California’s Online Privacy Protection Act (OPPA) of 2003 requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies. “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual. Accordingly, the definition of “personally identifiable information” is quite broad, and beyond the scope of the security breach notification laws in California and other states. Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.
None of these requirements is new. They are standard fare for privacy policies. For instance, the Federal Trade Commission has long published information about these topics in its guide to fair information practice principles.