Privacy has been a hot legal issue for years, and the temperature is moving even higher. Governmental enforcement actions and class action suits have become ever more common. One common trigger is a data privacy or security breach. Surprisingly, in 2013, another common trigger is the lack of a privacy policy. Yes, there are some companies that create online services or Internet applications collecting personal information from consumers and yet have no privacy policies.

California’s Online Privacy Protection Act (OPPA) of 2003 requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies. “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual. Accordingly, the definition of “personally identifiable information” is quite broad, and beyond the scope of the security breach notification laws in California and other states. Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.

OPPA not only says that operators of online services must have privacy policies, it also says that these privacy policies must cover certain topics. A privacy policy must identify the categories of information collected by the operator, the categories of others with whom the operator may share the information, any means for the consumer to review and request changes to the information, the process to notify consumers of changes to the policy, and the effective date of the policy.

None of these requirements is new. They are standard fare for privacy policies. For instance, Federal Trade Commission has long published information about these topics in its guide to fair information practice principles.

In sum, online services that collect personally identifiable information from California consumers and have no privacy policy are violating OPPA and are risking lawsuits and governmental enforcement actions. Even if a service has a privacy policy, if it is inaccurate, the service may be violating laws against unfair and deceptive trade practices. Areas of greater risk include companies that collect certain kinds of information, such as geolocation information, without notifying the user first. Also, companies that share information with third parties, but do not warn the user, are at risk. The bottom line is that online services should review their privacy practices, write a privacy policy if they don’t already have one, update their privacy policies to match changes in law and their circumstances, and make sure their policies match their information practices.

Stephen S. Wu
Partner, Cooke Kobrick & Wu LLP