The amendment also requires operators to disclose whether other parties may collect PII about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service. AB 370 does not state that operators must identify those other parties.
AB370 takes effect on January 1, 2014. Operators who must comply with CalOPPA and these amendments have 30 days to comply after being notified of noncompliance. Companies can face fines of up to $2,500 per violation of CalOPPA.4 The California Attorney General has maintained that each download of a non-compliant mobile app constitutes a single violation.
- Conduct an audit of your online service to determine: (a) the tracking methods your service uses and how your service responds to "do not track" settings; and (b) whether third parties conduct tracking activities on your online service.
- Cal. Bus. & Prof. Code §§ 22575-22579
- The term "personally identifiable information" as defined by CalOPPA means "individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision."
- See November 5, 2012, Cooley Client Alert: Attorney General of California Targets Mobile Apps that Fail to Post Privacy Policies
- Cal. Bus. & Prof. Code § 17206(a)