5 Requirements of Online Privacy Policies

On October 30, 2012, California Attorney General Kamala Harris announced efforts on behalf of her office to notify as many as 100 mobile app developers that their apps’ privacy policies do not comply with California’s Online Privacy Protection Act (OPPA). These app developers have 30 days to bring their apps and websites into compliance or they could face fines of up to $2500 each time a noncompliant app is downloaded by a California consumer.

In light of the Attorney General’s announcement and California’s continued focus on privacy, companies whose websites or apps collect personal information online from California residents should take steps to ensure that they are in compliance. Because OPPA applies to any company that collects data online about California residents, companies located within and outside of California may be subject to enforcement activity.

OPPA requires website operators and online service providers that collect personally identifiable information (PII) from consumers residing in California to post a conspicuous privacy policy. For purposes of OPPA, the term PII includes any of the following:

  • First and last name
  • Home or other physical address, including the street name and the name of a city or town
  • E-mail address
  • Telephone number
  • Social security number
  • Any other identifier that permits the physical or online contacting of a specific individual

In order to comply with OPPA, an online privacy policy must identify the following 5 components:

  1. Categories of PII that the website, online service, or app collects from its users
  2. Categories of third parties with whom PII may be shared
  3. The process by which users can review and request changes to their PII if the website operator, online service provider, or app developer maintains such a process
  4. The process by which users are notified of material changes to a privacy policy
  5. The privacy policy’s effective date
