California Attorney General Kamala Harris has released a 28-page set of recommendations for businesses in order to comply with the California Online Privacy Protection Act (CalOPPA).

The directives are essentially “best practices” that are intended to help businesses “create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” They are intended to change the common practice among website operators of posting lengthy privacy policies that fail to actually notify users about how their information is collected and used.

Some of the key recommendations from the guide are as follows:

  • Clear. Prominently making the privacy policy available on the website, in a larger type-font so it is conspicuously available. 
  • Simple.  Using straightforward language that avoids legal jargon and is in a format that is readable.
  • Do Not Track.  Make it easy for consumers to find the section of your privacy policy regarding online tracking, for example “California Do Not Track Disclosures” or something similar.   Make it clear how your company responds to Do Not Track signals or similar mechanisms, instead of just linking to a “choice program” website.
  • Personally Identifiable Information. Make sure you explain how you collect and use personally identifiable information beyond what is necessary to satisfy completion of the customer’s purchase or provision of the services you provide online. If the information is shared with third parties, provide links to those third-party websites.
  • Third-Party Tracking.  State whether third parties are collecting any personally identifiable information about the individuals visiting your site or service.
  • Choice. Ensure that you are giving the consumer a choice regarding the collection, use, and sharing of their personal information.
  • Accountability.  Provide contact information if the visitor has questions or concerns about your privacy policy.

“Personally identifiable information” includes the following:

  • A first and last name.
  • A home or other physical address, including street name and name of a city or town.
  • An e-mail address.
  • A telephone number.
  • A social security number.
  • Any other identifier that permits the physical or online contacting of a specific individual.
  • Information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

The California Online Privacy Protection Act of 2003 (CalOPPA), the first law in the nation with a broad requirement for privacy policies, requires operators of commercial web sites and online services to conspicuously post a privacy policy when collecting information about visitors. The privacy policy must include a) the categories of personally identifiable information that are collected through the site about visitors and users; b) the third parties with whom personally identifiable information is shared; c) the process by which a user can review or request changes to his or her personally identifiable information; d) a process for notifying users and visitors of material changes to the privacy policy; and e) the effective date of the privacy policy.

Axis Legal Counsel represents clients in numerous types of privacy violations, including HIPAA/medical information violations, violations by doctors, medical care providers, schools, and employers, data breaches, violations of financial information, violations of name, likeness, and image, right of publicity claims, online / internet privacy violations, and numerous others.  To contact us, please call (213) 403-0130 or email info@axislegalca.com for a confidential consultation.
