Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements April 2008


Page 1: California Office of Privacy Protection - Recommended ... · PDF fileThis document is for informational purposes and should not be construed as legal advice or as policy of the State

Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements

April 2008


This document is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice in a particular case, you should consult an attorney-at-law or other expert. The brochure may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Office of Privacy Protection, and (3) all copies are distributed free of charge.

November 2004; Rev. April 2008

California Office of Privacy Protection
www.privacy.ca.gov

866-785-9663


California Office of Privacy Protection

California Information-Sharing Disclosures & Privacy Policy Statements 3

Contents

Introduction ........................................ 5
  Privacy Notice Laws .............................. 5
  Privacy and Customer Trust ....................... 5
  Benchmark Study .................................. 6
Recommended Practices .............................. 7
Information-Sharing Disclosures .................... 8
  Disclosure Document .............................. 8
  Customer Choice Notice ........................... 9
  Notice of Information-Sharing Disclosure ........ 10
Privacy Policy Statements ......................... 12
Notes ............................................. 15
Appendices ........................................ 19
  Appendix 1: Advisory Group Members .............. 19
  Appendix 2: “Shine the Light” Law ............... 20
  Appendix 3: Online Privacy Protection Act ....... 28


Introduction

Privacy Notice Laws

As was the case for each prior set of recommended practices issued by the California Office of Privacy Protection, these recommendations address practical issues raised by new California privacy laws. The “shine the light” law, known as SB 27 of 2003, imposes specific privacy notice requirements on certain businesses that share customer personal information with others for marketing purposes.1 This law is unique in requiring disclosure of the details of a business’s sharing of customer personal information. The “shine the light” law was a response to growing consumer concern about such information sharing. This document also addresses the broader topic of privacy policy statements, including the requirements of the California Online Privacy Protection Act.2

Over the past three decades, an international consensus has developed regarding general guidelines for collecting and managing personal information, expressed as the Fair Information Practice Principles.3 The United States of America, as a member of the Organisation for Economic Co-operation and Development, participated in the development of these principles and reaffirmed their viability as recently as 1998, in the Declaration on the Protection of Privacy in Global Networks.4 In that work, the U.S. committed to respecting individual privacy rights as an essential component to building and retaining public confidence in a marketplace that is increasingly global and increasingly online. The Principles form the foundation of most privacy laws in the U.S. and elsewhere.

The issue of giving meaningful notice of privacy policies and practices concerns the most basic Fair Information Practice Principle: Openness. The issue has received considerable legislative attention. In developing the present recommendations, the Office of Privacy Protection considered several major laws in this area. The laws whose notice provisions we reviewed included, in addition to the California Online Privacy Protection Act, the California Financial Information Privacy Act; the federal privacy regulations and guidance on the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Safe Harbor framework; Canada’s Personal Information Protection and Electronic Documents Act; and the European Union’s Data Protection Directive.5 We note that the notice provisions of these different laws appear to be complementary. Nonetheless, meeting the requirements of several of them at once, as some companies must do, may present challenges in certain instances.

Privacy and Customer Trust

Recent research in the U.S. confirms the need for organizations to earn consumer confidence in the way they manage personal information. A national survey conducted in June 2004 by Privacy and American Business (P&AB) with Harris Interactive found that more Americans are acting on their privacy concerns today than five years ago.6 Consumers are particularly unhappy about the unauthorized use of their personal information for marketing, whether the use is by a company with which the consumer has a business relationship or by other companies with which the information was shared. The P&AB survey found that 87 percent of consumers had asked a company to remove their name and address from marketing lists, an increase of 29 percent since 1999. An equally striking 81 percent had asked a company not to sell or give their name and address to another company, up 28 percent since 1999. The P&AB survey also found that 65 percent of consumers online – more than 94 million people – decided not to register at a Web site because they deemed the privacy policy too complicated or unclear. Thus, an effective privacy policy statement is a critical element in winning customers online.

According to Dr. Alan Westin, a national expert on information privacy and the president of P&AB, the survey results confirm, “not just consumer resistance to what they see as intrusive marketing probes, but a clear desire to be given and to be able to exercise rational personal choices in how marketing to them is conducted by the companies those consumers already patronize.”7

Another national study conducted in June 2004 by the Ponemon Institute (a think tank on privacy and information security policy) found that consumers gauge a company’s privacy trustworthiness by three criteria. The most important factor is the company’s overall reputation for product and service quality, followed by the company’s limits on collection of its customers’ personal information. The third factor is the use of advertisements and solicitations that respect consumer privacy.8

Other studies by the Ponemon Institute have found that organizations that achieve higher privacy trust ratings experience tangible positive outcomes.9 Examples of positive outcomes include higher consumer data accuracy, higher customer participation in online activities, lower customer churn rates, and much higher product or brand loyalty. The following key activities were common among companies with high scores:

• Providing clear and concise privacy policy statements and notices, including explaining the distinction between Web and non-Web privacy practices.

• Offering customers the ability to participate in data collection and use decisions, with well defined steps for opting in or out.

• Setting limits on data sharing and providing clear information on how shared data will be used.

• Providing well defined steps for redress and for making general inquiries about privacy issues.

More companies today recognize that respect for privacy is an essential component of customer trust and that privacy statements are, as a Canadian privacy official puts it, relationship builders rather than legal disclaimers.10 We offer these recommendations to encourage the provision of meaningful and understandable statements of a company’s privacy practices. Such openness enables consumers to play their proper role in a robust free market.

Benchmark Study

In June 2004, the Ponemon Institute conducted a preliminary benchmark study on corporate preparations for California’s “shine the light” law. Based on interviews with 32 mostly large companies, the study results show that some are striving to do more to track and control data sharing with direct marketers, including using data-tracking technology. A majority of the companies, however, see the requirement as a fairly simple revision to their existing privacy disclosure and notice process. The major changes being implemented included Web site redesign, printing and distributing customer information on the new law, and awareness training for customer contact personnel. Several respondents mentioned that the new requirement gave them an opportunity to build trust and confidence with customers. More information on the survey results is available from the Ponemon Institute.11


The Office of Privacy Protection’s Recommended Practices

California law obligates the Office of Privacy Protection to protect the privacy of individuals’ personal information by “identifying consumer problems in the privacy area and facilitating [the] development of fair information practices.”12

One of the ways that the Office of Privacy Protection is directed to fulfill this mandate is by making “recommendations to organizations for privacy policies and practices that promote and protect the interests of California consumers.”13

The recommendations offered here are neither regulations, nor statutory mandates, nor legal opinions. Rather, they are a contribution to the development of “best practices” for businesses and other organizations to follow in managing personal information in ways that promote and protect individual privacy interests, while fostering economic development.

