California privacy law kicks in

Legal experts warn that out-of-state operators may not be exempt if they want to do business with residents.

Stefanie Olsen Staff writer, CNET News
Web companies doing business with Californians are beholden to a new state law protecting consumer privacy, and industry executives believe many sites have yet to comply.

As of July 1, California companies operating a commercial Web site must post a conspicuous privacy policy on their Web sites and disclose the kinds of personally identifiable data that they collect and share with third parties, according to the California Online Privacy Protection Act (OPPA) of 2003. Companies must also clearly mark their privacy statements; abide by their policies; inform consumers of processes to opt out of data sharing; and publish the date the policy goes into effect.

The statute is the nation's first state law governing online privacy policies, according to a legal analysis by Cooley Godward, a California-based law firm.

Site operators in violation of the law will be subject to civil lawsuits, after a 30-day notification period.

Many California-based companies were rushing to comply with OPPA at the 11th hour. Google, for example, got in line with the new law last week. It expanded its privacy statement on July 1 to reflect its fast-growing business and clarify its information-sharing practices.

The law could have sweeping ramifications, attorneys said, because the Web effectively has no borders and the law holds any company or Web site conducting business with California citizens accountable for its practices. Therefore, privacy experts believe that many sites have yet to meet the law's requirements.

"There are a lot of companies, period, that are dealing with California citizens that are not in compliance," said Carolyn Hodge, director of marketing for Truste, which operates an online privacy certification program.

The Federal Trade Commission also said recently it plans a crackdown on Web site operators over privacy practices. The California attorney general's office has made consumer privacy a high priority and plans to "vigorously defend the law," according to spokesman Tom Dressler.

Other major dot-coms including Yahoo and eBay have not changed their policies, but their statements appear to be in accordance with the law. California companies including Zonelabs.com updated their sites last week to reflect the law's stipulations. Some other sites, however, do not include everything OPPA requires. Shopping.com, for example, does not display an effective date for its privacy policy.

Shopping.com did not immediately return phone calls seeking comment.

For its part, Google said it changed its privacy policy to make it even more clear to users how the search company manages data across multiple services. But Google said it has not changed its practices.

"We have not changed the types of data Google collects and/or how that data is managed. Additionally, these changes also ensure that we are fully compliant with the new California state privacy law," said a Google representative.

Over the past several years, the company has morphed into a multifaceted media business, with services for advertising, e-mail, social networking, Web publishing, and corporate and Web search. Now, as Google prepares for a $2.7 billion initial public offering, it is seeking to explain the data-gathering policies of its various services in one policy.

It could be a crucial time for Google, too, as the company has fielded harsh complaints over its upcoming free e-mail service, Gmail, from privacy advocates and lawmakers. A bill recently passed the California Senate seeking to restrict online providers' ability to scan e-mail for advertising purposes.

In a revised privacy policy that added about 400 words, Google clarified that the personally identifiable data it collects for users of its services, such as Gmail or Orkut.com, will be recognized on other areas of its service to provide a "seamless experience." The company also highlighted that in the event of a merger or company buyout, it would notify consumers before transferring personally identifiable data.

Privacy experts commended the new policy as clear and easy to read. Ari Schwartz, associate director for the Center for Democracy and Technology, highlighted one downside of Google's policy: it does not detail how the company will handle legal requests for personal information on users.

Google states that it will share personal information in the event that it's required by law to do so. But Schwartz said that does not go far enough. Google and other companies should disclose the process for divulging that information in civil and criminal cases, and whether users will be notified beforehand, he said.

"As Google gets into lots of new businesses, they're going to be asked for more information about their users from outsiders," he said.