California again is at the forefront of legislation affecting national marketers. The soon-to-be-effective California Online Privacy Protection Act establishes for the first time a mandatory posting requirement for privacy policies.
Because of the Internet’s borderless nature, the law affects nearly all marketers. Moreover, given the unique private consumer protection laws in California, marketers who fail to comply risk what are essentially class actions for violating the law.
The law takes effect July 1. As of that date, commercial Web sites that collect personally identifiable information from California residents are required to post their privacy policies on their Web sites. For Web site operators who have not done so previously, this legislation likely will be the push needed to make such operators conform to what has been until now only an industry standard.
Though these four methods conform to the general industry standard, setting forth requirements on how a Web site should be posted is yet another standard to which site owners will have to adhere in order to comply with the act.
Operators who fail to comply with the act will be in violation if their noncompliance is either “knowing and willful” or “negligent and material.” The act exempts Internet service providers and similar entities that transmit or store personally identifiable information at the request of third parties.
Purpose of the law. The act aims to protect the privacy interests of California residents by informing them as to whether information obtained through the Internet may be disclosed or sold to other parties. Presumably, California enacted the law in response to the lack of federal legislation in this area. Similar laws are pending in New York and New Jersey, and other states likely will follow.
Effect of the law. More important than the law’s requirements are its scope and application. The act applies to any operators that collect information from California residents, regardless of the operators’ location. If a Web site operator in New York collects information from consumers “who reside in California,” the act is triggered even if the New Yorker has no physical presence in California. Because even “negligent and material” conduct can result in a violation, it is unlikely that a site owner could argue it did not foresee California residents accessing its site.
Federal action? The act is another example of a trend in California whereby legislature is enacting expansive laws under the auspices of protecting consumers. Just as California’s anti-spam law threatened essentially to block unsolicited commercial e-mail nationwide with its opt-in requirement, the Online Privacy Protection Act effectively regulates privacy policies nationwide because of the unique ability of the Internet to reach people across state lines.
The passage of this law and the existence of similar pending bills in other states leave open the question of whether a federal law will be enacted that will set a uniform standard.