First Online Data Privacy Law Looms in California

Computerworld - The nation's first privacy law that specifically targets online businesses will go into effect in California on July 1. But it's unlikely to cause many problems for companies, because most of the privacy requirements stipulated by the law are already in place at commercial Web sites.
The Online Privacy Act of 2003 (Calif. AB 68) was authored by Joseph Simitian, a member of the California State Assembly. Under the law, any online business that collects personally identifiable information from California residents is required to take steps such as posting its privacy policy and notifying consumers about what kinds of data will be gathered and how it will be used.
The law is structured so that anyone can bring an "individual course of action" against companies that fail to comply, Simitian said.
The AB 68 legislation formalizes what most online businesses have been doing for some time anyway, said Christopher Pierson, a partner at Lewis and Roca LLP, a law firm in Phoenix. Previously, consumers had to take action such as filing a complaint with the Federal Trade Commission or suing a company under unfair business practice laws to address an online privacy breach, Pierson said.
From an IT standpoint, there is little that companies have to change.
"Most companies doing business on the Web have privacy statements," said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio. "They just need to make sure that their old statements contain all of the elements of the new requirements."
Not as Threatening
The bill isn't as "threatening" as other California privacy laws, such as the SB 1386 Database Breach Notification Act and the pending SB 1279 measure that toughens the scope of SB 1386, said a user at a financial services company who requested anonymity.
Part of the reason may be that the original bill had been watered down quite a bit before being passed, he said.
According to Simitian, there was heavy industry opposition to some of the bill's initial provisions. The strongest objections were over a provision that required companies to maintain a history of their privacy policies, he said.