• News
  • Law

New privacy law requires Web site compliance

Related Special Reports

Operate a commercial Web site that markets to, and collects information regarding, California residents? If so, you had better ensure that your privacy policy and practices comply with California's new law. Beginning July 1, affected Web site operators will have to comply with California's Online Privacy Protection Act of 2003 (ALB. 68) (the "Act") or risk pricey civil suits. The Act requires operators of commercial Internet Web sites or online services that collect personally identifiable information about consumers that reside in California to conspicuously post their privacy policies on their Web site. Such privacy policies must: * Identify the categories of personally identifiable information collected about consumers. * Identify the categories of third-party persons or entities with whom the operator shares that personally identifiable information. * Provide a description of the process by which a consumer may change his or her personally identifiable information with such operator (if the operator provides such a mechanism). * Describe how the operator will notify consumers of changes to the site's privacy policy. * Identify the policy's effective date. Drafting, posting and complying with a privacy policy sounds simple enough, but with many companies obtaining a variety of types of data and sharing it with numerous parties for a myriad purposes, it can quickly grow quite complicated. Drafting an appropriate policy requires an entity to conduct a thorough investigation of their information collection and sharing practices. An entity must identify the type of personally identifiable information it collects and the parties with whom it shares such information. Given the Act's broad definition of personally identifiable information, this task can be quite involved. The Act defines personally identifiable information as "individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator..." Personally identifiable information includes first and last name; home or other physical address, including street name and name of a city or town; e-mail address; telephone number; Social Security number; any other identifier that permits the physical or online contacting of a specific individual; and information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above. Note, pursuant to the definition above, e-mail addresses are considered personally identifiable information. When combined with other personally identifiable information, cookies and tracking devices may also fall under the definition of personally identifiable information. Given the above, a company's disclosure obligations may be numerous. For example, a company may share certain customer information with third parties that assist the company in the fulfillment of product or service orders. That same company may share the same or different customer information with the company's marketing partners or affiliates. The same company could possibly trigger disclosure obligations by collecting data vis-?-vis the use of cookies and other tracking methods. Once all disclosure requirements are identified and the policy is drafted, the Act requires that the policy be conspicuously posted. The Act also sets forth specific requirements concerning the placement and appearance of the privacy policy and any links to it. These requirements include color, font and capitalization specifications. Drafting and posting the policy is only half the battle. Web site operators must also take special care to ensure that they comply with their posted policies. Failure to do so is a violation of the Act when noncompliance is either negligent and material or willful and knowing. Such violations may subject the operator to civil suits for unfair business practices. At the federal level, the Federal Trade Commission may bring a deceptive or unfair trade practices charge against a company that does not accurately disclose its practices. Ongoing compliance requires regular monitoring of company practices and timely updates of the company's privacy policy. The company must take also take caution to ensure that new business relationships it enters and programs it launches are consistent with the company's stated privacy practices.

Davalle is an associate in Luce, Forward, Hamilton & Scripps LLP's Carmel Valley/Del Mar office, and can be reached at (858) 720-6328 or ddavalle@luce.com.>

User Response
0 UserComments