California again is at the forefront of legislation affecting national marketers. The soon-to-be-effective California Online Privacy Protection Act establishes for the first time a mandatory posting requirement for privacy policies.
Because of the Internet’s borderless nature, the law affects nearly all marketers. Moreover, given the unique private consumer protection laws in California, marketers who fail to comply risk what are essentially class actions for violating the law.
The law takes effect July 1. As of that date, commercial Web sites that collect personally identifiable information from California residents are required to post their privacy policies on their Web sites. For Web site operators who have not done so previously, this legislation likely will be the push needed to make such operators conform to what has been until now only an industry standard.
The legislation. Under the new law, commercial Web site owners – called “operators” in the act – must post privacy policies that set forth the categories of personally identifiable information they collect from consumers. A privacy policy also must enumerate the types of third parties with whom the information may be shared.
If the operator maintains a process that consumers can use to request changes to their personally identifiable information, the privacy policy must explain this process. Also, operators must inform consumers how they will be notified of material changes to the privacy policy. The policy must contain an effective date.
In addition to content requirements, the law sets forth parameters on how a privacy policy must be posted. Web site operators must “conspicuously post” their policy. Operators of online services must simply use reasonably accessible means of making their privacy policy available. The law offers four ways a site owner can “conspicuously post” its privacy policy.
Though these four methods conform to the general industry standard, setting forth requirements on how a Web site should be posted is yet another standard to which site owners will have to adhere in order to comply with the act.
Operators who fail to comply with the act will be in violation if their noncompliance is either “knowing and willful” or “negligent and material.” The act exempts Internet service providers and similar entities that transmit or store personally identifiable information at the request of third parties.
Purpose of the law. The act aims to protect the privacy interests of California residents by informing them as to whether information obtained through the Internet may be disclosed or sold to other parties. Presumably, California enacted the law in response to the lack of federal legislation in this area. Similar laws are pending in New York and New Jersey, and other states likely will follow.
Effect of the law. More important than the law’s requirements are its scope and application. The act applies to any operators that collect information from California residents, regardless of the operators’ location. If a Web site operator in New York collects information from consumers “who reside in California,” the act is triggered even if the New Yorker has no physical presence in California. Because even “negligent and material” conduct can result in a violation, it is unlikely that a site owner could argue it did not foresee California residents accessing its site.
Essentially, the broad wording of the act means all businesses must comply. Thus, a business in New York, Hawaii, Texas or anywhere will have to conform its privacy policy to the requirements of the act if it can reasonably expect California residents to use its Web site.
These far-reaching effects are troublesome when considered in conjunction with California’s representative action statute. The representative action statute lets virtually anyone bring suit against a company as a class representative where the party can allege that Californians would be harmed. Actual harm is not necessary. Thus, a consumer in California could bring suit against a Web site owner if its privacy policy does not comply with the terms of the law, even if that consumer’s personal information was never collected.
Federal action? The act is another example of a trend in California whereby legislature is enacting expansive laws under the auspices of protecting consumers. Just as California’s anti-spam law threatened essentially to block unsolicited commercial e-mail nationwide with its opt-in requirement, the Online Privacy Protection Act effectively regulates privacy policies nationwide because of the unique ability of the Internet to reach people across state lines.
If a business has any reason to believe its Web site will be used by California residents – which it likely will – the business will have to comply with the act when drafting its privacy policy. As a result of this trend in California, it is now essential that businesses look to California law before undertaking national marketing campaigns.
The passage of this law and the existence of similar pending bills in other states leave open the question of whether a federal law will be enacted that will set a uniform standard.
