The California Online Privacy Protection Act (OPPA) appears to affect every business in the world that has a web site collecting information on-line, even just e-mail addresses for newsletters, because a Californian resident could sign up at any time.
The Act, passed last year but only in force this month, applies to any person or entity "that collects personally identifiable information from California residents through an internet web site or on-line service for commercial purposes".
Such a person or entity, known as an operator, "shall conspicuously post its privacy policy on the Web site."
The privacy policy shall "identify the categories of information that the operator collects through the internet about individual users of, and visitors to, its commercial Web site or online service and the categories of persons or entities with whom the operator may share the information."
The notice should also state whether the operator reserves the right to change its privacy policy without notice to the individual user, whether and how a user can change the details stored about him or her, and the policy's effective date.
Operators must also, from now on, keep old versions of their privacy policies and make them available on request for up to five years.
According to California law firm Cooley Godward, while OPPA does not contain enforcement provisions itself, it is likely that the Act will be enforced under provisions of the State's Unfair Competition Law.
The requirements for full disclosure on the use of personal data echo those of Europe's data protection regime. These have no equivalent in US federal law.
In the UK, a fair processing notice – or data protection notice – must be displayed on a web site before personal data is "processed." A link to this notice is insufficient, although an additional "privacy policy," available from a link on each page, is also recommended as good practice.
In California, the requirements for displaying the privacy policy are more relaxed than the UK's requirement for displaying a data protection notice.
OPPA states that "a text link that hyperlinks to a Web page on which the actual privacy policy is posted" is sufficient "if the text link is located on the homepage or first significant page after entering the Web site". The Act describes other approaches, but where the text link approach is used, it says the link must do one of the following:
There are some other display options described in the Act. Alternatively, it suggests compliance can be achieved with "any other functional hyperlink" that is "so displayed that a reasonable person would notice it."
William Malcolm, a data protection law specialist with Masons, the international law firm behind OUT-LAW.COM, said:
"This is yet another example of the patchwork approach of the US to protecting consumer privacy. The new law gives rise to a raft of jurisdiction and enforcement issues that won't be easy to resolve, especially since the law is a state law and not a federal one. Companies who collect identifiable information of California residents – even if they're unaware that that's what they're collecting – need to review the adequacy of their disclaimers and privacy policies."