Mellisa C. Marsh, Esq.
 
Home | About Us | Practice Areas | Articles | Contact Us | Directions| Links | Disclaimer | Copyright | Privacy

Internet Alert

Important Disclaimer

June 2004

California’s Online Privacy Policy Law - OPPA
Prepared By: Melissa C. Marsh

California's Online Privacy Protection Act of 2003 (OPPA) Online Privacy Protection Act of 2003 (OPPA) became effective on July 1, 2004, and applies to all businesses that have a commercial website or online service that collects personally identifying information from consumers in California.

Although many companies already have online privacy policies, the new California law imposes specific requirements concerning both the form and the content of a website privacy policy.

First, OPPA requires each business that collects personally identifiable information from California consumers through an online service or commercial website to "conspicuously post" a privacy policy. This means that either the actual text of the privacy policy, or a link to the privacy policy, must appear on the homepage, as follows:

  • If a company uses an icon as a hyperlink, it must be included on the homepage, must include the word "privacy," and must also use a color that contrasts with the background color of the page.

  • If a company uses a text link, it must either include the word "privacy" and be written in capital letters equal to or greater in size than the surrounding text or be "written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language."

  • If a company uses some other functional link, it must be displayed so that a "reasonable person" would notice it, and must be "reasonably accessible."

OPPA, further requires a privacy policy include the following information:

  1. The categories of personal information that will be collected-- personal information includes first and last name, street address, email address, telephone number, social security number, any other identifier by which a person can be contacted physically or online, and any other information that is collected from the user and maintained in an identifiable form;

  2. The categories of third parties with whom this personal information may be shared;

  3. A description of the process by which consumers can review or request changes to their personal information, if any such process exists;

  4. A description of the process by which consumers will be notified of any material changes to the privacy policy; and

  5. The effective date of the policy.

Companies that are notified of noncompliance have 30 days to comply. A failure to comply with these requirements could lead to civil fines or injunctions.

Companies that already have privacy policies posted on their websites may need to evaluate whether these policies are sufficiently accessible and contain the required information. However, before implementing any changes to your existing privacy policy, companies should be prepared to provide consumers with notice of the impending change, provide the consumer with a choice to either “opt-in” or “opt-out” with respect to previously collected data, and announce that such changes have and will occur. In some cases, providing adequate notice and an opportunity to "opt out" may be sufficient, but in other cases depending on the original privacy policy in place, "explicit, opt-in" consent may be required.

© Melissa C. Marsh 2004 All Rights Reserved.

If you have any questions, or would like further information, please e-mail us at
mmarsh@yourlegalcorner.com or call: 323-655-1002.

Disclaimer: This article has been prepared by Melissa C. Marsh for general informational purposes only and does not constitute legal advice. Readers should not rely or act upon the information contained in this article for any purpose without seeking legal advice from a local licensed attorney in your state. This article is not, and should not be used as, a substitute for legal advice as your specific factual circumstances may differ, the laws of your jurisdiction may differ, and the laws may have changed. Your use of this Internet site does not create an attorney-client relationship. Transmission of this article is not intended to create, and receipt of it does not constitute, an attorney-client relationship. All uses of the contents of this site, other than personal uses, are prohibited.