Editor’s note: John Yates chairs the Technology Group and Paul Arne is a Partner in the Technology Group of the law firm Morris, Manning & Martin.In 2003, California adopted several important laws related to the use of computer technology and the Internet. These laws may have an impact on every business in the U.S. that has a web site. Also, these Internet laws may be copied by other states and enacted across the country.

The Online Privacy Protection Act was signed by the Governor of California in October, 2003. It will go into effect on July 1, 2004. This legislation involves privacy policies on web sites and imposes some new strict standards.

Who regulates web privacy? Until now, privacy policies on the web have been regulated mostly by the Federal Trade Commission. The FTC has brought actions against companies when the privacy policies on their web sites have differed from their actual privacy practices. The argument is that using personal data differently from the privacy policies as disclosed is a form of unfair and deceptive trade practice.

Do you have to include a privacy policy? What if your web site has no privacy policy at all? The FTC has asserted, somewhat gingerly, that it is a form of unfair trade practice not to have a privacy policy. However, we are unaware of any actions by the FTC to require companies to include privacy policies on their web sites. Best practice suggests that you should.

What’s the scope of the Online Privacy Protection Act? The scope of the Online Privacy Protection Act is very broad. Note that neither the web server nor the company that created the web site have to be in California to be under the scope of the law. The web site only has to be accessed by California residents. Therefore, many web sites will be subject to the jurisdictional reach of the new law.

What does the California law require? The California law specifically requires that commercial web sites have conspicuously placed privacy policies — at least for those web sites that collect personally identifiable information from consumers who reside in California. Many web sites require personally identifiable information — data about an individual that would identify them as opposed to anonymous information from a user.

What’s conspicuous? There are rules in the new law describing the meaning of “conspicuous” placement of a privacy policy. For example, the use of a logo or other image to create a hyperlink to a privacy policy must have the word “privacy” embedded in it.

What are the required contents of a privacy policy? The new law also sets forth a specific list of criteria for inclusion in a privacy policy. Examples include:

  • A description of the categories of personally identifiable information being retained,

  • The description must also include the specific information that can be used to identify the individual, and

  • The process a site visitor may use to review or correct the information.
  • Any business with a web site should review the provisions of the Online Privacy Protection Act. Importantly, if you collect personally identifiable information from your visitors, you should implement steps to make sure that your privacy policies conform to this new law.

    John Yates Chairs the Technology Group of the law firm Morris, Manning & Martin, LLP, which has offices in Atlanta, Charlotte and Washington, D.C. He can be reached at jcy@mmmlaw.com and (404) 504-5444.

    Paul Arne is a Partner in the Technology Group of the law firm Morris, Manning & Martin, LLP. His practice focuses on ecommerce and internet legal issues. He can be reached at pha@mmmlaw.com and (404) 504-7784.

    This column is presented for educational and information purposes and is not intended to constitute legal advice.