"An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available... An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance."
but sort of moot, because I don't think there is any way to enforce it.
Then they probably need that "we use cookies" banner, and will fall under the Data Protection Act.
"The Data Protection Act does not define fair processing. But it does say that, unless a relevant exemption applies, personal data will be processed fairly only if certain information is given to the individual or individuals concerned. It is clear that the law gives organisations some discretion in how they provide fair processing information – ranging from actively communicating it to making it readily available."