|Photo credit: Truthout / Foter.com|
In prior articles regarding website (and application) privacy policies, I've mentioned that a few states have their own website privacy rules, and California's are the most rigorous. If your company's website is directed at California residents (and this includes websites directed at U.S. audiences generally), it will need to comply with California's unique rules.
A new privacy law that amends California's existing Online Privacy Protection Act became effective on January 1, 2014. The new law requires a website operator to disclose (i) how it responds to “do not track” signals and (ii) whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service.
As amended, California's Online Privacy Protection Act now requires the following from an operator of a website or online service that collects personally identifiable information (which is defined very broadly) about residents of California:
- Identify the categories of information collected.
- Identify the parties with whom the operator shares the information.
- Describe any process for the review and request of changes to personally identifiable information.
- The effective date of the policy.
- A description of how the operator responds to web browser “do not track” signals. (This can be satisfied by a link to a separate disclosure. Note that there is no legal obligation to honor such signals.)
- Disclosure of whether other parties may collect personally identifiable information about the user's activities over time and across different websites ("tracking").
Website privacy policies are gaining increasing attention from governmental entities, consumer groups and plaintiffs
class action attorneys, and is an emerging source of risk for many
businesses. Having advised local, national and international businesses on
website privacy issues, I believe most of that risk is avoidable if care is
taken to observe the patchwork of applicable legal requirements, including the laws of states other than your own.
P.S. Don't confuse the Children's Online Privacy Protection Act ("COPPA") with the California Online Privacy Protection Act ("CalOPPA"). I've written about COPPA here.