As of July 1, California companies operating a commercial Web site must post a conspicuous according to the California Online Privacy Protection Act (OPPA) of 2003. Companies must also clearly mark their privacy statements; abide by their policies; inform consumers of processes to opt out of data sharing; and publish a date it goes into effect.on their Web sites and disclose the kinds of personally identifiable data that they collect and share with third parties,
The statute is the nation's first state law governing online privacy policies, according to a legal analysis by Cooley Godward, a California-based law firm.
Site operators in violation of the law will be subject to civil lawsuits, after a 30-day notification period.
Many California-based companies were rushing to comply with OPPA at the 11th hour. Google, for example, got in line with the new law last week. It expanded its privacy statement on July 1 to reflect its fast-growing business and clarify its information-sharing practices.
The law could have sweeping ramifications, attorneys said, because the Web effectively has no borders and holds any company or Web site conducting business with California citizens accountable for their practices. Therefore, privacy experts believe that many sites have yet to meet the laws' requirements.
"There are a lot of companies, period, that are dealing with California citizens that are not in compliance," said Carolyn Hodge, director of marketing for Truste, which operates an online privacy certification program.
The Federal Trade Commission also said recently iton Web site operators over privacy practices. The California attorney general's office has made consumer privacy a high priority and plans to "vigorously defend the law," according to spokesman Tom Dressler.
Shopping.com did not immediately return phone calls seeking comment.
"We have not changed the types of data Google collects and/or how that data is managed. Additionally, these changes also ensure that we are fully compliant with the new California state privacy law," said a Google representative.
Over the past several years, the company has morphed into a multifaceted media business, with services for advertising, e-mail, social networking, Web publishing, and corporate and Web search. Now, as Google prepares for a $2.7 billion initial public offering, it is seeking to explain the data-gathering policies of its various services in one policy.
It could be a crucial time for Google, too, as the company has fielded harsh complaints over its upcoming free e-mail service, Gmail, from privacy advocates and lawmakers. A bill recentlyseeking to restrict online providers' ability to scan e-mail for advertising purposes.
Privacy experts commended the new policy as clear and easy to read. Ari Schwartz, associate director for the Center for Democracy and Technology, highlighted one downside of Google's policy in that it does not detail how the company will handle legal requests for personal information on users.
Google states that it will share personal information in the event that it's required by law to do so. But Schwartz said that does not go far enough. Google and other companies should disclose the process for divulging that information in civil and criminal cases, and whether users will be notified beforehand, he said.
"As Google gets into lots of new businesses, they're going to be asked for more information about their users from outsiders," he said.