Risk managers, grab the aspirin. The lack of a sufficient national standard in the United States for online privacy practices has long threatened to produce a rash of state laws, each with its own compliance requirements. And it has finally begun.
Effective July 1, 2004, California's Online Privacy Protection Act of 2003 (A.B. 68) requires owners of commercial Internet websites or online services (referred to as "operators" under the Act) that collect personally identifiable information (PII) from California residents to:
Conspicuously post their privacy policies on their websites
Disclose in their privacy policies the categories of personally identifiable information collected from consumers
Disclose in their privacy policies the types of third parties with whom that information may be shared
Getting Down to the Details
First, it is important to understand what the law says and does not say and to clarify the terminology used. The complete text of A.B. 68 can be read online. Following is a detailed explanation of the provisions of the law. You'll need to get legal counsel's opinion on how these provisions apply specifically to your organization and on any ambiguous language that has yet to be interpreted in the courts.
What's the Point? The stated purpose of A.B. 68 is to "improve the knowledge" that consumers have "as to whether personally identifiable information obtained by the commercial website through the Internet may be disclosed, sold or shared." In other words, A.B. 68 requires transparency of information handling practices from commercial website operators so that consumers can be well informed. The hope is that with improved knowledge will come improved trust in online commerce.
Who Must Comply? The law applies specifically to "An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service." However, "Internet service providers or similar entities shall have no obligations under this act related to personally identifiable information that they transmit or store at the request of third parties." What's notable here is the reach of A.B. 68: it applies to any commercial website operator collecting PII from Californians, regardless of where the operator is located, so its reach stretches far beyond state lines.
What Constitutes Personally Identifiable Information (PII)? According to the letter of the law, personally identifiable information is information about "an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:"
A first and last name
A home or other physical address, including street name and name of a city or town
An email address
A telephone number
A social security number
Any other identifier that permits the physical or online contacting of a specific individual
Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any of the above identifiers.
What's notable here is that the definition of PII could conceivably apply to cookies and tracking technologies even though these technologies are not specifically named in the law, because the catch-all item covers "any other identifier that permits the physical or online contacting of a specific individual," and a persistent identifier stored on the user's machine may fit that description.
What Does "Conspicuously Post" Mean? Under the Act, a privacy policy is conspicuously posted if the policy itself appears on the home page or the first significant page after entering the site, or if that page carries an icon containing the word "privacy" in a color that contrasts with the page background, or a text link to the policy that:
Includes the word "privacy"
Is written in capital letters equal to or greater in size than the surrounding text
Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language
Any other functional hyperlink that is so displayed that a reasonable person would notice it also qualifies
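The textual criteria above can be checked mechanically across a large portfolio of sites, which is useful for a privacy assessment. The following is an added example, not code from the article or from IRMI: it scans the HTML of a home page for functional hyperlinks (those with an href) whose link text contains the word "privacy" or is written entirely in capital letters. The sample home page is constructed for the example. Note the caveat in the code: the typographic criteria (type size, contrast, set-off symbols) depend on rendered CSS and are not checked here, so a negative result from this script is a prompt for manual review, not a finding of non-compliance.

```python
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self._in_anchor = False
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False


def find_privacy_links(html):
    """Return candidate privacy-policy links with the textual criteria each one meets.

    Only two of the statutory criteria can be judged from markup alone:
    the link text includes the word "privacy", or it is written in capital
    letters. Type size, contrast and set-off symbols need the rendered page
    and are deliberately not assessed here.
    """
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()

    results = []
    for href, text in parser.links:
        if not href:
            # An <a> without an href is not a functional hyperlink.
            continue
        reasons = []
        if "privacy" in text.lower():
            reasons.append("contains the word 'privacy'")
        letters = [c for c in text if c.isalpha()]
        if letters and all(c.isupper() for c in letters):
            reasons.append("all capital letters")
        if reasons:
            results.append({"href": href, "text": text, "reasons": reasons})
    return results


def privacy_link_present(html):
    """True if the page has a functional link whose text contains 'privacy'."""
    return any(
        "contains the word 'privacy'" in r["reasons"] for r in find_privacy_links(html)
    )


# Constructed sample home page for the example (not a real site).
SAMPLE_HOMEPAGE = """
<html><body>
<nav><a href="/about">About us</a> <a href="/legal/privacy">Privacy Policy</a></nav>
<p>Welcome to our store.</p>
<footer><a href="/terms">TERMS</a> <a>Privacy</a> <a href="/contact">Contact</a></footer>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_privacy_links(SAMPLE_HOMEPAGE):
        print(hit["href"], "-", hit["text"], "-", ", ".join(hit["reasons"]))
    print("privacy link present:", privacy_link_present(SAMPLE_HOMEPAGE))
```

On the sample page the script reports the "Privacy Policy" link and the all-caps "TERMS" link, and skips the footer "Privacy" text because it has no href and so is not a functional hyperlink. Run it against the fetched HTML of each site's actual landing page, since the Act's test applies to the home page or first significant page, not to the policy page itself.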
Creating a Compliant Policy
"The regulatory scheme envisioned by A.B. 68 would pose significant costs and challenges for companies. Imagine if many or all states adopt different online privacy notice standards that conflict in some respect; websites would be unable to comply without engaging in more data collection (asking every user what state they are from) and engaging in the costly and onerous task of posting a separate privacy notice for each state."1
Privacy Assessment Review Questions
What consumer and employee information does the company collect?
How does the company collect the information?
How does the company use the consumer and employee information?
What are the company's current privacy-related policies and procedures?
Does the company share consumer data with affiliates and/or nonaffiliated third parties?
What agreements does the company have in place with these affiliates or third parties regarding the use of this personal data?
What data systems store and access personal data?
What level of security and confidentiality does the company apply to personal data? What about affiliates and third parties?
Who will monitor the privacy process?
What actions will be required for compliance with applicable regulations in your industry and what resources will be needed?
If you operate in countries other than the United States, what are the differences in privacy policies of those countries, and how will you comply with them?
Which individuals/job titles/departments have access to consumer and employee data?
What training is provided to employees handling such data?
Is your company prepared to deal with a media crisis or a media opportunity involving privacy?
An explanation of the Fair Information Practices follows.
Method of Data Collection
Type of Data Collected
Use of Data Collected
Does the company collect information that a consumer voluntarily discloses through a collection form?
Does the company's Web server assign a permanent cookie file on a computer's hard drive?
Does the Web server automatically collect IP address, Web browser software or the referrer website?
Opt-in requires affirmative steps by the consumer to allow the collection and/or use of information; opt-out requires affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule that applies when the consumer takes no steps.
To be meaningful, the "Access/Participation" section of the policy must accurately describe the following:
The steps a consumer must take to access his/her personal information
The cost of access, if applicable
How long a consumer should expect to wait to receive access to his/her information after making a request
The means for contesting inaccurate or incomplete data
The means to make corrections and/or objections to the data file
The means to delete data or discontinue the use of personal information.
If a company allows access to data that has been collected and/or received, it is critical that adequate security mechanisms are in place to authenticate the person making the access request. Otherwise the access channel itself becomes a way for an impostor to obtain someone else's personal information, turning a privacy right into a disclosure.
The "Enforcement/Redress" section of the policy should identify:
Applicable privacy laws
External audits to verify compliance
Certification seals (such as TRUSTe or BBBOnLine) that demonstrate the company has adopted and complies with a particular set of standards
Systems to investigate and act upon complaints from consumers
Methods available to invoke enforcement systems
Contact information where a consumer can send questions or concerns
The appropriate individual in a company who is responsible for privacy protection.
1 Letter from Harris N. Miller, President, Information Technology Association of America to Governor Gray Davis, September 22, 2003, regarding A.B. 68.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.
Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion.
If such advice is needed, consult with your attorney, accountant, or other qualified adviser.