As the eggnog flowed and the Christmas lights sparkled, many online marketers may have lost track of legislative events, specifically the 2003 passage of some new online privacy laws in California with far-reaching implications.

The two most relevant laws to online marketing are SB 27 and AB 68. The first, SB 27, mandates that consumers be given lists of the kinds of information companies collect and share with third parties about them, as well as the names of those third parties. If this is not provided, the business must have a privacy statement giving the customer a free opportunity to opt out of information sharing. SB 27 is not specifically targeted to online businesses, but does apply to them. It goes into effect Jan. 1, 2005.

The second, AB 68, effective July 1 of this year, dictates that commercial Web sites or online services that collect personal information on California residents must post a privacy policy and comply with it.

Though the recently passed federal CAN-SPAM Act preempts most provisions of California's tough anti-spam laws, these laws deal with other areas of privacy and are not affected by CAN-SPAM. Also, they're not affected by recent amendments to the Federal Fair Credit Reporting Act, according to Joanne McNabb, chief of California's Office of Privacy Protection.

"Of the two bills, SB 27 is the most significant," said David Nielsen, founder of FightIdentityTheft.com. "AB 68 is too broad and has few consequences for violators."

"SB 27 has civil penalties. It's targeted toward large institutions, not every single person in the world who has a Web site the way AB 68 is," Nielsen commented.

"With 27 there is a civil penalty that the individual can recover of up to $3,000 plus attorney's fees. It's targeted toward large institutions. If I buy something from Costco.com or some such site, I have a right to ask them what affiliated businesses Costco.com shares my information with. And they either have to provide that or I can prosecute," Nielsen maintained.

According to Nielsen, for these reasons, SB 27 has far-reaching implications. Also, "while California is leading, other states are passing laws like this too."

Nielsen feels that AB 68 is too broad and puts enforcement in the hands of the individual. "I give all the credit in the world to the legislators in their efforts, but I don't think this law will have that much of an impact."

McNabb, of California's Office of Privacy Protection, disagreed.

"The law not only says you must post a privacy policy, but it specifies the kinds of information it must contain. If you do any sharing of individuals' information, you must say so. That hasn't been required until now," McNabb elaborated.

The law does have teeth, she affirmed.

"The way it would be enforced is through Business and Profession Code 17200, California's unfair competition law. You would go to the attorney general or the local district attorney and complain," McNabb explained. "The penalty could be civil fines or injunctive relief to make them stop violating the law. There could be actual or punitive damages."

A Direct Marketing Association senior VP said the two laws are helpful to DMA members.

"California SB 27 gives consumers the right to ask, 'What information do you have about me and where has it been shared?' Upon request, companies must provide consumers with their individual records," said Jerry Cerasale, senior VP of government affairs for the DMA.

"If, however, a company has a privacy policy, when a consumer asks that question, the company can direct the consumer to that policy, therefore not having to store and provide detailed individual records on demand," Cerasale pointed out.

According to Cerasale, having a privacy policy and giving consumers the opportunity to opt out of having their information shared are already DMA mandatory guidelines. For this reason, SB 27 helps DMA members in two ways, he said

"First, it codifies into law existing DMA guidelines, and second, it'll level the playing field in that market by forcing all companies that do business in California to play by the same rules," Cerasale maintained.

As to the second law, "AB 68 requires that companies notify consumers with a privacy policy about their online marketing activities. This is directly in line with DMA guidelines, so again, we feel it will help level the playing field for businesses and, in general, is good for all businesses as it increases consumers' comfort level in the marketplace," Cerasale said.