The Fair Information Practice Principles underlie these recommendations. Following the common path marked out by the Principles can make it easier for businesses to harmonize their sometimes varying privacy requirements. This approach resembles that of the U.S. Department of Commerce’s “Safe Harbor” framework, which is intended to “bridge different privacy approaches and provide a streamlined means for U.S. organizations to comply with the European Union’s Directive on Data Protection.”14 This approach also benefits consumers by encouraging a reduction in the number and complexity of privacy statements provided by a single business.15

The Office of Privacy Protection is extremely grateful for the generous work of the advisory group that assisted us on this project. The 22-member group included representatives of the banking, securities, insurance, health care, technology, telecommunications, retail, manufacturing, marketing and entertainment industries, along with consumer and privacy advocates. A list of the members of the advisory group is included as Appendix 1.

Recommendations on Information-Sharing Disclosures and Privacy Policy Statements

These recommendations focus on the disclosure of the details of a business’s practices in sharing personal information for marketing purposes. This is but one aspect of a larger issue: the importance of providing individuals with meaningful notice of all of a business’s policies and practices for managing personal information. These recommendations begin with the new California requirement that businesses disclose the details of their sharing of personal information. The recommendations address how to notify customers of their right to obtain this disclosure or the alternative customer choice opportunity. Finally, the recommendations address the broader statement of a business’s privacy policies and practices, including the requirements for online privacy statements.

Recommended Practices


Information-Sharing Disclosures

The key terms used in this document are defined specifically for that use in the box below.

Key terms are defined for use in this document.

Privacy Policies and Practices: An organization’s rules and procedures for collecting, using, disclosing, protecting, and managing personal information.

Privacy Policy Statement or Privacy Statement: A written statement of an organization’s Privacy Policies and Practices provided or made available to individuals whose personal information is involved.

California Customer Choice Notice: A component of a company’s Privacy Policy Statement that allows a customer to choose to prevent the sharing of the customer’s personal information with other companies for their direct marketing purposes, as provided by California Civil Code section 1798.83.

California Information-Sharing Disclosure: A company’s list of categories of customer personal information shared with other companies for direct marketing purposes and a list of companies with whom the information is shared, as required by California Civil Code section 1798.83.

California Notice of Information-Sharing Disclosure: A notice of consumers’ right, under California Civil Code section 1798.83, to request and receive a copy of a company’s Information-Sharing Disclosure or a cost-free means of preventing such information sharing (see Customer Choice Notice). It includes the mailing address, e-mail address, toll-free telephone number or toll-free fax number to which customers may submit a request for a company’s Information-Sharing Disclosure.

Recommendations on the California Information-Sharing Disclosure

Provide your Information-Sharing Disclosure promptly.

• Respond to a customer’s request for an Information-Sharing Disclosure as soon as possible after receiving it, but no later than within 30 days for a request made to the contact point designated in the Notice of Information-Sharing Disclosure.16

Make your Information-Sharing Disclosure specific and comprehensive.

• List all categories of customer personal information that you disclosed, during the past calendar year, to other companies17 for their direct marketing purposes.

  - Consider giving examples of the types of personal information in a category. For example, contact information such as name, mailing address, phone number and e-mail address; financial information such as billing address, banking information, credit card information; and profile information such as interests, marital status, gender, age, or household income level.

  - Scenario: Acme Widgets collects personal information from its customers in the following categories: Contact Information, including name, mailing address, and e-mail address; and Billing Information, including credit card account number and billing address. In 2004 Acme Widgets disclosed its customers’ Contact Information to Superior Products. Superior used it to send out an offer on its new products. Acme Widgets would list in its Information-Sharing Disclosure provided in response to a request received in 2005, the following categories of personal information: Contact Information, including name, mailing address and e-mail address.

• List all other companies to which, during the past calendar year, you disclosed customer personal information for their direct marketing purposes.18

  - Consider listing the companies by type, such as subsidiaries and affiliates, marketing partners, market research companies, advertisers, data aggregators, etc.

  - Scenario: Under the facts of the previous scenario, Acme Widgets would include Superior Products in the list of companies in its Information-Sharing Disclosure, with its address and examples of Superior’s products, for example, sporting goods and camping equipment.

Recommendations on the California Customer Choice Notice

If your company’s published Privacy Policy Statement offers customers the right to consent to or opt out of sharing their personal information with other companies for direct marketing purposes, then provide a customer who requests an Information-Sharing Disclosure with a Customer Choice Notice allowing the customer to exercise that right at no cost.

Provide your Customer Choice Notice promptly.

• Respond to a customer’s request for an Information-Sharing Disclosure by providing your Customer Choice Notice as soon as possible after receiving the request.

• Respond no later than within 30 days to a request made to the contact point designated in your Notice of Information-Sharing Disclosure.19

Make your Customer Choice Notice clear and understandable.20

• When giving a customer an opt-in choice, state clearly that you will not share personal information about the customer with other companies for their marketing use unless the customer actively consents to such sharing.

• When giving a customer an opt-out choice, use a simple check-box format and language such as “Unless you say no by checking this box, we may share personal information about you with other companies for their marketing use.”21

Give customers a cost-free way to indicate their preference.

• Allow your customers to communicate their preferences, preferably in a manner that creates a record for you and for them: on your Web site, by e-mail, by mail, by a toll-free phone or by a toll-free fax.

• Clearly explain the extent of a customer’s option not to share the customer’s information. Explain, for example, whether it applies to all relationships that a customer has with a company or to just one account.

  - For example, a customer may have several bank accounts or may have signed up with a Web site several times. Explain whether the customer’s preferences apply to all accounts or whether the customer needs to exercise an opt-out option for each individual account.

• It is a good idea to explain other non-marketing reasons for contacting customers, such as product safety or customer service.

  - Explain that denying consent to information sharing may not prohibit sharing for such non-marketing purposes.

Respect your customers’ preferences by keeping records and ensuring that preferences are always honored.

• Implement customer requests not to share their personal information within a reasonable time period.

  - For example, a reasonable period to implement a customer’s request not to share might be within 30 to 45 days after receiving the customer’s request.22

• It is a good idea to inform customers of the timeframe in which they can expect that their information will no longer be shared.

• It is a good idea to provide an acknowledgment or confirmation when a customer’s request not to have personal information shared has been implemented.

