Prior to AB 370, California required that privacy policies include the following information:
- the kinds of information gathered by the website;
- how the information may be shared with other parties;
- a description of any existing process the user can use to review and make changes to their stored information;
- the effective date of the policy.
Boilerplate privacy policies (which many sites use) that speak in general terms are not effective, since the law requires specificity about the particular practices used by that site.
The new requirements under AB 370:
Failure to comply with these requirements could result in litigation and fines from the California Attorney General’s office, and should be taken seriously.
The best practice for a site or service available on the Internet to any location is usually to comply with the most demanding requirements, which seem to be California’s at the moment. For sites that are directed to, or have actual knowledge of use by, those under 13 years of age, an entirely separate body of law and requirements applies (a post on new COPPA regulations is forthcoming, so stay tuned). A review of posted web site privacy policies, and of the procedures dealing with users’ personal information, is recommended to ensure continued compliance with state law. Contact an attorney to set one up.
For further reference, the full text of the statute may be found here.