California Online Privacy Protection Act of 2003
Parties Subject to OPPA
OPPA applies to any person or entity that owns a commercial Web site or an online service (i.e., an "operator") that "collects and maintains personally identifiable information from a consumer residing in California who uses or visits" such Web site or online service. OPPA does not apply to ISPs or similar entities that transmit or store personally identifiable information at the request of third parties.
"Personally identifiable information" means information collected online about an individual consumer, such as a first and last name, a physical street address, an e-mail address, a telephone number, a social security number, or any other information that permits the physical or online contacting of a specific individual. Personally identifiable information also includes information concerning a consumer that is collected online (such as birthday, weight, hair color, etc.) and is maintained by an operator in personally identifiable form in combination with one of the above identifiers.
A "consumer" is an individual who seeks or acquires goods, services, money, or credit for personal, family, or household purposes.
What OPPA Requires
A list of the categories of personally identifiable information the operator collects;
A list of the categories of third parties with whom the operator may share such personally identifiable information;
A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information collected by the operator;
Consequences of Noncompliance
OPPA does not contain enforcement provisions. It is expected, however, that OPPA will be enforced through California's Unfair Competition Law (the "UCL"), which is located at Business and Professions Code §§ 17200-17209. Under the UCL, the California Attorney General, district attorneys, and some city and county attorneys can file suit against businesses3 for acts of "unfair competition," which are considered to be any act involving business that violates California law.4 As a result, once OPPA becomes effective, violations of OPPA may be considered violations of the UCL. Government officials bringing suit for violations of OPPA may seek civil penalties and equitable relief under the UCL.5 In addition, the UCL provides that private plaintiffs may assert private claims for violations of OPPA under the UCL.6
Determine whether your commercial Web site or online service is collecting "personally identifiable information" from California "consumers."
Keep in mind that even though there is no current federal law mandating the use of privacy policies, other states, such as New York and New Jersey, are considering laws similar to OPPA,8 and thus state laws requiring privacy policies may become plentiful and perhaps disparate.
Ensure that you provide adequate security for the personally identifiable information that you collect and maintain.
Create internal procedures to prevent privacy breaches, such as privacy training for employees and security checks.
Cooley Godward advises clients to review their current privacy policies and data collection practices to comply with OPPA. Please contact an attorney in Cooley's Technology Transactions Group for updated information and further counsel on this matter.
1 The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (2004).
3 Cal. Bus. & Prof. Code § 17204 (2004).
4 Id. § 17200.
5 Id. § 17203; id. § 17206; id. § 17207.
6 Id. § 17204.
8 New York State Internet Privacy Law, A. 08035, 2003 Assembly, 2003-2004 Reg. Sess. (N.Y. 2003); New Jersey Online Privacy Protection Act, S. 1050, 211 Legislature, 2004-2005 Sess. (N.J. 2004).