California Online Privacy Protection Act of 2003 Good Practice, Bad Prece

July 1, 2004, the California Online Privacy Protection Act of 2003 (OPPA) goes into effect, with far-reaching implications, particularly for operators of small commercial web sites. Privacy advocates hail it as a major victory. But while the provisions of the act outline excellent privacy practices for e-commerce sites, the fact that a state can pass a law affecting any web site doing business with customers in that state is a devastating precedent that could potentially mean dramatic increases in the cost of doing business online.

The law requires all owners of commercial Web sites or online services that collect personal information from California residents to:

• Conspicuously post their privacy policies on their websites and comply with those posted policies. The law lays out very specific guidelines as to what constitutes "conspicuously".
• Disclose in the privacy policies the types of personally identifiable information (that information which allows a visitor to be individually identified, such as name, e-mail, physical address, etc.) collected, and must identify, generally, any third parties with whom that information might be shared, and under what circumstances.
• Provide a description of the process (if one exists), by which a visitor can request changes to any of that information.
• Describe the process by which the operator of a Web site notifies users of changes to that privacy policy.
• Identify the effective date of the privacy policy.

Violators will be notified and given 30 days to comply. Those who still fail to comply would be subject to civil suit for unfair business practices.

View the full text of the bill at www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579

Also, Privacy Compliance Group has created an excellent guide to Creating a Compliant Privacy Policy.

Much of the support for the bill has come from consumer and privacy advocacy groups, such as the American Civil Liberties Union (ACLU), CALPIRG, Consumers Union, and the AARP. The primary issue at stake is the selling or sharing of consumers' personal information by financial institutions, a practice allowed at the federal level by the Gramm-Leach-Bliley Act in 1999. The federal law does allow states, though, to pass stronger privacy laws, which North Dakota, Alaska, Connecticutt, Illinois, Vermont, and now California have done.

Also at stake is the very lucrative market for this personal information between financial institutions and a variety of third parties, particularly direct marketing companies who in turn offer access to these consumers to their customers.

The untold story here, though, is the potential impact on small website operators, not just from this bill, but from the impending wave of similar bills being passed in other states. Considering that this affects literally millions of Web sites, it's astounding to only find only a few hundred sites referencing the topic, and even more disturbing to find not one criticism of the law and its potential impact on entrepreneurs.