As Of July 1, 2004, Websites Require Privacy Policy Changes Under New California Law

Thursday, July 1, 2004 - 01:00

If you take steps now to review your privacy policy and make any necessary changes, you can reduce your potential exposure to liability under a new and ground-breaking privacy law that just went into effect. The State of California passed a law late last year that requires any commercial website or online service operator who collects personally identifiable information about consumers residing in California ("Operators") to provide individuals with notice of its privacy policies. The law, which is known as the Online Privacy Protection Act of 2003 ("Online Privacy Protection Act" or the "Act"),1 went into effect on July 1, 2004. The Act requires Operators to have a privacy policy that includes specified information, and the privacy policy must be posted (or, in the case of an online service, any reasonably accessible means may be used to make the privacy policy available to consumers) in a "conspicuous" manner on the website. The Online Privacy Protection Act will preempt any local laws that regulate the posting of a privacy policy on an Internet website.

Although the federal government has enacted laws and regulations in recent years explicitly to protect children's, financial, and health privacy,2 it has informally ceded responsibility for articulating the legal parameters of general commercial privacy practices (including the types of disclosures made in a privacy policy) to the Federal Trade Commission ("FTC"). The FTC has refused to impose a general privacy policy disclosure requirement on Operators, focusing instead on whether a company's practices are consistent with its privacy policy. For example, the FTC has stated that the failure to adhere to the privacy practices articulated in a company's privacy policy and to ensure adequate data security protections for collected personal information may be construed as deceptive and misleading trade practices, in violation of Section 5 of the FTC Act.3 Consequently, the California Online Privacy Protection Act is significant because it represents the first instance of enacted legislation (on the federal or state level) that places an affirmative, blanket requirement on all Operators collecting personally identifiable information from consumers to make comprehensive disclosure of their privacy policies. California's enactment of the Online Privacy Protection Act thus demonstrates a holistic approach of generally mandated disclosures in order to address consumer privacy concerns, in contrast to the piecemeal approach that has characterized the federal government approach to privacy. A summary of the Online Privacy Protection Act, as it applies to Operators, is set forth below.

Required Contents Of Privacy Policy

A compliant privacy policy must:

• Identify the categories of personally identifiable information that an Operator collects about its individual visitors or users and disclose the categories of third-party persons or entities with whom the Operator may share that personally identifiable information;

• Disclose and explain any existing process that allows its individual visitors or users to review and request changes to the personally identifiable information that has been collected about them;

• Describe the process the Operator uses to notify individual consumers who visit or use its website or online service of any material changes that are made to the privacy policy for that website or online service; and

• Identify the privacy policy's effective date.

Most Operators should already be in compliance with the first three elements noted above, since these elements are consistent with the principles that the FTC has previously stated should appear in a complete privacy policy.4 In order to comply with the fourth element of the Act, an Operator could make (in conjunction with a statement that its privacy policy is subject to change at any time) a statement of the effective date of the privacy policy in the following format: "Effective Date: This policy was last updated on _________ [Insert date]."

Conspicuous Placement Of Privacy Policy

The Online Privacy Protection Act requires the conspicuous posting of a privacy policy and states that there are three ways to post the policy "conspicuously":

• The actual privacy policy may be placed on the website homepage or first significant page after entering the website;

• An icon can hyperlink to a web page containing the privacy policy, if (1) the icon is located on the website homepage or first significant page after entering the website, (2) the icon uses the word "privacy," and (3) the icon uses a color that is different than the background color of the web page on which it appears, or is otherwise distinguishable; or

• A text link can hyperlink to a web page containing the privacy policy, if the text link is located on the website homepage or first significant page after entering the website and the text link (1) contains the word "privacy," (2) is written in capital letters greater than or equal in size to the surrounding text, or (3) is either written in larger type than the surrounding text or is the same size as the surrounding text, but in a contrasting color, type, or font, or is set off from the surrounding text by symbols or other marks that call attention to the language.

