Nation's First State Law Mandating Privacy Policies for Commercial Web
Sites Goes Into Effect July 1, 2004
December 2003
By Alan N. Sutin, Greenberg
Traurig, New York Office
The California Legislature, which recently enacted the United States’
toughest state anti-spam law to date,1
continues to stir controversy by enacting the first state law that requires
commercial Internet sites to (a) conspicuously post privacy policies on
their Web sites, (b) assure that those privacy policies conform to certain
standards, and (c) abide by those policies in practice. Failure to do any
of the foregoing, even if unintentional, can result in significant penalties.
What The New California Online Privacy Law Says
The new law, known as the Online Privacy Protection Act of 2003, takes
effect July 1, 2004. The law applies to “operators” of Web sites or online
services, with an “operator” defined as “any person or entity that owns
a Web site located on the Internet or an online service that collects and
maintains personally identifiable information2
from a consumer residing in California who uses or visits the Web site or
online service if the Web site or online service is operated for commercial
purposes.” Accordingly, virtually any business selling products or services
online in the United States will fall within the reach of the new California
law.
Operators of commercial Web sites that collect personally identifiable
information must “conspicuously post” a privacy policy on their Web sites,
while online service operators may use any “reasonably accessible” means
to communicate their privacy policies. The term “conspicuously post” with
respect to a privacy policy is defined in great detail.3
Failure to post a privacy policy within 30 days after being notified of
non-compliance constitutes a violation of the new California law.
To comply with the new law, each posted privacy policy must meet
four basic requirements. The policy must:
(1) Identify the categories of personally identifiable information
that the operator collects about individual consumers who use or visit
its site and the categories of third-party persons or entities with whom
the operator may share that personally identifiable information;
(2) If the operator offers a means for individual users to review and
request changes to any of their personally identifiable information, provide
a description of that process;
(3) Describe the process by which the operator will notify users of
its site or service when it makes material changes to its privacy policy;
and
(4) State its effective date.
Failure to adhere to the foregoing requirements is a violation of the
law, as is the operator’s failure to adhere to the terms of its own policy
if such failure is done either (a) “knowingly and willfully,” or (b) “negligently
and materially.” While the new California statute does not contain specific
penalties, various state authorities could enforce the new law through the
California Business and Professions Code, Unfair Trade Practices Chapter,
and courts can impose fines of up to $2,500 per violation.
How The New Law Changes United States Privacy Law
Although privacy policies are commonly adopted by operators of commercial
Internet sites, the decision to use a privacy policy in connection with
a Web site has been entirely voluntary except in certain regulated areas.
When the new California Online Privacy Protection Act of 2003 goes into
effect in 2004, it will be the first state law in the United States to mandate
the use of a privacy policy. Moreover, it will create direct legal liability
under California law for those who do not comply with their posted privacy
policies.
What Should You Do If You Operate A Commercial Web Site or Online Service?
For those individuals and entities operating commercial Web sites and
online services that have taken the issue of consumer privacy seriously
and complied with already-established industry best practices, the new California
law will not likely have a material effect on their businesses. For those
who have chosen not to include a privacy policy, the new California law
will effectively force them to adopt what already are regarded as sound
business practices. In practice, many businesses post privacy policies that
are simply modeled after those of other sites and pay insufficient attention
to whether such policies accurately state their privacy practices. For businesses
that have been less than diligent in assuring that their privacy policies
matched their actual practices, the new California law will expose them
to increased liability. The enactment of the new Online Privacy Protection
Act of 2003 in California is good reason for all businesses to review their
privacy policies and practices prior to July 1, 2004 to ensure compliance.
Footnotes
1 See “California's Attempt to Can Spam May Cost Legitimate Advertisers Millions.”
2 The term “personally identifiable information”
is defined in the new California statute to mean “individually identifiable
information about an individual consumer collected online by the operator
from that individual and maintained by the operator in an accessible form,
including any of the following: (1) A first and last name; (2) A home or
other physical address, including street name and name of a city or town;
(3) An e-mail address; (4) A telephone number; (5) A social security number;
(6) Any other identifier that permits the physical or online contacting
of a specific individual; or (7) Information concerning a user that the
Web site or online service collects online from the user and maintains in
personally identifiable form in combination with an identifier described
in this subdivision.”
3 Under the new statute, “conspicuously post”
includes “posting the privacy policy through any of the following: (1) A
Web page on which the actual privacy policy is posted if the Web page is
the homepage or first significant page after entering the Web site; (2)
An icon that hyperlinks to a Web page on which the actual privacy policy
is posted, if the icon is located on the homepage or the first significant
page after entering the Web site, and if the icon contains the word ‘‘privacy.’’
The icon shall also use a color that contrasts with the background color
of the Web page or is otherwise distinguishable; (3) A text link that hyperlinks
to a Web page on which the actual privacy policy is posted, if the text
link is located on the homepage or first significant page after entering
the Web site, and if the text link does one of the following: (A) Includes
the word ‘‘privacy;’’ (B) Is written in capital letters equal to or greater
in size than the surrounding text; (C) Is written in larger type than the
surrounding text, or in contrasting type, font, or color to the surrounding
text of the same size, or set off from the surrounding text of the same
size by symbols or other marks that call attention to the language; (4)
Any other functional hyperlink that is so displayed that a reasonable person
would notice it; or (5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers of
the online service.”
© 2003 Greenberg Traurig
This GT ALERT is issued for general purposes only and is not intended
to be construed or used as legal advice. Greenberg Traurig attorneys provide
practical, result-oriented strategies and solutions tailored to meet our
clients’ individual legal needs. The Firm’s responsive approach to client
service often cuts across legal subject matter, applying the right experience
and resources to provide cost-effective solutions.