Recommendations on the California Notice of Information-Sharing Disclosure

Make your Notice of Information-Sharing Disclosure recognizable.

• If the Notice is on a Web page separate from the page containing your company Privacy Statement, entitle the Notice “Your Privacy Rights” or “Your California Privacy Rights,” in legible type designed to draw attention to its significance.

• Add a link to your company’s Privacy Statement at the end of the Notice.

• If the Notice is on the page containing your company Privacy Statement, put the Notice on the first linked page in a location and style that make it conspicuous.

Make your Notice of Information-Sharing Disclosure clear and understandable.23

• Use plain, straightforward language.

• Use titles and headers to identify key parts of the Notice.

• Use easily readable type, in a reasonably legible size and in a color that contrasts distinctly with the background.

Make your Notice of Information-Sharing Disclosure readily accessible to customers.

• Use at least one of the following means of making the Notice available to your customers. Consider using more than one.

  - Train your agents who have regular contact with your customers, and train supervisors of your customer-contact staff, in what to tell customers who request an Information-Sharing Disclosure.

    - Have your supervisors instruct employees with regular customer contact to tell customers who request an Information-Sharing Disclosure how they can get one.

  - Make your Notice of Information-Sharing Disclosure readily available at all your California locations that experience regular customer contact.

    - For example, have copies of the Notice on hand at check stands or in a designated office at each location.

  - Post your Notice of Information-Sharing Disclosure on your Web site.24

    - Post the Notice (or a conspicuous link to it) on any and all company Web sites on pages where a customer would conduct online business and on pages where a customer would reasonably expect to find information on company policies.

    - Put a conspicuous link to the Notice on the home page that includes the words “Your Privacy Rights” or “Your California Privacy Rights.”

    - On each page containing the Notice, put it in a location and style that make it conspicuous.

    - Provide a postal address, e-mail address, telephone number or fax number for the customer to contact in order to request the Information-Sharing Disclosure.

• Include a description of a customer’s rights to request and receive a cost-free means of preventing such sharing of personal information or to request and receive the Information-Sharing Disclosure.


Privacy Policy Statements

Recommendations on Privacy Policy Statements25

Make your Privacy Statement recognizable.

• Whether it’s printed in a brochure, posted on a Web site or enclosed with another mailing, your Privacy Statement should have a descriptive title containing the word “privacy” in legible type designed to draw attention to its significance.

• When you print your Privacy Statement, make it a separate document. On your Web site, format the Statement so that it can be printed as a separate document.

• Consider providing your Privacy Statement in languages other than English.

Make your Privacy Statement readily accessible.

• Post your Privacy Statement on your Web site(s).26

  - Use your Web site to make available Privacy Statements covering both your offline and online practices for managing personal information.

  - Use a conspicuous link on your home page containing the word “privacy.” Make the link conspicuous by using larger type than the surrounding text, contrasting color, or symbols that call attention to it.

  - Put a conspicuous “privacy” link on every Web page where personal information is collected.

• Clearly indicate which entities a Privacy Statement covers, such as subsidiaries or affiliates.

• Make sure that employees who regularly interact with consumers and those who handle consumers’ personal information understand your Privacy Statement.

• Provide copies of your Privacy Statement to new customers, regularly to all customers, and to others who request it.

Make your Privacy Statement clear and understandable.27

• Use plain, straightforward language. Avoid technical or legal jargon.28

• Use short sentences.

• Use the active voice.

• Use titles and headers to identify key parts of the Statement. On a Web site, consider using links at the top of the page to guide users through the Statement.

• Use an easily readable type font, in a reasonably legible size and in a color that contrasts distinctly with the background.

• Invite and use customer input when drafting or revising your Privacy Statement.

Describe how you collect personal information.

• If you collect personal information from sources other than your customers, describe this in your Privacy Statement.

• If you collect personal information through Web technologies, such as cookies or Web beacons, describe this in your Privacy Statement.

Describe the kind of personal information you collect.

• Be reasonably specific in describing the kind of personal information you collect.

• At the least, list the categories of personal information that you collect from customers and from Web site visitors.29

• Provide examples of the categories of personal information your company collects. For example, “We collect contact information, such as your name and e-mail address, as well as billing information, such as credit card number and billing address.”

Explain how you use and share personal information.

• Explain uses of personal information beyond what is necessary for fulfilling a customer transaction.

• Explain your practices regarding sharing of personal information with other entities, including affiliates and marketing partners.

• List the different types of companies with which you share customer personal information.30

  - Be sure to include any companies that have a direct link or live feed of consumer information through a Web site.

Give your customers choices on how their personal information is used or disclosed.

• Give your customers a simple, effective way to consent to, or to opt out of, sharing their personal information with other companies for marketing purposes.31

• Clearly explain how customers can exercise their option to withhold consent to such information sharing.

• Clearly explain the extent of a customer’s option to limit sharing of personal information, for example, whether it applies to all relationships that a customer has with an organization or to just one account.

• It is a good idea to explain other non-marketing reasons for contacting customers, such as product safety or customer service.

  - Explain that denying consent to information sharing may not prohibit sharing for non-marketing purposes, such as for completing a requested transaction.

Respect your customers’ preferences by keeping records of preferences and ensuring that they are always honored.

• Implement customer preferences within a reasonable time period.

  - For example, a reasonable period to implement a customer’s denial of consent to share might be within 30 to 45 days of receiving the customer’s request.32

• It is a good idea to let customers know the timeframe in which they can expect that their information will no longer be shared.

• It is a good idea to provide an acknowledgment or confirmation when a customer’s request not to have personal information shared has been processed.

Consider offering your customers the opportunity to review and correct their personal information.

• If you do offer your customers this opportunity, explain how they can get access to their own personal information in your care.33


• Before providing customers access to their personal information, be sure to properly verify identity and authenticate any access right, particularly concerning sensitive personal information, such as Social Security numbers, financial account numbers, or medical information.

• Control and document customer changes or corrections to personal information, through audit logs or transaction histories, for example.

Explain how you protect your customers’ personal information from unauthorized or illegal access.

• Give a general description of the security measures you use to safeguard the personal information in your care, but not in such detail as to compromise your security.

• Give a general description of the measures you use to control the information security practices of third parties with whom you share customer personal information for any purpose.

Tell your customers whom they can contact with questions or concerns about your Privacy Policies and Practices.

• Give at least a title and e-mail or postal address of a company official who will respond to privacy questions or concerns. It is a good idea to offer a telephone number, perhaps toll-free.

