CBA Regulatory Compliance Bulletin

Vol 2004 No. 9 June 23, 2004

Internet Web Site Privacy Law Effective July 1


The Online Privacy Protection Act of 2003 (AB 68), signed last year by the outgoing Governor, requires an operator of a commercial Internet website that collects personally identifiable information from California consumers (i.e., who reside in California) to post its privacy policy conspicuously on the web site. AB 68 does not confer rights to opt out; it is strictly a notice law.

The notice must be conspicuous, and include the following elements, as applicable:

  • Identify the categories of information collected

  • Identify categories of third parties with whom the information is shared (no examples are required)

  • If the operator maintains a process for the consumer to review and request changes to the consumer's information, describe that process

  • Describe the process by which the operator notifies consumers (customers) of material changes to the privacy policy, and

  • Identify the effective date of the policy.

No statutory form disclosure is provided. Because the law applies when the consumer is a California resident, the reach of AB 68 extends well beyond California's borders. Note that outside vendors that operate web sites on behalf of banks are not considered the "operator." The bank is the operator to the extent that it "owns" the web site that collects the information.

The term "personally identifiable information" means individually identifiable information about a consumer collected online by the operator from the consumer and maintained by the operator in an "accessible" form, including name, address, e-mail address, telephone number, social security number, any other identifier that permits the physical or online contacting of a specific individual, and any other consumer information collected online and maintained in personally identifiable form in combination with an identifier described above. The term "accessible" is not defined.

While AB 68 is only a notice law, its coverage is broad. Unlike GLBA, there is no exception for publicly available information. And unlike SB 1, disclosure is not limited to the sharing of information for marketing purposes. Moreover, AB 68 includes none of the exceptions available under GLBA and SB 1, such as disclosures made pursuant to the FCRA, disclosures made to complete the transaction, disclosures made in response to legal process, disclosures made through outsourcing arrangements, etc.

Because the bill makes no reference to affiliated companies, any disclosures to holding companies, subsidiaries, and affiliates should also be disclosed. Finally, no distinction is made as between experience and non-experience information.

The notice is posted "conspicuously" if any of the following conditions is met:

  • The actual notice is posted on the homepage or first significant page after entering the web site.

  • The notice is accessible through an icon hyperlink and (i) the icon is located on the homepage or the first significant page after entering the web site, and (ii) the icon contains the word "privacy." The icon must use a color that contrasts with the background color of the web page or is otherwise distinguishable.

  • The notice is accessible through a text link and the text link is located on the homepage or first significant page after entering the web site, and the text link (i) includes the word "privacy," (ii) is written in capital letters equal to or greater in size than the surrounding text, or (iii) is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

  • Any other functional hyperlink that is so displayed that a reasonable person would notice it.

  • In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the service.

As when implementing privacy policies pursuant to the Gramm-Leach-Bliley Act, banks need to consider every instance in which identifying information is collected either overtly or automatically through Internet cookies and other means, and whether that information is disclosed outside the bank. Consider also whether information is collected and how it is collected when a person clicks on a link or icon located on the bank's web site that hyperlinks to a third party web site.

AB 68 contemplates private rights of action by providing that an operator may be liable for willful and knowing violations or negligent and material violations. However, an operator is in violation of AB 68 only if it fails to post its policy within 30 days after being notified of noncompliance. The bill preempts any local ordinance requiring the posting of privacy policies on websites.

It is important for banks to ensure that the stated policies are consistent with other privacy statements provided by the bank. Claims of unfair competition or fraud may be made where the bank makes inconsistent disclosures, or if the bank's actions are inconsistent with its disclosures.

If you have any questions about AB 68, you may contact Leland Chan at lchan@calbankers.com or James Clark at jclark@calbankers.com.


CBA Regulatory Compliance Committee 

Jim Thvedt (Chair), Mary Lou Bonkofsky, Janet Bonnefin, Lyndon Christensen, James Curtis, Lillian Gavin, Michael Hood, Jeri Killian, David Madsen, Garry Prosperi, Thomas E. McCullough, Christine Scott, Meg Sczyrba, Paul Shimotake, Deborah Thoren-Peden, and Meg Troughton 

Leland Chan, General Counsel
California Bankers Association, 201 Mission Street, Suite 2400, San Francisco, California 94105-1839
Tel (415) 284-6999 ext. 214, Fax (415) 284-1521, e-mail: lchan@calbankers.com

 
