In 2003, California enacted groundbreaking consumer rights legislation in the areas of database security, sharing of personal financial information, spam, and the use of personal information in direct marketing.[1] Maintaining its pioneer status, California is the first state to require that all companies that collect personal information online from California residents must post online privacy policies that describe their practices in a conspicuous manner. Although it is relatively easy to comply with the statute, the failure to do so could expose companies to consumer lawsuits, including class actions, under California’s prohibition of unfair business practices generally.

The Online Privacy Protection Act of 2003 (AB 68), codified as California Business and Professions Code § 22575 et seq., requires that entities collecting "personally identifiable information" from California residents for a commercial purpose conspicuously post a privacy policy disclosing what information is being collected and how it may be used. The Act becomes effective on July 1, 2004.

Applies to "Operators" Collecting "Personally Identifiable Information" from "Consumers"

Operators. The statute applies to any "operator," defined as a person or entity that owns a commercial Web site or online service located on the Internet that collects and maintains personally identifiable information from a "consumer" residing in California who uses or visits the Web site or online service. The statute specifically excludes entities that operate, host, or manage Web sites or online services on the owner’s behalf or that merely process information on behalf of the owner.

Personally Identifiable Information. The statute defines "personally identifiable information" as identifiable information collected online from an individual that is maintained in a form accessible to the collecting entity. This includes: first and last name, address, e-mail address, telephone number, social security number, any other identifier that permits the physical or online contacting of the individual, or any information concerning an individual maintained in personally identifiable form in combination with one of the above.

Consumers. The statute defines "consumers" as any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

Privacy Policy Requirements

Content. The statute provides that a privacy policy must:

  • Identify the categories of information the Web site collects and the categories of persons or entities with whom the operator may share the information.
  • Disclose whether the operator maintains a process for a user to review and request changes to his or her personally identifiable information and, if it has such a process, include a description.
  • Describe the process by which the operator notifies users of material changes to the privacy policy.
  • Identify the effective date of the policy.

Conspicuously Posted. The statute further provides that the privacy policy must be posted in a conspicuous manner. Companies may meet this requirement in one of several ways:

  • Posting the policy on the homepage or first significant page viewed by a user after entering the Web site.
  • Posting an icon on either of the above pages with a link to the policy, provided that the icon contains the word "Privacy" and uses a color that contrasts with the background color of the page on which it appears (or is "otherwise distinguishable").
  • In lieu of the above icon link, posting a text link that includes the word "Privacy" and (a) is written in capital letters equal in size to surrounding text, or (b) if not in capital letters, then (i) in type larger than surrounding text, (ii) in a contrasting font or color to the surrounding text, or (iii) is set off by symbols or other marks that call attention to the language.
  • Posting any other functional hyperlink that is displayed such that a reasonable person would notice it.

Online Service. An "online service," which is not defined in the statute, alternatively can meet the requirement to post a conspicuous policy by utilizing "any other reasonably accessible means of making the privacy policy available for consumers."

Consequences of Noncompliance

Any operator that knowingly and willfully, or negligently and materially, fails to comply with the posting requirements — or fails to follow the terms of its posted privacy policy — is in violation. The statute includes a 30-day cure period, after notice of noncompliance, in which to comply. Although the statute is silent as to specific remedies, it is likely consumer class actions could be filed for violations.

Conclusion

California has aggressively moved to regulate the acquisition, security, and use of consumer data. Although the California Online Privacy Protection Act is aimed at securing consumer confidence, its opponents argue that the law is overreaching because it applies to companies located outside of California. Due to the borderless nature of cyberspace, legal precedent for jurisdiction, enforcement, and the feasibility of state Internet regulation is still evolving. National and global companies doing business with California residents now face the challenging task of creating consistent data acquisition and utilization policies that comply not only with California law, but with federal requirements applicable to particular industry segments, as well as the European Union Privacy Directive.

[1] These California enactments are discussed in other Jones Day Technology Commentaries available at www.jonesday.com