Often at the forefront of privacy issues, California has enacted a law that took effect on July 1, 2004 and is likely to affect every business with an online presence that collects personal information - even those without any obvious California ties.
Overview Of The Online Privacy Protection Act Of 2003
California's Online Privacy Protection Act of 2003 (the "Act") requires commercial website operators to conspicuously post their privacy policy on their websites when collecting any information that personally identifies consumers. Personally identifiable information includes information such as name, home address, email address, telephone number or Social Security number. The provisions of the Act are required for websites visited, used or viewed by consumers residing in the State of California. The terms of the Act do not apply to any "third party that operates, hosts, or manages, but does not own, a website or online service" and is only acting on behalf of the owner. Third-party individuals or entities are not considered operators under the Act.
According to the Act, a privacy policy posted on a website must contain the following information:
Categories of personally identifiable information that is collected through the website;
Categories of third-parties or entities with whom the operator of the site may share personally identifiable information;
A description of the process (if one exists) that a consumer would use to review or change his or her personally identifiable information
A description of the process for communicating changes in the privacy policy; and
The effective date of the privacy policy.
A policy is conspicuously posted through any of the following:
It is posted on either the homepage or first significant page after entering the website;
An icon that hyperlinks to the policy appears on the homepage or first significant page of the website; or
A text link that hyperlinks to the policy appears on the homepage or first significant page of the website, and does one of the following: (a) includes the word "privacy," (b) is written in capital letters or is the size of surrounding text, or (c) is written in larger type than the surrounding text, or in contrasting type, font or color, or otherwise is set off with marks that call attention to the language.
The Act also requires a site operator to comply with the terms of the policy posted on its website. It gives a site operator a grace period of 30 days after being notified of noncompliance to post its policy or presumably correct any violations contained in a posted policy. An operator subject to the law is in violation for failing to comply with either the Act or its own policy if it acts in a manner that is either "knowingly and willfully" or "negligently and materially."
Privacy Policy Best Practices
Compliance with the Act
If you operate a website that is visited, used or viewed by consumers residing in the State of California, the Act is applicable to you and you must comply with it. Even if a consumer residing in the State of California never visits, uses or views your website, you are still well-advised to follow the requirements of the Act. Customers are growing to expect sensitive treatment of their personal information, and most, if not all, of the requirements of the Act appear to make good business sense in today's Internet climate. In addition, other states (such as New York and New Jersey) are actively considering similar legislation, and we expect that eventually every website operator will be subject to at least one state's Internet privacy law.
Retain Prior Privacy Policies
The legislative history suggests that a user should be able to request the version of the privacy policy which was posted when he or she entered personally identifiable information. Therefore, we recommend that you keep an internal record of all versions of any Privacy Policy that you have posted on your website.
Notification of Changes to the Privacy Policy
Although the Act does not mandate the manner in which changes to a privacy policy must be communicated, we recommend adopting an approach that is designed to actually communicate the policy changes. Language such as, "Please consult this portion of the website regularly for important changes to the Privacy Statement as they occur. By using this website after any changes to this Privacy Policy are posted on it, you agree to accept those changes, whether or not you have reviewed them, and such acceptance shall be deemed legally conclusive" may no longer be sufficient. Instead, we suggest one of the following practices:
1.Send an Email to Users.
If you collect any personally identifiable information at all, you should also consider requiring a user to submit an email address. Whenever you change your privacy policy, send an email indicating that changes have been made to the policy. The email could include a summary of the policy changes and a link to the updated policy. The legislative history indicates that the purpose of the Act was to provide consumers with as much notice as possible, so we generally prefer this type of notice.
2.Provide a Link on the Homepage of the Website.
If you choose not to send email notification to users, or if you want to offer an additional method of communicating changes to your privacy policy, you may include a link on your home page with the words "CHANGES TO PRIVACY POLICY" appearing in a manner that draws attention to them. This link will appear when changes have been made to the privacy policy in the last thirty (30) days. Users will click on the link, which will then take them to the top of the privacy policy. There, users will be able to view a list of changes made to the policy, as well as the complete, updated policy. The link can additionally be placed in a "News" portion of your website.
Published September 1, 2004.