The California Online Privacy Protection Act (CalOPPA) is a broad privacy rule affecting any organization that collects personally identifiable information (PII) from California residents. Now, the California Office of the Attorney General (the Attorney General) is seeking the public's help to try to enforce it, and all entities that collect PII through online tools or mobile applications should take note.
Importantly, CalOPPA applies to any company that obtains PII from California residents, regardless of whether that company is based in California or is targeting California residents.
The new online form allows consumers to report several types of violations:
It is unclear whether the Attorney General intends to use the information collected through the form for anything other than directly notifying companies of violations of CalOPPA. For example, will the Attorney General make the information related to verified offenders public as part of a “name and shame” program? In addition, it is unclear from the announcement of the online form whether the information would be eligible for disclosure under California public records laws or whether the Attorney General would take the position that such information should not be released on the grounds that it consists of unproven allegations of misconduct, as is the Attorney General’s standard practice with regard to consumer complaints today.
This initiative by the Attorney General is effective immediately and is just the latest example of California’s effort to increase enforcement of laws aimed at protecting the privacy and data security of individual consumers. With plans to develop a tool to proactively identify mobile apps that may be in violation of CalOPPA on the Attorney General’s agenda, these efforts show no sign of abating. Consequently, privacy compliance programs that ensure documentation of appropriate policies and disclosures are more important than ever.
1 The U.S. Department of Health and Human Services has also shown an increased interest in what it sees as gaps in the regulation of health data collection by mobile applications. See U.S. Dep’t of Health & Human Servs., Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA (June 17, 2016), available at https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.
2 Cal. Bus. & Prof. Code § 17200.
3 See People ex rel. Harris v. Delta Air Lines, Inc., No. A139238, 2016 LEXIS 419 (Cal. Ct. App. May 25, 2016).