Do You Have Your Privacy Policy Ready?

California is, once again, proving itself a leader in the consumer privacy area with its enactment of a state law designed to protect Internet users’ personal information. Because the new law applies to operators that collect personal information from California residents, regardless of where the operator is located, its reach is quite broad, extending beyond the state’s borders. Most businesses that sell products or services online in the United States will therefore fall within its reach.

The California Online Privacy Protection Act of 2003 (AB 68 – Business & Professions Code Section 22575 et seq.), the nation’s first state law mandating privacy policies for commercial Web site and online services operators, will take effect July 1, 2004. The Act requires operators of commercial Web sites or online services ("operators") that collect personal information from California residents (1) to post a privacy policy on their Web sites, which sets forth their information practices with respect to consumers’ personal information and (2) to comply with it.1

Requirements

An operator that collects personally identifiable information must conspicuously post its privacy policy on its Web site and comply with it. The Act does not apply to Internet service providers (ISPs) or similar entities which transmit or store personally identifiable information at the request of third parties. "Personally identifiable information" is defined as, "individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

  1. A first and last name.
  2. A home or other physical address, including street name and name of a city or town.
  3. An e-mail address.
  4. A telephone number.
  5. A social security number.
  6. Any other identifier that permits the physical or online contacting of a specific individual.
  7. Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision."

Section 22577(a).

Posting the privacy policy in a "conspicuous" manner includes: 1) posting it on the operator’s home page or on the first significant page after accessing the Web site; or 2) placing an icon or text link (that hyperlinks to a Web page where the privacy policy is posted) on the home page or the first significant page after accessing the Web site (if the latter option is used, certain other criteria must be satisfied).2 Online service operators need only use reasonably accessible means of making their privacy policy available to meet this standard.

The Act sets forth four specific areas that must be covered in an operator’s privacy policy. An operator must:

  1. Identify the categories of personally identifiable information that the operator collects about consumers who use or visit its Web site or online service, as well as the categories of third parties with whom such personally identifiable information may be shared.
  2. If offered, describe how consumers who use or visit its Web site or online service may request changes to their personally identifiable information that is collected.
  3. Describe how the operator notifies consumers who use or visit its Web site or online service of material changes to the privacy policy.
  4. Identify the effective date of the privacy policy.

Violations

An operator is in violation of the Act if it, either knowingly and willfully, or negligently and materially, fails to comply with the Act’s posting requirements or fails to adhere to the terms of its own privacy policy. An operator has 30 days to comply after being notified of non-compliance. Enforcement actions as well as individual lawsuits and class action suits will likely be filed once the Act goes into effect. The Act does not set forth specific remedies, but failure to comply can subject an operator to a private civil suit for unfair business practices, including under Business & Professions Code Section 17200, which has been used increasingly as the basis for class actions to obtain injunctive relief and the recovery of plaintiff’s attorneys’ fees.

What Businesses Should Do

As a result of the Act, businesses that collect personal information of California residents online and that do not yet have a privacy policy should adopt one. Those businesses which have already voluntarily adopted a privacy policy (an industry best practice) should review that policy to verify compliance with the Act. Businesses should also ensure that their actual practices match the practices described in their privacy policy, or they can face potential liability for deceptive business practices under state or federal law.

This article is meant to highlight the most salient requirements of the Act. For more information about the Act or other privacy and data protection regulations, please contact the authors of this article.

Footnotes

1. The Act defines an "operator" as "any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner." Section 22577(c).

2. Use of an icon or text link is sufficient if: 1) the icon that hyperlinks to the actual policy contains the word "privacy," uses a color that contrasts with the Web page’s background or is otherwise distinguishable, and is placed on the home page or the first significant page after entering the Web site; 2) the text link that hyperlinks to the actual policy appears on the home page or on the first significant page after accessing the Web site, provided the text link either (a) contains the word "privacy," (b) is written in capital letters that are at least as large as the surrounding text, (c) is written in larger type than the surrounding text, or (d) if the surrounding text is the same size, is set apart with a contrasting type, font, or color, or by symbols or other markings which draw attention to the text link; or 3) any other hyperlink to the policy is displayed in such a way that a reasonable person would become aware of it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.