Out-Law News

California's privacy policy law affects us all


A new privacy law came into force on 1st July, requiring all commercial web sites that collect "personally identifiable information" from users in California to have a conspicuous privacy policy on their web sites, even if based overseas.

The California Online Privacy Protection Act (OPPA) appears to affect every business in the world that has a web site collecting information on-line, even just e-mail addresses for newsletters, because a Californian resident could sign up at any time.

The Act, passed last year but only in force this month, applies to any person or entity "that collects personally identifiable information from California residents through an internet web site or on-line service for commercial purposes".

Such a person or entity, known as an operator, "shall conspicuously post its privacy policy on the Web site."

The privacy policy shall "identify the categories of information that the operator collects through the internet about individual users of, and visitors to, its commercial Web site or online service and the categories of persons or entities with whom the operator may share the information."

The notice should state whether the operator reserves the right to change its privacy policy without notice to the individual user; whether and how a user can change the details stored about him or her; and identify its effective date.

Operators must also, from now on, keep old versions of their privacy policies and make them available on request for up to five years.

According to California law firm Cooley Godward, while OPPA does not contain enforcement provisions itself, it is likely that the Act will be enforced under provisions of the State's Unfair Competition Law.

The requirements for full disclosure on the use of personal data echo those of Europe's data protection regime. These have no equivalent in US federal law.

In the UK, a fair processing notice – or data protection notice – must be displayed on a web site before personal data is "processed." A link to this notice is insufficient, although an additional "privacy policy," available from a link on each page, is also recommended as good practice.

In California, the requirements for displaying the privacy policy are more relaxed than the UK's requirement for displaying a data protection notice.

OPPA states that: "a text link that hyperlinks to a Web page on which the actual privacy policy is posted" is sufficient "if the text link is located on the homepage or first significant page after entering the Web site". There are other suggestions in the Act, but if following the text link approach, the Act says that the link must do one of the following:

  1. include the word "privacy", be in a type size no smaller than the type size of the majority of the remainder of the page, and be located either at the bottom of the page or in the left-most column;
  2. be written in capital letters equal to or greater in size than the surrounding text, or in contrasting type, font, or colour to the surrounding text of the same or lesser size;
  3. be written in larger type than the surrounding text, or in contrasting type, font, or colour to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

There are some other display options described in the Act. Alternatively, it suggests compliance can be achieved with "any other functional hyperlink" that is "so displayed that a reasonable person would notice it."

William Malcolm, a data protection law specialist with Masons, the international law firm behind OUT-LAW.COM, said:

"This is yet another example of the patchwork approach of the US to protecting consumer privacy. The new law gives rise to a raft of jurisdiction and enforcement issues that won't be easy to resolve, especially since the law is a state law and not a federal one. Companies who collect identifiable information of California residents – even if they're unaware that that's what they're collecting – need to review the adequacy of their disclaimers and privacy policies."
