On January 1, 2014, the updated version of CalOPPA went into effect. The new provisions require an operator to:
- Identify the categories of personally identifiable information collected by the business
- Explain if the operator maintains a process to review and request changes to an individual’s PII, if such a process exists
- Disclose how the operator responds to Do Not Track and other anti-tracking mechanisms
- Disclose whether other parties may collect personal data about an individual
- Disclose the categories of third parties with whom you share PII
Using CalOPPA, the lawmakers want to hold operators accountable for collecting and sharing the personally identifiable information (PII) of Californians. The intent of the lawmakers was to promote consumer awareness of the tracking activities of online services and third parties. When consumers become aware that they are being tracked, they can make an informed decision before using the online service.
Describe data collecting and sharing practices
Under CalOPPA, an operator must explain if consumers have a way to review the data that is collected about them. The operator must also tell the consumer if they will be able to request changes to their data.
Disclose Do Not Track signals
Internet users surf the web by using a web browser. A browser sends a request to access a website from its server and then displays the website for the user. Popular web browsers include:
- Google Chrome
- Microsoft Explorer
- Apple Safari
- Mozilla Firefox
When a browser communicates with a server, it sends information about the user. The server uses the information to display the pages of the website. While communicating with the browser, the server can gather data passively. Information gathered from a browser includes:
- IP address
- Operating system
- Hardware data
- Browser plugins
Do Not Track signals are sent through a user’s web browser. Many browsers have an option to send a Do Not Track signal. The signal asks an online service operator not to track the user’s data that it can get from the browser.
A Do Not Track signal uses a machine-readable header that indicates a user doesn’t want to be tracked. A header contains short pieces of data, such as the type of browser and other technical information.
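One way a server could respond to the signal described above, shown as an added example that is not from the original article: it reads the `DNT` request header (`1` means the user opts out of tracking), drops cross-site tags for those users, and reports the result in a `Tk` response header. The `Tk` values come from the W3C Tracking Preference Expression specification rather than from this page, and the tag inventory and hosts are constructed.

```javascript
// Added example: one way a server could respond to the DNT request header.
// Tag names and hosts are constructed for illustration.

// Classify the header. Node lowercases header names, but accept any casing.
function dntPreference(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "dnt") continue;
    const v = String(value).trim();
    if (v === "1") return "opt-out"; // user asks not to be tracked
    if (v === "0") return "opt-in";  // user explicitly allows tracking
    return "unset";                  // malformed value: treat as no preference
  }
  return "unset";
}

// Choose which embedded tags to render and which Tk status to send back.
function planResponse(headers, tags) {
  const pref = dntPreference(headers);
  const honor = pref === "opt-out";
  const rendered = tags.filter((t) => !(honor && t.crossSite));
  const tracking = rendered.some((t) => t.crossSite);
  return {
    pref,
    rendered: rendered.map((t) => t.name),
    responseHeaders: { Tk: tracking ? "T" : "N" }, // TPE tracking status value
  };
}

// Constructed tag inventory for a sample page.
const SAMPLE_TAGS = [
  { name: "session-cookie", host: "shop.example.com", crossSite: false },
  { name: "ad-pixel", host: "ads.adnetwork.test", crossSite: true },
  { name: "analytics", host: "stats.analytics-vendor.test", crossSite: true },
];

console.log(planResponse({ DNT: "1" }, SAMPLE_TAGS));
console.log(planResponse({}, SAMPLE_TAGS));
```

Whatever behavior the operator implements here is the behavior its privacy policy has to describe.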
Disclose other anti-tracking mechanisms
CalOPPA’s disclosure requirements also cover “other mechanisms” beyond a Do Not Track signal. The operator must disclose how the operator responds to “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
The term “other mechanisms” includes anti-tracking tools that users activate in their web browsers. To prevent tracking, many users add “extensions” to their browsers. The extensions can block trackers used by various sources, including social media and marketing agencies.
Browser extensions work by detecting cookies sent by trackers. A cookie is a small text file that saves small amounts of data to the user’s computer. Websites send cookies to make browsing more user-friendly. However, a “tracking” cookie can take the data gathered from the user’s browser and send it to another party.
Operators can embed tracking mechanisms from third parties into their websites and apps. Typically, the third party uses the data to send targeted advertisements to the user.
Anti-tracking browser extensions can detect trackers and block them. Basically, the extensions can prevent the source from loading content. Without the ability to load its content, the source behind the tracker can’t track a user.
An example of an anti-tracking mechanism is the popular extension called “Disconnect” that offers private browsing. Disconnect is available for browsers, including Chrome, Firefox, Safari, and Opera. Disconnect offers different levels of tracking protection, including a basic free version for a desktop or mobile browser. As a mission, Disconnect aims to free consumers from unwanted tracking of their personal information and allows them to:
- Achieve “meaningful privacy”
- Control the sharing of personal information
- Visualize the connections that websites attempt to make
- Choose which websites to continue to block
Many other browser extensions are available for users to block unwanted tracking. Some of the most popular blockers include:
- Ghostery – Intercepts and blocks trackers for a safer browsing experience
- Adblock Plus – Avoids tracking, malware, and annoying ads
- Privacy Badger – Learns by watching which domains appear to be tracking while browsing
- AdGuard – Gets rid of intrusive ads, online tracking, and makes web surfing faster and safer
- uBlock Origin – Loads and enforces thousands of filters with efficient blocking methods
- uMatrix – Uses a point-and-click matrix-based firewall that includes privacy-enhancing tools
Some operators may attempt to detect when a consumer is using a blocker. For example, Detect Adblock offers different scripts for websites to detect ad blockers.
Anti-tracking tools are not just for consumers. Government agencies and consumer organizations can use browser add-ons as a way to reveal whether a website’s claims about its use of tracking actually match up with its practices.
Disclose other parties that collect personal information
CalOPPA requires operators to “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
There are a variety of third-party services that operators integrate into their websites. The types of third-party services include:
- Web analytics
- Advertising networks
- Streaming video services
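The check described above (whether a site's tracking claims match its practices) and the third-party disclosure requirement can be tested together. This added example, which is not from the original article, compares the hosts contacted during one page load with the parties a policy discloses; the function names, request list, and disclosed-party map are all constructed.

```javascript
// Added example: compare hosts contacted during one page load with the
// third parties a privacy policy discloses. All hosts are constructed.

// Naive site key: the last two DNS labels. A real audit should use the
// Public Suffix List so that names such as example.co.uk group correctly.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// requests: URLs recorded by a browser add-on or HAR export.
// disclosed: object mapping site -> category named in the policy.
function auditThirdParties(pageUrl, requests, disclosed) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const named = new Set(Object.keys(disclosed));
  const counts = new Map(); // third-party site -> request count
  for (const raw of requests) {
    let host = "";
    try { host = new URL(raw).hostname; } catch { continue; } // malformed entry
    if (!host) continue;                                      // data:, blob:, about:
    const site = siteOf(host);
    if (site !== firstParty) counts.set(site, (counts.get(site) || 0) + 1);
  }
  const rows = [...counts].map(([site, n]) => ({ site, requests: n }));
  const bySite = (a, b) => a.site.localeCompare(b.site);
  return {
    undisclosed: rows.filter((x) => !named.has(x.site)).sort(bySite),
    disclosedSeen: rows.filter((x) => named.has(x.site)).sort(bySite),
    notObserved: [...named].filter((s) => !counts.has(s)).sort(),
  };
}

// Constructed sample: one page load and the policy's disclosed parties.
const SAMPLE_PAGE = "https://shop.example.com/cart";
const SAMPLE_REQUESTS = [
  "https://shop.example.com/app.js",
  "https://cdn.example.com/style.css",
  "https://stats.analytics-vendor.test/collect?id=1",
  "https://ads.adnetwork.test/pixel.gif",
  "https://px.adnetwork.test/sync",
  "https://player.videohost.test/embed/42",
  "data:text/plain,hello",
  "not a url",
];
const SAMPLE_DISCLOSED = {
  "analytics-vendor.test": "Web analytics",
  "videohost.test": "Streaming video services",
  "mailer.test": "Email delivery",
};

console.log(auditThirdParties(SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_DISCLOSED));
```

Entries under `undisclosed` are the ones to reconcile with the policy; `notObserved` entries may simply load on other pages.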
How to use CalOPPA to gain trust with your customers
Alice has a Juris Doctor from the Stetson University College of Law and is a licensed attorney in Florida. She is a Certified Information Privacy Professional (CIPP/US), a Certified Ethical Hacker (C|EH), and has the CompTIA Security+ certification. She currently serves on The Florida Bar Journal/News Editorial Board.