SACRAMENTO (Legal Newsline) -- California Attorney General Kamala Harris is asking members of the public to help locate companies that violate the California Online Privacy Protection Act (CalOPPA).
Businesses that have an online presence and mobile apps are the target of the California attorney general’s new initiative because if they collect any information (name, address, social security number) from a consumer residing in California, CalOPPA requires them to conspicuously post their privacy policies.
The law applies to any online business or app anywhere in the world, if it can be used by a citizen of California.
Harris has launched a new online form on the California Department of Justice website that consumers can fill out, reporting companies that do not comply with CalOPPA.
Since 2003, when CalOPPA went into effect, online businesses that obtain personal information from citizens of California -- name, address, email address, phone number, Social Security number -- are required to post their privacy policies. The policy must be on the homepage, easy to find and contain all the information required by law. The business or mobile app must follow its own privacy policy, and notify users of significant changes to its policy.
In 2012 the law was modified. It currently requires businesses that track visitors to comply, applying to “the monitoring of an individual across multiple websites to build a profile of behavior and interests.” The website is required to indicate in its privacy policy whether it will honor a Do Not Track signal.
California is not the only state to have a privacy policy, but “California was the first. It’s the one that people talk about when they talk about the need to have a privacy policy,” said attorney Kimberly Chow of Reed Smith who is an IAPP (International Association of Privacy Professionals) certified information privacy professional (CIPP/US).
Any business that violates CalOPPA will be sent a notice of non-compliance and they have thirty days to correct the problem.
CalOPPA is unusual because “It’s only the California attorney general who has enforcement power under this law," Chow said. "There’s no private right of action.”
A private right of action is when an ordinary citizen is able to sue and allege civil damages. With CalOPPA, “The attorney general is harnessing the power of the public, or trying to enforce the law, which usually happens through private rights of action,” Chow said.
However, the online form now asks the public to make the attorney general's office aware of violators. If a citizen wants to file a lawsuit as a result of the violation, alleging their personal information was compromised, the California attorney general has to bring the suit on behalf of the citizen.
Businesses that violate CalOPPA face a civil penalty of up to $2,500 per violation if the attorney general decides to penalize them. Mobile apps also face stiff fines.