As the eggnog flowed and the Christmas lights sparkled, many online marketers may have lost track of legislative events, specifically the 2003 passage of some new online privacy laws in California with far-reaching implications.
The two most relevant laws to online marketing are SB 27 and AB 68. The first, SB 27, mandates that consumers be given lists of the kinds of information companies collect and share with third parties about them, as well as the names of those third parties. If this is not provided, the business must have a privacy statement giving the customer a free opportunity to opt out of information sharing. SB 27 is not specifically targeted to online businesses, but does apply to them. It goes into effect Jan. 1, 2005.
Though the recently passed federal CAN-SPAM Act preempts most provisions of California's tough anti-spam laws, these laws deal with other areas of privacy and are not affected by CAN-SPAM. Also, they're not affected by recent amendments to the Federal Fair Credit Reporting Act, according to Joanne McNabb, chief of California's Office of Privacy Protection.
"Of the two bills, SB 27 is the most significant," said David Nielsen, founder of FightIdentityTheft.com. "AB 68 is too broad and has few consequences for violators."
"SB 27 has civil penalties. It's targeted toward large institutions, not every single person in the world who has a Web site the way AB 68 is," Nielsen commented.
"With 27 there is a civil penalty that the individual can recover of up to $3,000 plus attorney's fees. It's targeted toward large institutions. If I buy something from Costco.com or some such site, I have a right to ask them what affiliated businesses Costco.com shares my information with. And they either have to provide that or I can prosecute," Nielsen maintained.
According to Nielsen, for these reasons, SB 27 has far-reaching implications. Also, "while California is leading, other states are passing laws like this too."
Nielsen feels that AB 68 is too broad and puts enforcement in the hands of the individual. "I give all the credit in the world to the legislators in their efforts, but I don't think this law will have that much of an impact."
McNabb, of California's Office of Privacy Protection, disagreed.
The law does have teeth, she affirmed.
"The way it would be enforced is through Business and Profession Code 17200, California's unfair competition law. You would go to the attorney general or the local district attorney and complain," McNabb explained. "The penalty could be civil fines or injunctive relief to make them stop violating the law. There could be actual or punitive damages."
A Direct Marketing Association senior VP said the two laws are helpful to DMA members.
"California SB 27 gives consumers the right to ask, 'What information do you have about me and where has it been shared?' Upon request, companies must provide consumers with their individual records," said Jerry Cerasale, senior VP of government affairs for the DMA.
"First, it codifies into law existing DMA guidelines, and second, it'll level the playing field in that market by forcing all companies that do business in California to play by the same rules," Cerasale maintained.