Welcome to WebmasterWorld Guest from 54.156.92.140

Forum Moderators: phranque

Message Too Old, No Replies

California Online Privacy Protection Act of 2003

This goes into effect July 1. Why is no one even talking about it?

     
1:36 pm on Jun 15, 2004 (gmt 0)

New User

10+ Year Member

joined:May 20, 2003
posts:5
votes: 0


Did you know that come July 1, if you collect any kind of personal information -- name, email address, etc. -- from visitors, you're going to have to have a very specific Privacy Policy in place?

This is a really, really dangerous precedent California is setting, which could dramatically drive up the cost of doing business on the Web for small business.

You can see the actual bill here [leginfo.ca.gov].

It just astounds me that this law will potentially affect hundreds of thousands of websites in a couple of weeks, and nobody's talking about it. And the handful of people who are all think it's great -- they're privacy advocates who see it is a victory, without any thought as to the impact on small business.

I'm interested to hear your thoughts.

Scott Allen

[edited by: oilman at 4:37 pm (utc) on June 15, 2004]

3:33 pm on June 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 27, 2001
posts:762
votes: 0


Thanks for the link to the law. I read it twice.

I don't share your alarm or astonishment.

I do run commercial websites and I am a consumer.

The law actually seems very rational and not all that demanding to small businesses. All it requires is to provide a page which describes how the personal information is used, then provide a conspicious link to that page.

it also does not require me to worry about third-party issues. In other words, if I run google adsense, I don't need to worry about how all of the advertisers are using any data they collect - that's their problem.

I'm sorry, but I don't see the dramatic costs involved.

What I see is a rational, simple approach to the issue: what the heck does that website do with the data that it asks me for?

The requirements are actually far less than the P3P specification demand. Cookie usage, for example, is not covered by this bill, but it is covered by P3P.

To me, this appears to be something that ALL web sites should be doing anyway.

As a small business owner, I don't see this as a big deal.

As a consumer, I am all for privacy policies - the shorter and matter-of-fact the better.

As a person who also has a day job managing a large corporate web site - I don't see it as a big deal either. Perhaps an afternoon to write a policy and a quick visit to the corporate attorney to be sure all is cool, then a few minutes to add it to the site and link it to the home page. Oh wait, we already did that!

Richard

5:56 pm on June 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 19, 2003
posts:1747
votes: 0


Oh wait, we already did that!

Eh, I also....

No big deal. Actually, considering the source, I found the bill to be a pretty masterful job of writing toward an exact (as far as that's possible) objective.

I AM a privacy advocate. I LOVE the privacy strictures written into the "CrystalSinger" series by Anne McCaffrey: NO ONE may ask you questions about your SELF and involvements without running the VERY real risk of having hisser nose snapped off legitimately by a statement of "privacy, citizen!"

Wish it worked that way in real life. I'm seldom averse to VOLUNTEERING information, but I HEARTILY resent people and companies which TAKE information which is not freely offered.

6:04 pm on June 15, 2004 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12172
votes: 61


A little OT but relative to the topic at hand because the two go hand in hand with one another.

There was another law that went into effect 2004-01-01 which has much more of an impact.

The California law, due to become effective on January 1, 2004 appears to pose the most problems for legal advertisers. It defines spam as email sent without direct consent or a pre-existing or current business relationship. But don't assume your opt-in or double opt-in subscribers automatically fit that category.

There are certain specific procedures that need to be in place on all online forms where consumer data is being collected.

6:09 pm on June 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 15, 2003
posts:1418
votes: 0


Having a written privacy policy has never stopped anyone from selling information anyway. Whether a government makes people have a policy or not, no one is forcing companies to adhere to it.

When I set up my personal domain, which I use for most e-mail, I set up a catch-all address. Whenever I register for a site and an e-mail is required, I enter in their_website_address@mydomain.com as the e-mail address. It will always get to me because of the catch-all forwarding.

Then I wait ... when I start seeing spam come in, I look at the receiving addres and can immediately tell who violated their privacy policy. Then I can disable that address on my server so any other mail that goes to it is just deleted.

I'm not based in California, so it won't affect me. But at least now, if a company that has my email is based out of california, I can gripe to government if they violate their policy.

I dunno, California has always kinda been the joke of the country to me ... like the little clumsy kid who trips and walks into walls and stuff. You just kinda pretend you didn't notice and try not to laugh. It's the perfect example of why liberal views don't work.

8:16 pm on June 15, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Mar 9, 2004
posts:249
votes: 0


All the law requires is a written privacy policy. I was required long ago by a company I did business with to have one. It took about five minutes to write the policy (the only thing I collect is e-mail addresses of customers, I do nothing with them, I don't see or collect the credit card numbers, I don't get anything else) put the policy on a page and put a link from certain other pages to the privacy policy. No big deal.

Of course, stating a privacy policy and following the privacy policy are two different things. If you want to collect home addresses and post on a web site for peeping toms and perverts, you had better put that in your privacy notice.

I am not a lawyer, but I understand that having a written privacy policy and then doing things that violate it may possibly, under some circumstance, give rise to lawsuits and possible criminal charges. This is perticularly true if the site and the information collection are involved in commercial transactions. So be truthful in your policy and you shouldn't have anything to worry about.

8:44 pm on June 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 15, 2003
posts:1418
votes: 0


I'm interested to hear your thoughts.

I'm also mildly amused by the fact that it's called the California Online Privacy Protection Act of 2003 and it doesn't go into effect until the middle of 2004.

I would be interested in hearing if anyone knows about legal recourse options for privacy policy violators. The method I described in my previous post is a 100% accurate way of determining who the violators are. The question now is what to do with them.

9:34 pm on June 15, 2004 (gmt 0)

New User

10+ Year Member

joined:May 20, 2003
posts:5
votes: 0


It took me a good couple of hours to go research the law, read through it, try to figure out how it affects me, and how to write a compliant policy. By the time I'm done and have it up on my site, I'll have another couple of hours into it. And I've got a pretty good knowledge of both law and the web.

Your typical work-at-home mom selling home-made jewelry isn't going to be able to do it that fast. Figure a minimum of four, on up to six or eight hours.

Now repeat that (discounted because you don't have the big learning curve) when New York passes theirs, and New Jersey theirs, and so on and so on.

A day initially and a few hours every time a new state passes a privacy law adds up for a solo operator, especially when webmastering isn't their forte'.

And then what happens when they start passing advertising regulations and all kinds of other state-specific laws?

One doesn't seem like that big a deal, but it's a very, very slippery slope.

3:33 pm on June 19, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8492
votes: 224


Digitalv,

The catchall with their address is brilliant. I have used some similar schemes for junk post (my middle name is the name of the company) but hadn't thought of that for email.

As for the 2003 act taking effect in 2004, I think that's typical in that the act is usually dated from the legislative session where enacted, not when it takes effect. I could be wrong though.

Tom

6:05 am on June 20, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 1, 2003
posts:1203
votes: 0


>There was another law that went into effect 2004-01-01 which has much more of an impact.

Anyone know which law this is?

6:39 am on June 20, 2004 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts:12172
votes: 61


BILL NUMBER: SB 186 CHAPTERED [leginfo.ca.gov]

"Unsolicited commercial e-mail advertisement" means a
commercial e-mail advertisement sent to a recipient who meets both of
the following criteria:
(1) The recipient has not provided direct consent to receive
advertisements from the advertiser.
(2) The recipient does not have a preexisting or current business
relationship, as defined in subdivision (l), with the advertiser
promoting the lease, sale, rental, gift offer, or other disposition
of any property, goods, services, or extension of credit.