Client Alerts

06/29/2004

California Online Privacy Protection Act of 2003

The California Online Privacy Protection Act of 2003 [1] ("OPPA"), which becomes effective on July 1, 2004, is the first state law in the nation to require owners of commercial Web sites or online services to post a privacy policy. OPPA's reach extends beyond California's borders: any person or company in the United States (and conceivably the world) that operates a Web site collecting personally identifiable information from California consumers must post a conspicuous privacy policy on that Web site stating what information is collected and with whom it is shared, and must comply with that policy. Those who do not comply with OPPA risk civil suits for unfair business practices. This alert summarizes OPPA to help you prepare to comply with this new law.

Parties Subject to OPPA

OPPA applies to any person or entity that owns a commercial Web site or an online service (i.e., an "operator") that "collects and maintains personally identifiable information from a consumer residing in California who uses or visits" such Web site or online service. OPPA does not apply to ISPs or similar entities that transmit or store personally identifiable information at the request of third parties.

"Personally identifiable information" means information collected online about an individual consumer, such as a first and last name, a physical street address, an e-mail address, a telephone number, a social security number, or any other information that permits the physical or online contacting of a specific individual. Personally identifiable information also includes information concerning a consumer that is collected online (such as birthday, weight, hair color, etc.) and is maintained by an operator in personally identifiable form in combination with one of the above identifiers.

A "consumer" is an individual who seeks or acquires goods, services, money, or credit for personal, family, or household purposes.

What OPPA Requires

OPPA requires that each operator of a commercial Web site conspicuously post a privacy policy on its Web site. [2] According to OPPA, a privacy policy is conspicuously posted on a Web site when:

  • The privacy policy appears on the homepage of the Web site; or
  • The privacy policy is directly linked to the homepage via an icon that contains the word "privacy," and such icon appears in a color different from the background of the homepage; or
  • The privacy policy is linked to the homepage via a hypertext link that contains the word "privacy," or that is otherwise set off from the surrounding text on the homepage, for example by being written in capital letters equal to or greater in size than the surrounding text, or in a type, font, or color that contrasts with surrounding text of the same size.

The privacy policy itself must contain the following features:

  • A list of the categories of personally identifiable information the operator collects;
  • A list of the categories of third-parties with whom the operator may share such personally identifiable information;
  • A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information collected by the operator;
  • A description of the process by which the operator notifies consumers of material changes to the operator's privacy policy; and
  • The effective date of the privacy policy.

An operator will be considered in violation of OPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance. An operator that fails to comply with OPPA, or with the terms of its own posted privacy policy, will be found in violation of OPPA only if its noncompliance is either (a) knowing and willful or (b) negligent and material. Because the first prong carries no materiality requirement, a non-material (i.e., minor) but deliberate breach can give rise to liability. As a result, even minor technical defects in the posting or the contents of a privacy policy could be a basis for liability if they are knowing and willful.

Consequences of Noncompliance

OPPA does not contain its own enforcement provisions. It is expected, however, that OPPA will be enforced through California's Unfair Competition Law (the "UCL"), Business and Professions Code §§ 17200-17209. Under the UCL, the California Attorney General, district attorneys, and some city and county attorneys can file suit against businesses [3] for acts of "unfair competition," which include any unlawful business act or practice, i.e., any business act that violates another California law. [4] As a result, once OPPA becomes effective, violations of OPPA may be treated as violations of the UCL. Government officials bringing suit for violations of OPPA may seek civil penalties and equitable relief under the UCL. [5] In addition, the UCL allows private plaintiffs to assert claims for violations of OPPA. [6]

Operators who violate OPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against businesses whose posted privacy policy is deceptive, i.e., where the business fails to comply with its posted privacy policy. [7]

Recommendations

Effective July 1, 2004, every commercial Web site or online service that collects personally identifiable information from California consumers is required to generate, and conspicuously post, a privacy policy. As a result, we recommend that you take the following steps:

  • Determine whether your commercial Web site or online service is collecting "personally identifiable information" from California "consumers."
  • If you are collecting personally identifiable information from California consumers, create an accurate privacy policy that discloses all relevant information, maintains flexibility for marketing purposes, includes the OPPA required features, and complies with other applicable laws.
  • Conspicuously post your privacy policy on your Web site.
  • Conduct regular audits of your Web site and other relevant marketing tools to ensure that your privacy policy accurately reflects the ways in which you collect and handle personally identifiable information, and that you are in compliance with your privacy policy.
  • Keep in mind that even though there is no current federal law mandating the use of privacy policies, other states, such as New York and New Jersey, are considering laws similar to OPPA, [8] and thus state laws requiring privacy policies may become plentiful and perhaps disparate.
  • Ensure that you provide adequate security for the personally identifiable information that you collect and maintain.
  • Create internal procedures to prevent privacy breaches, such as privacy training for employees and security checks.

Conclusion

OPPA requires all persons or businesses that maintain a commercial Web site or online service that collects information from California consumers to post a conspicuous privacy policy on such Web site. OPPA further requires that such privacy policy include specific features and that operators comply with their policies. Violators risk civil suits brought by government officials and private citizens.

Cooley Godward advises clients to review their current privacy policies and data collection practices to comply with OPPA. Please contact an attorney in Cooley's Technology Transactions Group for updated information and further counsel on this matter.

Notes

1 The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (2004).

2 Operators of an online service are required to use "reasonable means" to make their privacy policy available for consumers, but the law provides no guidance on what constitutes "reasonable means."

3 Cal. Bus. & Prof. Code § 17204 (2004).

4 Id. § 17200.

5 Id. §§ 17203, 17206, 17207.

6 Id. § 17204.

7 See Press Release, Federal Trade Commission, FTC Announces Settlement With Bankrupt Website, Toysmart.com, Regarding Alleged Privacy Policy Violations (July 21, 2000), at http://www.ftc.gov/opa/2000/07/toysmart2.htm.

8 New York State Internet Privacy Law, A. 08035, 2003 Assembly, 2003-2004 Reg. Sess. (N.Y. 2003); New Jersey Online Privacy Protection Act, S. 1050, 211th Legislature, 2004-2005 Sess. (N.J. 2004).


©2003-2014 Cooley LLP. All rights reserved.