California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.
California’s Online Privacy Protection Act of 2003 becomes effective July 1, 2004, and applies to commercial website owners and online services that collect and maintain “personally identifiable information” from a “consumer” residing in California. This will likely apply to all businesses selling goods or services online in the United States. To comply, among other things, the privacy policy must identify the categories of information collected; third parties who have access; how a consumer may review and correct information; and how consumers will be notified of changes in the policy. The statute also requires website owners to “conspicuously post” a privacy policy on their websites. A website owner can satisfy the requirement by posting the policy on its home page or by providing a hyperlink from that page to the policy. The link must include the word “privacy” and meet certain case, type size, font, or contrasting colors or marking requirements that call attention to the link and the policy. Online service providers must use “reasonably accessible means” to make its policy available.
This act is a good reason for businesses to review existing privacy, website and online practices. Re-examine privacy promises and consider liability waivers. If you have not yet adopted a privacy policy, now is the time to do so!