CALIFORNIA ENACTS LAW REQUIRING WEBSITE PRIVACY DISCLOSURE

[16659] October 13, 2003 TO: COMPLIANCE ADVISORY COMMITTEE No. 84-03 INVESTMENT ADVISER ASSOCIATE MEMBERS No. 24-03 INVESTMENT ADVISER MEMBERS No. 37-03 PRIMARY CONTACTS - MEMBER COMPLEX No. 87-03 PRIVACY ISSUES WORKING GROUP No. 8-03 SEC RULES MEMBERS No. 139-03 SMALL FUNDS MEMBERS No. 59-03 TECHNOLOGY ADVISORY COMMITTEE No. 15-03 RE: CALIFORNIA ENACTS LAW REQUIRING WEBSITE PRIVACY DISCLOSURE Effective July 1, 2004, California will require the operator of any commercial website or online service that collects “personally identifiable information”1 through the Internet about individual “consumers”2 residing in California who use or visit such website or online service to conspicuously post its privacy policy on its website.3 The law additionally requires the operator of the website or online service to comply with its posted policy. The specific requirements of this new law are summarized below.4 Required Contents of the Disclosure The law requires that the posted privacy policy: 1 Personally identifiable information” includes any of the following that a website or online service operator collects and maintains in an accessible form: a first and last name; a home or other physical address including street name and the name of a city or town; an e-mail address; a telephone number; a social security number; and any other identifier that permits the physical or online contacting of a specific individual. 2 As used in the law, “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes. 3 In lieu of such posting, an online service may instead use “any other reasonably accessible means of making the privacy policy available for consumers of the online service.” See Section 22577(b)(5). 4 The new law, which was enacted by Assembly Bill 68, will appear as a new Chapter 22, “Internet Privacy Requirements,” in Division 8 of California’s Business and Professions Code, consisting of Sections 22575 – 22579. A copy of Assembly Bill 68 may be accessed through the website of the California General Assembly at: http://www.assembly.ca.gov/acs/acsframeset2text.htm. 2 • Identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers and the categories of third-party persons or entities with whom the operator may share that information; • If the operator maintains a process for an individual consumer to review and request changes to any of his or her personally identifiable information that is collected through the website or online service, provide a description of that process;5 • Describe the process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator’s privacy policy; and • Identify its effective date. “Conspicuously Post” “Conspicuously post” is defined in the law to mean any of the following: • Posting on the home page of a website or on the “first significant page after entering the website;” • An icon that hyperlinks to a webpage on which the actual privacy policy is posted, provided that such icon: (i) contains the word “privacy;” (ii) appears either on the website’s homepage or on the first significant page and entering the website; and (iii) uses “a color that contrasts with the background color of the webpage or is otherwise distinguishable;” • A text link that hyperlinks to a webpage on which the actual privacy policy is posted if the text link: (i) is located on the home page or the first significant page after entering the website; (ii) includes the word “privacy;” (iii) is written in capital letters equal to or greater in size than the surrounding text; and (iv) is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language; or Any functional hyperlink that is displayed so that a reasonable person would notice it. Tamara K. Salmon Senior Associate Counsel 5 The law does not require an operator to have a process for consumers to review and request changes to information collected about them.