On October 14, the California Attorney General released a new online form designed to crowdsource reporting of allegedly inadequate privacy policies. The tool allows users to report violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA is a broad privacy rule that generally affects any organization that collects personally identifiable information from California residents. The new tool is the California Office of the Attorney General’s request for the public’s help in enforcing the statute, and all companies that collect personally identifiable information online or through mobile applications should take note.
With the passage of CalOPPA in 2003, California became the first state in the nation to require commercial websites and online services to post privacy policies. Any website or mobile app that collects personally identifiable information such as name, address, e-mail address, phone number, or Social Security number from California residents must post a compliant and easy to find privacy policy. The policy must also include the categories of information collected, the types of third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the privacy policy. In 2013, the law was expanded to require inclusion of information on how the operator responds to “Do Not Track” signals from users, as well as requiring privacy policies to disclose whether third parties can collect personally identifiable information about the site’s users.
The new online form provides several options for consumers to select, including whether the privacy policy is missing, inapplicable, difficult to locate, incomplete, or was violated, or whether the operator failed to provide notice of a material change. According to the California Attorney General, the new tool is intended to “exponentially increas[e] the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”
Under CalOPPA, website or mobile app operators that collect personally identifiable information have a 30-day grace period after being notified by the California Attorney General to post a CalOPPA-compliant privacy policy. Failure to do so results in a violation of CalOPPA. While there is no private right of action under CalOPPA, the Attorney General has argued that each violation (each download of a non-compliant mobile application, for example) could result in a penalty of up to $2,500 under California's unfair competition law.
