Online Privacy Protection Act – California


The Online Privacy Protection Act of 2003 (codified at Cal. Bus. & Prof. Code Secs. 22575-22579), operative as of July 1, 2004 and amended in 2013, requires an owner of a commercial website or online service (the “operator”) that collects personally identifiable information through the internet about individual consumers residing in California to conspicuously post its privacy policy.  An individual’s personally identifiable information (PII) includes his or her name, home or other physical address, e-mail address, telephone number, social security number, any other identifier that permits physical or online contact with the individual, and any other information collected online and maintained in personally identifiable form in combination with one of the preceding identifiers.

Are Nonprofits Covered?

Whether a particular nonprofit organization’s website that collects such information is regarded as a “commercial” website is a fact-specific question.  Important factors may include whether the organization’s website promotes any unrelated business activities, carries any paid advertising, or solicits new members who receive, in return for their dues, some commercial benefit unrelated to the organization’s exempt purpose.  Because the determination is uncertain and the cost of compliance is modest, an organization should carefully consider whether it would be advantageous simply to comply with the Act’s requirements.

Privacy Policy Requirements

Under the Online Privacy Protection Act, the privacy policy must do the following:

  1. Identify the categories of (a) PII collected through the website or online service about individual consumers who use or visit it and (b) third-party persons or entities with whom the operator may share such information.
  2. Describe the process by which an individual consumer may review and request changes to any of his or her PII collected through the website or online service, if the operator maintains such a process.
  3. Describe the process by which the operator notifies consumers who use or visit its website or online service of material changes to the privacy policy.
  4. Disclose how the operator responds to Do Not Track signals or other mechanisms that give consumers the ability to exercise choice regarding the collection of PII about their online activities over time and across third-party websites or online services, if the operator engages in that collection.
  5. Disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when the consumer uses the operator’s website or online service.
  6. Identify its effective date.

In order to “conspicuously post” a privacy policy, an operator may either:

  1. Post the privacy policy itself on its homepage or on the first significant page after entering the site.
  2. Place on the homepage or first significant page an icon that hyperlinks to the page containing the privacy policy, where the icon contains the word “privacy” and uses a color that contrasts with its background or is otherwise distinguishable.
  3. Place on the homepage or first significant page a text link that hyperlinks to the page containing the privacy policy, where the link includes the word “privacy” and is made noticeable: written in capital letters at least as large as the surrounding text (e.g., “PRIVACY”), written in larger or contrasting type, font, or color, or set off from the surrounding text by symbols or other marks.
  4. Use any other functional hyperlink that is displayed so that a reasonable person would notice it.
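The posting options above can be partly checked mechanically. The following is an added example (not code from the original page or from any of the linked offices) that parses a homepage’s HTML with Python’s standard library and reports which of the detectable options are present: a “privacy policy” heading on the page itself, an icon link whose `alt` or `title` contains “privacy”, and a text link whose anchor text includes the word “privacy”, flagging separately whether that text is in capitals. The sample HTML strings, the function name `audit_homepage`, and the result keys are assumptions made for this example; the “larger or contrasting type” and “set off by symbols” variants depend on CSS and rendering, so this check cannot see them and does not claim to.

```python
"""Audit a homepage's HTML for a conspicuously posted privacy-policy link.

Added example, not part of the original page. Uses only the standard library
so it runs offline on an HTML string you have already fetched.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class _Findings:
    text_links: list = field(default_factory=list)  # (href, anchor text)
    icon_links: list = field(default_factory=list)  # (href, alt/title label)
    policy_heading_on_page: bool = False            # option 1: policy on the page itself


class _PrivacyLinkParser(HTMLParser):
    """Collects <a> elements whose text or contained <img> label mentions privacy."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = _Findings()
        self._href = None          # href of the <a> currently being read, if any
        self._text = []            # text fragments seen inside that <a>
        self._in_heading = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and self._href is not None:
            # Option 2: an icon that links to the policy; the word "privacy"
            # must appear in the icon, which in HTML we can only see via alt/title.
            label = a.get("alt") or a.get("title") or ""
            if "privacy" in label.lower():
                self.findings.icon_links.append((self._href, label))
        elif tag in ("h1", "h2", "h3"):
            self._in_heading = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if self._in_heading and "privacy policy" in data.lower():
            self.findings.policy_heading_on_page = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            if "privacy" in text.lower():
                self.findings.text_links.append((self._href, text))
            self._href = None
        elif tag in ("h1", "h2", "h3"):
            self._in_heading = False


def audit_homepage(html: str) -> dict:
    """Return which CalOPPA posting options are detectable in the given HTML."""
    parser = _PrivacyLinkParser()
    parser.feed(html)
    f = parser.findings
    # Option 3 as checked here: anchor text that carries the word in capitals.
    # Size, font, color and surrounding-symbol variants are not visible in raw HTML.
    capitalized = [(h, t) for h, t in f.text_links if "PRIVACY" in t]
    return {
        "policy_heading_on_page": f.policy_heading_on_page,
        "icon_links": f.icon_links,
        "text_links": f.text_links,
        "capitalized_text_links": capitalized,
        "passes_html_check": bool(f.policy_heading_on_page or f.icon_links or capitalized),
    }


# Constructed sample pages (assumptions for this example, not real sites).
SAMPLE_CAPITALIZED_LINK = (
    '<html><body><nav><a href="/">Home</a></nav>'
    '<footer><a href="/privacy">PRIVACY</a></footer></body></html>'
)
SAMPLE_WEAK_LINK = (
    '<html><body><p><a href="/legal">Terms</a></p>'
    '<footer><small><a href="/privacy">privacy</a></small></footer></body></html>'
)
SAMPLE_ICON_LINK = (
    '<html><body><a href="/privacy.html"><img src="lock.png" alt="Privacy policy"></a>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in [("capitalized", SAMPLE_CAPITALIZED_LINK),
                       ("weak", SAMPLE_WEAK_LINK),
                       ("icon", SAMPLE_ICON_LINK)]:
        print(name, audit_homepage(page))
```

A page that fails `passes_html_check` but lists entries under `text_links` (the “weak” sample above) is the case to review by hand: the link exists, but whether it is “noticeable” under the larger-type or contrasting-color variants has to be judged from the rendered page, not from the markup.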

Resources (updated 2/24/16)

You can find more information about privacy policies and the Online Privacy Protection Act at the links below:

California Privacy Enforcement and Protection, Office of the Attorney General

California Privacy Laws, Office of the Attorney General

Making Your Privacy Policies Public, Office of the Attorney General

General Online Privacy Resources

State Laws Related to Internet Privacy, NCSL (2016)

A Nonprofit’s Cyber Liability And Data Privacy, The Nonprofit Times (2015)

Nonprofits and Online Website Privacy, Wagenmaker & Oberly (2015)

75+ free tools to protect your privacy online (Comparitech)