While at the 35th Annual Marketing Law Conference hosted by the Brand Activation Association, an assistant attorney general of the state of California said that California’s position is that any business with a website is doing business in California and that the business should have a California-compliant privacy policy.

If you collect data to get a better view of your customers’ demographics, it is important to have a privacy policy that follows federal and state law.

However, it seems to be a stretch that a business that, for example, is headquartered in New Jersey with customers in New York, Pennsylvania, and Connecticut would have enough contacts to be subject to California law, especially if California tries to enforce a fine against that company.  But the assistant attorney general’s statement tends to disagree with this legal theory.

However, this is an argument about economics.  California is a gigantic economy and many companies want to have customers in California.  California, like many other governments, also needs money and money from fines helps to offset any deficits.

What does California say about collecting data and privacy policies?  Let’s take a quick look at some policies that differ from other jurisdictions.

The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites that collect personally identifiable information from California’s residents to conspicuously post and comply with a privacy policy that meets certain requirements:

  • The operator of a website must post a distinctive and easily-found link to the website’s privacy policy, commonly listed under the heading “Your California Privacy Rights”.
  • The privacy policy must detail the kinds of information gathered by the website, how the information may be shared with other parties, and, if such a process exists, describe the process the user can use to review and make changes to their stored information.
  • The privacy policy also must include the policy’s effective date and a description of any changes since then.

This privacy policy requirement reaches outside the borders of California because it would apply to any business that is collecting data from California residents.

Under California’s “Shine the Light” law, California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from the business that operates the website, once a calendar year, information about the customer information the business shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which the business that operates the website has shared customer information for the immediately prior calendar year (e.g., requests made in 2013 will receive information regarding 2012 sharing activities).

So, while the assistant attorney general’s statement is overbroad, if your business is looking for California customers, then your privacy policy on your website must conform.

There are also new requirements as of January 1, 2014.

  • California law does not require companies to respond to do-not-track signals; it only requires them to disclose what the response is, and what that response looks like if they are in fact honoring the do-not-track request. In a nutshell:
    • If your website does not react to the do-not-track signals, then state that fact in your policy.
    • If your website does honor those requests, then you need to outline in more detail what exactly that means and how it affects users.
  • An affected company must disclose to users whether third parties may collect personally identifiable information about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.

In 2020, there are updates to California privacy law. Please see our video blog on those updates.