Natasha Shabani, Guest Contributor

online_privacyAttention California salon owners! Does your salon’s website or mobile app allow clients to make appointments online, purchase products, or sign up for your mailing list? These are examples of online activities that would subject your salon to a California privacy protection law which requires you to post a privacy policy on your site or app, detailing the collection and use of personal information from clients.

A privacy policy is an online legal notice providing information about the use of consumers’ personally identifiable information by the business owner. There is no federal law requiring a business to post an online privacy policy, but there is a California state law, which has wide applicability beyond California’s borders because websites and apps all over the world can be accessed by California residents at any time. The California Online Privacy Protection Act (CalOPPA) mandates that a privacy policy be posted on any website that collects personally identifiable information from California residents. The law requires privacy policies to set forth what information is collected and how it is shared. The Federal Trade Commission and state Attorneys General also investigate website owners, and most recently mobile app owners, who collect personal information without consumer consent and share that information with third parties.

“Personally identifiable information” generally means any information collected online about an individual, such as his/her name, address, e-mail, telephone number, social security number, or any other information that permits the physical or online contacting of a particular individual.

As a salon owner, be sure to enlist the expertise of counsel to help you draft a privacy policy that is not only legally compliant but also clear, concise and easy to understand.

More recently, as mobile apps have exploded in number and popularity, many consumers provide personal information via mobile apps downloaded on their smartphones or tablets, for instance to schedule an appointment or register as a new client at a salon. However, many apps either do not have a posted Privacy Policy at all, or have one that is buried somewhere on a page where the consumer is unlikely to see it. The California Attorney General’s office has taken the position that apps are subject to the requirements of CalOPPA just as traditional websites are.

Thus, if your salon’s website or mobile app allows clients to make appointments, make purchases, sign up for mailings, enter contests or sweepstakes, engage in social networking, or if you otherwise collect and/or share clients’ personally identifiable information, you must post a privacy policy.

A compliant privacy policy should include all of the following:

• What personal information is collected?
• How is the collected data used? Is it disclosed to third parties? If so to whom?
• Are cookies used? What kind?
• How can consumers opt out from receiving emails and from disclosure of their information to third parties?
• Is personal information collected from children under the age of 13? If so, is it in compliance with the federal Children’s Online Privacy Protection Act?
• How are the server and online operations kept secure?
• How can a consumer review and make changes to his/her personally identifiable information?
• How can consumers learn of material changes made to the privacy policy?
• What is the effective date of the privacy policy?

Once you have a good privacy policy in place, your business must act in accordance with it. Businesses have been prosecuted for having a “deceptive” privacy policy – one that does not reflect the actual practices of the company. Specifically, recent litigation in this area has focused on companies that posted privacy policies promising not to share their customers’ personal information but subsequently did disclose data to third parties. Another problem area is when businesses make material changes to their privacy policies without giving consumers appropriate notice and an opportunity to opt-out.

privacy2Once you have adopted a legally-compliant privacy policy that you are comfortable with, the privacy policy must be “conspicuously posted” on your website or app. A link to the policy should appear on the homepage of your salon’s website or on the download screen for your mobile app. Clients should have the opportunity to review an app’s privacy policy before they download the app, rather than after. The link should contain the word “privacy,” either in capital letters or in a contrasting font, or be otherwise distinguishable from the surrounding text.


Finally, to the extent possible, your privacy policy should be written in clear and simple language that the average consumer can understand. Certainly legal compliance with CalOPPA and other laws is essential; however, if your privacy policy is so filled with legal jargon that your clients feel confused about and distrustful of your privacy practices, they may lack confidence in your business and will not feel comfortable providing their information to you online. As a salon owner, be sure to enlist the expertise of counsel to help you draft a privacy policy that is not only legally compliant but also clear, concise and easy to understand.

About the Author
Natasha Shabani is a council member for Greenberg Glusker Fields Claman & Machtinger LLP. Her practices focus primarily on transactional intellectual property law, including copyright, trademark, and domain name/website issues, as well as sweepstakes and promotions law.

This article was written by an industry contributor and does not necessarily reflect the position or opinions of the Professional Beauty Association (PBA). To submit a request to contribute an article, click here.