compliance
Beyond the PCI
PART 1

Ensuring compliance with the California Online Privacy Protection Act of 2003
by Chris Mark

    The focus of this column over the past several months has been compliance with the card associations’ Payment Card Industry (PCI) requirements and related topics. The PCI requirements remain extremely important for every company that stores, processes or transmits cardholder data, but recent legislation has broadened the responsibilities of any company that stores personal customer information. Merchants and service providers are required by the card associations to comply with the PCI requirements; complying with the PCI, however, may not protect a company against liability in the event of compromised consumer data.
    To reiterate some points made in previous articles, the PCI requirements were developed with the objective of protecting cardholder account data. In addition to the requirements themselves, the PCI outlines fines and other penalties for companies that fail to comply with the standards. While the older Cardholder Information Security Program (CISP) standards developed by Visa USA required merchants and service providers to ‘comply with relevant state and federal regulations’, the newly adopted PCI standards omit this requirement. There are, however, a number of existing and proposed regulations with which companies should be familiar to mitigate the risk of running afoul of state or federal law.
    California’s Online Privacy Protection Act of 2003 (OPPA), enacted as AB 68 and authored by Assembly member Joseph Simitian, took effect in July 2004. It requires that a privacy policy be “conspicuously” posted on every commercial website or online service that collects personally identifiable information about consumers. The primary impetus behind the law is the selling or sharing of consumers’ personal information by financial institutions. While the Gramm-Leach-Bliley Act of 1999 allows the sharing of this type of information at the federal level, it also allows states to pass stronger privacy laws if they choose, and states have begun to address privacy concerns through new regulations. To date North Dakota, Alaska, Connecticut, Illinois, Vermont and now, with the passage of AB 68, California have passed laws related to the protection of consumer information. Several other states, including New York and New Jersey, currently have similar laws pending.
    To the casual observer, the OPPA appears to be just one more state law in a long line of regulations that are rarely enforced and typically ignored until the state or federal government is seen to take action. Some critics have claimed that this law is simply a formality, as most online businesses have posted privacy policies for some time: by 2000, over 80% of online businesses had a privacy policy on their website. Contrary to what these critics say, the OPPA complements the current regulations and enforcement actions of the Federal Trade Commission. And while it is not particularly strong from an enforcement perspective, the OPPA clearly sets a precedent with regard to privacy policies.
    In February 2005 I addressed Section 5(a) of the Federal Trade Commission Act and its impact on business in the article titled “Federal Trade Commission Act §5A, What You Don’t Know Can Hurt You.” Section 5(a) charges the Federal Trade Commission with preventing “unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” To summarize the main points of that article, the FTC has charged a number of large companies with deceptive trade practices, and obtained settlements, for not operating in a manner consistent with their published privacy or information security policies. Until now, this left companies with two options: post a sufficiently comprehensive privacy policy on the website and follow it to the letter, or post no policy at all and so make no representation that the FTC could hold them to. While laws have existed for several years mandating privacy policies for specific business types, until the OPPA was passed in California no comprehensive law required every online business that collects personally identifiable information to publish a privacy policy. Since it is reasonable to assume that every business operating online today has California residents among its customers, it is prudent to adopt the standards outlined in the OPPA.
    To ensure that your company is complying with the OPPA, you must understand what type of information you are collecting from consumers. While several organizations have defined Personally Identifiable Information (PII), the OPPA specifically outlines what is considered PII. The code defines Personally Identifiable Information as:
    Individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

  • A first and last name.
  • Home or other physical address, including street name and name of a city or town.
  • E-mail address.
  • Telephone number.
  • Social security number.
  • Any other identifier that permits the physical or online contacting of a specific individual.
  • Information concerning a user that the website or online service collects online from the user and maintains in a personally identifiable form in combination with an identifier described in this subdivision.

    Most merchants and service providers have focused on protecting only the cardholder account number, so implementing measures to protect PII is sure to be a challenge. The OPPA stipulates that any online business that collects personally identifiable information from a California resident must take the following steps to comply with the law:

  • Conspicuously post its privacy policy on its website. To meet the ‘conspicuous’ posting requirement, a company may do any of the following:
    • Post the policy on the homepage or the first significant page after entering the website.
    • Provide an icon that hyperlinks to the privacy policy. The icon must be on the homepage or first significant page and must include the word ‘privacy’.
    • Provide a text hyperlink to the privacy policy on the homepage or first significant page that does at least one of the following:
      • Includes the word ‘privacy’.
      • Is written in capital letters equal to or greater in size than the surrounding text.
      • Is written in larger type than the surrounding text, or in contrasting type, font or color, or is set off from the surrounding text by symbols or other marks that call attention to it.
    • Provide any other functional hyperlink displayed so that a reasonable person would notice it.
    • In the case of an online service, provide any other reasonably accessible means of making the privacy policy available to consumers of that service.
  • Identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit it, and the categories of third-party persons or entities with whom the operator may share that information.
  • If the operator maintains a process for an individual consumer to review and request changes to any of his or her personally identifiable information collected through the website or online service, describe that process.
  • Describe the process by which the operator notifies consumers of material changes to the privacy policy for that website or online service.
  • Identify the effective date of the policy.

    With the passing of the OPPA, California effectively mandated that all companies operating online implement a privacy policy. Although the penalties for non-compliance with the OPPA are not severe, taken together with the FTC’s actions this becomes a more serious matter: once a policy is posted, any practice that contradicts it can be treated by the FTC as a deceptive act. With the focus on protecting individual consumers’ privacy, and with identity theft widely described as the fastest growing crime in the US, it is anticipated that more states will pass laws similar to the OPPA. As merchants and service providers, it is imperative that we begin to move beyond the PCI and start focusing on the protection of all personally identifiable data.
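The ‘conspicuous posting’ criteria above are the part of the OPPA that can be checked, at least in part, by a script run against a site’s own home page. The following is an added example written for this column, not code from the original article or from any regulator: it parses the home-page HTML with Python’s standard html.parser, reports links whose visible text or icon alt text contains the word ‘privacy’ (the two criteria that can be judged from markup alone), and flags links that point at a policy page but rely on capitalization, size, color or symbols to stand out, since those criteria need a human to confirm. The sample pages and the URL paths in them are constructed for the example.

```python
# Added example: heuristic check of the markup-verifiable OPPA
# "conspicuous posting" criteria against a home page's HTML.
# Sample pages and paths below are constructed, not real sites.
from html.parser import HTMLParser


class _AnchorCollector(HTMLParser):
    """Collect each <a> on the page with its href, visible text and any <img> alt text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # anchor currently being read, or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = {"href": attrs.get("href") or "", "text": "", "alt": ""}
        elif tag == "img" and self._open is not None:
            # html.parser routes both <img ...> and <img .../> through here
            self._open["alt"] += " " + (attrs.get("alt") or "")

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None


def _normalize(s):
    return " ".join(s.split())


def assess_privacy_links(html):
    """Return (qualifying, needs_review), each a list of (href, reason) tuples.

    qualifying   - anchors meeting a criterion checkable from markup alone:
                   text containing 'privacy', or an icon whose alt text does
    needs_review - anchors whose href suggests a privacy policy but whose text
                   lacks the word; they pass only if their typography makes
                   them stand out, which a person must confirm
    """
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    qualifying, needs_review = [], []
    for a in parser.anchors:
        text, alt, href = _normalize(a["text"]), _normalize(a["alt"]), a["href"]
        if "privacy" in text.lower():
            qualifying.append((href, "text link containing the word 'privacy'"))
        elif "privacy" in alt.lower():
            qualifying.append((href, "icon link with 'privacy' in its alt text"))
        elif "privacy" in href.lower():
            needs_review.append((href, "links to a policy but text %r lacks 'privacy'; "
                                       "check capitals, size, color or symbols" % text))
    return qualifying, needs_review


def homepage_is_compliant(html):
    """True when at least one link satisfies a markup-checkable criterion."""
    return bool(assess_privacy_links(html)[0])


# Constructed sample home pages.
HOMEPAGE_WITH_ICON = """
<html><body>
<h1>Example Store</h1>
<p><a href="/catalog">Shop now</a></p>
<footer>
  <a href="/policies/privacy"><img src="/img/lock.gif" alt="Privacy policy"></a>
  <a href="/terms">Terms of use</a>
</footer>
</body></html>
"""

HOMEPAGE_WITH_TEXT = """
<html><body>
<p><a href="/privacy">PRIVACY</a> | <a href="/contact">Contact</a></p>
</body></html>
"""

HOMEPAGE_NEEDS_REVIEW = """
<html><body>
<p><a href="/legal/privacy.html">Legal</a> | <a href="/contact">Contact</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, page in [("icon", HOMEPAGE_WITH_ICON), ("text", HOMEPAGE_WITH_TEXT),
                       ("review", HOMEPAGE_NEEDS_REVIEW)]:
        ok, review = assess_privacy_links(page)
        print(name, "compliant" if ok else "NOT compliant", ok, review)
```

The third sample is the case to watch for: a link labelled only ‘Legal’ that happens to point at the policy is not conspicuous under the statute unless its typography makes it so, and nothing in the HTML proves that, so the script reports it for review rather than passing it. The script says nothing about the content of the policy itself (categories of PII, third parties, change process, effective date), which still has to be read.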

    More information on the Federal Trade Commission’s privacy initiatives can be found at www.ftc.gov/privacy.
    The text of the OPPA can be found on the California legislative website, www.leginfo.ca.gov, in the Business and Professions Code beginning at section 22575.