July 05, 2004

New California Online Privacy Law

If your company operates a commercial Web site or online service that collects personally identifiable information from consumers, you may need to comply with a new California law. The California Online Protection Act (the "Act") is the first state law in the nation to require an operator of a commercial Web site or online service to conspicuously post its privacy policy online and comply with the posted policy. The Act applies if you collect personally identifiable information from California consumers, regardless of where your company is located. The Act became effective on July 1, 2004.

General Scope and Definitions. The Act applies to any "operator" of a Web site or online service that collects "personally identifiable information" from "consumers" residing in California.

Operator: The Act defines an operator as a "person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service." The Web site or online service must be operated for commercial purposes. The Act does not apply to an Internet service provider or similar entity that transmits or stores personally identifiable information at the request of third parties.

Personally Identifiable Information: "Personally identifiable information" means information about an individual consumer, such as a first and last name, an address, an e-mail address, a telephone number, a social security number, or any other information that could be used to make contact with the individual. It also includes information about a consumer that is collected online (such as gender, weight, hair color, birthday, etc.) and that is maintained in personally identifiable form in combination with one of the personal identifiers.

Consumer: The Act defines a consumer as "an individual who seeks or acquires goods, services, money, or credit for personal, family or household purposes."

Key Provisions of the Act.

Contents. The Act provides that a privacy policy must:

  • identify the categories of personally identifiable information that the operator collects about individual consumers;
  • identify the categories of third parties with whom the operator may share that personally identifiable information;
  • describe the process (if any) by which the consumer may review and request changes to his or her personally identifiable information;
  • describe the process the operator will use to notify consumers of any material changes to the privacy policy; and
  • identify its effective date.

Conspicuously Posted. The Act provides that the privacy policy must be posted in a conspicuous manner. A company may meet this requirement in one of the following ways:

  • post the actual privacy policy on the home page (or first significant page after entering the site);
  • post on the home page (or first significant page) a graphic icon linking to the actual privacy policy, where the icon contains the word "privacy" and is in a color that contrasts with the background of the page;
  • post on the home page (or first significant page) a text link to the actual privacy policy, where the text link contains the word "privacy" and complies with certain specific requirements of conspicuousness; or
  • post another functional hyperlink so that a reasonable person would notice it.

An "online service," which is not defined in the statute, alternatively can meet the requirement to post a conspicuous policy by utilizing "any other reasonably accessible means of making the privacy policy available for consumers."

Noncompliance. An operator will be considered in violation of the Act if it fails to post a privacy policy within 30 days after being notified of noncompliance. An operator who fails to comply with the terms of the posting requirement or fails to follow the terms of its posted privacy policy will be found to be in violation of the Act only if its noncompliance is either "knowing and willful" or "negligent and material." This means that a minor, but deliberate, breach can give rise to liability.

An operator who violates the Act may also be susceptible to actions by the Federal Trade Commission. The FTC may bring enforcement action against businesses whose posted privacy policy is deceptive, i.e., where the business fails to comply with its posted privacy policy. (Although Michigan does not have a statute governing privacy policies, Michigan's Attorney General has brought similar actions against Web site owners under Michigan's consumer protection laws.)

Enforcement. The Act does not contain an enforcement provision. It is expected that the Act will be enforced through California’s Unfair Competition Law (the "UCL"). Under the UCL, the California Attorney General, local district attorneys, and private individuals can bring suit to seek enforcement of the Act.

Recommended Actions.

  • If your company collects personally identifiable information from California residents online and does not yet have a privacy policy, you should adopt one. If your company already has a privacy policy, you should review that policy to make sure it complies with the Act.
  • You should also make certain that your actual practices match the practices described in your privacy policy. You should conduct regular audits to ensure ongoing compliance.
  • You should provide adequate security for the personally identifiable information that you collect and maintain.

If you have any questions, feel free to contact Janet Knaus at 616.752.2150 or Norbert Kugele at 616.752.2186.