Operators should already be in compliance or find it easy to comply with this "conspicuous posting" requirement, since most commercial websites and online services that collect information and disclose a privacy policy typically do so (at the very least) through a text link on the bottom of the website homepage. If such a text link includes the word "privacy," the Act is satisfied. On the other hand, Operators who have a text link (perhaps on the bottom of the website or online service homepage) that is labeled "Terms of Use" or is labeled with some other non-explicit reference to the fact that the link includes the website's privacy policy can easily comply with the Act by adding an additional text link explicitly referencing the privacy policy that already exists.

Definition Of Personally Identifiable Information

The Online Privacy Protection Act defines "personally identifiable information" as any individually identifiable information about an individual consumer that has been collected online by an Operator and is maintained in an accessible form. The requirement that the information must be maintained in an accessible form means that if the Operator has unintentionally received certain information (perhaps through a cookie that collects more information than required by the Operator) but makes no attempt to actually organize or track it, then it may not be subject to this law. Examples of "personally identifiable information" include the following:

• First and last name;

• Home or other physical address (including street and city or town);

• Email address;

• Telephone number;

• Social security number; and

• Any other information that permits the individual subject of the information to be contacted, either physically or online.

Violations

The Online Privacy Protection Act provides a thirty-day safe harbor. An Operator will only be deemed to have violated the Act if it fails to post a compliant privacy policy within thirty days after it has been notified of noncompliance, and such noncompliance is either knowing and willful or negligent and material.

Exemption

The Online Privacy Protection Act does not apply to third parties who operate, host, manage, or process information on a website or online service on behalf of an Operator, but do not themselves own the website or online service.

Penalties

Although the Online Privacy Protection Act does not provide for specific penalties, any violations of the Act would be deemed an "unlawful" act or practice under the enforcement provisions of the General Business Regulations Division of the Business & Professions Code. As such, in addition to injunctive relief, public attorneys can seek civil penalties in the amount of $2,500 for each violation, with additional penalties for violations involving senior citizens and disabled persons. As an unlawful act or practice, such violations may also be subject to class action claims.

Conclusion

From a practical perspective, Operators that currently post comprehensive privacy policies will probably only need to ensure that their privacy policy links are "conspicuously" posted and add effective dates to their privacy policies, in order to comply with the Act.

As previously noted, the California Online Privacy Protection Act represents the first legislative attempt on the federal or state level to explicitly require the creation and conspicuous placement of a privacy policy on a website. Given that Operators are unable to identify website users who are California residents, the Act effectively functions as a federal law, forcing Operators that collect personal information from California consumers to provide the required privacy policy information to all website visitors, without regard to their state of residency. It remains to be seen whether other states will follow California's lead and eventually pass their own privacy policy statutes, presumably resulting in varying and sometimes inconsistent requirements. This possibility recalls the patchwork of state unsolicited commercial email laws that resulted in the enactment of a federal unsolicited commercial email law earlier this year (the CAN-SPAM Act). The passage of the California Online Privacy Protection Act therefore portends legislation from additional states that may force Congress to enter the fray, in order to enact a comprehensive federal privacy law that ensures consistent requirements and regulations pertaining to information collection practices.1 Cal Bus & Prof Code § 22575 (2004).
2 See the Children's Online Privacy Protection Act of 1998 at 15 U.S.C. § 6501 (2004) et seq. and the implementing regulations at 16 C.F.R. 312.1; the Gramm-Leach-Bliley Act at 15 U.S.C. § 6801 (2004) et seq. and the implementing FTC regulations at 16 C.F.R. 313 et seq.; the Health Insurance Portability and Accountability Act of 1996 at 1996 Pub. L. 104-191 and the implementing regulations at 45 C.F.R. 160 et seq. and 45 C.F.R. 164 et seq.
3 15 U.S.C. § 45 (2004).
4 See, e.g., Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, 12, 27 (May 2000).

Joseph J. Lewczak is a Partner and Sofia S. Rahman is an Associate in the Advertising, Marketing and Promotions Department and New Media Group of Davis & Gilbert LLP in New York.

Please email the authors at jlewczak@dglaw.com or srahman@dglaw.com with questions about this article.