June 14, 2004
CALIFORNIA ONLINE PRIVACY PROTECTION ACT EFFECTIVE JULY 1, 2004
The California Online Privacy Protection Act ("OPPA"), Business and Professions Code §§ 22575-22579, is the first state statute nationwide to regulate, in part, the privacy policies of commercial Web site and online service operators. OPPA's requirements are not onerous, and many operators may already have policies in place that satisfy them. However, we strongly recommend that all businesses engaged in Internet commerce review and update their policies to ensure that they are OPPA-compliant. As a guide to this process, we have summarized some of OPPA's key requirements below:
APPLICATION
OPPA applies to any operator of a commercial Web site or online service (whether located in California or not) that collects personally identifiable information ("PII") through the Internet about consumers residing in California.
· An operator is an owner of a commercial Web site or online service that collects PII. An operator is not an Internet Service Provider or other party who manages or hosts (but does not own) a Web site or online service.
· PII is any information which would permit the physical or online contacting of a specific individual, such as a name, street address, Internet address, telephone number or social security number.
· A consumer is any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family or household purposes.
REQUIREMENTS
OPPA regulates both the content and disclosure of an operator's privacy policy as follows:
· Content. An operator's privacy policy must:
    · Identify the types of PII the operator collects and the types of third parties with whom the operator may share such PII.
    · Describe the process established (if any) for a consumer to review and request changes to PII.
    · Describe the process through which an operator notifies consumers of material changes to its privacy policies.
    · Identify the effective date of the policy.
· Disclosure. OPPA requires an operator to conspicuously post its privacy policy on its Internet site. This requirement can be met in a number of ways, including:
    · Posting the policy on the Web site's homepage or first significant page after entering the Web site.
    · Maintaining an icon or text hyperlink to the privacy policy on the Web site's homepage or first significant page after entering the Web site. Any icon or text hyperlink must include the word "privacy" and comply with specific graphic, font, and type requirements.
VIOLATIONS/ENFORCEMENT
A Web site or online service operator violates OPPA if it fails to comply with the statute's provisions or its own privacy policies either (a) knowingly and willfully; or (b) negligently and materially. Once notified of non-compliance, an operator has 30 days in which to cure the problem. OPPA does not contain any specific enforcement or remedy provisions; however, it is likely that OPPA violations will be prosecuted under California's unfair competition law, which provides for civil penalties of up to $2,500 per violation. Individuals may also bring private actions for relief through the unfair competition law.
OTHER STATE OR FEDERAL STATUTES
Through OPPA, California has taken the lead in regulating the privacy policies of commercial Web site and online service operators. It is likely that other states or the federal government (which could preempt all similar state laws) will follow. Accordingly, operators should continue to monitor developments in online privacy law to ensure that their policies comply with all applicable law.
ADDITIONAL INFORMATION
For additional information on OPPA or assistance in developing an OPPA-compliant privacy policy, please contact Colleen Sechrest either by telephone (310.712.0100 ext. 16) or email: csechrest@shiotani-inouye.com.