California Takes the Lead – Again – in Online Privacy3 Dec, 2013 By: Marc Roth
It is often said that as California does, the rest of the country follows. Nowhere is this truer than in the area of Internet privacy. California was the first state to enact a privacy law requiring commercial website operators to post privacy policies on their websites. Now, given the stalemate between privacy advocates and the online advertising industry on developing an acceptable do-not-track standard, California has once again stepped into the breach by requiring companies to disclose in their privacy policies whether or not they honor consumer preferences not to be tracked as they surf the Internet.
In light of this new law, which goes into effect in January 2014, website operators must review their privacy policies (both the documents and their actual policies) to determine whether and to what extent this new law applies to them and revise their policies accordingly or risk prosecution by the California Attorney General (AG).
Also in 2003, California added a provision to its civil code requiring website operators to inform consumers that provide their PII to the operator whether the company shares such information with third parties for marketing purposes. This law, aptly named “Shine the Light,” requires operators that do not allow consumers to opt out of such sharing to provide the consumer, upon request, with the categories of information that they shared, and the names of the companies with whom they shared such information in the prior year.
This new provision of CalOPPA, which goes into effect next month, only applies: (a) where the operator allows third parties to track consumers on the operator’s site; and (b) across other websites, where a third party collects consumer information either directly on the host operator’s site or through an advertising network.
In the event that the California AG’s office finds that a website operator is not complying with these new requirements, it may send the operator a written notice specifying the noncompliant practice and providing an opportunity to cure within 30 days, as permitted by the law. If the operator fails to cure within that period, the state may sue.
California takes its enforcement powers very seriously. There is little doubt that California will continue to vigorously monitor websites and apps for compliance with CalOPPA and, when necessary, send warning notices. Given California’s progressive stance on privacy matters and demonstrated aggressiveness in enforcing its laws, companies that allow third parties to collect consumers’ personal information on or through their sites or online services are well advised to review their privacy policies and relationships with these third parties.
Marc Roth is a partner in the Advertising, Marketing and Media division of Manatt Phelps & Phillips LLP in New York. He can be reached at [email protected].