I. Overview and Summary of Requirements

On July 1, 2004, the first online privacy law in the country that applies to the collection of information from consumers over the age of 13 will take effect.

The California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE §§ 22575 et seq., ("Section 22575") is a privacy notice requirement law. It contains a generous safe harbor that gives companies 30 days to come into compliance if notified of failure to post a policy. The law also prohibits "negligently and materially" or "knowingly and willfully" failing to follow promises in a posted privacy policy.

The California law will require operators of a commercial Web site or online service that collect through their Web site or online service personally identifiable information[1] from consumers[2] residing in California to conspicuously post their privacy policy on their Web site (or, in the case of an online service, to use any other "reasonably accessible means of making the privacy policy available to consumers"). The law exempts Internet service providers and similar entities that transmit or store personally identifiable information at the request of third parties. Because many Web sites and online services do not collect physical address information, and for that reason may be unaware that they are collecting personally identifiable information from California consumers, sites and services may be well advised to conform their privacy policies to the requirements of this new law.

Section 22575 requires that posted privacy policies must:

  1. identify the categories of personally identifiable information that the operator collects through the Web site or online service and the categories of third-party persons or entities with which the operator may share personally identifiable information;
  2. describe how a consumer can review and make changes to his or her personal information, if the operator allows such review and changes;
  3. describe how consumers can learn of changes in the operator’s privacy policy;
  4. identify the effective date of the privacy policy; and
  5. be conspicuously posted on the Web site or, in the case of an online service, through any other "reasonably accessible means of making the privacy policy available to consumers."

Companies cannot be liable under Section 22575 unless they fail to post a policy within 30 days of being notified of non-compliance.

The California law also sets a deception standard for failing to abide by privacy policy statements that requires that defendants act either "negligently and materially" or "knowingly and willfully."

The new law can be enforced in the same manner as a violation of California Business and Professions Code § 17200. The California Attorney General, local district attorneys, and private individuals can bring suit under § 17200 to enforce the provisions of this new law, and can obtain penalties of $2,500 per violation in actions brought by the A.G. The plaintiffs’ bar can sue for restitution, injunctive relief and possibly attorneys’ fees.

Following is a list of action items and further guidance to determine how to address the new law’s requirements.

II. Recommended Action Items

  • If you do not already post a privacy policy for a consumer Web site or online service that collects personal information from California consumers, consider doing so. Under the California law, you have a 30-day safe harbor to post a notice after being notified of non-compliance. However, posting a privacy policy for consumer Web sites is a good business practice.
  • Undertake a review of your entire privacy policy to ensure that it is accurate and up to date. If the site or online service already has a privacy policy, review it to ensure that it is up to date and accurately reflects the site’s or service’s practices. Periodic reviews of your privacy policy are important, and this is a good opportunity to do so, in particular with regard to somewhat unusual features of California’s notice requirement:
  • Determine what, if any, additional statements need to be added to your privacy policy in light of the new California law. Privacy policies that comply with fair information practice principles, seal program requirements, and certain laws, including the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLB), may not necessarily address the requirements of this law. Thus, you should double-check your policy to ensure that it contains all of the required disclosures, paying particular attention to the last two requirements to state how you will notify consumers about material changes to the policy and provide the policy’s effective date.
  • Assess representations regarding notification of changes. Review representations, if any, made in your privacy policy regarding how you will notify consumers of material changes to your privacy practices, and determine how you will fulfill those representations. For example, if the privacy policy states that "the site will notify consumers about changes to our privacy policy by posting a prominent notice on the site," determine what form the notice will take (e.g., using the word "updated" next to the privacy policy link on the home page or using a pop-up window, as well as including an effective date) and determine what the notice will say. Alternatively, if the site has committed to notify consumers via an e-mail, plan on how to frame the e-mail notice.
  • Ensure that the link to the privacy policy is conspicuous. Sites and services should take this opportunity to review what the link to the privacy policy looks like and how accessible it is. Sites and services whose practices are subject to COPPA, or that follow self-regulatory guidelines or participate in one of the privacy seal programs, likely will not need to address this requirement as they already ensure that (1) a link to the privacy policy is accessible from the home page and all pages that collect personally identifiable information, and (2) the link stands out and is noticeable to consumers (e.g., through a larger font size in a different color on a contrasting background).

III. Guidance

  • Applies to consumer Web sites only. This law applies only to the collection of personally identifiable information from California consumers. Thus, it does not apply to business-to-business Web sites. It might, however, be interpreted to apply to company intranet sites that offer items for sale or lease to employees for personal, family or household purposes. The law applies to any Web site or online service that collects information from California residents, irrespective of the operator’s location. For example, if a Web site operator in New York collects personally identifiable information from consumers "who reside in California," the act is triggered even if the New York site has no physical presence in California.
  • Does not mandate consumer access to and correction of information. The law does not require sites and online services to provide consumers with access to information collected about them online. Rather, it requires a description of the process for reviewing information, if the site or service provides such access. Thus, this law does not impose an access requirement on Web site or online services.
  • Making the link to the privacy policy conspicuous. As noted above, the privacy policy must be conspicuously posted at the Web site or online service. This requirement can be satisfied through posting the policy in any of the following ways:

– on the home page/first page of the site;

– through an icon on the home page/first page of the site, labeled "Privacy" and using a contrasting color;

– through a hyperlink that is labeled "Privacy" in capital letters, in a contrasting type/font/color, or that is otherwise conspicuous; or

– any other functional hyperlink that a reasonable person would see.

An online service may use any other reasonably accessible means.

Sites or online services should not display the notice behind a link that reads "Legal Notices" or embed the privacy policy in a Terms of Service document.

  • Adding an effective date. Include the effective date of the policy. This likely will be the last time you made changes to the privacy policy. Thus, if you are taking this opportunity to update your policy, the effective date should reflect this.
  • Notification regarding material changes. The law does not specify how sites and services will need to notify consumers about material changes to their posted privacy policies. Consider language that will afford you flexibility to determine the appropriate notification method based on the circumstances. For example, for material changes, you may want to notify consumers via e-mail and obtain their consent, rather than through a mere posting at the site. Alternatively, for mere clarifications or minor updates, you may choose to advise consumers through a prominent posting at the site.

Footnotes

[1] CAL. BUS. & PROF. CODE § 22577 defines personally identifiable information as "individually identifiable information about an individual collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) a first and last name, (2) a home or other physical address, including street name and name of a city or town, (3) an e-mail address, (4) a telephone number, (5) a social security number, (6) any other identifier that permits the physical or online contacting of a specific individual, (7) information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision." (Emphasis added.)

[2] The term consumer is defined as "any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes." Id.

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.