Is Your Website Breaking The Law? CalOPPA – California Privacy Requirements for Website Owners


When reading about online privacy while browsing the internet, you may get a very different story depending on who you talk to.

One side of the camp is the businesses, website owners, and companies that provide tracking technology. The main points are:

  • Tracking is needed for a variety of innocent reasons, like analytics (so a website owner can have an idea of how many visitors it has), user experience (so website owners can make sure their website is not annoying or broken), and targeted advertising (to make sure people aren’t being shown ads that have nothing to do with them).
  • Most commonly used tracking technology does not personally identify individuals.

The other side of the camp is the privacy advocates who are the voices behind legislation like CalOPPA (California Online Privacy Protection Act). Their main points are:

  • Tracking technology DOES track people individually.
  • Users can have terrible repercussions from being tracked. For example, higher insurance policies, being tracked by the FBI, etc.

Which side is “right?” While tackling this question is a little out of our sphere, in general, we believe both sides have valid concerns. What it comes down to is this: most website owners and businesses that operate a website do not use super-secret technology that identifies individuals’ names, social security numbers, addresses, and behaviors, and then turn around and sell that information.

It is also true that those situations are technologically possible. Most website owners (if they are even using tracking technology) use legal tracking technology for business purposes. The average business website may have the following tools:

Analytics software (Such as Google Analytics).

This software keeps a running tally of activity on a website. It does keep track of information like the type of browser used, the time of day the visit occurred, which pages you visited on a site, and the IP address (which is automatically run against IP location software to get a guess of your general whereabouts, like city, state, and country). This information could technically be tracked back to you in certain circumstances, such as when a lawsuit is brought against the IP address via a John Doe suit, in which case the ISP may be forced to give that information. However, John Doe cases usually occur in matters of torrent downloading, hacking, or defamation on 3rd party sites like Yelp.

The average use for a website owner using analytics is far more mundane. It provides answers to questions like:

  • Do people like my website? Google Analytics will show a ‘bounce rate’, which is the number of people who visit only one page on the site, then leave. If people don’t explore your business’s website, you might assume that your website isn’t compelling.
  • Where are my visitors located? Let’s say your local pizza shop runs a website, and used an internet marketing company to attract business. They see that organic traffic usually is generated by IP addresses within the area of the store. However, the marketing company they used brings in hundreds of clicks from other states or countries. The pizza store is armed with information to protect against poor performance of their marketing company. Obviously driving traffic from India is not helpful to a local pizza shop owner in New Jersey.
  • Where do visitors come from? This is useful for business owners and website owners to know for a number of reasons. Most obviously, if they see that they are getting large amounts of traffic from a social media site, that’s a great clue that they should invest more resources in interacting on that site. However, if they have been paying for an online directory (say, a Chamber of Commerce or local yellowbook directory), and they see very little traffic from it, the business should legitimately know this kind of information.

User Experience Software.

This software can actually recreate a browsing session. The idea is, if you see a large number of visitors land on your site, seem to wander around and leave, it could be useful to change the design of your site to make it clearer. Take an ecommerce shop that sells clothing, for example:

Let’s say a fictional company, Blue Tiger Teeth.com, sells clothing online. They see that users are easily able to find the types of clothes that interest them in categories (men’s apparel, women’s apparel, boys, girls, etc.) but once they’ve landed on the category, they usually leave. This could help a website owner narrow down which part of their site they need to focus on improving.

In addition, there is a lot of concern over ad-tracking networks. The negative viewpoint of this is that user profiles are bundled and sold, and your privacy is at risk. The positive viewpoint of this is that information like your name is not collected, and it can help advertisers & publishers display more relevant ads.

In discussing these technologies with our staff, one member of our team recounted how when his wife would use his computer, she would use her own Pandora.com account. He would open up Pandora, and be surprised to see advertisements for bras or nearby beauty salons. However, when he realized what happened, he logged back into his account. Pandora knew he was a male, and his IP location, so he was subsequently served a recruiting advertisement for the Border Patrol. Or he might receive advertisements for flower websites around Valentine’s Day.

CalOPPA

This law requires Privacy Policies to be displayed on home pages of commercially operated websites accessible by California residents. As you might guess, this requires websites that are owned, operated, or hosted from different states to comply. Unless a website specifically disallows California IP addresses from accessing its site, it must comply. To say the least, this basically requires every business website in California to have a privacy policy posted in a ‘conspicuous’ place. This is generally a link called “Privacy Policy”, which leads to another page that details the policy.

Now that we’ve gotten to this point, we can cover the recent controversy. The controversy is over sites that do not include detail about how they handle “Do Not Track” requests. The California Attorney General recently released a best practices report on the topic. Other attorneys have stated this report raises more questions than it answers.

In the “Highlights of Recommendations” the report lays out the following recommendations:

Readability

• Use plain, straightforward language. Avoid technical or legal jargon.

• Use a format that makes the policy readable, such as a layered format.

• Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”

• Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.”

• State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.

Data Use and Sharing

• Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.

• Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.

Individual Choice and Access

• Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.

Accountability

• Tell your customers whom they can contact with questions or concerns about your privacy policies and practices.

Business Owner Questions

Does my site even use Cross Tracking?

Ironically enough, many webmasters or business owners may have no idea if they are using such technology. Speak to your IT representative, or the support representatives for any technologies you have installed on your website to see if they track PII from your users, share PII, or track your users after they have left your website. You can also point users towards the Privacy Policy or any technologies you use on your site.

What if my site does not use Cross Domain Tracking?

The jury is still out. The report does not specifically address this, but it may be useful to state that your site does not use Cross Domain Tracking.

Adding language about how your site handles Do Not Track Requests.

We recommend speaking to an attorney regarding how your website handles DNT or Cross Site Privacy Policies.

Read the Attorney General’s Making Your Privacy Policy Public
(Document mirrored on the Nowland Law website.)

Make sure that you speak with an experienced business or real estate attorney before taking any action. This post should not be construed as legal advice, and is for information/reference purposes only.