Two new laws that may impact companies that collect personal information from California residents, online or offline
Two California laws are scheduled to take effect in the coming months, one on July 1, 2004 and one on January 1, 2005, that may significantly impact your business, even if your business is not based in California. These laws govern marketing activity and the collection of information from California residents.
In order to comply with these laws, which are discussed in detail below, and to lessen any potential liability, we recommend that affected businesses take action now to analyze the statutes' impact and undertake necessary compliance steps in advance of the impending deadlines.
Failure to fully and properly comply with either or both of these laws potentially could lead to class action lawsuits, regulatory action (by the California Attorney General, the Federal Trade Commission ("FTC") and other state Attorneys General), and significant negative publicity.
The greatest potential liability connected with the Online Privacy Protection Act of 2003 may come from hastily written and posted privacy policies.
Therefore, in light of the pending Act and existing United States law, we recommend that most businesses that maintain a website consider the following steps:
- Understand your business practices, including the various ways and places you collect personal information from consumers, the technology used on your websites, the various ways you market to consumers, and the ways in which you may share information with third parties.
- Audit your website and other relevant marketing tools to ensure there are no conflicting or inaccurate statements regarding how you collect and handle personal information, and that you are in compliance with applicable laws (such as the Children's Online Privacy Protection Act).
- Ensure that the security of the personal information you collect and maintain is reasonable under the circumstances, which will vary depending upon the size of your organization, the type of information collected, and statements made to consumers.
- Institute adequate compliance procedures to protect your business from inadvertent breaches of your privacy promises and to shield your business from potential liability to the greatest extent possible.
As of January 1, 2005, you may need to provide California consumers information regarding the sharing of personal information with third parties.
California SB 27, which mandates disclosure of certain information sharing practices, applies to a business that:
- has disclosed personal information about a customer (defined as a California resident who provides personal information to a business in connection with an established business relationship that is personal, family or household in nature);
- to one or more third parties;
- within the "immediately preceding calendar year"; and
- reasonably knows the third party will use the data for direct marketing purposes.
Please note that this statute applies to information collected both online and offline. In addition, an "established business relationship" does not require consideration, and includes a relationship formed for obtaining "a product or service from the business."
Subject to the exception discussed below, to comply with SB 27, a business must:
- provide to a consumer, within 30 days of his or her request: (a) the categories of information disclosed during the preceding calendar year (which categories are set forth in the statute, and include, for example, name and address, age or birth date, e-mail address, and various demographic data); and (b) the names and addresses of the third parties that received personally identifiable information for use in direct marketing in the preceding calendar year (the "Disclosure Information");
- take action to notify consumers of the available method to request the Disclosure Information (as set forth in the statute, and which includes both offline and online methods of notice).
The statute does not require individual responses, but rather a standardized form setting forth the Disclosure Information.
There is an important exception for a business that gives consumers either opt-in or opt-out choice regarding the use of the consumer's personal information. So long as the business maintains and discloses the consumer's right to exercise opt-in or opt-out consent for the sharing of his or her personal information, the business may comply with the Act by:
- giving the consumer notice of his or her right to prevent disclosure of his or her personal information; and
- providing the consumer with a cost free means to exercise that right.
SB 27 also specifically enumerates exceptions for the use of personal information by third parties in certain circumstances, such as use by a third party solely to process or store the personal information and for certain jointly offered products.
There are business considerations that should factor into the procedures a business adopts for compliance with SB 27
A business subject to SB 27 must decide how it will comply. First, it may be possible and desirable for certain businesses to simply cease collecting personal information from California residents.
A business that will continue collecting personal information from California residents after January 1, 2005 must decide whether or not to continue sharing personal information with third parties for direct marketing purposes. If the business will not share any personal information with third parties for direct marketing purposes, the business is outside the scope of SB 27. However, such a business should consider preparing a standardized response to send to a consumer who makes an SB 27 inquiry after the effective date.
If the business will share personal information collected from California residents after January 1, 2005, the next question for the business to answer is whether or not it will offer choice, either on an opt-in or opt-out basis. If choice always and reliably will be offered, the company should ensure the appropriate opt-out or opt-in procedures are in place by January 1, 2005, and should prepare a standardized response (explaining the consumer's no cost option to exercise his or her choice) to send to any consumer that requests SB 27 disclosures after the effective date.
If, however, opt-out or opt-in choice will not be consistently offered, a company must put in place a procedure to comply with the disclosure requirements by January 1, 2005.
An important consideration for a business considering its compliance options is whether its contracts with third party marketing partners contain confidentiality provisions that prohibit the disclosures mandated by the Act.
In addition, any business that decides to institute an opt-out or opt-in procedure after SB 27 takes effect should carefully address the transition issues that will arise, including potential ongoing disclosure requirements to consumers whose information was shared prior to the consumers having the right to exercise choice, as well as an obligation to ensure all consumers are truly notified of their opt-out or opt-in rights upon implementation of those rights.