Under the Act, an operator of a commercial website or online
service, including mobile and social applications, that collects
personally identifiable information through the Internet about
individual consumers residing in California who use or visit its
commercial website or online service must conspicuously post its
privacy policy on its website, or in the case of an operator of
an online service, make such privacy policy available in
accordance with any other reasonably accessible means of making
the privacy policy available for consumers of the online service
(California Bus. and Prof. Code Sections 22575(a) and
22577(b)(5)).
Personally identifiable information means individually
identifiable information about an individual consumer collected
online by the operator from that individual and maintained by
the operator in an accessible form, including any of the
following: (1) first and last name, (2) home or other physical
address, including street name and name of a city or town, (3)
email address, (4) telephone number, (5) Social Security
number, (6) any other identifier that permits the physical or
online contacting of a specific individual, or (7) information
concerning a user that the website or online service collects
online from the user and maintains in personally identifiable
form in combination with an identifier described in the Act
(California Bus. and Prof. Code Section 22577(a)).
Specific Requirements
The privacy policy required by the Act must do all of the
following:
- identify the categories of personally identifiable
  information that the operator collects through the website or
  online service about individual consumers who use or visit its
  commercial website or online service and the categories of
  third-party persons or entities with whom the operator may
  share that personally identifiable information;
- provide a description of any process for an individual
  consumer who uses or visits its commercial website or online
  service to review and request changes to any of his or her
  personally identifiable information that is collected through
  the website or online service;
- describe the process by which the operator notifies consumers
  who use or visit its commercial website or online service of
  material changes to the operator's privacy policy for that
  website or online service; and
- identify its effective date.
California Bus. and Prof. Code Section 22575(b).
Conspicuously posting with respect to a privacy policy
includes posting the privacy policy through any of the
following:
- a Web page on which the actual privacy policy is posted if the
  Web page is the home page or first significant page after
  entering the website;
- an icon that hyperlinks to a Web page on which the actual
  privacy policy is posted, if the icon is located on the home
  page or the first significant page after entering the website,
  and if the icon contains the word "privacy" (the icon must also
  use a color that contrasts with the background color of the
  Web page or is otherwise distinguishable);
- a text link that hyperlinks to a Web page where the actual
  privacy policy is posted, if the text link is located on the
  home page or first significant page after entering the
  website, and if the text link does one of the following:
  - includes the word "privacy,"
  - is written in capital letters equal to or greater in size
    than the surrounding text, or
  - is written in larger type than the surrounding text, or in
    contrasting type, font, or color to the surrounding text of
    the same size, or set off from the surrounding text of the
    same size by symbols or other marks that call attention to
    the language;
- any other functional hyperlink that is so displayed that a
  reasonable person would notice it; or
- in the case of an online service, any other reasonably
  accessible means of making the privacy policy available for
  consumers of the online service.
California Bus. and Prof. Code Section 22577(b).
According to a sample notice of noncompliance, an operator of a
mobile application that uses the Internet to collect personally
identifiable information is an online service within the meaning
of the Act. An application's commercial operator must
conspicuously post its privacy policy in a means that is
reasonably accessible to the consumer. Having a website with the
applicable privacy policy conspicuously posted may be adequate,
but only if a link to that website is reasonably accessible to
the user within the application. A recipient of a notice of
noncompliance is an operator that has an application available
through one or more platforms without a privacy policy that is
reasonably accessible to consumers. A recipient must respond to
the California Attorney General's notice of noncompliance within
30 days of the date of that notice with its specific plans and
timeline to comply with the Act, or with the reasons the
application is not covered by the Act.[1]
Ramifications for Noncompliance
A website or online
service operator that collects personally identifiable
information and fails to post its privacy policy within 30 days
after being notified of noncompliance is in violation of the Act
(California Bus. and Prof. Code Section 22575(a)). Under
California's Unfair Competition Law, violations of the Act may
result in civil penalties of up to $2,500 for each violation
(i.e., for each copy of the unlawful application downloaded by
California consumers) (California Bus. and Prof. Code Section
17206(a)).
Accordingly, mobile application developers and
companies that have applications should determine whether their
applications include a privacy policy that is conspicuously
posted in a means that is reasonably accessible to consumers in
accordance with the Act and, if not, take the steps necessary to
make sure that their applications do so in compliance with the
Act.
This California Attorney General notification of
noncompliance follows its 2012 adoption of a Joint Statement of
Principles with Amazon, Apple, Facebook, Google,
Hewlett-Packard, Microsoft, and Research in Motion (i.e., mobile
and social application market companies) regarding privacy
principles designed to bring the industry in line with the Act.
This agreement allows consumers the opportunity to review an
application's privacy policy before they download the
application rather than after and offers consumers a consistent
location for an application's privacy policy on the
application-download screen in the platform store. The agreement
also commits these platforms to educate developers about their
obligations to respect consumer privacy and to disclose to
consumers what private information they collect, how they use
the information, and with whom they share it. These platforms
will also work to improve compliance with privacy laws by giving
users tools to report noncompliant applications and committing
companies to implement processes to respond to these reports.
The Act is one of the privacy laws that the Privacy Enforcement
and Protection Unit in the California Department of Justice is
charged with enforcing. The mission of this unit, which was
created in July, is to enforce laws regulating the collection,
retention, disclosure, and destruction of private or sensitive
information by individuals, organizations, and the government,
including laws regarding cyber privacy, health privacy,
financial privacy, identity theft, government records, and data
breaches.[2]
[1] See State of California Department of Justice, Office of the
Attorney General press release, "Attorney General Kamala D.
Harris Notifies Mobile App Developers of Non-Compliance with
California Privacy Law," October 30, 2012.
[2] See State of California Department of Justice, Office of the
Attorney General press release, "Attorney General Kamala D.
Harris Announces Privacy Enforcement and Protection Unit," July
19, 2012.