(a) Each state department and state agency shall enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code). Each state department and state agency shall conspicuously post its privacy policy on its Internet Web site.
(b) The privacy policy required by subdivision (a) shall include, but is not limited to, the following principles:
(1) Personally identifiable information is only obtained through lawful means.
(2) The purposes for which personally identifiable data are collected are specified at or before the time of collection, and any subsequent use is limited to the fulfillment of purposes not inconsistent with those purposes previously specified.
(3) Personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the subject of the data, or as authorized by law or regulation.
(4) Personal data collected must be relevant to the purpose for which it is collected.
(5) The general means by which personal data is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless that disclosure of general means would compromise legitimate state department or state agency objectives or law enforcement purposes.
(6) Each state department or state agency shall designate a position within the department or agency, the duties of which shall include, but not be limited to, responsibility for the privacy policy within that department or agency.
(c) For purposes of this section, the term “conspicuously post” shall include posting the privacy policy through any of the following means:
(1) An Internet Web page on which the actual privacy policy is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does any of the following:
(A) Includes the word “privacy.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text or in contrasting type, font, or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to hyperlink to the actual privacy policy.
(Amended by Stats. 2014, Ch. 851, Sec. 1. (AB 928) Effective January 1, 2015.)