News & Events

California May Soon Be Calling You

Recently California amended its privacy laws requiring website privacy notices for businesses outside California’s borders.  If your business operates a commercial website that collects consumers’ personally identifiable information (“PII”) through the Internet from California residents, then you must post your business’s privacy policy conspicuously on the website.

California requires the following in the privacy policy:

(1) identify the types of PII you collect and the categories of third-party entities with which you may share that information;

(2) provide a description of how consumers may review or request changes to personal information collected through the website or service;

(3) describe how the operator will notify consumers regarding material changes to the privacy policy; and

(4) list the policy’s effective date.

Your online privacy policy must also disclose how your business responds to Do Not Track signals from web browsers. This is the first law in the U.S. imposing disclosure requirements on businesses that track consumers’ online behavior.  This requirement may be satisfied by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” Online privacy policies also must disclose whether third parties may collect PII about a consumer’s online activities over time and across sites when the consumer visits your website.

Your business will in violation of California’s privacy law if you fail to post your policy within 30 days after being notified of noncompliance.

Any business collecting PII on California residents – even if the business is not based in California – should assess its current website privacy policies to ensure it is compliant with California’s laws requiring disclosure of its privacy policies.

Melody McAnally