On September 27, 2013, California Governor Jerry Brown signed into law two bills imposing additional requirements related to consumers’ personally identifiable information, including online accounts and activities. The first bill, Assembly Bill 370, which adds transparency provisions to the California Online Privacy Protection Act (“CalOPPA”),1 will require operators of websites, mobile apps, and other online services to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about online activities over time and across sites and services. The second bill, Senate Bill 46, adds requirements to California’s data breach notification law. These actions follow Governor Brown’s signing of a separate bill creating “Privacy Rights for California Minors in the Digital World,”2 and indicate that online privacy — particularly with regard to one’s online activities — is an increasing area of focus and a potential area for enforcement.
Amendments to CalOPPA
In addition, effective January 1, 2015, the law will prohibit certain online marketing or advertising to minors (i.e., those under 18) and will generally require operators to honor requests by minors who are registered users to remove content posted by the minor.
The recent CalOPPA amendments represent the first legislation addressing the concept of do-not-track, a recent area of focus by both the FTC and self-regulatory groups. In addition, since CalOPPA applies specifically to operators collecting information about California residents, out-of-state entities may be subject to the new requirements if they collect covered data from California residents.
Amendments to California’s Data Breach Notification Law
In addition to the amendments to CalOPPA, Governor Brown also signed into law a bill amending California’s data breach notification law, which took effect in 2003.3
Existing law requires those that conduct business in California, and that own or license computerized data including personal information, to disclose a security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. “Personal information” is currently defined to include an individual’s first name or first initial and last name in combination with unencrypted data elements such as social security numbers, driver’s license numbers, financial account information, and medical information.
The amendments, which will take effect on January 1, 2014, expand the definition of “personal information” — and therefore expand notification obligations — to apply to “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” However, notification obligations for a breach involving online account information vary depending on whether the breach involves other types of personal data. For instance, where a breach involves online account information and “no other personal information,” businesses may comply with the obligation “by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”
In light of these new laws, businesses should carefully review CalOPPA and other applicable privacy and data security laws, and should update their policies and practices to ensure compliance.
1 The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22575 et seq. (2004).
3 Cal. Civil Code §§ 1798.29 and 1798.82.
This article was originally published by Bingham McCutchen LLP.