Update your privacy policy or face a $2,500 fine per violation

Lisa McGrath

From the NSA and Google Glass to Snapchat and Target’s massive data breach, it’s no wonder privacy was named the word of the year for 2013 and is poised to be one of the top legal issues of 2014.

Leading the way in privacy-law changes is California, whose state laws apply not only to California businesses but to all businesses that collect information on just one California resident. Because the reach of these laws is nationwide, with an important law going into effect at the start of this year, let’s take a look at what they mean for your company’s privacy policy.

In December 2012, California’s attorney general filed suit against Delta Airlines for failing to comply with the California Online Privacy Protection Act, or CalOPPA. The attorney general alleged that Delta’s “Fly Delta” mobile application collected, without a privacy policy, personally identifiable information, including a user’s full name, email address, phone number, frequent flyer status, photographs and geo-location. The attorney general sought, among other things, a $2,500 fine for each download of the app without a privacy policy.

CalOPPA, enacted in 2004, requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from just one California resident, to conspicuously post a privacy policy that does the following:

  • Identifies the categories of personal information collected;
  • Provides a description of the process for a consumer who uses or visits a site to review and request changes to his or her information that the site has collected, if the site offers such a process;
  • Describes the process by which consumers will be notified of material changes to the privacy policy; and
  • Identifies the policy’s effective date.

Under CalOPPA, personally identifiable information includes: first and last name; home or other physical address; email address; telephone number; Social Security number; and other identifiers that permit the physical or online contacting of a specific person.

Companies face fines of up to $2,500 per violation of CalOPPA if they do not have a privacy policy that contains these legal requirements.

California also adopted AB370, the Do Not Track Law, as an amendment to CalOPPA. Do Not Track, which went into effect on Jan. 1 this year, requires site operators to disclose:

  • How their sites respond to web browser “do not track” signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information about users’ online activities over time and across third-party websites or online services.
  • Whether other parties collect the personally identifiable information about users’ online activities over time and across different websites when they use the site.

Companies subject to Do Not Track have 30 days to comply after being notified of noncompliance or face $2,500 per violation.

Some questions to address when drafting your privacy policy to comply with Do Not Track:

  • What methods does the site employ to track users, and do users have the option to control whether or how the methods are used and whether the site will honor the user’s choice?
  • Does the site allow advertising networks to set cookies or collect data?
  • Does the site combine tracking data with personal information captured across other sites?
  • Does the site allow social media platforms or other third parties to collect data on the site?

Drafting a privacy policy that complies with CalOPPA and Do Not Track is the first step toward avoiding legal liability and protecting your brand in the New Year.

Lisa McGrath is president of lisa mcgrath llc, a new-media law firm that focuses on solving legal issues related to social media compliance, the Internet, advertising and mobile apps. She is a member of Harvard University’s Berkman Center Online Media Legal Network. She can be reached at lisamcgrathllc.com.