• Train your customer service telephone staff to recognize an inquiry about privacy. It is a good idea to make customer service staff aware of how customers can get an Information-Sharing Disclosure and a copy of your business’s published Privacy Statement.

• Consider providing information on identity theft prevention and remediation.

Give the effective date of your Privacy Statement.34

• Use good version control procedures to ensure that your Privacy Statement is uniform throughout the organization.

Explain how you will notify customers about material changes to your Privacy Policies and Practices.

• Do not rely on merely changing the Privacy Statement on your Web site as the exclusive means of notifying customers of material changes in your uses or sharing of personal information.


1 California Civil Code §§ 1798.83-1798.84,enacted as Chapter 505, California Statutes of2003 (Senate Bill 27 [Figueroa]). A summary andthe complete text of the law is attached as Ap-pendix 2.

2 California Business and Professions Code§§ 22575-22579, enacted as Chapter 829, Cali-fornia Statutes of 2003 (Assembly Bill 68[Simitian]). A summary and the complete textof the law is attached as Appendix 3.

3 The Fair Information Practice Principles,as formulated by the Organisation for EconomicCo-operation and Development (OECD): Col-lection Limitation, Data Quality, Purpose Speci-fication, Use Limitation, Security Safeguards,Openness, Individual Participation and Account-ability.

4Guidelines on the Protection of Privacy andTransborder Flows of Personal Data and Declarationon the Protection of Privacy in Global Networks is avail-able from the OECD at www.oecd.org.

5 California Financial Information PrivacyAct, Financial Code §§ 4050-4060; CaliforniaOnline Privacy Protection Act, Business and Pro-fessions Code §§ 22575-22579; Health InsurancePortability and Accountability Act of 1996, Stan-dards for Privacy of Individually IdentifiableHealth Information, Final Rule - 45 C.F.R. Parts160 and 164; Financial Services ModernizationAct (Gramm-Leach-Bliley), Privacy Rule - 15 U.S.Code §§ 6801-6809; Safe Harbor Framework atwww.export.gov/safeharbor.

6 The survey was conducted by Privacy andAmerican Business with Harris Interactive. Thesurvey’s results are reported in the July 2004 is-sue of Privacy & American Business Newsletter:, v.11, no. 5, available at www.pandab.org.

7Ibid.8 2004 Most Trusted Companies for Pri-

vacy Study, Ponemon Institute, June 10, 2004.9 Studies available from the Ponemon In-

stitute at www.ponemon.org: Privacy Trust Studyof the United States Government, January 11,2004; Privacy Trust Study of the Airlines, July11, 2004; Second Privacy Trust Study of RetailBanking, December 5, 2003; Annual Privacy TrustStudy, October 31, 2003; and 2002 Privacy TrustStudy of Retail Banking, October 24, 2003.

10 Ann Cavoukian and Tyler J. Hamilton,The Privacy Payoff, McGraw Hill, 2002, page 303.

11 Ponemon Institute, Attn.: ResearchDepartment, 3901 S. Escalante Ridge Place,Tucson, Arizona 85730, 520-290-3400, e-mail:[email protected].

12 California Government Code§ 11549.5(a).

13 California Government Code§ 11549.5(c).

14 For more information on the Safe Har-bor Framework, see the U.S. Department ofCommerce’s Web site at www.export.gov/safeharbor/.

15 See the finding that more numerous andcomplex privacy policy documents have increasedthe burden on consumers, in “An Analysis ofWeb Site Privacy Policy Evolution in the Pres-ence of HIPAA,” by Annie I. Antón and othersof the Colleges of Engineering and Managementat North Carolina State University, available atwww.theprivacyplace.org/.

16 California Civil Code § 1798.83(b) requiresa company to respond within 30 days of receiptof a request made to the contact point provided

Notes

Page 16: California Office of Privacy Protection - Recommended ... · PDF fileThis document is for informational purposes and should not be construed as legal advice or as policy of the State

16

in the Notice of Information-Sharing Disclosure.It allows up to 150 days for responding to arequest made to a contact point other than theone designated in the notice.

17 The “shine the light law” uses the term“third party,” defined as one or more of the fol-lowing: (A) a business that is a separate legal en-tity from the business that has an established busi-ness relationship with a customer, (B) a businessauthorized to access for its own direct marketingpurposes a database shared among businesses,or (C) a business not affiliated by a commonownership or common corporate control. CivilCode § 1798.83(e)(8).

18 The “shine the light” law, at CaliforniaCivil Code § 1798.83(f), allows a more limiteddisclosure of sharing with certain affiliated com-panies for direct marketing purposes. In the caseof sharing with affiliates with the same brandname, a company may provide the number ofaffiliated companies rather than listing them allby name. And unless certain types of personalcustomer information are shared with such af-filiates, the company does not have to list thecategories of information shared. The specialtypes of information include number, age or gen-der of children; personal data, such as race andreligion; medical information; and financial in-formation.

19 See Note 16 above.20 See the Federal Trade Commission’s ad-

vice in “Getting Noticed: Writing Effective Fi-nancial Privacy Notices,” available at www.ftc.gov.

21 See the statutory notice form in the Cali-fornia Financial Information Privacy Act, at Fi-nancial Code § 4053(d), as an example of a clearand understandable opt-out notice.

22 The California Financial Information Pri-vacy Act requires financial services companies tohonor such a request within 45 days of provid-ing an opt-out opportunity, at Financial Code §4053(d)(3). The Federal Trade Commission’sguidance on the Gramm-Leach-Bliley Act’s Pri-vacy Rule recommends 30 days as a reasonabletime period.

23 See note 20 above.24 See Civil Code § 1798.83(b) of the “shine

the light” law for specific requirements on Website posting of the Notice of Information-Shar-ing Disclosure.

25 Among those businesses required by lawto make a statement of their privacy policies andpractices available to customers and others areoperators of commercial Web sites or online ser-vices that collect personal information on Cali-fornia residents (California Online Privacy Pro-tection Act); specified financial services compa-nies (California Financial Information Privacy Actand the federal Gramm-Leach-Bliley Act); healthcare providers, health plans and health clearing-houses (Health Insurance Portability and AccessAct); and certain companies doing business inEurope (Safe Harbor, EU Data Protection Di-rective).

26 Operators of commercial Web sites andonline services that collect personal informationon California residents are required by the Cali-fornia Online Privacy Protection Act to “con-spicuously post” a privacy statement on the Website. Business and Professions Code § 22577(b)defines “conspicuously post” with specific ex-amples that would make the statement notice-able by a reasonable person.

