California Establishes Privacy Enforcement and Protection Unit

August 09, 2012

New unit will police individual and organizational practices and enforce the state's various privacy and security laws and regulations.

On July 19, California Attorney General Kamala Harris announced the creation of a new Privacy Enforcement and Protection Unit (the Privacy Unit), which is likely to lead to more aggressive enforcement of the privacy laws applicable to all businesses that collect personal information of California residents, regardless of whether the businesses are based in the state. California has long been considered a leader in enacting innovative and rigorous privacy and security laws and regulations. The formation of the Privacy Unit suggests that privacy enforcement in California may be catching up with privacy regulation.

Structure and Jurisdiction of Privacy Unit

The Privacy Unit will reside in the eCrime Unit of the California Department of Justice, which was launched by the attorney general's office in November 2011. The eCrime Unit is responsible for "investigating and prosecuting large-scale identity theft and technology crimes with actual losses in excess of $50,000." The Privacy Unit will include six state prosecutors and focus on enforcing federal and state laws that regulate the collection, use, and distribution of personal information by individuals, businesses, and the government. The unit's jurisdiction will include enforcement of laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records, and data breaches. In addition to enforcement, the Privacy Unit will also conduct education and outreach regarding privacy issues under the direction of Joanne McNabb, formerly of the California Office of Privacy Protection, who will now serve as director of privacy education and policy.

In the July 19 announcement, Attorney General Harris defined the Privacy Unit's work, stating, "The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others." She stressed the importance of the Privacy Unit's work, saying, "In the 21st Century, we share and store our most sensitive personal information on phones, computers and even the cloud. It is imperative that consumers are empowered to understand how these innovations use personal information so that we can all make informed choices about what information we want to share."

Increased California Focus on Privacy

The formation of the Privacy Unit follows Attorney General Harris's February 2012 announcement regarding a new privacy policy requirement for mobile application (app) operators applicable nationwide. In negotiations spearheaded by the attorney general's office, the state and several large mobile app providers reached an agreement requiring the companies to provide users with the opportunity to review and accept a privacy policy regarding their personal information before downloading an app.

The establishment of the Privacy Unit also follows the amendment of California's security breach notification statute, effective January 2012, which now requires reporting of security breaches involving more than 500 Californians to the attorney general's office. A representative of the attorney general's office has publicly stated that this was a key motivating factor in enhancing the state's privacy enforcement capabilities. It is no coincidence that the statutory amendment and the formation of the Privacy Unit both occurred this year; it is likely that the Privacy Unit will begin investigating security breaches now reported to the attorney general's office under the amended statute.


In recent years, California has enacted a number of unique privacy and security laws, including statutes relating to (i) disclosure of the use of customer information for direct marketing purposes (known as the "Shine the Light" law); (ii) stringent financial privacy protections; (iii) mandated "reasonable security procedures"; (iv) unauthorized access to medical information by hospitals, physicians, and other healthcare providers; and (v) required website privacy policies. Several of these recent laws have not been actively enforced thus far. In light of the Privacy Unit's creation, companies doing business in California would be well served to reevaluate their compliance with applicable California privacy and security laws and regulations.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following Morgan Lewis attorney:

San Francisco
W. Reece Hirsch