The Independent Counsel

Government Contracts

California's Online Privacy Protection Act


"Why should I care about one state's Internet statute?" you ask. Here's one scenario: Your company's marketing department is overflowing with leads from on-line giveaways for its new game. Sales should double in twelve months! All is well in your Hartford, CT, headquarters...

Down the hall, a Web server reaches out to touch a 19-year-old Californian named Terry, who tries to decide whether or not to fill in the contact information on your company Web site. He's looking for your company's privacy policy.

He finally finds it via a small link at the foot of the "About Us" page. The policy is a few brief paragraphs copied from a competitor. More than 30 days ago, the California attorney general's office sent your company a notice that its site was in noncompliance with the California Online Privacy Protection Act (Business and Professions Code §§22575-22579) ("OPPA"). Your company has just violated OPPA.

OPPA, which became effective on July 1, 2004, potentially can affect any business with a Web site that collects personally identifiable information ("Identifiers") through the Internet about individual consumers in California. Identifiers can be IP addresses, first and last names, geographical addresses, telephone numbers, and other data that can be used to contact the visitor.

Many sites today automatically capture at least one Identifier: the visitor's IP address. Consumers under OPPA include any individual that seeks or acquires goods, services, money or credit for personal, family or household purposes, so that would be just about any California based user of a commercial Web site.

California is a technology center with more than 35 million people and a GDP that in 2001 exceeded $1.3 trillion. It makes sense for businesses to reach California consumers. Thus, for all practical purposes, OPPA can apply to any site that targets consumers, since some of those will be California residents.

To comply with the Act, owners of Web sites or online services must post a privacy policy either on the home page or first significant page of their site, or be linked conspicuously from that page to the actual policy.

For a link to be conspicuous, the word "PRIVACY" must be in capital letters, and also in larger type or a different font than the words around it. The links on most Web sites today do not comply with this very specific requirement.

The requirements for the privacy policy itself to comply with OPPA are:

  1. It must specify which Identifiers the owner collects, and the types of third parties with which Identifiers might be shared;
  2. If the owner provides a process for consumers to change the Identifiers, that process must be described;
  3. The effective date of the policy must be stated; and
  4. The operator must describe how it will notify consumers of any material changes to its privacy policy.

OPPA could catch many Web site owners unaware. On-line purveyors of products and services should therefore check their privacy policies against the act.

Readers may also wish to review California's Unfair Competition Law (Business and Professions Code §17200), California's most frequently used consumer protection statute, and considered by many to be the toughest in the country.

Comment: Depending on how aggressively California's Attorney General enforces OPPA, an ounce of OPPA compliance could save pounds for a defense against a combined OPPA and California Consumer Protection Act violation claim.

© ASSOCIATION OF INDEPENDENT GENERAL COUNSEL 2005; (all rights reserved). This article is not intended as legal advice. Consult a qualified attorney for assistance concerning a specific issue or problem.