Creating a Privacy Policy Compliant with the New Online Privacy Protection Act
December 2003
A new California law is certain to result
in lawsuits against commercial Web site operators who don't post an adequate
privacy policy. Learn the requirements, ramifications, and what should be done
to comply.
by Jennifer Simin,
edited by Gary E. Clayton
www.privacycg.com
Risk managers, grab the aspirin. The lack of a sufficient national standard in
the United States for online privacy practices has long promised to produce
a rash of state laws, each with its own compliance requirements. And it's finally
begun.
A new California law will certainly produce a flurry of lawsuits against
commercial Web site operators who don't post a privacy policy that meets specific
standards. It also opens up those operators to civil suits when they fail to
comply with their own privacy policies. The law has a national impact, applying
to any Web site operator that collects information on California residents.
Similar laws are pending in New Jersey and New York with other states likely
to follow suit.
Effective July 1, 2004, California's Online Privacy Protection Act of 2003
(A.B. 68) requires owners of commercial Internet Web sites or online services
(referred to as "operators" under the Act) that collect personally identifiable
information (PII) from California residents to:
- Conspicuously post their privacy policies on their Web sites
- Disclose in their privacy policies the categories of personally identifiable
information collected from consumers
- Disclose in their privacy policies the types of third parties with whom
that information may be shared
- Provide in their privacy policy a description of the process through
which consumers may request changes to their personal information (when
an operator allows such changes)
- Provide in their privacy policy a description of the process by which
consumers will be notified of material changes to their privacy policy
- Identify in their privacy policy the policy's effective date
An operator violates the Act if it fails to post its privacy policy within
30 days after being notified of noncompliance. Failure to comply with the Act,
or with the provisions of the operator's own posted privacy policy, is also
a violation when the noncompliance is either knowing and willful or negligent
and material. Finally, ISPs and similar entities that transmit or store PII
at the request of third parties are exempt from the law with respect to that
information.
Sound complicated? Wait until you hear about the font and color specifications
required for the privacy policy link. But, while compliance with A.B. 68 sounds complex,
it is an essential activity for any online organization. Noncompliance with
privacy laws will create legal costs and can damage a brand.
Being sued for neglecting online privacy may very well throw an organization
into the court of public opinion, where the ruling can be a public relations
nightmare that does irreparable damage. Would you, for instance, shop online
at a Web site known for not protecting personal data?
However, the risk associated with A.B. 68 applies not only to those who don't
comply with the law, but to those who do as well. That's because properly managing
privacy is a complex business initiative. In the case of A.B. 68, if you don't
have the right privacy policy, you're in trouble. But if you do post the right
privacy policy you become vulnerable to the inevitable compliance confusion
and honest mistakes that cause your organization to violate its stated policies.
So, what's the best defense?
To begin, a clear understanding of the law is necessary for all members of
your organization. With that understanding in pocket, you can then develop,
post, and adhere to a privacy policy that helps mitigate the risks imposed by
A.B. 68. This article provides an explanation of the law's provisions and some
practical guidelines for complying.
Getting Down to the Details
First, it is important to understand what the law says and does not say and
to clarify the terminology used. The complete text of A.B.
68 can be read online. Following is a detailed explanation of the provisions
of the law. You'll need to get legal counsel's opinion on how these provisions
apply specifically to your organization and on any ambiguous language that has
yet to be interpreted in the courts.
What's the Point? The stated purpose of A.B.
68 is to "improve the knowledge" that consumers have "as to whether personally
identifiable information obtained by the commercial Web site through the Internet
may be disclosed, sold or shared." In other words, A.B. 68 requires transparency
of information handling practices from commercial Web site operators so that
consumers can be well informed. The hope is that with improved knowledge will
come improved trust in online commerce.
Who Must Comply? The law applies specifically
to "An operator of a commercial Web site or online service that collects personally
identifiable information through the Internet about individual consumers residing
in California who use or visit its commercial Web site or online service." However,
"Internet service providers or similar entities shall have no obligations under
this act related to personally identifiable information that they transmit or
store at the request of third parties." What's notable here is the reach of
A.B. 68. The California law applies to any commercial Web site operator collecting
PII from Californians, regardless of the operator's location. The law's reach
stretches far beyond state lines.
What Constitutes Personally Identifiable Information
(PII)? According to the letter of the law, personally identifiable information
is information about "an individual consumer collected online by the operator
from that individual and maintained by the operator in an accessible form, including
any of the following:"
- A first and last name
- A home or other physical address, including street name and name of
a city or town
- An e-mail address
- A telephone number
- A social security number
- Any other identifier that permits the physical or online contacting
of a specific individual
- Information concerning a user that the Web site or online service collects
online from the user and maintains in personally identifiable form in combination
with any of the above identifiers.
What's notable here is that the definition of PII, through its catch-all "any
other identifier" clause and its "in combination with" clause, could conceivably
reach cookies and other tracking identifiers even though these technologies are
not specifically named in the law.
What Does It Mean To "Conspicuously Post" A Privacy
Policy? Conspicuously posting the privacy policy includes any of the
following.
- A Web page on which the actual privacy policy is posted if the Web page
is the homepage or first significant page after entering the Web site
- An icon that hyperlinks to a Web page on which the actual privacy policy
is posted, if the icon is located on the homepage or the first significant
page after entering the Web site, and if the icon contains the word "privacy."
The icon shall also use a color that contrasts with the background color
of the Web page or is otherwise distinguishable.
- A text link that hyperlinks to a Web page on which the actual privacy
policy is posted, if the text link is located on the homepage or first significant
page after entering the Web site, and if the text link does one of the following:
- Includes the word "privacy."
- Is written in capital letters equal to or greater in size than the
surrounding text
- Is written in larger type than the surrounding text, or in contrasting
type, font, or color to the surrounding text of the same size, or set
off from the surrounding text of the same size by symbols or other marks
that call attention to the language
- Any other functional hyperlink that is so displayed that a reasonable
person would notice it
- In the case of an online service, any other reasonably accessible means
of making the privacy policy available for consumers of the online service.
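The text-link and icon tests above are mechanical enough to check automatically. The following script is an added example, not part of the original article or of the Act; it is an assumed, simplified compliance check, not legal advice. It assumes the caller supplies the HTML of the home page (or first significant page) and the URL of the privacy policy page, treats an `<img alt>` value as the icon's visible word, and skips the type-size, contrast and "reasonable person" tests, which need a rendered page rather than raw HTML.

```python
"""Static check for the "conspicuously post" text-link and icon tests.

Added example with assumptions not taken from the Act or the article:
the caller supplies the home page HTML and the privacy policy URL; an
icon's visible word is read from its <img alt>; the font-size, contrast
and "reasonable person" tests are not evaluated (they need rendered CSS).
"""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect href, visible text and <img alt> values for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = {"href": attrs.get("href") or "", "text": [], "alts": []}
        elif tag == "img" and self._open is not None:
            self._open["alts"].append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            link = self._open
            # Collapse whitespace so "Privacy\n  Policy" reads as "Privacy Policy".
            link["text"] = " ".join("".join(link["text"]).split())
            self.links.append(link)
            self._open = None


def _points_to(href, policy_href):
    # Accept an exact match or an absolute URL ending in the policy path
    # (simplification: no further URL normalisation).
    return href == policy_href or href.endswith(policy_href)


def check_conspicuous(html, policy_href):
    """Return (ok, findings).

    findings: one dict per link to policy_href listing the statutory tests it
    satisfies; ok is True when at least one such link passes a test.
    """
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        if not _points_to(link["href"], policy_href):
            continue
        text, passed = link["text"], []
        if "privacy" in text.lower():
            passed.append("text link includes the word 'privacy'")
        elif text and text.isupper():
            passed.append("text link in capital letters (size not verified)")
        if any("privacy" in alt.lower() for alt in link["alts"]):
            passed.append("icon contains the word 'privacy' (via alt text)")
        findings.append({"href": link["href"], "text": text, "passed": passed})
    ok = any(f["passed"] for f in findings)
    return ok, findings


# Constructed sample home page for the demonstration; not a real site.
SAMPLE_HOME = """
<html><body>
<a href="/about.html">About us</a>
<a href="/privacy.html">Legal</a>
<a href="/privacy.html"><img src="seal.gif" alt="Privacy statement"></a>
<a href="/privacy.html">Privacy Policy</a>
</body></html>
"""

if __name__ == "__main__":
    ok, findings = check_conspicuous(SAMPLE_HOME, "/privacy.html")
    print("compliant" if ok else "NOT compliant")
    for f in findings:
        print(f)
```

Run against the sample page, the "Legal" link to the policy fails every test it can evaluate, while the "Privacy Policy" text link and the icon with "Privacy" in its alt text both pass, so the page as a whole is reported compliant. A page whose only link to the policy reads "Legal" would be reported noncompliant; a result of "compliant" still leaves the placement (home page or first significant page) and the rendered size and contrast for a human to confirm.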
What Does It Mean To Disclose Information? The remaining provisions of A.B. 68 require disclosure of various types of information:
(1) categories of PII collected, (2) types of third parties with whom information
is shared, (3) the process (when allowed) for changing PII, (4) the process
by which you will notify consumers of policy changes, and (5) the privacy policy's
effective date. Disclosure is a risk-filled process. It requires that you say
what you do and do what you say, or suffer the consequences of breaking your
own promises. In the case of A.B. 68, the consequence of not keeping your information
handling promises is a civil suit for unfair business practices. On a federal
level, the Federal Trade Commission is empowered to bring a deceptive or unfair
trade practices charge against a company whose posted policy does not accurately
reflect its actual practices.
Creating a Compliant Policy
Developing, implementing and enforcing a strong privacy policy are the most
important actions a company can take to comply not just with California's A.B.
68, but with local, state, federal and international privacy regulations as
well. In addition, a privacy policy provides a company the opportunity to build
trust with consumers, employees, investors and stockholders.
Risk and legislation make privacy policy development tricky. As noted above, posting
a policy means you are promising to abide by it, so even an organization that posts
the right privacy policy remains exposed to the inevitable compliance confusion
and honest mistakes that cause organizations to violate their stated policies.
Another difficulty is compliance with the growing patchwork of laws prescribing
standards and procedures for privacy policy development and implementation.
New Jersey and New York both have pending legislation similar to California's
A.B. 68 (see N.Y. Assembly Bill No. 08035, N.Y. Assembly Bill No. 04385, and
N.J. Assembly Bill No. 365). A worst case scenario is described by the president
of the Information Technology Association of America (ITAA), Harris N. Miller,
who asked Governor Gray Davis to veto A.B. 68:
"The regulatory scheme envisioned by A.B. 68 would pose significant costs
and challenges for companies. Imagine if many or all states adopt different
online privacy notice standards that conflict in some respect, websites
would be unable to comply without engaging in more data collection (asking
every user what state they are from) and engaging in the costly and onerous
task of posting a separate privacy notice for each state."1
To avoid a scenario like the one Mr. Miller describes, consider developing
your privacy policies using the highest possible standards, thereby covering
all your bases. Also, you may consider seeking outside help from privacy consultants
in managing your legislative compliance effort. The recommendations that follow
take an even higher road than A.B. 68 requires. The recommendations are not
a substitute for professional advice in specific situations, but should serve
as helpful guidelines in beginning your privacy policy development.
Privacy Assessment Review. Before creating
a competent privacy policy, a company must understand its information practices.
If it does not fully understand its own procedures, it is likely to have a difficult
time living up to the assertions of its privacy policy. After an effective assessment,
a company should be able to thoroughly answer the types of questions outlined
in Figure 1.
FIGURE 1 PRIVACY ASSESSMENT REVIEW QUESTIONS
- What consumer and employee information does the company collect?
- How does the company collect the information?
- How does the company use the consumer and employee information?
- What are the company's current privacy-related policies and
procedures?
- Does the company share consumer data with affiliates and/or
nonaffiliated third parties?
- What agreements does the company have in place with these affiliates
or third parties regarding the use of this personal data?
- What data systems store and access personal data?
- What level of security and confidentiality does the company
apply to personal data? What about affiliates and third parties?
- Who will monitor the privacy process?
- What actions will be required for compliance with applicable
regulations in your industry and what resources will be needed?
- If you operate in countries other than the United States, what
are the differences in privacy policies of those countries, and
how will you comply with them?
- Which individuals/job titles/departments have access to consumer
and employee data?
- What training is provided to employees handling such data?
- Is your company prepared to deal with a media crisis or a media
opportunity involving privacy?
Once a company understands its information practices, it can decide whether
to change or improve them—often a good idea if little attention has been focused
on privacy issues in the past. It is at this time that a company is in a better
position to articulate a responsible privacy policy with accuracy.
To create a successful privacy policy, a company should consider inclusion
of the five core Fair Information Practice principles articulated by the U.S.
Federal Trade Commission, which draw on the privacy guidelines issued by the
Organization for Economic Co-Operation and Development (OECD) in 1980. The principles of
Fair Information Practices include:
- Notice/Awareness
- Choice/Consent
- Access/Participation
- Integrity/Security
- Enforcement/Redress
An explanation of the Fair Information Practices follows.
Notice/Awareness. The most fundamental privacy
principle is Notice/Awareness—telling individuals how their personal data will
be collected and used. A section devoted especially to Notice/Awareness is basic
to a sound privacy policy. That section should include the following subsections:
- Introduction
- Scope
- Method of Data Collection
- Type of Data Collected
- Use of Data Collected
- Data Sharing
Introduction. The notice portion of a privacy
policy typically begins with a statement of the company's overall commitment
to privacy.
Scope. A privacy policy should disclose to
a consumer the areas of the company covered by the policy. For instance, does
the policy cover both offline and online data collection? Does it cover corporate
affiliates or subsidiaries?
Method of Data Collection. As a matter of notice
to the consumer, a privacy policy should identify how a company collects the
consumer's personal information:
- Does the company collect information that a consumer voluntarily discloses
through a collection form?
- Does the company's Web server set a persistent cookie on the consumer's
computer?
- Does the Web server automatically log the IP address, Web browser software
or the referring Web site (HTTP referrer)?
Type of Data Collected. A privacy policy should
identify what kinds of information a company collects from consumers—both personal
and non-personal information. Rather than identifying each piece of information
the company collects (e.g., name, phone number, IP address), a privacy policy
can identify the general types of data the company collects (such as contact
information, profile information, billing information, etc.).
Use of Data Collected. A privacy policy should
disclose the ways a company uses personal and nonpersonal information. To make
an informed decision on whether to share personal information with a company,
a consumer must understand exactly how a company distributes his/her information
and applies it to particular purposes.
When creating a privacy policy, it is crucial to understand both the primary
and secondary purposes (uses) of personal information. Primary purposes usually
are initiated by and obvious to the consumer. For example, if a consumer discloses
his/her shipping address to receive a product, it should be obvious to the consumer
that the company will use this information for shipping purposes.
In some instances, however, a company may have secondary and nonobvious purposes
for the information. For example, a company also may use a home address to send
marketing materials to the consumer at a later date. In the interest of fairness,
a privacy policy should disclose both primary and secondary purposes.
Data Sharing. A company that shares personal
information with other parties should create a privacy policy that identifies
those parties and the purpose of the disclosure. This is important, as a consumer
may want to review the privacy policies of third parties before disclosing personal
information. If not given this opportunity, the consumer may feel abused.
Choice/Consent. The next major issue in a privacy
policy is Choice/Consent. At its simplest, choice means giving a consumer options
regarding how a company collects and uses the personal information it collects.
The first choice a consumer typically makes is whether or not to give his personal
information to a company.
After choosing to disclose information to a company, the consumer should
be given options regarding any later—especially secondary—uses of his/her information.
These options allow the consumer to remain in control. Traditionally, a privacy
policy considers two types of Choice/Consent systems: opt-in and opt-out.
Opt-in requires affirmative steps by the consumer to allow the collection
and/or use of information; opt-out requires affirmative steps to prevent the
collection and/or use of such information. The distinction lies in the default
rule that applies when the consumer takes no steps.
To be effective, any choice mechanism should provide a simple and easily accessible
way for consumers to exercise their choices. For example, online privacy policies
should link a consumer from the privacy policy directly to the Choice/Consent form.
Access/Participation. The third major issue
in a privacy policy is Access/Participation, which means a consumer's ability
to view his/her personal data collected and to contest that data's accuracy
and completeness. Both access and participation are essential to ensuring that
data is accurate and complete.
To be meaningful, the "Access/Participation" section of the policy must accurately
describe the following:
- The steps a consumer must take to access his/her personal information
- The cost of access, if applicable
- How long a consumer should expect to wait to receive access to his/her
information after making a request
- The means for contesting inaccurate or incomplete data
- The means to make corrections and/or objections to the data file
- The means to delete data or discontinue the use of personal information.
If a company allows access to data that has been collected and/or received,
it is critical that adequate security mechanisms are in place to authenticate
the access request: the company must verify that the requester is the data
subject (or is authorized by the subject) before disclosing, correcting or deleting
anything. Otherwise the access mechanism itself becomes a channel through which
a stranger can obtain or tamper with someone else's personal data.
Integrity/Security. The fourth major issue
in a privacy policy is integrity/security—helping a consumer feel comfortable
disclosing personal information. A privacy policy should describe the steps
a company takes to assure data integrity and security. Trustworthy data is accurate,
up-to-date and protected from abuse.
Regarding security, a privacy policy might articulate a company's commitment
to prevent the unauthorized access and use of customer data, describing its
safeguards in general terms rather than promising absolute protection. A company should
be careful not to overstate its level of protection, to avoid potential liability
should a security breach occur. Making too strong a statement also might encourage
hackers to attempt to defeat the security mechanisms in place.
Enforcement/Redress. The preceding core principles
of privacy protection can only be effective when there is a means of enforcing
them. Creating and publishing a privacy policy on its own does not ensure compliance
with core Fair Information Practices. A company should give a consumer reassurance
that it will follow the principles found within its privacy policy. To do that,
a company's privacy policy should describe the enforcement approach the company
plans.
To ensure a consumer understands the enforcement mechanisms a company uses,
a privacy policy should address topics such as:
- Applicable privacy laws
- External audits to verify compliance
- Certification seals (such as TRUSTe or BBBOnLine) that demonstrate
the company has adopted and complies with a particular set of standards
- Systems to investigate and act upon complaints from consumers
- Methods available to invoke enforcement systems
- Contact information where a consumer can send questions or concerns
- The appropriate individual in a company who is responsible for privacy
protection.
Regulations. In addition to the generic issues
discussed in the preceding sections, a privacy policy also needs to address
specific issues such as special laws or guidelines. If applicable, a company
should state in its privacy policy that it abides by relevant privacy codes
or regulations (e.g. the EU-US Safe Harbor agreement for companies doing business
in Europe or the California Online Privacy Protection Act 2003 for online commercial
operators that collect PII from California residents).
Publishing a Privacy Policy
Clear and Conspicuous. After a privacy policy
is written, it needs to be published in a clear and conspicuous fashion. This
means that the average person must be able to find and understand the policy.
An understandable policy uses everyday words (avoids legalese), includes easy-to-read
typeface and type size, uses wide margins and ample spacing, and uses boldface
or italics for key words. A readable policy also includes design factors that
"catch the eye" or call attention to the nature and significance of the information
in the notice.
When posting on a Web site, a company should place its privacy policy in
a prominent location. A user should be able to readily access the privacy policy
from the Web site's home page. A user also should be able to reach the privacy
policy from any Web page that collects consumer information. The requirements
of A.B. 68 for clear and conspicuous posting provide a strong standard that
will likely meet all other requirements.
Versions. An effective privacy policy must
also disclose the date the policy was produced and posted, and should include
a statement saying the company reserves the right to modify or amend the policy
at any time and for any reason. It is essential that the policy inform consumers
about the process by which they will be notified of material changes to the
policy. When there are material changes, the company should abide by the information
practices described in its privacy policy at the time the consumer provided
his/her personal information. That obligation is only workable if the company keeps
a dated copy of every version it has posted, so it can show which practices
governed a given consumer's data.
Enforcing a Privacy Policy
Work on a privacy policy does not end with writing and publication. It is
extremely important that a company makes sure it honors its policy. No privacy
policy can guarantee compliance and encourage consumer trust without corporate
follow-through; a company must integrate its privacy approach into its corporate
culture. After creating and publishing a privacy policy, a company must train
and educate its workforce on the policy and motivate employees to live up to
the standards it sets.
Jennifer Simin is an editor with the Knowledge Products division of Privacy
Council, Inc., the global resource for privacy and data protection services.
Ms. Simin has edited over 10 books and interactive CD-ROMs on privacy and data
protection including Privacy Manager Work Plan, HIPAA Privacy Implementation
Guide, and PR Strategies for Privacy Issues. Currently, she is editor of the
nation's leading privacy, data and security digest, Privacy Weekly, which is also published
by Privacy Council every Wednesday. Before entering the privacy arena, Ms. Simin
spent 7 years in business-to-business marketing with a focus on healthcare,
energy services, and commercial real estate markets.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.