New California Legislation Mandates the Posting of Web Site Privacy Policies

Goodwin Procter LLP


Originally published June 18, 2004

Due to the enactment of California’s Online Privacy Protection Act of 2003 (the "Online Privacy Protection Act"), as of July 1, 2004, all operators of commercial Web sites or online services ("Operators") that collect personally identifiable information from California residents through Web sites or other similar online services ("Web Sites") will be required to post a privacy policy and to comply with it. Significantly, the Online Privacy Protection Act adopts a broad view of personally identifiable information, defining it as any individually identifiable information about an individual collected online, including any of the following: (i) first and last name; (ii) a home or other physical address; (iii) an email address; (iv) a telephone number; (v) a social security number; (vi) any other identifier that permits the physical or online contacting of a specific individual; and/or (vii) information concerning a user that the Operator collects online from the user and combines with any of the identifiers described above. The breadth of the definition of personally identifiable information ensures that the vast majority of Operators collecting information online will fall under the requirements of the new legislation.

While the legislation was enacted in California, it will also affect Operators based outside of California because it applies to all Operators that collect personally identifiable information about individual Web site users and/or visitors who are California residents.

Requirements and Restrictions

In addition to requiring all Operators collecting personally identifiable information from California residents to post a privacy policy, the Online Privacy Protection Act sets forth specific requirements about the content of such a privacy policy. Specifically, the policy must:

  • Identify the categories of information the Operator collects through the Internet and the categories of persons or entities with whom the Operator may share the information;
  • Disclose whether or not the Operator maintains a process for an individual user of and/or visitor to the Operator’s Web sites to review and request changes to his or her personally identifiable information and, if so, provide a description of such process;
  • Disclose whether or not the Operator reserves the right to change its privacy policy without notice to the individual user of, or visitor to, the Web sites; and
  • Identify the effective date of the privacy policy.

Significantly, the legislation also establishes rules regarding the placement of privacy policies, requiring that they be posted conspicuously on the Operator’s Web site. The law contains very detailed requirements regarding how a privacy policy must be displayed to be considered as being posted "conspicuously."

Violations

The Online Privacy Protection Act provides that an Operator will be considered in violation if (i) the Operator fails to post a privacy policy within 30 days of being notified that it is not in compliance with the requirements of the legislation, and/or (ii) the Operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its own privacy policy. The legislation will be enforced through California’s unfair competition law (Business and Professions Code 17200), which provides for civil fines and injunctive relief.

Implications

Because the Online Privacy Protection Act will apply to the vast majority of Operators, it is an opportune time for Operators to review their current privacy policies and information collection practices. While privacy policies are a relatively common feature of most Web sites, as discussed herein, California’s Online Privacy Protection Act contains specific requirements about both the content and placement of Web site privacy policies.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 650 attorneys and offices in Boston, New York and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. (c) 2004 Goodwin Procter LLP. All rights reserved.
