Attorney General Kamala D. Harris Launches New Tool to Help Consumers Report Violations of California Online Privacy Protection Act (CalOPPA)

Friday, October 14, 2016
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Part of Multi-Pronged Effort to Improve Online Privacy and Increase Compliance with CalOPPA 

SAN FRANCISCO -- Today, Attorney General Kamala D. Harris announced the release of an online form to help consumers report websites, mobile applications, and other online services that are in violation of the California Online Privacy Protection Act (CalOPPA). A website or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies. This new form is one of several initiatives Attorney General Harris is undertaking to protect Californians’ privacy, especially in light of technological advances and the growth of the “internet of things.”  The form is available at https://oag.ca.gov/reportprivacy.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

In 2011, the Future of Privacy Forum (FPF) conducted a study which found that many mobile apps were missing privacy policies, prompting the Attorney General to secure a first-of-its-kind agreement with the leading mobile application platforms, including Apple, Google Play and Amazon, to improve compliance; this agreement was later expanded to include Facebook. As a part of her continued commitment to privacy, Attorney General Harris directed her office to conduct a five-year review on mobile app compliance with CalOPPA and commissioned the FPF to conduct a new study of the top 100 mobile apps.  In addition, the Attorney General’s office is collaborating with computer scientists at Carnegie Mellon University to review apps in the Google Play store for compliance with the law and consulting with privacy experts, designers, and researchers to assess the effectiveness of CalOPPA and the “Do Not Track” legislation, which was sponsored by Attorney General Harris.  

A new FPF study, released in August 2016, found that the number of apps with privacy policies has risen substantially since the 2012 Mobile App Agreement—up from 30% to 80%; but the study also highlighted a notable and persistent gap, particularly in health and fitness apps, which often collect sensitive personal information but are less likely than other apps to have a privacy policy. The CMU research revealed that some mobile apps employ data practices that are not properly disclosed in their privacy policies, especially as they pertain to information sharing with third parties. This research indicates that while much progress has been made, more needs to be done to ensure companies are protecting consumers’ privacy and employing transparent practices. 

In response to the analysis of CalOPPA compliance, Attorney General Harris is today launching an online tool allows consumers to “crowdsource” privacy policy violations, exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.  To use the tool, consumers who have identified an operator that may not be in compliance can simply visit https://oag.ca.gov/reportprivacy to report the finding.    

The CalOPPA form is part of a multi-pronged approach to improve online privacy. The Attorney General’s office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA. The tool is designed to look for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).  This tool will help proactively identify and focus attention on policies that may require enforcement.

With the passage of CalOPPA in 2003, California became the first state in the nation to require commercial websites and online services to post privacy policies and the initiatives Attorney General Harris is leading will help strengthen California’s online privacy laws. Any operator in the world that collects personally identifiable information such as name, address, email address, phone number, or Social Security number from California consumers is required to comply. The privacy policy must include the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the private policy. Assembly Bill 370, which Attorney General Harris sponsored, expanded this law in 2013 requiring privacy policies to include information on how the operator responds to ‘Do Not Track’ signals or similar mechanisms, as well as requiring privacy policies to state whether third parties can collect personally identifiable information about the site’s users. 

Attorney General Harris has a long track record of encouraging innovative and growth while protecting consumers’ privacy online. Earlier this week, she announced a new initiative—the California Cyber Crime Center—to help law enforcement fight crime in the digital era.  The center includes the California Department of Justice’s Privacy Enforcement and Protection Unit, which Attorney General Harris created in 2012. The Unit is responsible for enforcing state and federal privacy laws, providing Californians with information and strategies on how to protect their privacy, and encouraging businesses to follow best protection practices. Throughout her administration, the Attorney General has prosecuted and reached settlements with major corporations including Anthem Blue Cross, Citibank, Kaiser, Comcast, Houzz and Wells Fargo Bank for violating California’s privacy protection standards.  Attorney General Harris has also released numerous consumer alerts to help Californians, including alerts on how to adjust the location settings on your mobile phone and protect against identity theft, as well as consumer information sheets on a broad range of privacy issues.

Attorney General Harris is also strongly committed to data security, safeguarding consumers’ sensitive online information. In February, Attorney General Harris released a data breach report detailing the nature of reported breaches in the last four years, accompanied by recommendations for business and lawmakers including pointing to standards regarding “reasonable security” for protecting personally identifiable information. The office recently conducted a set of workshops for small businesses in conjunction with security experts from the Center for Internet Security.

# # #