Online Privacy Policies: 5 Important Requirements

Violation Warning

On October 30, 2012, California Attorney General Kamala Harris announced efforts on behalf of her office to notify as many as 100 mobile app developers that their apps' privacy policies do not comply with California's Online Privacy Protection Act (OPPA). These app developers have 30 days to bring their apps and websites into compliance or they could face fines of up to $2500 each time a noncompliant app is downloaded by a California consumer.

In light of the Attorney General's announcement and California's continued focus on privacy, companies whose websites or apps collect personal information online from California residents should take steps to ensure that they are in compliance. Because OPPA applies to any company that collects data online about California residents, companies located within and outside of California may be subject to enforcement activity.

OPPA requires website operators and online service providers that collect personally identifiable information (PII) from consumers residing in California to post a conspicuous privacy policy. For purposes of OPPA, the term PII includes any of the following:

  • First and last name
  • Home or other physical address, including street name and name of a city or town
  • E-mail address
  • Telephone number
  • Social security number
  • Any other identifier that permits the physical or online contacting of a specific individual

In order to comply with OPPA, a privacy policy must identify the following 5 components:

  1. Categories of PII that the website, online service or app collects from its users;
  2. Categories of third parties with whom PII may be shared;
  3. The process by which users can review and request changes to their PII if the website operator, online service provider or app developer maintains such a process;
  4. The process by which users are notified of material changes to a privacy policy; and
  5. The privacy policy's effective date.