New Law Necessitates Online Privacy Audits and Updates - What You Need to Consider Now If You Have a Website, Online Service or Mobile App

Jackson Walker

As online businesses and technologies evolve, so do the laws affecting them. On January 1, 2014, a new law amending the California Online Privacy Protection Act ("CalOPPA") went into effect.1 See CAL. BUS. & PROF. CODE §§ 22575-22579 (eff. Jan. 1, 2014). In addition to expanding the scope of data security laws, the new CalOPPA imposes stringent legal requirements that could affect California and non-California operators of websites and online services. The California Attorney General has taken the position that "online services" broadly includes mobile apps, gaming platforms, cloud services and VoIP.

Previously, CalOPPA required the operator of any commercial website or online service that collects personally identifiable information ("PII") from California residents to conspicuously post a statutorily compliant electronic privacy policy disclosing how the operator collects, uses and maintains such PII. The new CalOPPA goes a step further by adding to the number of items a privacy policy must include.

First, the privacy policy must disclose "how the operator responds to Web browser 'do not track' signals or other mechanisms that provide consumers with the ability to exercise choice over the collection of PII about an individual consumer's online activities over time and across third-party Web sites or online services." In other words, there is no legal requirement to honor the "do not track" signals themselves. This is an obligation to disclose whether your business responds to the signals, and if so, how. CalOPPA also provides that a business may satisfy this obligation by providing a clear and conspicuous hyperlink in the privacy policy to a description of any program or protocol the business follows that offers the consumer a "do not track" option.

Second, the privacy policy must disclose "whether other parties may collect PII about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's website or service." This is aimed at revealing whether a business permits third parties to, for example, engage in consumer tracking for behavioral advertising purposes.

The consequences of an operator of a website or online service failing to comply with CalOPPA requirements are potentially severe. If an operator does not comply with the law within 30 days after receiving notice of its non-compliance, then it might face fines up to $2,500 per violation under California's Unfair Competition Law.2 Moreover, the California Attorney General has demonstrated a commitment to aggressively pursue enforcement.3 For example, the California Attorney General has argued that each mobile app download constitutes a violation that can result in a separate fine.4 Given that many mobile apps are free or less than $1.00, the effect of this penalty could be devastating to a business.

As a result of the evolving legal landscape in the areas of privacy and data tracking, it is increasingly important to both audit and update privacy policies and practices. And while CalOPPA is limited to California residents, the ubiquitous nature of the Internet and wide availability of most mobile app downloads suggest that companies should closely consider compliance with these new requirements.

1 The amendment was made by California Assembly Bill 370 (AB 370).

2 See CAL. BUS. & PROF. CODE § 17206(a) (providing that "[a]ny person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation . . ."), and CAL. BUS. & PROF. CODE § 22575(a) ("An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.").

3 In late 2012, and continuing through 2013, the California Attorney General embarked on a campaign to enforce the prior version of CalOPPA against mobile app providers, which included lawsuits against several companies who allegedly failed to comply with the statute.

4 In its suit against Delta Air Lines, Inc. for alleged non-compliance with CalOPPA, the California Attorney General argued that a violation of CalOPPA constituted unfair competition under California Business and Professions Code section 17200 et seq., which authorizes a statutory damages award of $2,500 per violation in certain instances. See Complaint at 8, People v. Delta Air Lines, Inc., No. CGC-12-526741 (Cal. Super. Ct. Dec. 6, 2012), available here (last visited Jan. 21, 2014) (alleging "[t]hat under California Business and Professions Code section 17206, Delta [should] be ordered to pay Two Thousand Five Hundred Dollars ($2,500) for each violation of California Business and Professions Code section 17200 by Delta, as proved at trial"); see also CAL. BUS. & PROF. CODE § 17206(a). The lawsuit was later dismissed after Delta raised various arguments, including that the lawsuit was preempted by the federal Airline Deregulation Act. See J. Vijayan, First California Lawsuit Over Mobile Privacy Crashes, Computer World, May 14, 2013, available here (last visited Jan. 21, 2014) ("While the dismissal of the lawsuit is a setback for [California Attorney General Kamala] Harris, few expect that it will slow down the state’s plan to go after alleged violators of online privacy laws.").

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising
