The law requires all owners of commercial Web sites or online services that collect personal information from California residents to:
- Conspicuously post their privacy policies on their websites and comply with those posted policies. The law lays out very specific guidelines as to what constitutes "conspicuously".
- Disclose in the privacy policies the types of personally identifiable information (information that allows a visitor to be individually identified, such as name, e-mail, physical address, etc.) collected, and identify, generally, any third parties with whom that information might be shared, and under what circumstances.
- Provide a description of the process (if one exists) by which a visitor can request changes to any of that information.
- Describe the process by which the operator of a Web site notifies users of changes to that privacy policy.
- Identify the effective date of the privacy policy.
View the full text of the bill at www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579
Also, Privacy Compliance Group has created an excellent guide to Creating a Compliant Privacy Policy.
Also at stake is the very lucrative market for this personal information between financial institutions and a variety of third parties, particularly direct marketing companies who in turn offer access to these consumers to their customers.
The untold story here, though, is the potential impact on small website operators, not just from this bill, but from the impending wave of similar bills being passed in other states. Considering that this affects literally millions of Web sites, it's astounding to find only a few hundred sites referencing the topic, and even more disturbing to find not one criticism of the law and its potential impact on entrepreneurs.