27 See Note 20 above.28 According to the National Adult Literacy

Survey, about half of American adults functionat a level that makes reading more than brief,uncomplicated texts very difficult. Readabilitymeasures are based on average sentence lengthand average number of words per sentence. Onestandard for a readable privacy notice is set inthe California Financial Information Privacy Act(Financial Code § 4053(d)), which requires a mini-mum Flesch reading ease score of 50, or FairlyDifficult. Compare this to the simpler Plain En-glish level, which has a Flesch score of 65, basedon an average sentence length of 15 to 20 wordsor less and an average word length of two syl-lables.

29 Operators of commercial Web sites and

Page 17: California Office of Privacy Protection - Recommended ... · PDF fileThis document is for informational purposes and should not be construed as legal advice or as policy of the State

California Office of Privacy Protection

California Information-Sharing Disclosures & Privacy Policy Statements 17

of online services that collect personal informa-tion on California residents are required by theOnline Privacy Protection Act to include in theirprivacy statement a list of categories of personalinformation collected online. California Businessand Professions Code § 22575(b)(1).

30 The Online Privacy Protection Act re-quires operators of commercial Web sites andof online services that collect personal informa-tion on California residents to include in theirprivacy statement a list of the categories of “thirdparties” with whom personal information onCalifornia residents is shared. California Businessand Professions Code § 22575(b)(1).

31 The “shine the light” law, at CaliforniaCivil Code § 1798.83(c), allows a company sub-ject to its provisions to respond to a customerrequest for an Information-Sharing Disclosureby providing the customer with a cost-free op-portunity to prevent such information sharingwith third parties for marketing purposes. Thecompany must adopt and disclose this policy tothe public, which would include publishing it inits privacy statement.

32 See Note 22 above.33 The Online Privacy Protection Act., at

California Business and Professions Code§22575(b)(2), requires operators of commercialWeb sites and of online services to provide adescription of the process for reviewing and cor-recting personal information, where such a pro-cess is offered.

34 The Online Privacy Protection Act., atCalifornia Business and Professions Code§22575(b)(3), requires operators of commercialWeb sites and of online services to provide apolicy effective date and a description of themeans of notifying customers and others ofmaterial changes to the policy.


Appendix 1: Advisory Group

Jonathan Avila, The Walt Disney Company

Joanne Bettancourt, Securities Industry Association

Steve Blackledge, CALPIRG

Kaye Caldwell, Internet Alliance

Keith Cheresko, Ford

Ann Eowan, Association of California Life and Health Insurance Companies

Jonathan Fox, Sun Microsystems

Mari Frank, Attorney, Privacy Consultant, Author

Joanne Furtsch, TRUSTe

Leanne Gassaway, California Association of Health Plans

Beth Givens, Privacy Rights Clearinghouse

Roxanne Gould, American Electronics Association

Mike Griffiths, Albertsons, California Retailers Association

Charles Halnan, The Direct Marketing Association

Ed Howard, Office of Senator Liz Figueroa

Peter McCorkell, Wells Fargo Bank, California Bankers Association

Valerie Nera, California Chamber of Commerce

Deborah Pierce, PrivacyActivism

Larry Ponemon, Ponemon Institute

Kathy Rehmer, Cingular

Saundra Kae Rubel, Jefferson Data Strategies, LLC

Sam Sorich, National Association of Independent Insurers

Appendix 2: California’s “Shine the Light” Law

Summary of the Law’s Requirements

Which Businesses Are Subject to the Statute

California Civil Code section 1798.83 imposes a specific disclosure requirement on many businesses1 that share their customers’ personal information with other businesses for direct marketing purposes. It applies to businesses that have the following:

20 or more employees,

An established business relationship with a customer who is a California resident, and

Within the immediately preceding calendar year, shared customer personal information with other companies for their direct marketing use.

The statute exempts from its requirements: (1) financial institutions that are subject to certain provisions of the California Financial Information Privacy Act,2 and (2) specific types of business-related disclosures to third parties, such as those for administration or customer service, provided that the third parties do not use the information for their own direct marketing purposes.

Notifying Customers of Their Rights Under the Statute

Businesses must notify California customers of their rights under the statute by designating a contact point (mailing address, e-mail address, toll-free phone number or toll-free fax number) for customers to contact to request a business’s disclosure regarding how it shares personal information with other businesses for direct marketing purposes (“California Information-Sharing Disclosure”).

In at least one of three ways, a business must notify customers of the contact point for requesting the business’s Information-Sharing Disclosure:

1. Tell agents and supervisors of customer-contact staff to instruct employees about giving contact point information to customers who request a business’s Information-Sharing Disclosure.

2. On the business’s Web site, provide information on the contact point and describe customer rights.

• Link on home page using words “Your Privacy Rights” or “Your California Privacy Rights” to another Web page or to the page that contains the business’s Privacy Policy Statement.

• First linked page from the “Your Privacy Rights” link must describe a customer’s rights to request and receive an Information-Sharing Disclosure or a cost-free means of preventing such disclosures, and must provide information on the business’s contact point for making such a request.

3. Make information on the contact point readily accessible at all California locations with regular customer contact.

What Information a Business Must Disclose

In response to a request from a California customer for an Information-Sharing Disclosure, a company must do one of the following, once in a calendar year for each requesting customer:


Provide in writing or by e-mail, at no cost to the customer, the following Information-Sharing Disclosure:

A list of categories of personal information shared, during the immediately preceding calendar year, with other businesses for their direct marketing purposes, and

Names and addresses of other businesses with whom such information was shared, if needed to indicate nature of business, with examples of products or services

OR

If the business has a published privacy policy of not sharing personal information with other companies for direct marketing purposes without customer consent (opt-in or opt-out), then provide a notice of the customer’s right to prevent such sharing together with a cost-free means of doing so (“California Customer Choice Notice”).

Responding to a Customer Request

A business must respond to a request from a California customer for an Information-Sharing Disclosure:

In response to a customer’s request made to the designated contact point, provide Information-Sharing Disclosure or Customer Choice Notice, within 30 days of receipt of request.

In response to a customer’s request made to another address, provide Information-Sharing Disclosure or Customer Choice Notice, in “reasonable time period,” no later than 150 days from receipt of request.

If information about the business’s contact point is provided on the business’s Web site via a home page link that includes the words “Your California Privacy Rights,” the business need not respond to requests made to any address other than the address so provided.

