January 8


privacypolicyIf you have a commercial website and have not done so already,  NOW is the time to update your company’s online privacy policy. WHY? Because January 1 was the effective date of amendments to California’s Online Privacy Protection Act(“OPPA”); these amendments require additional information in the online privacy policies of covered websites.

But, but, but, I’m not IN California!

Good for you! But that is not how we determine whether OPPA applies. It does not matter where YOU are located – what matters is whether  you collect personal information about California residents who stumble across your commercial website.

How do I know if the law applies to my website?

If you operate a commercial website and collect “personally identifiable information” (PII) about consumers through your website, OPPA applies to your site unless you ensure that PII is not collected from California residents. Good luck with that. 

Let’s unpack that just a little. First, what’s a consumer? A consumer is anyone who seeks or acquires any goods, services, money or credit for personal, family, or household purposes. In other words, if someone is checking out your site for the purpose of getting stuff, getting a service, or getting credit, that person is a consumer if the stuff, service, or credit is for their own use or the use of others in their family or household.consumer

Next, what is PII? PII (this initialism stands for “personally identifiable information,” remember?) is any individually identifiable information about an individual consumer collected online by the website operator from that individual, if it is maintained by the operator in an accessible form. PII includes any identifier that permits the physical or online contacting of a specific individual, such as the person’s name, address, e-mail address, telephone number, or social security number. PII can be affirmatively given to you by the consumer, but it also includes information concerning a user that the website collects online from the user (e.g. by capturing or tracking user data), if that information is maintained in personally identifiable form in combination with one of the other identifiers described here.

In summary, if you take or a consumer gives information through your commercial website that identifies the individual, you should adopt an  OPPA-compliant online privacy policy.

How should I post the privacy policy on my website?


That is what the law requires. A conspicuous link to it from an eye-catching icon with the word “Privacy” in it from your home page is your best bet.

What Needs to be Included in the Privacy Policy?

There is no one-size-fits-all Online Privacy Policy. Instead, the law provides that certain content must be included in the Online Privacy Policy.  Since 2004 (so, nothing new), the law has required the following to be included, as relevant:

(1) The categories of personally identifiable information the operator collects through the Web site about individual consumers who use or visit the web site and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

(4) Identify its effective date;

Last Fall, California enacted an amendment to this law that was effective January 1, 2014, which requires the following “do not track” disclosures, as relevant:

(5) disclose how the operator responds to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and

(6) disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.

One way to comply with the new disclosures might be something along the lines of: “We do not currently respond or otherwise take any action with regard to Do Not Track requests,” assuming that is true. Don’t take my word for it, though because I have not reviewed your website and do not know your practices – ask YOUR attorney.

If you are a special type of business – such as a financial institution or health care provider – additional privacy laws may apply to you. More on those laws in later posts. This one is limited to OPPA.

fine printCovering my bases: There is no legal advice contained in this post. Legal advice entails applying the law to specific facts. I don’t know what your facts are and any resemblance to them here is purely coincidental. Instead, this post is meant to provide general information, which may or may not be complete and accurate. If you need legal guidance, please feel free to contact me using the contact information on my web site.