California Governor Jerry Brown Signs Two Bills Addressing Additional Requirements For Personally Identifiable Information

October 03, 2013

On September 27, 2013, California Governor Jerry Brown signed into law two bills adding additional requirements related to consumers’ personally identifiable information, including online accounts and activities. The first bill, Assembly Bill 370, which adds transparency provisions to the California Online Privacy Protection Act (“CalOPPA”),[1] will require operators of websites, mobile apps, and other online services to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about online activities over time and across sites and services. The second bill, Senate Bill 46, adds additional requirements to California’s data breach notification law. These actions follow Governor Brown’s signing of a separate bill creating “Privacy Rights for California Minors in the Digital World,”[2] and indicate that online privacy — particularly with regard to one’s online activities — is an increasing area of focus and a potential area for enforcement.

Amendments to CalOPPA
CalOPPA currently requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy. With respect to content, the policy must include at least the following: (1) a list of categories of personally identifiable information collected and the parties with whom such information may be shared; (2) a description of the process (if any) by which consumers may review and request changes to such information; (3) a description of the process by which the operator notifies customers of material changes to its privacy policy; and (4) the effective date of the policy.

The new amendments, effective January 1, 2014, will require that the policy also: (5) disclose how the operator responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about their online activities over time and across third party sites or services, if the operator collects such information; and (6) disclose whether third parties may collect personally identifiable information about online activities over time and across different sites when a consumer uses the operator’s site or service. An operator may satisfy the requirement of paragraph (5) by including in its privacy policy a clear and conspicuous hyperlink to a description of any protocol the operator follows that offers consumers a choice regarding collection of personally identifiable information about their online activities.

In addition, effective January 1, 2015, the law will prohibit certain online marketing or advertising to minors (i.e., those under 18) and will generally require operators to honor requests by minors who are registered users to remove content posted by the minor.

CalOPPA does not contain an enforcement provision, but California Attorney General Kamala D. Harris has made efforts to enforce CalOPPA through California’s Unfair Competition Law, which permits penalties of up to $2,500 per violation. Earlier this year, the Attorney General brought suit against Delta Airlines, alleging that Delta violated CalOPPA and California’s Unfair Competition Law by failing to “conspicuously post a privacy policy in its Fly Delta app” and failing to comply with its own privacy policy. The suit was dismissed on preemption grounds, so it generally remains to be seen how enforcement may proceed and how the law may be interpreted by courts.

The recent CalOPPA amendments represent the first legislation addressing the concept of do-not-track, a recent area of focus by both the FTC and self-regulatory groups. In addition, since CalOPPA applies specifically to operators collecting information about California residents, out-of-state entities may be subject to the new requirements if they collect covered data from California residents.

Amendments to California’s Data Breach Notification Law
In addition to the amendments to CalOPPA, Governor Brown also signed into law a bill amending California’s data breach notification law, which took effect in 2003.[3]

Existing law requires those that conduct business in California, and that own or license computerized data including personal information, to disclose a security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. “Personal information” is currently defined to include an individual’s first name or first initial and last name in combination with unencrypted data elements such as social security numbers, driver’s license numbers, financial account information, and medical information.

The amendments, which will take effect on January 1, 2014, expand the definition of “personal information” — and therefore expand notification obligations — to apply to “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” However, notification obligations for a breach involving online account information vary depending on whether the breach involves other types of personal data. For instance, where a breach involves online account information and “no other personal information,” businesses may comply with the obligation “by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”

In light of these new laws, businesses should carefully review CalOPPA and other applicable privacy and data security laws, and should update their policies and practices to ensure compliance.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:


[1] The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22575 et seq. (2004).

[2] California Governor Jerry Brown Signs Bill Amending California Online Privacy Protection Act

[3] Cal. Civil Code §§ 1798.29 and 1798.82.

This article was originally published by Bingham McCutchen LLP.