Chapter 22Internet Privacy Requirements

Section § 22575

Explanation

If you run a commercial website or online service that collects personal information from people in California, you need to have an obvious privacy policy posted on your site. You have 30 days to do this after being told you're not following the rules. The privacy policy must explain what types of personal information you collect, who you might share it with, and how users can change their own information. It should also explain how you'll inform people about big changes to your policy and how you deal with 'do not track' signals. You need to tell users the policy's effective date and if others can collect their data while they're using your service.

(a)CA Business and Professions Code § 22575(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b)CA Business and Professions Code § 22575(b) The privacy policy required by subdivision (a) shall do all of the following:
(1)CA Business and Professions Code § 22575(b)(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2)CA Business and Professions Code § 22575(b)(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3)CA Business and Professions Code § 22575(b)(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.
(4)CA Business and Professions Code § 22575(b)(4) Identify its effective date.
(5)CA Business and Professions Code § 22575(b)(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6)CA Business and Professions Code § 22575(b)(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7)CA Business and Professions Code § 22575(b)(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
privacy policy personal information consumer data do not track signals third-party sharing policy effective date online privacy data collection California residents user notification material changes data request process browser signals tracking mechanisms internet privacy
(Amended by Stats. 2013, Ch. 390, Sec. 1. (AB 370) Effective January 1, 2014.)

Section § 22576

Explanation

If a company running a website or online service collects personal information from users in California, they must follow their own privacy policy and certain legal requirements. If they don't, they're breaking the law. They can be in trouble whether they ignore the rules on purpose or because of carelessness.

An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways:
(a)CA Business and Professions Code § 22576(a) Knowingly and willfully.
(b)CA Business and Professions Code § 22576(b) Negligently and materially.
online privacy policy personal information collection California consumers privacy policy compliance website operators online services negligence willful non-compliance privacy violation consequences data protection responsibilities
(Added by Stats. 2003, Ch. 829, Sec. 3. Effective January 1, 2004. Section operative July 1, 2004, pursuant to Section 22579.)

Section § 22577

Explanation

This part of California Business and Professions Code explains important terms related to collecting personal information online. "Personally identifiable information" is any data that can identify a person, like their name, address, email, phone number, or social security number. Website or service providers need to clearly post privacy policies where people can easily find them. This could be on the homepage or the first important page when someone enters a site. "Operator" refers to anyone who runs a commercial website or online service collecting data from California users, not including outside companies managing the site on their behalf. A "consumer" is someone using the site for personal needs, like buying or leasing goods and services.

For the purposes of this chapter, the following definitions apply:
(a)CA Business and Professions Code § 22577(a) The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1)CA Business and Professions Code § 22577(a)(1) A first and last name.
(2)CA Business and Professions Code § 22577(a)(2) A home or other physical address, including street name and name of a city or town.
(3)CA Business and Professions Code § 22577(a)(3) An e-mail address.
(4)CA Business and Professions Code § 22577(a)(4) A telephone number.
(5)CA Business and Professions Code § 22577(a)(5) A social security number.
(6)CA Business and Professions Code § 22577(a)(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7)CA Business and Professions Code § 22577(a)(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
(b)CA Business and Professions Code § 22577(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following:
(1)CA Business and Professions Code § 22577(b)(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.
(2)CA Business and Professions Code § 22577(b)(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
(3)CA Business and Professions Code § 22577(b)(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
(A)CA Business and Professions Code § 22577(b)(3)(A) Includes the word “privacy.”
(B)CA Business and Professions Code § 22577(b)(3)(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C)CA Business and Professions Code § 22577(b)(3)(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4)CA Business and Professions Code § 22577(b)(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
(5)CA Business and Professions Code § 22577(b)(5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.
(c)CA Business and Professions Code § 22577(c) The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.
(d)CA Business and Professions Code § 22577(d) The term “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
personally identifiable information online privacy privacy policy consumer data website operator commercial purposes California consumer data collection home page privacy link text link hyperlink privacy icon user data online service data identifier
(Added by Stats. 2003, Ch. 829, Sec. 3. Effective January 1, 2004. Section operative July 1, 2004, pursuant to Section 22579.)

Section § 22578

Explanation

This law says that when it comes to posting privacy policies on websites, the state rules take priority over any local laws. Local governments aren't allowed to have their own rules on this issue because the state wants it to be the same everywhere in California.

It is the intent of the Legislature that this chapter is a matter of statewide concern. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the posting of a privacy policy on an Internet Web site.
statewide concern supersedes local laws preempts local regulations internet privacy policy website privacy rules city and county laws local agency regulations consistency across California local ordinances standardization website privacy online data practices governing privacy policies
(Added by Stats. 2003, Ch. 829, Sec. 3. Effective January 1, 2004. Section operative July 1, 2004, pursuant to Section 22579.)

Section § 22579

Explanation

This law section states that the rules or regulations within this chapter started being effective on July 1, 2004.

This chapter shall become operative on July 1, 2004.
operative date July 1 2004 effective date of chapter enactment date implementation date commencement beginning of operations start date for rules activation date initiation of chapter regulatory start calendar date applicability law effectiveness timeline of enforcement law operational date
(Added by Stats. 2003, Ch. 829, Sec. 3. Effective January 1, 2004. Note: This section prescribes a delayed operative date for Chapter 22, commencing with Section 22575.)