- Identify the categories of personally identifiable information that an Operator collects about its individual visitors or users and disclose the categories of third-party persons or entities with whom the Operator may share that personally identifiable information;
- Disclose and explain any existing process that allows its individual visitors or users to review and request changes to the personally identifiable information that has been collected about them;
Definition of Personally Identifiable Information
The Online Privacy Protection Act defines "personally identifiable information" as any individually identifiable information about an individual consumer that has been collected online by an Operator and is maintained in an accessible form. The requirement that the information must be maintained in an accessible form means that if the Operator has unintentionally received certain information (perhaps through a cookie that collects more information than required by the Operator) but makes no attempt to actually organize or track it, then it may not be subject to this law. Examples of "personally identifiable information" include the following:
- First and last name;
- Home or other physical address (including street and city or town);
- Email address;
- Telephone number;
- Social security number; and
- Any other information that permits the individual subject of the information to be contacted, either physically or online.
The Online Privacy Protection Act does not apply to third parties who operate, host, manage, or process information on a website or online service on behalf of an Operator, but do not themselves own the website or online service.
Although the Online Privacy Protection Act does not provide for specific penalties, any violations of the Act would be deemed an "unlawful" act or practice under the enforcement provisions of the General Business Regulations Division of the Business & Professions Code. As such, in addition to injunctive relief, public attorneys can seek civil penalties in the amount of $2,500 for each violation, with additional penalties for violations involving senior citizens and disabled persons. As an unlawful act or practice, such violations may also be subject to class action claims.
Joseph J. Lewczak is a Partner and Sofia S. Rahman is an Associate in the Advertising, Marketing and Promotions Department and New Media Group of Davis & Gilbert LLP in New York.
Cal Bus & Prof Code § 22575 (2004).
See the Children's Online Privacy Protection Act of 1998 at 15 U.S.C. § 6501 (2004) et seq. and the implementing regulations at 16 C.F.R. 312.1; the Gramm-Leach-Bliley Act at 15 U.S.C. § 6801 (2004) et seq. and the implementing FTC regulations at 16 C.F.R. 313 et seq.; the Health Insurance Portability and Accountability Act of 1996 at 1996 Pub. L. 104-191 and the implementing regulations at 45 C.F.R. 160 et seq. and 45 C.F.R. 164 et seq.
15 U.S.C. § 45 (2004).
See, e.g., Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, 12, 27 (May 2000).