
Does Your Website Privacy Policy Violate The Law?

June 6, 2008
by Reece Hirsch

Virtually every business has a website, and nearly every website has (or should have) a privacy policy describing how personal information gathered through the website is used and disclosed. What many businesses don't realize is that there's a California law that imposes some very specific requirements regarding the content and placement of those online privacy policies.

The law is called the California Online Privacy Protection Act of 2003 and, on June 4, fourteen consumer groups sent a letter to Google stating their view that Google was not in compliance with the law because its privacy policy was not displayed prominently enough on its website. Google's home page is uncluttered (some would say stark) by design. Google's privacy policy is not linked directly on the home page, but can be accessed after clicking "About Google" at the bottom of the home page. The consumer groups charge that this does not satisfy the California law's requirement that a privacy policy be posted on the home page or the first "significant page after entering the website." The consumer groups signing the letter included the Electronic Privacy Information Center, the ACLU of Northern California, the Center for Digital Democracy and the World Privacy Forum.

The California law applies to your website if you are the operator of a commercial website that gathers "personally identifiable information" online. Any website that gathers personal information from California residents is subject to the law. This is yet another example of how California privacy laws establish a de facto national standard for the privacy practices of national companies.

Your online privacy policy may not comply with the California statute if:

1. Your policy does not describe how you gather, use and disclose personally identifiable information;

2. Your policy is not "conspicuously posted," in accordance with the statute's very specific standards; or

3. Your policy does not include an effective date.

Complying with the Online Privacy Protection Act is not particularly difficult, but it is very difficult if you aren't even aware that the statute applies to you …..


Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...