Remedies and Penalties

Private right of action for damages, injunctive relief, civil penalties of up to $500 per violation.

Willful, intentional or reckless violation: damages, injunctive relief, civil penalty of up to $3,000 per violation.

A prevailing plaintiff is entitled to recover reasonable attorney fees and costs.

Unless violation is willful, intentional or reckless, a business may assert as a complete defense that it provided accurate, complete information within 90 days of knowing of inadequacy.

Text of California Civil Code Sections 1798.83-1798.84

1798.83. (a) Except as otherwise provided in subdivision (d), if a business has an established business relationship with a customer and has within the immediately preceding calendar year disclosed personal information that corresponds to any of the categories of personal information set forth in paragraph (6) of subdivision (e) to third parties, and if the business knows or reasonably should know that the third parties used the personal information for the third parties’ direct marketing purposes, that business shall, after the receipt of a written or electronic mail request, or, if the business chooses to receive requests by toll-free telephone or facsimile numbers, a telephone or facsimile request from the customer, provide all of the following information to the customer free of charge:

(1) In writing or by electronic mail, a list of the categories set forth in paragraph (6) of subdivision (e) that correspond to the personal information disclosed by the business to third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year.

(2) In writing or by electronic mail, the names and addresses of all of the third parties that received personal information from the business for the third parties’ direct marketing purposes during the preceding calendar year and, if the nature of the third parties’ business cannot reasonably be determined from the third parties’ name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties’ business.

(b) (1) A business required to comply with this section shall designate a mailing address, electronic mail address, or, if the business chooses to receive requests by telephone or facsimile, a toll-free telephone or facsimile number, to which customers may deliver requests pursuant to subdivision (a). A business required to comply with this section shall, at its election, do at least one of the following:

(A) Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business’ privacy practices or the business’ compliance with this section shall be informed of the designated addresses or numbers or the means to obtain the addresses or numbers.

(B) Add to the home page of its Web site, a link either to a page titled “Your Privacy Rights” or to add the words “Your Privacy Rights,” to the home page’s link to the business’ privacy policy. If the business elects to add the words “Your Privacy Rights” to the link to the business’ privacy policy, the words “Your Privacy Rights” shall be in the same style and size of the link to the business’ privacy policy. If the business does not display a link to its privacy policy on the home page of its Web site, or does not have a privacy policy, the words “Your Privacy Rights” shall be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link shall describe a customer’s rights pursuant to this section and shall provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate. If the business elects to add the words “Your California Privacy Rights” to the home page’s link to the business’s privacy policy in a manner that complies with this subdivision, and the first page of the link describes a customer’s rights pursuant to this section, and provides the designated mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as appropriate, the business need not respond to requests that are not received at one of the designated addresses or numbers.

(C) Make the designated addresses or numbers, or means to obtain the designated addresses or numbers, readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.

The response to a request pursuant to this section received at one of the designated addresses or numbers shall be provided within 30 days. Requests received by the business at other than one of the designated addresses or numbers shall be provided within a reasonable period, in light of the circumstances related to how the request was received, but not to exceed 150 days from the date received.

(2) A business that is required to comply with this section and Section 6803 of Title 15 of the United States Code may comply with this section by providing the customer the disclosure required by Section 6803 of Title 15 of the United States Code, but only if the disclosure also complies with this section.

(3) A business that is required to comply with this section is not obligated to provide information associated with specific individuals and may provide the information required by this section in standardized format.

(c) (1) A business that is required to comply with this section is not obligated to do so in response to a request from a customer more than once during the course of any calendar year. A business with fewer than 20 full-time or part-time employees is exempt from the requirements of this section.

(2) If a business that is required to comply with this section adopts and discloses to the public, in its privacy policy, a policy of not disclosing personal information of customers to third parties for the third parties’ direct marketing purposes unless the customer first affirmatively agrees to that disclosure, or of not disclosing the personal information of customers to third parties for the third parties’ direct marketing purposes if the customer has exercised an option that prevents that information from being disclosed to third parties for those purposes, as long as the business maintains and discloses the policies, the business may comply with subdivision (a) by notifying the customer of his or her right to prevent disclosure of personal information, and providing the customer with a cost free means to exercise that right.

(d) The following are among the disclosures not deemed to be disclosures of personal information by a business for a third parties’ direct marketing purposes for purposes of this section:

(1) Disclosures between a business and a third party pursuant to contracts or arrangements pertaining to any of the following:

(A) The processing, storage, management, or organization of personal information, or the performance of services on behalf of the business during which personal information is disclosed, if the third party that processes, stores, manages, or organizes the personal information does not use the information for a third party’s direct marketing purposes and does not disclose the information to additional third parties for their direct marketing purposes.

(B) Marketing products or services to customers with whom the business has an established business relationship where, as a part of the marketing, the business does not disclose personal information to third parties for the third parties’ direct marketing purposes.

(C) Maintaining or servicing accounts, including credit accounts and disclosures pertaining to the denial of applications for credit or the status of applications for credit and processing bills or insurance claims for payment.

(D) Public record information relating to the right, title, or interest in real property or information relating to property characteristics, as defined in Section 408.3 of the Revenue and Taxation Code, obtained from a governmental agency or entity or from a multiple listing service, as defined in Section 1087, and not provided directly by the customer to a business in the course of an established business relationship.

(E) Jointly offering a product or service pursuant to a written agreement with the third party that receives the personal information, provided that all of the following requirements are met:

(i) The product or service offered is a product or service of, and is provided by, at least one of the businesses that is a party to the written agreement.

(ii) The product or service is jointly offered, endorsed, or sponsored by, and clearly and conspicuously identifies for the customer, the businesses that disclose and receive the disclosed personal information.

(iii) The written agreement provides that the third party that receives the personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a product or service that is the subject of the written agreement.

(2) Disclosures to or from a consumer reporting agency of a customer’s payment history or other information pertaining to transactions or experiences between the business and a customer if that information is to be reported in, or used to generate, a consumer report as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act.

(3) Disclosures of personal information by a business to a third party financial institution solely for the purpose of the business obtaining payment for a transaction in which the customer paid the business for goods or services with a check,

credit card, charge card, or debit card, if the customer seeks the information required by subdivision (a) from the business obtaining payment, whether or not the business obtaining payment knows or reasonably should know that the third party financial institution has used the personal information for its direct marketing purposes.

(4) Disclosures of personal information between a licensed agent and its principal, if the personal information disclosed is necessary to complete, effectuate, administer, or enforce transactions between the principal and the agent, whether or not the licensed agent or principal also uses the personal information for direct marketing purposes, if that personal information is used by each of them solely to market products and services directly to customers with whom both have established business relationships as a result of the principal and agent relationship.

