• California Attorney General Launches Complaint Form to Report CalOPPA Violations
  • October 26, 2016 | Author: Françoise Gilbert
  • Law Firm: Greenberg Traurig, LLP - East Palo Alto Office
  • When the California Privacy Protection Act (CalOPPA) (Bus. & Prof. Code §§22575-22579) was enacted in 2003 it became the first state law to specifically require operators of commercial websites or mobile apps that collect certain information about consumers to conspicuously post a privacy policy that meet the requirements detailed in the law. Its broad reach created strong incentives for U.S. businesses to publish privacy policies on their websites and mobile apps.

    Over the years, CalOPPA has been amended several times to take into account changes in technology. This year, CalOPPA again comes into the limelight. This time, it is because the Office of the Attorney General of the State of California has published a “CalOPPA Complaint Form” that the public can use to report, directly online, potential CalOPPA violations.

    This new tool will enable the Office of the State Attorney General to rapidly gather information about what consumers believe to be violations of CalOPPA, which, in turn, can provide clues to determine whether it should elect to initiate proceedings against certain alleged infringers. Under the law, a business violates CalOPPA if it fails to post a privacy policy or posts an incomplete policy and fails to cure the violation within 30 days of being notified of noncompliance. The law identifies the expected content of the privacy policy, the nature of the information that is to be provided, as well as how and where the privacy policy should be displayed.

    The Complaint Form is intended to facilitate the reporting of alleged violation of CalOPPA. It separates the potential offenses into five categories:
    1. The privacy policy is missing or inapplicable
    2. The privacy policy is difficult to locate
    3. The privacy policy is incomplete
    4. The privacy policy has been violated
    5. The entity failed to provide notice of a material change
    The individual filing the report is allowed to tick more than one box, or all five of them. The form also leaves room for unspecified “additional information.”

    The complaint form raises several concerns for businesses. The form is worded in generic and general terms that are subject to many different interpretations, and even the language within the form is inconsistent. For example, what would constitute an “incomplete” form? Presumably it refers to the earlier explanation in the form that a violation may occur if a “privacy policy does not contain all the information required by law,” but the average consumer is unlikely to be familiar with the specific requirements of the law. Further, the terms used are not consistent with those in the text of the law. For example, the form refers to a policy that is “difficult to locate,” while the law requires that the form be “conspicuously posted” and identifies specific requirements for the location of the privacy policy or an icon linking to it.

    Because of the imprecise use of language in the form, it is possible that use of this form may lead to the collection of irrelevant, unusable, or perhaps confusing information that might bring unnecessary attention to a business or its operations even where there is no violation of the law.

    Further, the tool makes it very easy for consumers, and groups of consumers, to assert allegations against companies. The loose and imprecise language of the form and the ease of filing a complaint through the online tool may encourage activist consumer groups to make vague allegations as part of a campaign to address any perceived grievance.

    Since most businesses with an online presence collect personal information of California residents, CalOPPA applies to most entities operating in the United States. Thus, any development regarding CalOPPA should be of concern to most entities selling to U.S. consumers. While the publication of the new tool should be acknowledged as an important outreach effort, it may have a wide variety of unintended consequences, from the collection of a large volume of undecipherable and irrelevant information, to enabling retaliation and activism. Its implications are yet to be seen and Greenberg Traurig will provide updates as necessary.