The California Online Privacy Protection Act (OPPA) appears to
affect every business in the world that has a web site collecting
information on-line, even just e-mail addresses for newsletters,
because a California resident could sign up at any time.
The Act, passed last year but only in force this month, applies
to any person or entity "that collects personally identifiable
information from California residents through an internet web site
or on-line service for commercial purposes".
Such a person or entity, which the Act calls an "operator", "shall
conspicuously post its privacy policy on the Web site."
The privacy policy shall "identify the categories of information
that the operator collects through the internet about individual
users of, and visitors to, its commercial Web site or online
service and the categories of persons or entities with whom the
operator may share the information."
The policy should also state whether the operator reserves the
right to change it without notice to the individual user; explain
whether and how a user can change the details stored about him or
her; and identify its effective date.
Operators must also keep old versions of their privacy policies
and make them available on request for up to five years.
According to California law firm Cooley Godward, while OPPA does
not contain enforcement provisions itself, it is likely that the
Act will be enforced under provisions of the State's Unfair
Competition Law.
The requirements for full disclosure on the use of personal data
echo those of Europe's data protection regime. These have no
equivalent in US federal law.
In the UK, a fair processing notice – or data protection notice
– must be displayed on a web site before personal data is
"processed." A link to this notice is insufficient, although an
additional "privacy policy," available from a link on each page, is
also recommended as good practice.
In California, the requirements for displaying the privacy
policy are more relaxed than the UK's requirement for displaying a
data protection notice.
OPPA states that "a text link that hyperlinks to a Web page on
which the actual privacy policy is posted" is sufficient "if the
text link is located on the homepage or first significant page
after entering the Web site". The Act describes other display
options, but where the text-link approach is followed it says the
link must do one of the following:
- include the word "privacy", in a type size no smaller than the
type size of the majority of the remainder of the page, and be
located either at the bottom of the page or in the left-most
column;
- be written in capital letters equal to or greater in size than
the surrounding text, or in contrasting type, font, or colour to
the surrounding text of the same or lesser size;
- be written in larger type than the surrounding text, or in
contrasting type, font, or colour to the surrounding text of the
same size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
Beyond the text-link route, the Act also accepts "any other
functional hyperlink" that is "so displayed that a reasonable
person would notice it."
William Malcolm, a data protection law specialist with Masons,
the international law firm behind OUT-LAW.COM, said:
"This is yet another example of the patchwork approach of the US
to protecting consumer privacy. The new law gives rise to a raft of
jurisdiction and enforcement issues that won't be easy to resolve,
especially since the law is a state law and not a federal one.
Companies who collect identifiable information of California
residents – even if they're unaware that that's what they're
collecting – need to review the adequacy of their disclaimers and
privacy policies."