(5) Disclosures of personal information between a financial institution and a business that has a private label credit card, affinity card, retail installment contract, or co-branded card program with the financial institution, if the personal information disclosed is necessary for the financial institution to maintain or service accounts on behalf of the business with which it has a private label credit card, affinity card, retail installment contract, or branded card program, or to complete, effectuate, administer, or enforce customer transactions or transactions between the institution and the business, whether or not the institution or the business also uses the personal information for direct marketing purposes, if that personal information is used solely to market products and services directly to customers with whom both the business and the financial institution have established business relationships as a result of the private label credit card, affinity card, retail installment contract, or co-branded card program.

(e) For purposes of this section:

(1) “Customer” means an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes.

(2) “Direct marketing purposes” means the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes. The sale, rental, exchange, or lease of personal information for consideration to businesses is a direct marketing purpose of the business that sells, rents, exchanges or obtains consideration for the personal information. “Direct marketing purposes” does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions, (B) to raise funds from and communicate with individuals regarding politics and government, (C) by a third party when the third party receives personal information solely as a consequence of having obtained for consideration permanent ownership of accounts that might contain personal information, or (D) by a third party when the third party receives personal information solely as a consequence of a single transaction where, as a part of the transaction, personal information had to be disclosed in order to effectuate the transaction.

(3) “Disclose” means to disclose, release, transfer, disseminate, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.

(4) “Employees who regularly have contact with customers” means employees whose contact with customers is not incidental to their primary employment duties, and whose duties do not predominantly involve ensuring the safety or health of the businesses customers. It includes, but is not limited to, employees whose primary employment duties are as cashier, clerk, customer service, sales, or promotion. It does not, by way of example, include employees whose primary employment duties consist of food or beverage preparation or service, maintenance and repair

of the business’ facilities or equipment, direct involvement in the operation of a motor vehicle, aircraft, watercraft, amusement ride, heavy machinery or similar equipment, security, or participation in a theatrical, literary, musical, artistic, or athletic performance or contest.

(5) “Established business relationship” means a relationship formed by a voluntary, two-way communication between a business and a customer, with or without an exchange of consideration, for the purpose of purchasing, renting, or leasing real or personal property, or any interest therein, or obtaining a product or service from the business, if the relationship is ongoing and has not been expressly terminated by the business or the customer, or if the relationship is not ongoing, but is solely established by the purchase, rental, or lease of real or personal property from a business, or the purchase of a product or service, no more than 18 months have elapsed from the date of the purchase, rental, or lease.

(6) (A) The categories of personal information required to be disclosed pursuant to paragraph (1) of subdivision (a) are all of the following:

(i) Name and address.
(ii) Electronic mail address.
(iii) Age or date of birth.
(iv) Names of children.
(v) Electronic mail or other addresses of children.
(vi) Number of children.
(vii) The age or gender of children.
(viii) Height.
(ix) Weight.
(x) Race.
(xi) Religion.
(xii) Occupation.
(xiii) Telephone number.
(xiv) Education.
(xv) Political party affiliation.
(xvi) Medical condition.
(xvii) Drugs, therapies, or medical products or equipment used.
(xviii) The kind of product the customer purchased, leased, or rented.
(xix) Real property purchased, leased, or rented.
(xx) The kind of service provided.
(xxi) Social security number.
(xxii) Bank account number.
(xxiii) Credit card number.
(xxiv) Debit card number.
(xxv) Bank or investment account, debit card, or credit card balance.
(xxvi) Payment history.
(xxvii) Information pertaining to the customer’s creditworthiness, assets, income, or liabilities.

(B) If a list, description, or grouping of customer names or addresses is derived using any of these categories, and is disclosed to a third party for direct marketing purposes in a manner that permits the third party to identify, determine, or extrapolate any other personal information from which the list was derived, and that personal information when it was disclosed identified, described, or was associated with an individual, the categories set forth in this subdivision that correspond to the personal information used to derive the list, description, or grouping shall be considered personal information for purposes of this section.

(7) “Personal information” as used in this section means any information that when it was disclosed identified, described, or was able to be associated with an individual and includes all of the following:

(A) An individual’s name and address.
(B) Electronic mail address.
(C) Age or date of birth.
(D) Names of children.
(E) Electronic mail or other addresses of children.
(F) Number of children.
(G) The age or gender of children.
(H) Height.
(I) Weight.
(J) Race.
(K) Religion.
(L) Occupation.
(M) Telephone number.
(N) Education.
(O) Political party affiliation.

Page 26: California Office of Privacy Protection - Recommended ... · PDF fileThis document is for informational purposes and should not be construed as legal advice or as policy of the State

26

(P) Medical condition. (Q) Drugs, therapies, or medical productsor equipment used. (R) The kind of product the customerpurchased, leased, or rented. (S) Real property purchased, leased, orrented. (T) The kind of service provided. (U) Social security number. (V) Bank account number. (W) Credit card number. (X) Debit card number. (Y) Bank or investment account, debitcard, or credit card balance. (Z) Payment history. (AA) Information pertaining to creditwor-thiness, assets, income, or liabilities. (8) “Third party” or “third parties” meansone or more of the following: (A) A business that is a separate legal entityfrom the business that has an established busi-ness relationship with a customer. (B) A business that has access to a databasethat is shared among businesses, if the busi-ness is authorized to use the database for di-rect marketing purposes, unless the use of thedatabase is exempt from being considered adisclosure for direct marketing purposes pur-suant to subdivision (d). (C) A business not affiliated by a commonownership or common corporate controlwith the business required to comply with sub-division (a). (f) (1) Disclosures of personal informationfor direct marketing purposes between affili-ated third parties that share the same brandname are exempt from the requirements ofparagraph (1) of subdivision (a) unless the per-sonal information disclosed corresponds toone of the following categories, in which casethe customer shall be informed of those cat-egories listed in this subdivision that corre-spond to the categories of personal informa-tion disclosed for direct marketing purposesand the third party recipients of personal in-formation disclosed for direct marketing pur-poses pursuant to paragraph (2) of subdivi-

