On July 1, 2004, California's Privacy Protection Act of 2003 (the "Act") will become effective and will be the first law to require "conspicuously placed" privacy policies on all Web sites that collect personally identifiable information from California consumers. While many businesses voluntarily post privacy policies on their Web sites, the only laws that currently impose similar privacy requirements apply to businesses in particular markets, such as child-oriented companies, financial services, and healthcare organizations. The Act is much more general in scope; it applies to all consumer transactions with California residents in which personally identifiable information is disclosed.
1. Scope of the Act
The Act only applies to Web sites that collect "consumer" information. A "consumer" is defined by the Act as an individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family or household purposes. There is no requirement, however, that the entity collecting personal information be located within California for the Act to apply. Accordingly, any business which conducts transactions with California consumers for personal, family or household goods and services via the Internet should audit existing Web site privacy policies and practices to confirm compliance with the Act.
2. Personally Identifiable Information
The Act also only applies to the collection of "personally identifiable information." "Personally identifiable information" is defined by the Act as identifiable information about an individual collected by the operator of a Web site from the individual and which is maintained in a form accessible by the operator. Such information includes first and last names, address, e-mail address, telephone numbers, social security numbers, and any other identifiers that permit the physical or online contacting of an individual.
3. Conspicuous Posting
To comply with the Act, a company will need to "conspicuously post" its privacy policy on its Web site. Any of the following means of posting the privacy policy will suffice:
Posting the policy on the homepage or first significant page after entering the Web site;
Posting an icon containing the word "privacy" on the homepage or first significant page after entering the Web site that hyperlinks to a Web page on which the actual privacy policy is posted. The icon must appear in a color that contrasts with the background color of the Web page or is otherwise distinguishable; or
Rather than posting an icon as described above, posting a text link that either (i) includes the word "privacy," (ii) appears in capital letters equal to or greater in size than the surrounding text, or (iii) is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
4. Contents of the Privacy Policy
The Act provides that a privacy policy must:
Identify the categories of information that the company collects and the categories, persons or entities with whom the company may share the information;
Describe the process, if the company maintains one, by which users may review and request changes to their information that the company collects;
Describe the process by which the company notifies users of material changes to its privacy policy; and
Identify the effective date of the policy.
An operator of a commercial Web site is in violation of the Act if it fails to comply within thirty (30) days of notice of noncompliance with the provisions of the Act or with the provisions of its posted privacy policy either (i) knowingly and willfully, or (ii) negligently and materially. If the company opts not to post a privacy policy on its Web site at this time, it will need to be prepared to post one that complies with the Act within thirty (30) days of notice of noncompliance with the Act. The Act does not specify remedies, but violations could lead to consumer class actions.
If your organization currently accepts or plans to accept orders and collects data from individuals in California, now is the time to determine if the Act applies to your Web site, and if so, how to comply. If you have any questions regarding the information in this bulletin, please contact Walter Crouch, Mark Plotkin, Amy Roland or any member of our Intellectual Property Practice Group at (615) 244-6380.
The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.