California Online Privacy Protection Act of 2003 – Applicability and Summary of Requirements
- By: Staff Editor
- Date: September 09, 2011
The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, is a pioneering privacy law enacted by a state. It requires owners of commercial websites or online services to conspicuously post a privacy policy.
Applicability
OPPA applies to any website that collects personally identifiable information from California consumers.
OPPA does not apply to ISPs or similar entities that transmit such information at the request of third parties.
Personally Identifiable Information
Personally identifiable information refers to information collected online about an individual customer. This may include:
- First and last name
- Physical street address
- Email addresses
- Telephone number
- Social Security Number
- Any other information that permits an entity to contact a specific individual online or physically
Personally identifiable information also includes information such as birthdays, weight, hair color and so on that is collected online and is maintained by the collecting operator in a personally identifiable form in combination with any of the above.
OPPA defines a consumer as an individual who seeks or acquires goods, services, money or credit for personal, family or household purposes.
OPPA Requirements
The Act requires that commercial website operators or online service providers post a privacy policy conspicuously on their website. A privacy policy is considered “conspicuous” if it:
- Appears on the homepage of the website or
- Is directly linked to the homepage via an icon that contains the word "privacy," and such icon appears in a color different from the background of the homepage or
- Is linked to the homepage via a hypertext link that:
  - contains the word "privacy,"
  - is written in capital letters equal to or greater in size than the surrounding text,
  - is written in a type, font, or color that contrasts with the surrounding text of the same size, or
  - is otherwise distinguishable from surrounding text on the homepage
What comprises a privacy policy?
According to OPPA, a privacy policy should include:
- A list of the categories of personally identifiable information the operator collects
- A list of the categories of third-parties with whom the operator may share such personally identifiable information
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information collected by the operator
- A description of the process by which the operator notifies consumers of material changes to the operator's privacy policy and
- The effective date of the privacy policy
Non-Compliance
An operator will be considered in violation of OPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance.
An operator who fails to comply with OPPA or with the terms of its privacy policy will be found to be in violation of OPPA only if it “knowingly and willfully” or “negligently and materially” ignored regulatory requirements.
OPPA is enforced through California's Unfair Competition Law (UCL):
- Under the UCL, the California Attorney General, district attorneys, and some city and county attorneys can file suit against businesses for acts of "unfair competition," which are considered to be any act involving business that violates California law.
- Therefore, OPPA violations may be considered violations of the UCL.
- Government officials bringing suit for violations of OPPA may seek civil penalties and equitable relief under the UCL.
- Operators who violate OPPA may also be susceptible to actions by the Federal Trade Commission, which may bring enforcement action against businesses whose posted privacy policy is deceptive, i.e., where the business fails to comply with its posted privacy policy.
Google accused of OPPA non-compliance
In 2008, a New York Times reporter said in a blog post that Google might be violating OPPA since it hadn’t posted a link to its privacy policy from the homepage. Rather, the search engine’s privacy policy had been posted at the bottom of the About Google page.
Following this, privacy activists and groups sent the Google CEO a letter charging that "Google's reluctance to post a link to its privacy policy on its home page is alarming."
The company had argued that users could access its privacy policy by typing Google Privacy Policy in its search engine. A month and a barrage of criticism later, Google linked to its privacy policy from its homepage, fulfilling OPPA requirements.
Additional Resources
Read the California Online Privacy Protection Act in full