Edwards Wildman Client Advisory: New Year, New Requirements for Consumer Web Sites and Mobile Apps


    There are a myriad of new, and not-so-new, privacy and consumer protection laws that impose requirements on web site and mobile app operators. For instance, if you do business with California consumers, certain specific notices are required. The California Attorney General is stepping up enforcement of these laws, one of which is new and went into effect as of January 1, 2014. While bringing sites and apps into compliance with these additional requirements, publishers should undertake a broader compliance check-up.


    Companies should be sure that they are in compliance with the following notice posting requirements for online services if they engage in transactions with, or otherwise direct the service to, California residents, even if they are not physically located in California:

    • The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents post a privacy policy that meets certain minimum requirements. As of January 1, 2014, that policy must give notice to consumers regarding so-called behavioral or interest-based advertising practices (“OBA”). Specifically, those disclosures must explain:

      1. if it allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services (e.g., vendors and ad networks); and

      2. how it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services.

    • The California Shine the Light Act requires that companies (excepting certain entities such as non-profits and businesses with fewer than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers choice as to the sharing of that information with third parties (including affiliates) for their direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed, the names and addresses of the recipients of that data, and a description of the recipients’ business. Specific notices and homepage links are dictated by the CA Shine the Light Act, and failure to comply has already resulted in several class action lawsuits seeking statutory damages available under the Act.

    • The California Transparency in Supply Chains Act of 2010 (the “Supply Chain Act”) is a little-known law that requires retail sellers and manufacturers doing business in California that have $100 million or more in worldwide gross revenue to provide specified details of their efforts (if any) to eradicate slavery and human trafficking from their supply chain. For more information click here.

    • If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

    California consumer protection law continues to evolve. As of January 1, 2014, California’s data breach notification law has been expanded to include online account credentials (e.g., username and password or security question). In addition, commencing January 1, 2015, a recently enacted California law will require online services with user-posted content to give minors the ability to have their previously posted content removed from public view. This law will also restrict the advertising of certain age-restricted products and services to minors. More on these and other recent California consumer protection laws is available here. Further legislation is currently being considered. For instance, there is a bill in the California legislature, known as the Right to Know Act, that would give California consumers the right to demand from companies details on information a company maintains about them. We will be monitoring this and other potential consumer protection legislation that may be enacted in 2014.

    Other Considerations

    Beyond updating sites and apps to comply with the recent CalOPPA amendment, companies should annually audit their sites, apps and data practices to confirm privacy policies remain accurate, complete and in compliance with data security and consumer protection requirements. For more information on what needs to be included in your privacy policy, see our prior client advisory here.

    Beyond California, self-regulatory requirements applicable to national advertisers and publishers that accept their ads require that OBA be disclosed and that information on an opt-out program be provided.

    If you offer videos on an online service, the federal law known as the Video Privacy Protection Act (“VPPA”) has been applied to prohibit disclosure of personal information related to content consumption without having first obtained consent from the user. The form of consent requires that a separate, independent consent be obtained from the user (outside of a consent obtained in a Terms of Use/Privacy Policy). Thus, companies wishing to share video content consumption information may need to post a separate “Video Privacy Policy” on their site that complies with the requirements of the VPPA and obtain consent to this document from users that is separate and apart from the consent obtained to a company’s typical Privacy Policy and Terms of Use. There are various state laws with similar requirements.

    Companies engaging in e-mail or text marketing, including send-to-friend tools on sites and apps, must comply with the federal CAN-SPAM and TCPA laws. In October of last year, amendments to the TCPA went into effect, raising the level of consumer consent required. For details click here.

    2013 also saw a significant reworking of the federal COPPA Rule, which regulates collection of personal information (now including IP address and device identifiers) from children. Details on the challenges to complying with the new COPPA Rule are here.

    Edwards Wildman’s Advertising, Marketing and Promotions, Digital Media and e-Commerce, and Privacy and Data Security groups work together to assist advertisers, brick-and-mortar and e-commerce retailers, web site, mobile app and online service operators and others in maintaining appropriate compliance programs. For more information on how to build and maintain a data privacy and security compliance program, click here or contact one of the authors.
