California Ups the Ante On Privacy Policy Disclosures

For the past decade, California law has set the template for commercial website privacy policies.  With the passage of a new law, set to take effect January 1, 2014, the state has updated the disclosures required of any commercial website operator who collects personally identifiable information from California residents.

California’s Online Privacy Protection Act.   In 2003, California became the only state to require all websites that collect personal information (“PII”) from visitors – in this case, California residents – to post a privacy policy.   Until then, there was no generally applicable privacy policy requirement under either state or federal law, and, to this day, neither the other states nor the federal government have imposed such a requirement.  Federal privacy policy requirements have been limited to specific kinds of information (such as under Children’s Privacy Protection Act) or industries (under the Health Insurance Portability and Accountability Act).  Under the 2003 law, Internet sites need to identify the “categories” of personally identifiable information collected about “individual consumers”; describe the “categories” of third parties with whom the information may be shared; disclose (if there is one) any process for individuals to review or request changes to their personal information; explain how notice is given to consumers of changes in the privacy policy; and post the policy’s effective date. The definition of PII is more expansive than encountered in data breach statutes, and includes email addresses, partial addresses (including street names and towns), and first and last names.  The privacy policy also must be “conspicuously” posted, as defined by the statute.

Now, however, the law has been significantly expanded.

FTC Report outlines Consumer Privacy Framework, urges self-regulation

Following on the heels of the White House’s “Consumer Privacy Bill of Rights,” (recently discussed in this space), the Federal Trade Commission released its own final report on Consumer Privacy last month: “Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers.” The issue of consumer privacy online continues to receive sustained attention from privacy advocates, policymakers and journalists (see, for example, the Wall Street Journal’s “What they Know” series), and this latest policy paper highlights a number of important areas for retailers.