person or online. Examples of other identifiers often used by operators include:
- User preferences
- Security answers
- Online activity
- Shopping cart data
- Data submitted in forms
Other identifiers also include personal details that consumers provide to websites and mobile apps when they set up an account. This type of information can be used with the identifiers listed in the statute to identify an individual. Examples of personal details include:
- Bank account numbers
- Credit card numbers
- Education history
- Family information
- Social media accounts
An operator needs to be aware of the sensitive data that it collects. A web business should establish internal controls for how sensitive information is collected, used, and stored.
Operators should review automated processes that collect data
One of the most significant ways that individuals leak private data is through their web browser. The browser communicates with the website and sends various information about the user.
Many online services collect data using an automated process to increase a website’s functionality. Under CalOPPA, PII includes information that is collected passively through various methods, such as a web browser. Websites use the information gathered from a user’s browser to track information. For example, a website may record the IP address of a visitor for security purposes. The website may also track what type of browser, device, and operating system the visitor is using. Other types of automatically collected data include:
- Web beacons
- Geolocation data
When surfing the web, many websites send a “cookie” to a user’s browser. A cookie is a small file that saves a user’s settings to offer the user a more efficient experience when returning to the site. A cookie is a type of note-taker that logs a user’s activity on the website. Users will normally encounter two types of cookies, which are:
- Session cookies – stores information temporarily and disappears when the browser is closed
- Persistent cookies – stores information for long periods of time and remains when the browser is closed
An example of a persistent cookie is a shopping cart. When a user visits a shopping site, the cookie keeps track of the items added to a shopping cart that the user may want to purchase when returning to the website.
A web beacon is a graphic that is usually no larger than 1 pixel x 1 pixel. They are also called pixel tags, clear GIFs, or web bugs. Web beacons are a part of a website and work together with cookies. They are mostly used for general statistics and are not normally used to access personally identifiable information.
Geolocation data tracks where a website visitor or app user is located. This type of data refers to the geographical location of an Internet-connect device using latitudinal and longitudinal information.
Some users do not want to be tracked with information communicated from their browsers to online service providers. Under CalOPPA, an operator must respect a consumer’s right to use a “Do Not Track” mechanism. If a visitor requests no tracking by the operator, the visitor should be able to exercise a choice before the operator collects any PII.
What does CalOPPA require to protect a consumer’s information?
CalOPPA defines a “consumer” as a California resident who uses or visits a commercial website or online service. The law considers a consumer as “any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.” In the statute, a consumer also includes anyone in California that uses a mobile application.
Operators should provide transparency and choice to consumers
The core idea of CalOPPA is to provide transparency to California residents about data collection practices. The law sets standards for data collection practices so that consumers have an opportunity to choose if they want their personal data shared with others.
On a regular basis, companies capture, analyze, and share the PII of consumers for marketing purposes. Some companies sell access to an individual’s personal information. Customer data is usually collected by:
- Asking the consumer
- Tracking the consumers indirectly
- Aggregating consumer data from other sources
The collection of consumer data is big business, and information about consumers is extremely valuable. Companies have entire business models built around the collection of consumer data. The sharing of information flows all over the Internet and is accessed by a wide variety of entities, including academic researchers, law enforcement, and criminals.
Operators should share information to benefit consumers
Data brokers aggregate information about consumers and place the information on public websites for anyone to see. To remove the information, a consumer often has to make time-consuming efforts to figure out how to “opt-out” of these data aggregating services.
The sharing of PII does not always benefit consumers. Often, a consumer finds their personal information all over the Internet. As a result, a consumer could end up being targeted for a crime, such as fraud. Also, the consumer is left vulnerable to doxing, which is when an individual’s personal information is publicly released without consent.
Under CalOPPA, your business must identify the types of information that you collect and inform them of how you use the data. If you want to share your customer’s data, you can promote the value that they will receive or allow them to opt-out.
To enforce the provisions of CalOPPA, the California Attorney General created the Privacy Enforcement and Protection Unit. To report violations of CalOPPA, consumers can fill out an online complaint form.
How to use CalOPPA to protect the personal data of your customers
As a business practice, you should safeguard the personal data of your customers.