But, but, but, I’m not IN California!
Good for you! But that is not how we determine whether OPPA applies. It does not matter where YOU are located – what matters is whether you collect personal information about California residents who stumble across your commercial website.
How do I know if the law applies to my website?
If you operate a commercial website and collect “personally identifiable information” (PII) about consumers through your website, OPPA applies to your site unless you ensure that PII is not collected from California residents. Good luck with that.
Let’s unpack that just a little. First, what’s a consumer? A consumer is anyone who seeks or acquires any goods, services, money or credit for personal, family, or household purposes. In other words, if someone is checking out your site for the purpose of getting stuff, getting a service, or getting credit, that person is a consumer if the stuff, service, or credit is for their own use or the use of others in their family or household.
Next, what is PII? PII (this initialism stands for “personally identifiable information,” remember?) is any individually identifiable information about an individual consumer collected online by the website operator from that individual, if it is maintained by the operator in an accessible form. PII includes any identifier that permits the physical or online contacting of a specific individual, such as the person’s name, address, e-mail address, telephone number, or social security number. PII can be affirmatively given to you by the consumer, but it also includes information concerning a user that the website collects online from the user (e.g. by capturing or tracking user data), if that information is maintained in personally identifiable form in combination with one of the other identifiers described here.
That is what the law requires. Your best bet is a conspicuous link to it from your home page, using an eye-catching icon that contains the word “Privacy.”
(1) The categories of personally identifiable information the operator collects through the Web site about individual consumers who use or visit the web site and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(4) Identify its effective date;
Last fall, California enacted an amendment to this law, effective January 1, 2014, that requires the following “do not track” disclosures, as relevant:
(5) disclose how the operator responds to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and
(6) disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
One way to comply with the new disclosures might be something along the lines of: “We do not currently respond or otherwise take any action with regard to Do Not Track requests,” assuming that is true. Don’t take my word for it, though, because I have not reviewed your website and do not know your practices – ask YOUR attorney.
If you are a special type of business – such as a financial institution or health care provider – additional privacy laws may apply to you. More on those laws in later posts. This one is limited to OPPA.
Covering my bases: There is no legal advice contained in this post. Legal advice entails applying the law to specific facts. I don’t know what your facts are and any resemblance to them here is purely coincidental. Instead, this post is meant to provide general information, which may or may not be complete and accurate. If you need legal guidance, please feel free to contact me using the contact information on my web site.