Chances are if you are doing business in 2018, your company has some sort of online presence.  It is important to remember that there are regulations that businesses must comply with when operating a website.  In particular, many businesses need to have written privacy policies under California’s Online Privacy Protection Act (the “Act”).

The Act applies to any person or company whose website or mobile application collects “personally identifiable information” from California consumers who use or visit the website.  This includes websites that require individuals to enter a username, password, email address, physical address, phone number, social security number, or any other identifier that could permit the user to be contacted either physically or online.  If the website does collect such information, the website must feature a conspicuous privacy policy stating what information is collected and with whom it will be shared.  The law also requires that the operator of the website comply with the listed privacy policy.

In the event your company collects “personally identifiable information,” you need to ensure that your website is compliant with the requirements of the Act.  Compliance under the Act requires the privacy policy to:

  • Be conspicuously posted on the website. This may be done by putting the policy on the website and/or providing a link to the policy on the website;
  • Identify the effective date of the privacy policy;
  • Provide a list of the categories of personally identifiable information collected;
  • Provide a list of the categories of third parties with whom the operator may share such personally identifiable information;
  • Provide a description of the process, if any, by which the consumer can review and request changes to the personally identifiable information collected; and
  • Provide a description of the process by which the operator notifies consumers of any material changes to the privacy policy.

The Act additionally requires privacy policy disclosures for tracking of visitors on websites and by online services, defined as “the monitoring of an individual across multiple websites to build a profile of behavior and interests.”  To comply, a privacy policy is required to:

  • Disclose how the website responds to Do Not Track signals from web browsers;
  • Disclose whether third parties may collect visitors’ personally identifiable information on a website; and
  • Provide a conspicuous hyperlink within the privacy policy to an “online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

If your company needs assistance in drafting a website privacy policy, the attorneys at Navigato & Battin are experienced in creating policies that comply with California and federal law.