In recent years, companies have been doing business on the Internet in one form or another and have been increasingly providing their customers and potential customers methods that were exclusive to snail mail and fax and at the same time having to wade through the numerous privacy laws affecting clients' businesses. In a statement to Congress in May 2000 from a former commissioner of the Federal Trade Commission he seemed to indicate that businesses would be required to treat information collected online in the same manner as information collected offline (which is much less regulated). Although the online/offline conformity has not come to fruition, it proved a wake-up call for many businesses and a warning of things to come.

In the summer of 2002, many credit professionals scrambled to answer questions about a relatively unpublicized law called the Financial Modernization Act, or Gramm-Leach-Bliley Act, that made distribution and compliance with privacy policies a requirement if certain types of "nonpublic personal information" was collected from customers, whether online or offline. After much fanfare and a scramble on the part of a certain professional credit organization to promote GLB seminars both on and off line it was investigated and reported by this publication that GLB did not apply to the majority of credit managers in manufacturing and distribution. By 2003, thirty-six states had their own anti-spam laws, the toughest and most controversial of which was passed by California. When Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003) it pre-empted almost all of those state laws, including California.

After reviewing and explaining all of the foregoing laws about the privacy laws affecting business operations on the Internet -- as well as a few of the lesser known, industry specific laws – credit professionals could finally feel comfortable that they had an informed management that could comply with applicable privacy-related laws. However, California then passed another law on July 1, 2004 that came into existence with relatively little fanfare, sending many credit professionals back to their attorneys to draft forms and restructure their advice to comply with that law.

The relatively new California law may affect companies that operate commercial Web sites or online services that collect personally identifiable information from consumers. The California Online Privacy Protection Act (OPPA) requires any operator of a commercial Web site or online service that collects personally identifiable information through the Internet from California residents to conspicuously post its privacy policy online and comply with that policy. OPPA potentially affects hundreds of thousands of Web sites, but it was and continues to be the subject of very little discussion and/or preparation.

OPPA is a response to a perceived federal inaction in protecting the privacy of Internet users. It protects the privacy interests of California residents by informing them of whether the personal information obtained from them through the Internet may be disclosed or sold to another party. Further, lawmakers hope OPPA will increase consumer confidence in e-commerce and the legitimacy of those firms with whom they do business on the Internet.

Until now, posting online privacy policies was largely governed by the applicable industry standard. As demonstrated by its anti-spam laws and its law governing the use of information from in-vehicle data collection devices, California is on the cutting edge of protecting its residents' rights by becoming the first state to pass an online privacy protection law. Laws similar to OPPA are pending in other states.

OPPA affects any operator of a commercial Web site or online service that collects personally identifiable information through the Internet from California residents. OPPA focuses on protecting the privacy of California residents regardless of where the operator is geographically located. Operators located outside California -- but whose sites are visited by Californians -- are susceptible to liability because of the borderless nature of the Internet. Consequently, OPPA reaches across state lines and affects almost all companies doing business in the United States that conduct business online and collect personally identifiable information from consumers.

Although OPPA only applies to commercial Web sites and online service operators that collect personally identifiable information from consumers. Commercial firms need to be reminded that asking for personal information from guarantors of corporate debt or when dealing with partnerships or proprietorships via the Internet, they are automatically liable under OPPA. Personally identifiable information is information collected online from an individual that identifies that individual in some way. OPPA lists the following examples of personally identifiable information:

* A first and last name;
* A home or other physical address, including street name and name of a city or town;
* An e-mail address;
* A telephone number;
* A social security number; or
* Any other identifier that permits the physical or online contacting of a specific individual.

Also included in that category is any other information concerning a consumer that is maintained in a personally identifiable form in conjunction with one of the previously listed identifiers.

The only businesses that OPPA explicitly does not affect are Internet service providers and similar entities that transmit or store personally identifiable information at the request of a third-party operator. OPPA requires a business to conspicuously post on its Web site its online privacy policy. Web site operators and online service operators must make the policy readily accessible to its online consumers. OPPA provides that a policy is conspicuously posted if it is posted in any one of the following four ways:

* The actual privacy policy is posted on the homepage (or first significant page after entering the site);
* The site displays an icon that hyper-links to the actual privacy policy, if the icon contains the word "privacy," and uses a color that contrasts from the homepage (or first significant page after entering the site);
* The site displays a text hyperlink to the actual privacy policy, if the text link is located on the homepage (or first significant page after entering the site) and the text link either includes the word "privacy," is written in capital letters equal to or greater in size than the surrounding text, is written in larger type or in contrasting type, font or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language; or
* The site displays any other functional hyperlink so that a reasonable person would notice it.

OPPA also mandates what information a business/operator must include in its online privacy policy. A lawful online privacy policy consists of five elements. First, the policy must identify the categories of personally identifiable information that the business/operator collects. Second, the policy must identify with whom the operator may share the personally identifiable information. Third, the policy must describe the process, if one exists, for a consumer to review and change his or her personally identifiable information. Fourth, the policy must describe what notice the operator will provide to consumers if the business/operator changes the policy. Finally, the policy must indicate the date on which it became effective.

Once the policy satisfies the required five elements, the operator has considerable flexibility to formulate the rest of its privacy policy. Significantly, OPPA does not regulate or restrict a business in its collection, use or dissemination of personally identifiable information.

A business/ operator that fails to comply with OPPA risks being subject to civil suit for unfair business practices. The standard for liability is that acts were taken knowingly and willfully, or negligently and materially. There are two ways a business/operator may violate OPPA. One way is if 30 days after being notified of noncompliance, a business/ operator fails to post a lawful policy. Another way is if the business/operator fails to comply with the provisions of its own privacy policy. Although OPPA does not expressly provide a remedy for either type of violation, OPPA has been made a part of California's Business and Professional Code, which allows individuals to pursue claims for unfair business practices under California's Unfair Competition Law in the form of an uncertified class.

The California Online Privacy Protection Act went into effect July 1, 2004. If your company operates a Web site or online service that collects personally identifiable information from California residents, this may be an excellent opportunity to review applicable information collection practices under the parameters of OPPA. One sale to a resident of California (arguably) makes compliance with OPPA necessary. Businesses that are covered by OPPA must post and comply with a privacy policy that meets the requirements of OPPA. If a covered business already has an online privacy policy, now is a good time to review that privacy policy to ensure compliance with the terms of OPPA.

Finally, many businesses, on advice of counsel, are taking the position that posting and complying with a privacy policy that comports to the requirements of OPPA is a matter of best practices -- whether or not OPPA is applicable in any given situation -- and may help avoid other compliance issues in the future.

I wish you well.  

The information provided above is for educational purposes only and not provided as legal advice. Legal advice should be obtained from a licensed attorney in good standing with the Bar Association and preferably Board Certified in either Creditor Rights or Bankruptcy.