sion (a): (A) Number of children. (B) The age or gender of children. (C) Electronic mail or other addresses ofchildren. (D) Height. (E) Weight. (F) Race. (G) Religion. (H) Telephone number. (I) Medical condition. (J) Drugs, therapies, or medical products orequipment used. (K) Social security number. (L) Bank account number. (M) Credit card number. (N) Debit card number. (O) Bank or investment account, debit card,or credit card balance. (2) If a list, description, or grouping of cus-tomer names or addresses is derived using anyof these categories, and is disclosed to a thirdparty or third parties sharing the same brand namefor direct marketing purposes in a manner thatpermits the third party to identify, determine, orextrapolate the personal information from whichthe list was derived, and that personal informa-tion when it was disclosed identified, described,or was associated with an individual, any otherpersonal information that corresponds to thecategories set forth in this subdivision used toderive the list, description, or grouping shall beconsidered personal information for purposesof this section. (3) If a business discloses personal informa-tion for direct marketing purposes to affiliatedthird parties that share the same brand name, thebusiness that discloses personal information fordirect marketing purposes between affiliated thirdparties that share the same brand name may com-ply with the requirements of paragraph (2) ofsubdivision (a) by providing the overall numberof affiliated companies that share the same brandname. (g) The provisions of this section are sever-able. If any provision of this section or its appli-cation is held invalid, that invalidity shall not af-

Page 27: California Office of Privacy Protection - Recommended ... · PDF fileThis document is for informational purposes and should not be construed as legal advice or as policy of the State

California Office of Privacy Protection

California Information-Sharing Disclosures & Privacy Policy Statements 27

1 California Civil Code, § 1798.80, defines“business” as “a sole proprietorship, partnership,corporation, association, or other group, how-ever organized and whether or not organized tooperate at a profit, including a financial institu-tion organized, chartered, or holding a license orauthorization certificate under the law of this state,any other state, the United States, or of any othercountry, or the parent or the subsidiary of a fi-nancial institution. The term includes an entitythat destroys records.”

2 See Civil Code, § 1798.83(h), which ex-empts financial institutions that are subject to andin compliance with Financial Code, §§ 4052, 4053,4053.5 and 4054.6.

Notes

fect other provisions or applications that canbe given effect without the invalid provisionor application. (h) This section does not apply to a financialinstitution that is subject to the California Fi-nancial Information Privacy Act (Division 1.2(commencing with Section 4050) of the Fi-nancial Code) if the financial institution is incompliance with Sections 4052, 4025, 4053,4053.5 and 4054.6 of the Financial Code, asthose sections read when they were chapteredon August 28, 2003, and as subsequentlyamended by the Legislature or by initiative. (i) This section shall become operative onJanuary 1, 2005.

1798.84. (a) Any waiver of a provision ofthis title is contrary to public policy and is voidand unenforceable. (b) Any customer injured by a violation ofthis title may institute a civil action to recoverdamages. (c) In addition, for a willful, intentional, orreckless violation of Section 1798.83, a cus-tomer may recover a civil penalty not to ex-ceed three thousand dollars ($3,000) per vio-lation; otherwise, the customer may recover acivil penalty of up to five hundred dollars($500) per violation for a violation of Section1798.83. (d) Unless the violation is willful, intentional,or reckless, a business that is alleged to havenot provided all the information required bysubdivision (a) of Section 1798.83, to haveprovided inaccurate information, failed to pro-vide any of the information required by sub-division (a) of Section 1798.83, or failed toprovide information in the time period re-quired by subdivision (b) of Section 1798.83,may assert as a complete defense in any actionin law or equity that it thereafter provided re-garding the information that was alleged tobe untimely, all the information, or accurateinformation, to all customers who were pro-vided incomplete or inaccurate information,respectively, within 90 days of the date thebusiness knew that it had failed to provide the

information, timely information, all the informa-tion, or the accurate information, respectively. (e) Any business that violates, proposes to vio-late, or has violated this title may be enjoined. (f) A prevailing plaintiff in any action com-menced under Section 1798.83 shall also be en-titled to recover his or her reasonable attorney’sfees and costs. (g) The rights and remedies available under thissection are cumulative to each other and to any

other rights and remedies available under law.

Appendix 3: California Online Privacy Protection Act

Summary of the Law’s Requirements

Which Businesses Are Subject to the Statute

Operators of commercial Web sites or online services that collect personally identifiable information on consumers residing in California.

“Personally identifiable information” is defined as:

• individually identifiable information about a consumer collected online from the individual and maintained by the operator, including name, address, e-mail address, telephone number, Social Security number, any other identifier that permits the physical or online contacting of an individual, and information concerning a user collected from the user in combination with another identifier.

What Operators Must Do Under the Statute

An operator of a commercial Web site or online service must do the following:

• conspicuously post a privacy policy statement containing specified information on its Web site, and

• comply with the terms of that policy.

The posted policy must contain the following information:

• Categories of personally identifiable information collected

• Categories of third parties with whom the information may be shared

• Description of the process, if one is offered, for reviewing one’s own information collected through the site

• Description of the process for communicating material changes in the policy

• Effective date of the policy

“Conspicuously post” means any of the following:

• Posting on a Web site’s home page or first significant page after entering the site

• Posting a link to the policy containing the word “privacy” on the Web site’s home page or first significant page

• Making the link conspicuous by including the word “privacy,” using capital letters in larger type than surrounding text, using type that contrasts with surrounding text in size, style or color or that is set off by marks that call attention to it, or by using any other functional hyperlink that a reasonable person would notice.

• An online service may use any reasonable means of making the privacy policy available to consumers of the service.

Remedies and Penalties

• An operator has a 30-day grace period after being notified of failure to post a policy that complies with the law.

• An operator subject to the law is in violation for failing to comply either “knowingly and willfully” or “negligently and materially.”

• The law may be enforced through California’s unfair competition statute, Business and Professions Code section 17200 and following.

Text of Business and Professions Code Sections 22575-22579

22575. (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22578. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the following: (1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. (2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process. (3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service. (4) Identify its effective date.

22576. An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways: (a) Knowingly and willfully. (b) Negligently and materially.

22577. For the purposes of this chapter, the following definitions apply: (a) The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following: (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site. (2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable. (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following: (A) Includes the word “privacy.” (B) Is written in capital letters equal to or greater in size than the surrounding text. (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it. (5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

(c) The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.

(d) The term “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

22578. It is the intent of the Legislature that this chapter is a matter of statewide concern. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the posting of a privacy policy on an Internet Web site.

22579. This chapter shall become operative on July 1, 2004.


California Office of Privacy Protection
www.privacy.ca.gov

Office of Information Security and Privacy Protection
www.oispp.ca.gov

State and Consumer Services Agency
www.scsa.ca.gov