Risk managers grab the aspirin. Lack of a sufficient national standard in the United States for online privacy practices has been promising to produce a rash of state laws, each with its own compliance requirements. And, it's finally begun.
Effective July 1, 2004, California's Online Privacy Protection Act of 2003 (A.B. 68) requires owners of commercial Internet websites or online services (referred to as "operators" under the Act) that collect personally identifiable information (PII) from California residents to:
First, it is important to understand what the law says and does not say and to clarify the terminology used. The complete text of A.B. 68 can be read online. Following is a detailed explanation of the provisions of the law. You'll need to get legal counsel's opinion on how these provisions apply specifically to your organization and on any ambiguous language that has yet to be interpreted in the courts.
What's the Point? The stated purpose of A.B. 68 is to "improve the knowledge" that consumers have "as to whether personally identifiable information obtained by the commercial website through the Internet may be disclosed, sold or shared." In other words, A.B. 68 requires transparency of information handling practices from commercial website operators so that consumers can be well informed. The hope is that with improved knowledge will come improved trust in online commerce.
Who Must Comply? The law applies specifically to "An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service." However, "Internet service providers or similar entities shall have no obligations under this act related to personally identifiable information that they transmit or store at the request of third parties." What's notable here is the reach of A.B. 68. The California law applies to any commercial website operator collecting PII from Californians, regardless of the operator's location. The law's reach stretches far beyond state lines.
What Constitutes Personally Identifiable Information (PII)? According to the letter of the law, personally identifiable information is information about "an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:"
What's notable here is that the definition of PII could conceivably apply to cookies and tracking technologies even though these technologies are not specifically named in the law.
The regulatory scheme envisioned by A.B. 68 would pose significant costs and challenges for companies. Imagine if many or all states adopted different online privacy notice standards that conflict in some respect; websites would be unable to comply without engaging in more data collection (asking every user what state they are from) and engaging in the costly and onerous task of posting a separate privacy notice for each state." [1]
An explanation of the Fair Information Practices follows.
Opt-in requires affirmative steps by the consumer to allow the collection and/or use of information; opt-out requires affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule that applies when the consumer takes no steps.
To be meaningful, the "Access/Participation" section of the policy must accurately describe the following:
If a company allows access to data that has been collected and/or received, it is critical that adequate security mechanisms are in place to authenticate the access request.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.