California’s Online Privacy Protection Act requires commercial websites or online services to post an online privacy policy if they collect any "personal information" from California residents over the Internet. 1 Although the Act took effect on July 1, 2004, it received surprisingly little media attention and, in fact, many covered websites still do not comply with the Act’s requirements. Accordingly, the owners of websites or online services covered by the Act should take a moment to confirm that their online privacy policies contain each of the following elements required by the Act:
- Identification of the categories of personally identifiable information collected through the website or online service about individual consumers who use or visit that website or online service;
- Identification of the categories of third parties with whom that personally-identifiable information may be shared;
- A description of the process by which the consumers who visit or use the website or online service are notified of material changes to the privacy policy for that site or service;
- The effective date of the policy; and
- If the commercial website or online service maintains a process for an individual consumer to review and request changes to his or her personally-identifiable information gathered through that site or service, a description of that process.
Under the Act, a commercial website or online service is only considered in violation of the Act if it fails to post an adequate privacy policy within thirty days after receiving notification of its noncompliance with the Act. 2 The Act does not contain any express penalty provisions, although failure to comply with the Act may be deemed an unfair business practice for purposes of a claim under Business and Professions Code section 17200.
Action Items:
If your company operates a commercial website that collects personal information from California residents and does not post a privacy policy, you will need to adopt and post a privacy policy that complies with the Act. Even if your commercial website does have a posted privacy policy, this privacy policy should be reviewed to ensure that it complies with all of the Act’s requirements. Many commercial websites have privacy policies that do not fully comply with the Act. For instance, it is not uncommon to see privacy policies that fail to identify the categories of third parties with whom the personal information may be shared, or that fail to identify the effective date of the policy. For all of these reasons, any company operating a commercial website that collects personal information should confirm that its posted privacy policy complies with the Act.
Footnotes:
1: For purposes of the Act, "personal information" includes any of the following types of data: first and last name, mailing address, email address, telephone number, Social Security number, or any other identifier that permits a specific individual to be contacted online or by physical location. Cal. Bus. & Prof. Code §22577(a).
2: Id.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved