California E-Privacy Law Takes Effect - AVN Online

California's new online privacy law took effect this month. The state's Online Privacy Protection Act requires Internet companies doing business in the state to post clear privacy policies and to disclose the personal data they collect and share with third parties, or face lawsuits if they violate the requirements.

But reports indicate some industry executives believe a large number of sites aren't yet compliant with the law.

Trust-e, an Internet privacy oversight initiative, isn't entirely sure how many companies have yet to comply with the California law. But spokeswoman Carolyn Hodge told AVNOnline.com that over the past six months it has been requiring its member Web companies to make small changes in their privacy statements, and even their policies, to bring them toward California compliance. Those changes included posting the effective dates of their privacy statements or policies.

The law took effect in a period when the Federal Trade Commission has already said it would begin cracking down on Web companies that don't respect consumer privacy. The California law is the first in the United States to require Website owners to post conspicuous privacy policies, according to a legal analysis by the California law firm Cooley Godward.

Hodge said Trust-e saw a rush toward the end of June from companies that wanted to get into California compliance. "It was not a huge number of companies," she said, "but it was definitely on the radar, and we had companies calling us who didn't have statements who wanted our help writing their privacy statements."

The Cooley Godward analysis also suggested that, while the law itself contains no direct enforcement provision, violators could be held liable for even the most minor technical omissions.

"An operator will be considered in violation of OPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance," the analysis said. "An operator who fails to comply with OPPA or with the terms of its privacy policy will be found to be in violation of OPPA only if its noncompliance is either knowing and willful or negligent and material. This means that a non-material (i.e., minor), but deliberate, breach can give rise to liability. As a result, minor technical defects in the posting or the contents of a privacy policy could be a basis for liability."

Would the California law inspire other states to move similarly? "California has always been a leader in consumer privacy legislation," Hodge said. "So I wouldn't be surprised to see them leading the pack once again. And there's definitely movement over the past year, people are more aware of their privacy concerns and (protecting) their personal information and how others are using it. Privacy issues are on the front pages of newspapers frequently."

In June, at the Privacy Futures symposium in San Francisco, Trust-e said a study it did in collaboration with the Ponemon Institute determined that online auction king eBay, itself headquartered in California, was the most trusted Internet operator when it came to privacy protection, with American Express, Procter & Gamble, Amazon, Hewlett Packard, U.S. Postal Service, IBM, Earthlink, Citibank, and Dell completing the top ten.

"eBay does a great job policing their security," Hodge said. "They have made security and privacy within the eBay community a huge part of their corporate commitment."

Also this month, California's SB1, a law allowing individuals to opt out of affiliate sharing, and requiring banks to get opt-in consent before selling data to third parties, was upheld by a federal judge. Banking groups challenged the law on grounds that it was pre-empted under the Fair Credit Reporting Act, but U.S. District Judge Morrison England held that the Gramm-Leach-Bliley Act lets states enact strong financial privacy measures.

England wrote that the FCRA has an "overriding purpose…to regulate the use and dissemination of consumer reports," and that Gramm-Leach-Bliley specified "limitations on the sharing of personal financial information between financial institutions in non-credit reporting situations," allowing states to pass laws like SB1.