Under California Business and Professions Code section 22575-22579, any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” must have a privacy policy on its web site.

        Now before you say: “But I’m not in California and my web site is not on a server in California so what has that got to do with me?,” read the above again carefully.  The statute, often in law called a “long arm statute” because of its reach, applies to any web site, presumably anywhere in the universe, that collects such information from an individual consumer residing in California.  (For another California statute that projects its reach outside of the geographic boundaries of California and that applies to e-commerce web sites, read “The California Long Arm Statute”. )

        To this point, with some important exceptions, there is no federally mandated requirement that most web sites have a privacy policy.  The Federal Trade Commission has, however, come down hard on sites which do have a privacy policy but which violate the terms of their own privacy policy.  (Read “Rights of Privacy: An Overview” and “Privacy Issues: New Wrinkles”)   Additionally, those sites that are directed to children, among other kinds of web sites, must have a very detailed privacy policy.  (Read “The Children’s Online Privacy Protection Act” and “Verifiable Parental Consent Under COPPA.”)

        Thus, the California statute in legal effect makes having a privacy policy mandatory for all covered sites since, as a practical matter, there is no way that any site can realistically exclude “individual consumers residing in California.”

        Therefore, if you run a “commercial web site or online service” and you “collect personally identifiable information,” you are very likely to be in violation of the California law.

Some Details

The Nature of the Privacy Policy

        The policy must contain at least the following information:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. [emphasis added]

   (2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

   (3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service  of material changes to the operator's privacy policy for that Web site or online service.

   (4) Identify its effective date.


        The statute has the following definitions:

22577.  For the purposes of this chapter, the following definitions apply:

   (a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: [emphasis added]
   (1) A first and last name.
   (2) A home or other physical address, including street name and name of a city or town.
   (3) An e-mail address.
   (4) A telephone number.
   (5) A social security number.
   (6) Any other identifier that permits the physical or online contacting of a specific individual.
   (7) Information concerning a user that the Web site or online service collects online from the user and  maintains in personally identifiable form in combination with an identifier described in this subdivision.

   (c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes.  It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.
   (d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

        It is important to note the breadth of the definition of “consumer” which is not limited to parties who “purchase or lease” but includes as well those who “seek” information about “any goods, services, money or credit” for the indicated purposes.

How the Privacy Policy Must Be Posted

        The statute defines “conspicuously post” as follows:

22577.  For the purposes of this chapter, the following definitions apply:

   (b) The term "conspicuously post" with respect to a privacy policy shall include posting the privacy policy through any of the following:
   (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.
   (2) An icon that hyperlinks to a Web  page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy."  The icon shall also use a color that contrasts with the background color of the Web page or is
otherwise distinguishable.
   (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
   (A) Includes the word  "privacy."
   (B) Is written in capital letters equal to or greater in size than the surrounding text.
   (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
   (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
   (5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

        However, in order to have even a remote chance of making the policy binding, especially when combining it with terms and conditions of site usage, it has to be posted in such a manner as to constitute a “contract.”  Read “The Validity of Online Contracts.”

What Constitutes A Violation

        In addition to substantive violations as indicated above, the statute offers a bit of flexibility.  It provides that an operator is in violation “if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways:

   (a) Knowingly and willfully.
   (b) Negligently and materially.
        Moreover, the statute provides that:
An operator shall be in violation of this subdivision only if the operator fails to post its policy within  30 days after being notified of noncompliance.

        Thus, the California law, whether it is the precursor to other state laws or federal laws, has applicability now.  All site operators should review these matters with their attorney with experience in these areas of the law.

Copyright © 2005 Ivan Hoffman.  All Rights Reserved.


This article is not legal advice and is not intended as legal advice.  This article is intended to provide only general, non-specific legal information.  This article is not intended to cover all the issues related to the topic discussed.  The specific facts that apply to your matter may make the outcome different than would be anticipated by you.  This article is based on United States law.  You should consult with an attorney familiar with the issues and the laws of your country.  This article does not create any attorney client relationship and is not a solicitation.


No portion of this article may be copied, retransmitted, reposted, duplicated or otherwise used without the express written approval of the author.



Where Next?

Ivan Hoffman Attorney At Law || More Internet and Electronic Rights Articles || More Articles About Spam and Privacy ||  More Articles for Web Site Designers and Site Owners || Home