California has adopted a new law that affects almost all website operators and online service providers. The update to the California Online Privacy Protection Act (“CalOPPA”), effective January 1, 2014, applies to any person or company that operates a commercial website or online service (California’s position is that “online service” includes mobile apps) and collects personal information about California residents, whether such information is actively provided by the visitor or user or automatically collected by the site or service.
CalOPPA now requires that site operators and online services disclose in their privacy policies whether or not the site operator or online service and/or any third party (e.g. advertisers) collecting personal information through the site or service comply with “do not track” signals from the browsers of site visitors or users of the service. “Do not track” signals allow the site visitor or service user to request that websites not automatically collect personal information from the visitor’s or user’s computer. CalOPPA does not require compliance with such signals, but does require that privacy policies notify visitors and users whether or not the site operator or service provider complies. CalOPPA may be enforced by the California Attorney General or by private parties (including class action lawsuits) under California’s unfair competition laws, which allow for penalties of up to $2,500 per violation. CalOPPA allows site operators and online service providers up to thirty days to correct any issues after receiving notice of noncompliance before they will be deemed to be in violation of the statute.