California Privacy Policy Requirements – Applicable To All States?

Website owners often seem to take the position that privacy policies are optional. Nothing could be further from the truth. You are legally required to publish a privacy policy on your site, and California leads the way in this regard.

Federal Privacy Rights

Privacy is a tricky subject in the United States. How so? The founding fathers apparently became distracted and failed to mention it in the Constitution. Oops! Despite this exclusion, the Justices of the United States Supreme Court have concluded that there is a right of privacy inferred in the Constitution even if the founders failed to write it down. The result of this judicial activism has created an enormous and ongoing controversy over cases decided one way or another on this inferred right. For instance, the seminal abortion case of Roe vs. Wade is based on a woman’s right to privacy.

California Privacy Rights

The situation in California is entirely different. The state constitution expressly states that citizens have a right to privacy. In truth, California has overreacted a bit to the lack of privacy law at the federal government level. Whereas the “feds” are relatively incompetent when it comes to privacy issues, California has passed the following laws on privacy subjects:

  • California Anti-Phishing Act of 2005;
  • California Online Privacy Protection Act of 2003;
  • California Financial Information Privacy Act;
  • California Right to Financial Privacy Act;
  • Consumer Protection Against Computer Spyware Act;
  • California Invasion of Privacy Act;
  • Information Practices Act of 1977; and
  • Confidentiality of Medical Information Act.

By the time you read this, there may be another five to ten laws on the books! Regardless, California has become the de facto privacy center of the country.

Website Privacy Policy Required

The California Online Privacy Protection Act of 2003 is the state law most often applicable to online properties. The law requires operators of commercial websites or online services that collect personally identifiable information from visitors who live in California to post a privacy policy and to comply with that policy.

That is a very convoluted sentence, but it is critical that you pay attention to the second part that states “…personally identifiable information from visitors to the site who live in California…” Regardless of the location of your business, you must comply with this law if you capture the name of a single visitor from California. Practically speaking, the vast majority of sites will do so and must comply with the law.

Pursuant to the Act, an online operator must post the privacy policy as follows:

  • On the operator’s home page or the first significant page after entering the website;
  • Through an icon that hyperlinks to the actual policy, if the icon is located on the operator’s home page or the first significant page after entering the website, and the icon contains the word “privacy” in a contrasting color from the web page where it is located;
  • Through a hyperlink to the actual policy if the link is located on the operator’s home page, or the first significant page after entering the website, and the link includes the word “privacy,” is in capital letters at least as big as the surrounding text, and is in larger type than the surrounding text, or contrasting type, or set off by symbols or other marks;
  • Through any other functional hyperlink that a reasonable person would notice; or
  • For an online service, any other reasonably accessible means of making the privacy policy available for customers.

Privacy Policy Content

A rather obvious question is what information must be included in the privacy policy statement? The general requirements pursuant to the Act are:

  • Identify the categories of personally identifiable information the operator collects through the website about individuals who visit the site and the third persons or entities with whom the operator may share the information;
  • Describe any process the operator maintains for an individual to review and request changes to any of his or her information;
  • Describe how the operator notifies visitors to the website of material changes to the privacy policy; and
  • Indicate the policy’s effective date.

Forward Thinking

It is important to think about the future when creating a privacy policy for your site. Most sites slap up any old thing and hamstring themselves in the future. Let’s look at an example of how this might happen.

Website owners will often publish statements on their site to the tune of “we will not rent or sell your email address to third parties because we value your privacy.” Is there anything wrong with this statement? There certainly can be.

What happens if Microsoft decides it loves your site and offers you a huge amount of money for it? Can you sell the site? Yes, but what about your customer email list? You told those customers you would not sell their email addresses to third parties. You are about to do just that and violate your policy! This violation will get you into trouble with the customers as well as federal and state governments.

Additional Requirements

Mind you, the above educational discussion only covers general commercial sites or services. If the site in question deals with financial or medical issues, the privacy requirements are much more stringent. Then we get into Civil Code Section 1798.83. This California law creates additional burdens a site must deal with if it provides member information to third parties for direct marketing purposes. This code section is spawning lawsuits left and right, so make sure you are in compliance.

In Closing

Are you required to post a privacy policy on the site of a business based in California or that obtains personal information from visitors in the state? In a word – yes. Make sure you avoid prosecution by complying with the requirements.

Richard A. Chapo, Esq.