Oregon District Court ruling highlights importance of posting an accurate online privacy policy
September, 2006
Companies that maintain commercial websites are required to comply with a variety of state and federal laws pertaining to the online collection and use of personal information. A recent Oregon case, CollegeNET, Inc., v. XAP Corp., highlights one costly implication of posting a deficient online privacy policy: a claim for unfair competition.
Plaintiff, CollegeNET, Inc. ("Plaintiff"), provides online college admission application services to college-bound students. Colleges and universities pay Plaintiff for these services. Defendant, XAP Corporation ("Defendant"), provides similar online college application services to college-bound students through numerous "Mentor" websites.
Some of Defendant's Mentor websites include a webpage with the following statement: "Personal data entered by the user will not be released to third parties without the user's express consent and direction." Certain account set-up screens on Defendant's Mentor websites also include the following language: "The information you enter will be kept private in accordance with your express consent and direction. Click here to view the Privacy Statement." In addition to these statements, some of Defendant's Mentor sites ask the following opt-in question: "Are you interested in receiving information about student loans or financial aid?" Personal data collected from students who answered "yes" to the opt-in question was shared with Defendant's paying clients.
As to Defendant's online statements concerning privacy, the Court ruled that there were genuine issues of material fact as to whether a student "expressly consented" to the release of personal information. As the CollegeNET ruling reflects, Defendant faces potential liability because it did not post an accurate and comprehensive privacy policy.
To ensure compliance with applicable privacy regulations, companies should comply with the law of the most stringent state. California was the first state to mandate the use of a privacy policy for commercial websites. Web sites that collect personally identifiable information from California consumers must comply with the California Online Privacy Protection Act of 2003 ("OPPA"), which became effective on July 1, 2004. OPPA applies to any operator of a web site or online service that collects personally identifiable information from a consumer residing in California who uses or visits that web site or online service, and it requires such operators to post a conspicuous privacy policy stating what personal information is collected.
OPPA requires operators of commercial web sites to post a noticeable privacy policy that includes:
- A list of the categories of the collected personally identifiable information;
- A list of the categories of third parties with whom such personally identifiable information is shared;
- A description of the process (if any) by which the consumer can review and request changes to collected personally identifiable information;
- A description of the process by which the operator notifies consumers of material changes to the privacy policy; and
- The effective date of the privacy policy.
An operator violates OPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance. Those who do not comply with OPPA face potential civil liability.
In addition to state-specific laws like OPPA, businesses in certain industries, such as financial institutions or businesses that target minors, must also examine their compliance with additional state and federal regulations.