You enter an online store. You slow down. You look left and right, making sure that the website is well-known and secure. You start making the purchase. Having carefully completed the site registration form, name, address, credit card number etc. you hit "Send". The transaction is complete…and so, by the click of a mouse-key you have just sent your private information across the World Wide Web. Though this is a common, almost casual action these days, for many it is still accompanied by a sense of foreboding. With no "carbon copy" to rip into little shreds as in the "olden days", the information sent is now at the mercy of the website owner.

….This is no longer the case in California.

On July 1, 2004, the California Online Privacy Protection Act 2003 went into effect. This is the first law in the United States to require the posting of a website privacy policy. It is expected that this law will have far-reaching implications as it applies to the owners of certain commercial websites or to providers of online services worldwide.

The Law, intended to prevent the sale or distribution of private information of people surfing the net, requires websites or providers of online services to conspicuously post their privacy policy on their websites if the website is one which collects a certain type of information from consumers who are residents of the State of California and maintains such information. OPPA requires that the privacy policy specify the type of information the website collects as well as any third parties with whom such information might be shared and the circumstances when such sharing may take place. The websites are then required to comply with the terms of the privacy policy.

To whom does the law apply?

The law applies to websites or services engaging in the collection of "personally identifiable information". Such information is defined as information collected through the internet which allows a consumer to be individually identifiable, for example: first and last name, address, email address, telephone number, personal ID (Social security) number, and any other information which allows such person to be contacted online or in the physical world. Personally identifiable information also includes information collected and maintained by the website e.g.: date of birth, weight, height, eye color etc with regard to an individual consumer when added to any of items listed above. A "consumer" is defined as a person who seeks or purchases information, services, money or credit for his personal needs or for the needs of his household or family.

Requirements from Website owners

The OPPA requires the operators of a commercial website to conspicuously post their website's privacy policy. That is to say that they must post the terms of the policy on the website's homepage, on the first page following the homepage or on another page which is hyperlinked to the homepage. Such link may be done using an icon or text which is distinguishable in size, font, or color and must include the word "Privacy".

Under OPPA a privacy policy must include the following terms:

• Categories of personally identifiable information collected by the website or online service.
• A list of third parties with whom the website/service may share the said personally identifiable information.
• A description of the process (if there is one) through which visitors may change their personal information collected by the website.
• A description of the process by which the site/service will notify consumers of changes in its privacy policy.
• The date the privacy policy goes into effect.

A website which does not implement the said requirements within 30 days from the time it receives notification that it does not comply – will be in violation of OPPA.

A violation of any of the provisions of OPPA may be considered a breach of the California Unfair Competition Law and the party in violation may be subject to remedies under this law. In addition, a party who violates OPPA may be susceptible to actions by the US Federal Trade Commission who may bring enforcement actions against the breaching entities.

California based commercial companies have already prepared for the entry of OPPA into effect and have implemented the necessary changes for making their websites' privacy policies compliant with OPPA. An example of this is Google, operator of the famous search engine.

Recommendations

It is recommended that every owner of a commercial website or online service which collects personally identifiable information, as aforesaid, update the privacy policy posted on its website. Such privacy policy must include the categories of information collected and maintained by the website/service and the third parties with which such information may be shared. The privacy policy must be updated regularly and it must be ascertained, by periodic checks that the type of information collected and the manner in which it is collected is in accordance with the same terms. In addition, it the information must be maintained in a secure manner using proper information security technology.

*Odia Kagan is the Head of the IT and Internet Law department of Shavit Bar-On Inbar Law Offices and is admitted to practice law in Israel, New York and England & Wales. She may be contacted at: okagan@sbilaw.com

*This article does not constitute legal advice and may not be relied upon for any action or omission.