website Privacy policies: why your business website probably needs one

California businesses with “Contact Us” forms on their websites must comply with the requirements of the California Online Privacy Protection Act (“OPPA”).  This means that the businesses likely should: (1) have a written privacy policy in place from inception of the website; and (2) “conspicuously post” their privacy policy on their website.  See California Business and Professions Code Section 22577(b).

Requesting “Personally-Identifiable Information” on Your “Contact Us” Page

As a preliminary matter, most “Contact Us” forms on business websites request at least some of the following “personally identifiable information” from prospective customers/clients visiting the website:

(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.

See California Business and Professions Code Section 22577(a).  

As a result, most businesses with “Contact Us” forms must provide website visitors with the link to access their business' privacy policy on their website.  

“Conspicuously Post” Your Privacy Policy

The privacy policy link must be displayed on the website in a manner that is “conspicuous.”  This means that the privacy policy must be displayed on:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

See California Business and Professions Code Section 22577(b).

Non-Compliance with the California Online Privacy Protection Act

A business that fails to include a privacy policy on its website but nevertheless collects “personally identifiable information” from visitors who reside in California shall be in violation of Section 22576 of the California Business and Professions Code if the failure is: (a) knowing and willful; or (2) negligent and material.  

Furthermore, a business can also be liable for non-compliance with OPPA in cases where a business includes a privacy policy on its website, but nonetheless fails to comply with the terms of the privacy policy.

Non-compliance can result in a costly lawsuit.  For example, in late 2012, the State of California filed a lawsuit against Delta Airlines alleging that "the Fly Delta [mobile application] on multiple platforms still does not have a privacy policy conspicuously posted, i.e., reasonably accessible to consumers within the [mobile application]."  The complaint's sole cause of action alleged that Delta was in violation of the California’s Unfair Competition Law (“UCL”) by committing "unlawful, unfair, or fraudulent business acts and practices," including, but not limited to, the following: (a) “knowingly and willfully” or “negligently and materially” failing to conspicuously post a privacy policy in its Fly Delta mobile application; and (b) by “knowingly and willfully” or “negligently and materially” failing to even comply with the website privacy policy posted on the Delta website.  In its prayer for relief, the State sought: (1) $2,500 for each violation of the UCL; (2) injunctive relief enjoining Delta from committing any acts of unfair competition; and (3) an award of costs of the lawsuit including attorney fees and investigation costs.  While this lawsuit was later defended on appeal based on preemption grounds that were specific to the case itself (i.e., the Airline Deregulation Act of 1978 preempted the UCL lawsuit), this case provides an example of how businesses may be sued by the State for non-compliance with OPPA, and the types of damages for which businesses may be liable.  Click here for the decision.

Smith Shapourian & Mignano, LLP is available to answer any questions or concerns you may have regarding your business’ privacy policy, as well as to defend your business against allegations of OPPA violations.  Please contact us for a consultation.

This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.