MANDATORY PRIVACY POLICIES
IVAN HOFFMAN, B.A., J.D.
Now before you say: “But I’m not in California and my web site is not on a server in California so what has that got to do with me?,” read the above again carefully. The statute, often in law called a “long arm statute” because of its reach, applies to any web site, presumably anywhere in the universe, that collects such information from an individual consumer residing in California. (For another California statute that projects its reach outside of the geographic boundaries of California and that applies to e-commerce web sites, read “The California Long Arm Statute”. )
Therefore, if you run a “commercial web site or online service” and you “collect personally identifiable information,” you are very likely to be in violation of the California law.
The policy must contain at least the following information:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. [emphasis added]
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(4) Identify its effective date.
The statute has the following definitions:
It is important to note the breadth of the definition of “consumer” which is not limited to parties who “purchase or lease” but includes as well those who “seek” information about “any goods, services, money or credit” for the indicated purposes.22577. For the purposes of this chapter, the following definitions apply:
(a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: [emphasis added]
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
(c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.
(d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
The statute defines “conspicuously post” as follows:
However, in order to have even a remote chance of making the policy binding, especially when combining it with terms and conditions of site usage, it has to be posted in such a manner as to constitute a “contract.” Read “The Validity of Online Contracts.”22577. For the purposes of this chapter, the following definitions apply:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
What Constitutes A Violation
Moreover, the statute provides that:(a) Knowingly and willfully.
(b) Negligently and materially.
An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
Thus, the California law, whether it is the precursor to other state laws or federal laws, has applicability now. All site operators should review these matters with their attorney with experience in these areas of the law.
Copyright © 2005 Ivan Hoffman. All Rights Reserved.