California’s Other Privacy Law
As I write this blog in the fall of 2020, California artificial intelligence and robotics companies are likely focused on the California Consumer Privacy Act (CCPA) and on compliance with its requirements. They are likely also focusing on compliance with CCPA’s regulations, which became final this past summer. CCPA, however, is not the only privacy law to worry about in California. The previous privacy legislation has not gone away, and CCPA does not preempt it. Accordingly, as I am writing privacy policies day to day, I am still taking older privacy laws into account. One such law is the California Online Privacy Protection Act (CalOPPA).
CalOPPA requires commercial websites or online services that obtain personally identifiable information about California consumers to conspicuously post their privacy policies. The definition of “consumer” under CalOPPA is different from the definition in CCPA. For purposes of CalOPPA, a consumer is any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes. The law protects any “consumers” residing in California. In other words, websites or online services that provide business-to-consumer products and services fall under CalOPPA. By contrast, a “consumer” under CCPA is any California resident, even employees and other workers, or representatives of customers making business-to-business purchases (although the full applicability of CCPA to B2B purchases has been postponed until next year).
Under CalOPPA, “personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual. Accordingly, the definition of “personally identifiable information” is quite broad, and beyond the scope of the security breach notification laws in California and other states, but it is narrower than the definition of “personal information” under CCPA. Violations of CalOPPA can occur even if the website operator or online service provider did not knowingly or willfully fail to comply. Negligent and material violations are sufficient to trigger liability.
CalOPPA adds additional consumer protections concerning the tracking of online behavior. Online tracking permits advertisers to see and record what websites users view, what they click on, how long they view certain pages, and similar information. The idea behind this tracking is, in large part, to determine what the user is interested in so that advertisers can deliver more relevant ads to the user and hopefully generate more sales. Other types of tracking include some advertisers’ ability to view this kind of information when users move from one business’s site to other sites. Advertisers may be able to aggregate this information in order to create an even more detailed and accurate picture of what a user is interested in seeing.
In addition, web browser software permits users to create settings to signal to websites that users do not want to be tracked. Common web browser software have “do not track” settings that a user can use to indicate a preference not to be tracked. CalOPPA addresses the “do not track” idea by stating that online service providers must disclose in their privacy policies how they respond to “do not track” signals or other mechanisms, such as those described above. This requirement applies, however, only if the service provider collects personally identifiable information.
Interestingly, the statute does not require service providers to honor “do not track” requests. Thus, a service provider could comply with the statute simply by saying that it will not honor such requests. Such a policy may not be good for public relations, but it is compliant. Moreover, in my experience since the law went into effect, most websites do not look for do not track signals.
The law also requires the service provider to disclose whether or not other parties may collect personally identifiable information over time and across different websites. This part of the law covers third party advertising services that track user behavior over time when accessing multiple websites, and not just the service provider’s own website. A service provider may hire such third party advertising services to gain even more insight into a user’s preferences, not only for the user’s use of the service provider’s site, but also other sites.
Finally, CalOPPA gives online service providers a safe harbor for complying with the requirement to disclose their policies about responding to “do not track” requests. “An operator may satisfy” this requirement “by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description” of the service provider’s response to a user’s “do not track” setting.
Accordingly, operators of websites collecting personally identifiable information, including business-to-consumer (B2C) AI applications, should examine their online behavioral practices and make sure their privacy policies account for “do not track” consumer preferences and the collection of tracking information by third party advertising services. Even website operators outside of California must comply, if they collect personally identifiable information about California residents. Unless a website has a technical mechanism to prevent the collection of personally identifiable information about California residents, while collecting it about others, which is impractical and highly unlikely, any website of an operator located outside of California must also comply.
In sum, artificial intelligence and robotics companies in California must not only cover CCPA in their compliance program, they must still follow preexisting privacy law. CalOPPA is one such example applicable to B2C transactions. AI and robotics companies must not forget the “other privacy law” in California.