Published in the Union Leader (12/5/2016)
Q: My website allows customers to create user accounts, saves their contact information and tracks their purchases to suggest new items they may want to buy. Are there any disclosures I need to make about my customer data collection?
A: One regulation governing consumer data collection is CalOPPA, a California statute that seeks to improve the transparency of a company’s data privacy practices. A New Hampshire business is subject to CalOPPA if it gathers personal information online about any California resident.
This information includes first and last names, addresses, emails, telephone numbers, and other similar information. Since most online footprints are nationwide and it is often difficult to differentiate California residents from other customers, businesses should simply comply with CalOPPA to avoid unknowing violations.
CalOPPA requires that a business post its privacy policy on its website identifying exactly what consumer information is collected and with whom that information is shared. The law also requires that the privacy policy inform consumers about the process for reviewing and requesting changes to any information collected, and that it specify how consumers will be notified of changes to the policy. Additionally, the most recent amendments require the privacy policy to detail how the business will respond to web browser “do not track” signals.
Violations of CalOPPA are enforced through California’s Unfair Competition Law. A company that does not comply with CalOPPA may be subject to penalties of up to $2,500 for each violation. With respect to mobile applications, the penalty is assessed each time the application is downloaded by a California resident.
In 2012, the California Attorney General informed hundreds of noncomplying companies (including those outside of California) that they would be fined if they did not bring their mobile applications into compliance. More recently, California Attorney General Kamala D. Harris released a new tool for consumers to report noncomplying websites, mobile applications and online services.
Given the rise in enforcement and the potential risk of exposure, it is crucial that all New Hampshire companies review their privacy policies to ensure compliance with CalOPPA.
Kevin Lin can be reached at kevin.lin@mclane.com.
Know the Law is a bi-weekly column sponsored by McLane Middleton, Professional Association. We invite your questions of business law. Questions and ideas for future columns should be addressed to: McLane Middleton, 900 Elm St., Manchester, NH 03101 or emailed to knowthelaw@mclane.com. Know the Law provides general legal information, not legal advice. We recommend that you consult a lawyer for guidance specific to your particular situation.