First online privacy law looms
But most companies already follow requirements of California's AB 68, experts say
Computerworld - The nation's first privacy law targeted specifically at online businesses will go into effect in California on July 1. But it's unlikely to cause many problems for companies, because most of the privacy requirements stipulated by the law are already in place at a majority of commercial Web sites.
The Online Privacy Act of 2003 (Calif. AB 68) was authored by Assembly member Joseph Simitian. Under the law, any online business that collects personally identifiable information from a California resident is required to do the following:
- Post its privacy policies in a prominent manner on its Web site and identify the effective date.
- Inform consumers of the different types of personally identifiable information that's being collected about them, including how the data will be used and shared.
- Describe how individuals can request and make changes to their personal information.
- Specify the process by which any changes to the company's privacy policies will be communicated to consumers.
"If you are going to collect personal information from people, you need to tell them what your privacy policies are and then honor that commitment," Simitian said.
The law is structured in such a manner that anyone can bring an "individual course of action" against companies that fail to comply with it, he said.
AB 68 is the first law to legally formalize something that most online businesses have been doing for some time anyway, said Christopher Pierson, a partner at Lewis and Roca LLP in Phoenix.
"It sets the bar specifically for online merchants," Pierson said. Previously, a consumer would have had to take action such as filing a complaint with the Federal Trade Commission or suing a company under unfair business practice laws to address an online privacy breach, he said.
From an IT standpoint, there is little companies have to change to comply with the law.
"Most companies doing business on the Web have privacy statements," said Kirk Herath, chief privacy officer at Nationwide Insurance Cos. in Columbus, Ohio. "They just need to make sure that their old statements contain all of the elements of the new requirements."
The bill isn't as "threatening" as some other California privacy laws, such as the SB 1386 database breach notification act and the pending SB 1279, which toughens the scope of SB 1386, said one user at a large financial services company who requested anonymity.
Part of the reason may be that the original online privacy bill had been watered down quite a bit before being passed, he said.
According to Simitian, there was strong industry opposition to the bill over some of the initial provisions. The biggestconcern had to do with a provision that required companies to maintain a history of their privacy policies. There was also considerable concern over the prospect of companies having to comply with a patchwork of policies if other states adopted such measures, he said.
Though AB 68 passed the state legislature in 2002, it was vetoed by then-governor Gray Davis. A revised version of the bill was approved in 2003.
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts