Client Alert - California Enacts Online Privacy Protection Act: Is Your Privacy Policy in Compliance?
As of July 1, 2004, operators of commercial websites (or other online services) that collect personal information about consumers in California—such as a name or email address—must conform to the requirements of California's Online Privacy Protection Act ('the Act').1 The Act affirmatively requires persons or entities that collect such information to adopt a privacy policy and conspicuously post that policy on their websites. Prior to the Act, privacy policies were encouraged by the Federal Trade Commission, but were not mandated.
According to the Act, you must conspicuously post a privacy policy that (a) identifies the categories of personally identifiable information that is collected and the categories of third-parties or entities with whom that information may be shared; (b) describes your process for allowing consumers to review and request changes to personally identifiable information collected through the website or online service, if you have such a procedure; (c) describes the process by which you notify consumers who use your website or online service of material changes to your privacy policy; and (d) identifies the effective date of your privacy policy.
A 'conspicuously posted' privacy policy includes a policy that appears on the website's homepage or first significant page thereafter or that may be accessed by a hyperlink or text link that appears on those pages. If accessible by hyperlink or text link, the link must contain the word 'privacy' and must appear in a color that contrasts with the background of the web page or be otherwise distinguishable. For online services, this requirement may be satisfied by any reasonably accessible means of making the privacy policy available to consumers of the online service.
An operator will be in violation of the Act if it fails to post its privacy policy within 30 days of being notified of noncompliance or if it 'knowingly and willfully' or 'negligently and materially' fails to comply with its posted privacy policy. Violations of the Act are enforced through California's Unfair Competition Statute and civil actions for enforcement may be brought by the Attorney General, District Attorney or City Attorney.2 Private parties may also assert claims for violations of the Act. Remedies include fines and injunctive relief.
The effect of the Act extends far beyond California's borders. If you collect information from California residents, you should make sure that you implement a privacy policy that conforms to the Act's requirements, as well as a policy for investigating and responding to complaints under the Act.
We welcome the opportunity to assist you in reviewing your current privacy policy or preparing a new one that conforms to the Act's requirements.
For more information, please contact Meichelle R. MacGregor.
1 Cal. Bus. & Prof. Code § 22575–22579.
2 Cal. Bus. & Prof. Code § 17200 et seq.