Home > Legal Library > Article

Join Matindale-Hubbell Connected

New Year, New Requirements for Consumer Web Sites and Mobile Apps

Jesse M. Brody
Alan L. Friel
Edwards Wildman Palmer LLP - Los Angeles Office

January 15, 2014

Previously published on January 2014

There are a myriad of new, and not-so-new, privacy and consumer protection laws that impose requirements on web site and mobile app operators. For instance, if you do business with California consumers, certain specific notices are required. The California Attorney General is stepping up enforcement of these laws, one of which is new and went into effect as of January 1, 2014. While bringing sites and apps into compliance with these additional requirements, publishers should undertake a broader compliance check-up.


Companies should be sure that they are in compliance with the following notice posting requirements for online services if they engage in transactions with, or otherwise directing the service to, California residents, even if they are not physically located in California:

  • The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents post a privacy policy that meets certain minimum requirements. As of January 1, 2014, that policy must give notice to consumers regarding so-called behavioral or interest-based advertising practices (“OBA”). Specifically, those disclosures must explain:

    1. if it allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services (e.g., vendors and ad networks); and
    2. as to how it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

  • The California Shine the Light Act requires that companies (excepting certain entities such as non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers choias to the sharing of that information with third parties (including affiliates) for their direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business. Specific notices and homepage links are dictated by the CA Shine the Light Act, and failure to comply has already resulted in several class action lawsuits seeking statutory damages available under the Act.

  • The California Transparency in Supply Chains Act of 2010 (the “Supply Chain Act”) is a little know law that requires retail sellers and manufacturers doing business in California that have $100 million or more in worldwide gross revenue to provide specified details of their efforts (if any) to eradicate slavery and human trafficking from their supply chain.

  • If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

California consumer protection law continues to evolve. As of January 1, 2014, California’s data breach notification law has been expanded to include online account credentials (e.g., username and password or security question). In addition, commencing January 1, 2015, a recently enacted California law will require online services with user-posted content to give minors the ability to have their previously posted content removed from public view. This law will also restrict the advertising of certain age-restricted products and services to minors. More on these and other recent California consumer protection laws is available here. Further legislation is currently being considered. For instance, there is a bill in the California legislature, known as the Right to Know Act that would give California consumers the right to demand from companies details on information a company maintains about them. We will be monitoring this and other potential consumer protection legislation that may be enacted in 2014.

Other Considerations

Beyond updating sites and apps to comply with the recent CalOPPA amendment, companies should annually audit their sites, apps and data practices to confirm private policies remain accurate, complete and in compliance with data security and consumer protection compliance issues. For more information on what needs to be included in your privacy policy, see our prior client advisory here. Beyond California, self-regulatory requirements applicable to national advertisers and publishers that accept their ads require that OBA be disclosed adn that information on an opt-out program be provided. If you offer videos on an online service, the federal law known as the Video Privacy Protection Act (“VPPA”) has been applied to prohibit disclosure of personal information related to content consumption without having first obtained consent from the user. The form of consent requires a separate independent consent be obtained from the user (outside of a consent obtained in a Terms of Use/Privacy Policy). Thus, companies wishing to share video content consumption information may need to post a separate “Video Privacy Policy” on their site that complies with the requirements of the VPPA and obtain consent to this document from users that is separate and apart from the consent obtained to a company’s typical Privacy Policy and Terms of Use. There are various state laws with similar requirements. Companies engaging in e-mail or text marketing, including send-to-friend tools on sites and apps, must comply with the federal CAN-SPAM and TCPA laws. In October of last year amendments to the TCPA went into effecting raising the level of consumer consent required. For details click here. 2013 also saw a significant reworking of the federal COPPA Rule, which regulates collection of personal information (now including IP address and device identifiers) from children.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.

View More Library Documents By...

Edwards Wildman Palmer LLP
Los Angeles Office
Los Angeles Office
Practice Area
Internet Law
Edwards Wildman Palmer LLP Overview