Sunday, April 27, 2014

New Website Privacy Policy Requirements

A new website privacy law has recently become effective and may require you to make a change to your existing website privacy policy.

In prior articles regarding website (and application) privacy policies, I've mentioned that a few states have their own website privacy rules, and California's are the most rigorous. If your company's website is directed at California residents (and this includes websites directed at U.S. audiences generally), it will need to comply with California's unique rules. 
A new privacy law that amends California's existing Online Privacy Protection Act became effective on January 1, 2014.  The new law requires a website operator to disclose (i) how it responds to “do not track” signals and (ii) whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service. 
As amended, California's Online Privacy Protection Act now requires the following from an operator of a website or online service that collects personally identifiable information (which is defined very broadly) about residents of California:
  1. Conspicuously post a privacy policy on its website or online service and comply with that policy.
  2. Identify the categories of information collected.
  3. Identify the parties with whom the operator shares the information.
  4. Describe the process by which users are notified of material changes to the privacy policy.
  5. Describe any process for the review and request of changes to personally identifiable information.
  6. State the effective date of the policy.
  7. Describe how the operator responds to web browser “do not track” signals. (This can be satisfied by a link to a separate disclosure. Note that there is no legal obligation to honor such signals.)
  8. Disclose whether other parties may collect personally identifiable information about the user's activities over time and across different websites ("tracking").
Website privacy policies are gaining increasing attention from governmental entities, consumer groups and plaintiffs' class action attorneys, and are an emerging source of risk for many businesses. Having advised local, national and international businesses on website privacy issues, I believe most of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements, including the laws of states other than your own.

P.S. Don't confuse the Children's Online Privacy Protection Act ("COPPA") with the California Online Privacy Protection Act ("CalOPPA").  I've written about COPPA here.