California’s Online Privacy Protection Act Requires Privacy Disclosures on Virtually All Business Websites
Until now, laws regarding website privacy disclosures have applied primarily to the financial services and health care industries. California’s Online Privacy Protection Act of 2003 (“OPPA”) will change this. The new law, which takes effect July 1, 2004, is the first state law requiring all businesses whose websites collect personal data to post their privacy policies on those websites.
This memorandum will address the following questions:

I. Who must comply with the OPPA?

II. How does a business comply with the OPPA?

III. What are the consequences of failing to comply with the OPPA?
I. Who must comply with the OPPA?
The OPPA applies to any “operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service.”
A. Operator of a commercial website or online service. Under the OPPA, the term “operator” refers to the owner of a website or online service that is operated for commercial purposes. Internet service providers (ISPs) are expressly identified as having no obligations under the OPPA with respect to the Web hosting services they provide to businesses.
B. Collecting personally identifiable information. The OPPA lists several examples of “personally identifiable information,” including a catch-all: “Any other identifier that permits the physical or online contacting of a specific individual.” At its broadest interpretation, this could include the individual Internet protocol addresses of computers used to access the website, which are recorded by the Web server. Thus, even a business operating a website purely as a mechanism to disseminate information should implement and post an online privacy policy - even if it is as simple as this:

It is the policy of this business not to collect any personally identifiable information from consumers via this website. Any information transmitted to or through this website as a result of accessing the information on this website, which may be traceable to a consumer (e.g., the Internet protocol address of the computer used to access this website), is accessible, if at all, only by technical personnel in the course of maintaining this website and/or associated hardware.
Certainly there is no question that a commercial website that collects any personal information from a user (e.g., the user’s name, address, e-mail address, social security number, etc.) is collecting personally identifiable information within the meaning of the OPPA.
C. Consumers residing in California. The OPPA applies to all businesses operating websites that collect personally identifiable information from California consumers. Thus, it is not the location of the business that determines OPPA applicability, but the residences of those consumers who access the business’ website. As a practical matter, this means that virtually any business with a Web presence - wherever located - potentially falls within the reach of the OPPA.
While the OPPA does not apply to businesses with websites that collect only information about other businesses, the reality is that it would be very difficult to construct a website that collects information about businesses while ensuring that no consumer information is inadvertently collected. Perhaps the most significant reason for this is that millions of people are in business for themselves, and their business information is often the same as their personal information. Accordingly, any business that collects information from a website visitor quite likely falls within the ambit of the OPPA.
II. How does a business comply with the OPPA?
The OPPA has but one requirement: Businesses must post their online privacy policies on their websites. This seems simple, but actually, posting the policy is only the final step in a process that requires careful analysis and diligent execution.
A. The online privacy policy must be implemented through internal procedures. A privacy policy cannot be posted, of course, unless it exists. And it goes without saying that a written policy that is not actually in practice is not a policy at all. Therefore, businesses should develop internal procedures to ensure that OPPA-compliant privacy policies are actually in practice. In order to effectively implement this, OPPA procedures should be in writing, and should:
1. Define the categories of personally identifiable information that are collected through the website or online service;

2. Define the categories of third parties with whom the business may share personally identifiable information;

3. Define the categories of third parties with whom the business will not share personally identifiable information;

4. Establish how personally identifiable information is stored, and provide for adequate protection of all stored personally identifiable information (e.g., encryption, firewalls, etc.);

5. If applicable, set forth how consumers may review and request changes to any of their personally identifiable information; and

6. Set forth a process for confirming that the business complies with its privacy policy on an ongoing basis, and for notifying consumers of material changes to the privacy policy. (E.g., an annual documented review comparing actual practice against official procedure, or a more frequent review, depending on how often the website is modified. Such a process can be effected through the use of a simple checklist, which has the added benefit of providing documentation of diligence and ongoing compliance. This can be helpful if the business is ever subjected to a lawsuit for noncompliance, as described in Section III of this memorandum.)
B. The online privacy policy document must be created. Once the above procedures have been established, the online privacy policy document that will be available to the public must be created. This policy must at minimum:

1. Identify the categories of personally identifiable information collected through the website or online service, and the categories of third parties with whom the information may be shared;

2. If the website or online service provides a process for an individual consumer who visits the website or uses the online service to review and request changes to any of his or her personally identifiable information, provide a description of that process;

3. Describe the process by which the business notifies consumers who visit its website or use its online service of material changes to the online privacy policy; and

4. Identify its effective date.
C. The online privacy policy must be posted. Finally, after completing all of the above steps, a business will be ready to make its online privacy policy available to consumers. To comply with the OPPA, the online privacy policy must be “conspicuously posted.” This can be accomplished through any of the following means:

1. Posting the online privacy policy in its entirety on the website’s home page;

2. Placing an icon or text link on the home page that links to a page that displays the online privacy policy, so long as the icon or text link is clearly distinguishable and contains the word “privacy”; or

3. In the case of an online service, using “any other reasonably accessible means” of making the online privacy policy available to consumers.
III. What are the consequences of failing to comply with the OPPA?
A business will generally be deemed to have violated the OPPA if it does not implement and post an OPPA-compliant online privacy policy within 30 days after being notified of its noncompliance. Presumably, notification can be made by any person, and, given the extensive right to bring action against a noncompliant business, as described below, it is critical that all employees be trained to report any such notification received to personnel who may address the issue. A violation of the OPPA could subject the business to an action under California’s Unfair Competition Law, which classifies “unlawful business conduct” as one form of unfair competition, and provides for civil penalties, private rights of action, and class actions against businesses engaged in unfair competition. The statute of limitations on actions brought pursuant to the Unfair Competition Law is four years.
Conclusion
We recommend that any business operating a website implement and post an online privacy policy that meets the requirements of the OPPA. For most businesses, this will require an analysis of their current processes for collecting and using personally identifiable information through their website or online service, followed by the implementation of online privacy procedures that will ensure that an OPPA-compliant policy is enforced. The business must then create the policy document itself, ensuring that it reflects the business’ actual practice and that it adheres to the OPPA’s requirements. Finally, the online privacy policy must be conspicuously posted to the website or otherwise made available to consumers in accordance with the requirements of the OPPA.
We recognize that many businesses have implemented and posted online privacy policies as a matter of sound operating practice. Those businesses that are already OPPA-compliant are indeed a step ahead of the rest. But as websites evolve and Internet functionality expands, it is easy to see how a business that modifies its website, without keeping in mind its own online privacy policy and the requirements of the OPPA, could inadvertently fall out of compliance. Therefore, given the substantial loss potential, not to mention reputation risk, of a lawsuit brought against a business for failure to adhere to the OPPA, the best practice is to establish a program that will ensure OPPA compliance today and in the future.
For more information, contact:

Michael D. Schley, 805-966-2940

Joseph F. Look, 805-688-9226

Ian M. Guthrie, 805-966-2985

Brett Locker, 805-963-4929

This Memo was prepared with the assistance of Christina Stokholm, law clerk.