Is your organization’s privacy policy conspicuously linked from the front page of your websites and from every page on which you collect information? If not, you may be violating California law – even if you don’t reside in California or technically do any business there. Google was recently publicly criticized by privacy advocates for just such a violation, before adding such links.

The California Online Privacy Protection Act (OPPA) (Cal. Bus. & Prof. Code 22575 - 22579) requires conspicuous posting of a privacy policy, and compliance with that policy. It applies to any research company that "collects and maintains personally identifiable information from a consumer residing in California who uses or visits" online. This includes research entities based anywhere in the world, whether or not they are even aware that they are collecting such data from Californians.

What Is Needed in the Privacy Policy?
California’s OPPA also sets specific criteria that any privacy policy (including a research organization’s) is expected to meet. The policy should include:

  • a list of categories of personally identifiable information (PII) collected;
  • a list of categories of third-parties with whom the organization may share such PII;
  • a description of the process by which a respondent can review and request changes to PII;
  • a description of the process by which the research organization notifies respondents of material changes to the operator’s privacy policy; and
  • the effective date of the privacy policy.

Where Must the Policy Be Posted?
In addition, under the law, research organizations must conspicuously post their privacy policies on their websites. What does that mean in practice? Either the privacy policy must appear on the homepage of the website or on the first significant page after entering the website, or the privacy policy must be linked from the homepage by an icon or text link that contains the word "privacy" and is in a color different from the background of the homepage.

What Is the Impact of Non-Compliance?
Research organizations that fail to comply with the law or with the terms of their posted privacy policy are in violation if the noncompliance is either negligent and material or knowing and willful. Operators have thirty (30) days to post a privacy policy once notified of noncompliance. Ordinary citizens, as well as government agencies, can file suit to enforce the law and seek civil penalties.

Disclaimer: The information provided in this message is for guidance and informational purposes only. It is not intended to be a substitute for legal advice. All parties are advised to consult private legal counsel regarding the interpretation and application of any laws to their business.