California Ups the Ante On Privacy Policy Disclosures

For the past decade, California law has set the template for commercial website privacy policies. With the passage of a new law, set to take effect January 1, 2014, the state has updated the disclosures required of any commercial website operator who collects personally identifiable information from California residents.

California’s Online Privacy Protection Act. In 2003, California became the only state to require all websites that collect personal information (“PII”) from visitors – in this case, California residents – to post a privacy policy. Until then, there was no generally applicable privacy policy requirement under either state or federal law, and, to this day, neither the other states nor the federal government have imposed such a requirement. Federal privacy policy requirements have been limited to specific kinds of information (such as under Children’s Privacy Protection Act) or industries (under the Health Insurance Portability and Accountability Act). Under the 2003 law, Internet sites need to identify the “categories” of personally identifiable information collected about “individual consumers”; describe the “categories” of third parties with whom the information may be shared; disclose (if there is one) any process for individuals to review or request changes to their personal information; explain how notice is given to consumers of changes in the privacy policy; and post the policy’s effective date. The definition of PII is more expansive than encountered in data breach statutes, and includes email addresses, partial addresses (including street names and towns), and first and last names. The privacy policy also must be “conspicuously” posted, as defined by the statute.

Now, however, the law has been significantly expanded.

The New Requirements. Under recently enacted Assembly Bill 370, the privacy policy requirements of California’s Online Privacy Protection Act have been expanded to include (1) disclosure of how the web site “responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection”; and (2) disclosure of “whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.” The statute was approved by the Governor and chaptered by the Secretary of State on September 27, 2013. It will take effect on January 1, 2014. Fortunately for Internet sellers, the law provides that “[a]n operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.” As a result, potential liability will only attach after a notice of noncompliance. Nonetheless, it is prudent to review and amend privacy policies to conform with the new law to avoid having to implement last minute changes should your company receive notice of non-compliance (which is not defined, and presumably could include a telephone call or email from a consumer).

The Light Still Shines. Companies should also remain mindful of California’s so-called “Shine the Light” Law, which can be found at California Civil Code § 1798.83, and as to which we’ve previously blogged. Violations of this law, which, among other things, requires privacy policy disclosures, have led to class actions being filed against Internet sellers. Customers can be awarded up to $3,000 per each violation, plus attorneys’ fees and costs. Some of these cases have been dismissed, but the costs of defending even an unsuccessful class action lawsuit can be substantial.

The Shape Of Things To Come. California isn’t stopping there. Beginning on January 1, 2015, all web sites that direct services to minors, or have actual knowledge that minors are using their sites, must provide a “delete” button to permit minors to remove all of their online content (together with clear instructions for doing so). The law will also prohibit Internet marketing of a wide variety of products and services to minors, including aerosol paint (apparently to inhibit graffiti), etching creams, BB guns, and tanning services. Unlike the COPPA, which is directed to persons under the age of 13, the California law applies to all persons under the age of 18.

Posted by David Bertoni