Privacy is a tricky subject in the United States. How so? The founding fathers apparently became distracted and failed to mention it in the Constitution. Oops! Despite this exclusion, the Justices of the United States Supreme Court have concluded that there is a right of privacy inferred in the Constitution even if the founders failed to write it down. This judicial activism has created an enormous and ongoing controversy over cases decided one way or another on this inferred right. For instance, the seminal abortion case of Roe vs. Wade is based on a woman’s right to privacy.
California Privacy Rights
The situation in California is entirely different. The state constitution expressly states that citizens have a right to privacy. In truth, California has overreacted a bit to the lack of privacy law at the federal government level. Whereas the “feds” are relatively incompetent when it comes to privacy issues, California has passed the following laws on privacy subjects:
- California Anti-Phishing Act of 2005;
- California Online Privacy Protection Act of 2003;
- California Financial Information Privacy Act;
- California Right to Financial Privacy Act;
- Consumer Protection Against Computer Spyware Act;
- California Invasion of Privacy Act;
- Information Practices Act of 1977; and
- Confidentiality of Medical Information Act.
By the time you read this, there may be another five to ten laws on the books! Regardless, California has become the de facto privacy center of the country.
That is a very convoluted sentence, but it is critical that you pay attention to the second part that states “…personally identifiable information from visitors to the site who live in California…” Regardless of the location of your business, you must comply with this law if you capture the name of a single visitor from California. Practically speaking, the vast majority of sites will do so and must comply with the law.
- On the operator’s home page or the first significant page after entering the website;
- Through an icon that hyperlinks to the actual policy, if the icon is located on the operator’s home page or the first significant page after entering the website, and the icon contains the word “privacy” in a contrasting color from the web page where it is located;
- Through a hyperlink to the actual policy if the link is located on the operator’s home page, or the first significant page after entering the website, and the link includes the word “privacy,” is in capital letters at least as big as the surrounding text, and is in larger type than the surrounding text, or contrasting type, or set off by symbols or other marks;
- Through any other functional hyperlink that a reasonable person would notice; or
- Identify the categories of personally identifiable information the operator collects through the website about individuals who visit the site and the third persons or entities with whom the operator may share the information;
- Describe any process the operator maintains for an individual to review and request changes to any of his or her information;
- Indicate the policy’s effective date.
Website owners will often publish statements on their site to the tune of “we will not rent or sell your email address to third parties because we value your privacy.” Is there anything wrong with this statement? There certainly can be.
What happens if Microsoft decides it loves your site and offers you a huge amount of money for it? Can you sell the site? Yes, but what about your customer email list? You told those customers you would not sell their email addresses to third parties. You are about to do just that and violate your policy! This violation will get you into trouble with the customers as well as federal and state governments.
Mind you, the above educational discussion only covers general commercial sites or services. If the site in question deals with financial or medical issues, the privacy requirements are much more stringent. Then we get into Civil Code Section 1798.83. This California law creates additional burdens a site must deal with if it provides member information to third parties for direct marketing purposes. This code section is spawning lawsuits left and right, so make sure you are in compliance.
Richard A. Chapo, Esq.