By: Jim Halpert and Anne Kierig

Online businesses and those with mobile applications have a new incentive to post privacy policies that comply with the California Online Privacy Protection Act (CalOPPA).  California Attorney General Kamala Harris launched an online tool Friday through which people can report websites, mobile apps, and other online services that they allege are in violation of the law.  A business is in violation of CalOPPA if it fails to post privacy policies or posts policies that are incomplete and it fails to cure that violation within 30 days of notice from the Attorney General’s Office.  

The online tool issued Friday in California allows consumers to crowdsource reports of privacy policy violations, increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.  The form is available here.

Under CalOPPA, which went into effect in 2003, commercial websites and online services are required to post privacy policies.  Any operator in the world that collects personally identifiable information such as name, address, email address, phone number, or Social Security number from California consumers is required to comply.  The privacy policy must include the categories of information collected, the types of third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the privacy policy.  Moreover, privacy policies must include information on how the operator responds to “Do Not Track” signals or similar mechanisms, and must state whether third parties can collect personally identifiable information about the site’s users.


CalOPPA compliance is a particular challenge for smaller organizations.  According to an August 2016 study issued by the Future of Privacy Forum (FPF), a think tank commissioned by Attorney General Harris to study compliance with CalOPPA by the top 100 apps, there is a particular gap in compliance with regard to health and fitness apps.  The FPF and computer scientists at Carnegie Mellon University state that this is particularly true of information sharing with third parties. 

Find out more about this development by contacting either of the authors.