Two new laws that may impact companies that collect personal information from California residents, online or offline
Two California laws are scheduled to take effect in the coming months, one on July 1, 2004 and one on January 1, 2005, that may significantly impact your business, even if your business is not based in California. These laws govern marketing activity and the collection of information from California residents.
The first, the Online Privacy Protection Act of 2003 (or AB 68), requires that commercial web sites and online service operators that collect personally identifiable information from California residents conspicuously post a privacy policy. The second, which is known as SB 27, and which replaces Section 1798.83 of the Civil Code, generally grants California consumers the right to know the third parties with whom their personal information is shared, unless the consumer was given the cost-free right to prevent such sharing.
In order to comply with these laws, which are discussed in detail below, and to lessen any potential liability, we recommend that affected businesses take action now to analyze the statutes' impact and undertake necessary compliance steps in advance of the impending deadlines.
Failure to fully and properly comply with either or both of these laws potentially could lead to class action lawsuits, regulatory action (by the California Attorney General, the Federal Trade Commission ("FTC") and other state Attorneys General), and significant negative publicity.
As of July 1, 2004, your web site may be legally required to prominently post an accurate privacy policy.
The Online Privacy Protection Act of 2003 requires commercial websites that collect personally identifiable information from consumers residing in California to conspicuously post an accurate privacy policy. It also requires the owner of an online service to make its privacy policy available to consumers by reasonably accessible means. A third party who merely operates, hosts, or manages a website on the owner's behalf or that processes information on the owner's behalf is not subject to the statute.
To comply with the Online Privacy Protection Act of 2003, a website must conspicuously post a privacy policy, by taking specific steps delineated in the statute, such as posting a prominent, distinguishable link on the homepage. The policy must explain what personally identifiable information the website or service collects, any third parties with whom it may share the personally identifiable information, and a description of any process available to the consumer to review and request a change to his or her information. The privacy policy also must state its effective date and the process the website or online service will use to notify consumers about a change in its privacy policy.
An operator violates the law if it fails to post its privacy policy or comply with its posted policy within thirty days of being notified of noncompliance. The Act does not specifically address penalties for a violation, but a violation could lead to regulatory action and civil lawsuits, potentially including a class action lawsuit brought under California's broad consumer protection laws.
The greatest potential liability connected with the Online Privacy Protection Act of 2003 may come from hastily written and posted privacy policies.
When posting a privacy policy, it is imperative that such a policy fully and accurately describe your business practices with regard to the personal information you may collect from consumers. Both the FTC and the many state Attorneys General are very active in this area. Even an inadvertent violation of a privacy statement, which may result from statements made elsewhere to consumers, either online or offline, can lead to significant penalties. In addition, the negative publicity surrounding an alleged violation of consumer privacy can lead to devastating financial consequences. Perhaps most importantly, numerous class action lawsuits have been and continue to be filed over alleged privacy-related violations, and it is reasonable to anticipate that California's legislation requiring accurate privacy policies will lead to even greater activity in this area.
Therefore, in light of the pending Act and existing United States law, we recommend that most businesses that maintain a website consider the following steps:
- Understand your business practices, including the various ways and places you collect personal information from consumers, the technology used on your websites, the various ways you market to consumers, and the ways in which you may share information with third parties.
- Draft an accurate privacy policy that discloses all relevant information, maintains adequate flexibility for marketing, and complies with applicable current laws.
- Audit your website and other relevant marketing tools to ensure there are no conflicting or inaccurate statements regarding how you collect and handle personal information, and that you are in compliance with applicable laws (such as the Children's Online Privacy Protection Act).
- Ensure that the security of the personal information you collect and maintain is reasonable under the circumstances, which will vary depending upon the size of your organization, the type of information collected, and statements made to consumers.
- Institute adequate compliance procedures to protect your business from inadvertent breaches of your privacy promises and to shield your business from potential liability to the greatest extent possible.
As of January 1, 2005, you may need to provide California consumers information regarding the sharing of personal information with third parties.
California SB 27, which mandates disclosure of certain information sharing practices, applies to a business that:
- has disclosed personal information about a customer (defined as a California resident who provides personal information to a business in connection with an established business relationship that is personal, family or household in nature);
- to one or more third parties;
- within the 'immediately preceding calendar year'; and
- the company reasonably knows the third party will use the data for direct marketing purposes.
Please note that this statute applies to information collected both online and offline. In addition, an "established business relationship" does not require consideration, and includes a relationship formed for obtaining "a product or service from the business."
Subject to the exception discussed below, to comply with SB 27, a business must:
- provide to a consumer, within 30 days of his or her request: (a) the categories of information disclosed during the preceding calendar year (which categories are set forth in the statute, and include, for example, name and address, age or birth date, e-mail address, and various demographic data); and (b) the names and addresses of the third parties that received personally identifiable information for use in direct marketing in the preceding calendar year (the "Disclosure Information");
- take action to notify consumers of the available method to request the Disclosure Information (as set forth in the statute, and which includes both offline and online methods of notice).
The statute does not require individual responses, but rather a standardized form setting forth the Disclosure Information.
There is an important exception for a business that gives consumers either opt-in or opt-out choice regarding the use of the consumer's personal information. So long as the business maintains and discloses the consumer's right to exercise opt-in or opt-out consent for the sharing of his or her personal information, the business may comply with the Act by:
- giving the consumer notice of his or her right to prevent disclosure of his or her personal information; and
- providing the consumer with a cost free means to exercise that right.
SB 27 also specifically enumerates exceptions for the use of personal information by third parties in certain circumstances, such as use by a third party solely to process or store the personal information and for certain jointly offered products.
There are business considerations that should factor into the procedures a business adopts for compliance with SB 27.
A business subject to SB 27 must decide how it will comply. First, it may be possible and desirable for certain businesses to simply cease collecting personal information from California residents.
A business that will continue collecting personal information from California residents after January 1, 2005 must decide whether or not to continue sharing personal information with third parties for direct marketing purposes. If the business will not share any personal information with third parties for direct marketing purposes, the business is outside the scope of SB 27. However, such a business should consider preparing a standardized response to send to a consumer who makes an SB 27 inquiry after the effective date.
If the business will share personal information collected from California residents after January 1, 2005, the next question for the business to answer is whether or not it will offer choice, either on an opt-in or opt-out basis. If choice always and reliably will be offered, the company should ensure the appropriate opt-out or opt-in procedures are in place by January 1, 2005, and should prepare a standardized response (explaining the consumer's no-cost option to exercise his or her choice) to send to any consumer who requests SB 27 disclosures after the effective date.
If, however, opt-out or opt-in choice will not be consistently offered, a company must put in place a procedure to comply with the disclosure requirements by January 1, 2005.
An important consideration for a business considering its compliance options is whether its contracts with third party marketing partners contain confidentiality provisions that prohibit the disclosures mandated by the Act.
In addition, any business that decides to institute an opt-out or opt-in procedure after SB 27 takes effect should carefully address the transition issues that will arise, including potential ongoing disclosure requirements to consumers whose information was shared prior to the consumers having the right to exercise choice, as well as an obligation to ensure all consumers are truly notified of their opt-out or opt-in rights upon implementation of those rights.
Conclusion
Any business actively marketing in California, and almost any business collecting personal information through a website, could be subject to these laws and should carefully consider its compliance obligations. The most efficient way to proceed may be for an organization to analyze its business practices in connection with both laws, and to implement the necessary disclosure of its business practices prior to July 1, 2004, rather than addressing the issues separately, and perhaps having to issue a revised privacy policy on January 1, 2005.