Privacy Policies Must Be Posted by July 1, 2004

Last year the California Legislature passed the Online Privacy Protection Act, which becomes effective on July 1. The law applies to any commercial web site or online service that collects “personally identifiable information” about California consumers, such as a person’s name, physical address or e-mail address. If the web site or online service captures such information, the operator must conspicuously post a privacy policy that identifies the categories of parties, if any, with whom the operator may share the information. The policy must specify an effective date and must describe the process by which consumers will be notified of material changes to the policy. Businesses violate the law if they do not post a policy within 30 days after being notified of noncompliance. Further, the law requires businesses to follow the privacy policies that they have posted.

Note that this law may apply to your business even if your website is an electronic billboard and you do not take orders online. For example, if your website allows California consumers to request more information by completing and transmitting a “contact us” page, you must post and follow a privacy policy.

FTC Announces Settlement with Tower Records
California’s Online Privacy Protection Act is part of a larger regulatory effort aimed at protecting privacy on the Internet. Earlier this month, the Federal Trade Commission announced a proposed settlement with MTS, Inc. and Tower Direct, LLC. The case involves an alleged security flaw in the Tower Records website. According the FTC’s complaint, for a period of eight days, any visitor to Tower’s site who entered a valid order number could view personal information relating to Tower’s customers, including their names, street and e-mail addresses, telephone numbers, and descriptions of the products they had purchased. This allegedly contradicted Tower’s assurances to its customers that its order system was secure. Under the proposed settlement, Tower must establish and maintain a comprehensive information security program, including periodic evaluations by an outside auditor.

California Legislation May Set Standards for Used Car Certification
The automobile industry is closely watching the progress of Assembly Bill 1839, the “Car Buyer’s Bill of Rights.” This bill, which has cleared an initial committee vote, would substantially affect the relationship between car dealers and their customers. Many used car dealers offer “certified” cars, but the term currently lacks a definition under state law. The bill would preclude dealers from touting cars as “certified” unless they have been inspected by a qualified technician and have not sustained material damage. The bill also would give used car purchasers the right to cancel their purchases for any reason within three days, subject to a moderate cancellation fee. Perhaps most significantly, the bill would preclude dealers from accepting receiving money for arranging financing.

FTC Specifies Label for Sexually-Explicit E-Mail
The FTC is working on adopting rules to implement the CAN-SPAM Act of 2003, which requires senders of commercial e-mail to make certain disclosures and to refrain from e-mailing consumers who opt out. In April, the FTC announced a rule that requires senders of commercial e-mail to include the phrase “SEXUALLY-EXPLICIT:” in the subject line of any message that contains such content. The rule will take effect on May 19, 2004. To the extent that e-mail marketers follow this rule, it will increase the ability of spam-blocking software to filter out unwanted messages.

Flea Market Operator Liable for Copyright Infringement
While there is no doubt that the purveyors of pirate music are liable for copyright infringement, the law is less clear with respect to third parties who facilitate the sale. In UMG Recordings, Inc. v. Richard Sinnott, a federal judge in Sacramento considered whether the operator of the Marysville Flea Market should be held liable for copyright infringement by vendors who rented booths at the market. Investigators from the Recording Industry Association of America (RIAA) allegedly found three vendors offering some 3,000 counterfeit CDs and cassettes. The RIAA claimed that it repeatedly asked the flea market operator to prevent the sale of the counterfeit merchandise, but the sales continued. The court ruled that the operator was liable for contributory and vicarious copyright infringement, and the operator may be compelled to pay a substantial sum in damages.