Privacy Advisor
IAPP Westin Research Center

Straight from the Pacific Ocean: A Tidal Wave of California Privacy Laws

November 6, 2013

By Kelsey Finch
IAPP Westin Research Fellow

Last Wednesday, the New York Times leading story covered the onslaught of privacy legislation at the state level, even as federal laws protecting privacy remain stalled in Congress. For more than a decade, California has stood at the forefront of this legislative wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. Today, websites and applications all over the world post privacy policies based on local versions of CalOPPA in what has become standard market practice. The security breach notification statute spawned similar legislation in more than 40 states and, increasingly, all over the world. It helped bring the realities of data breaches to the public eye.

It should therefore come as no surprise that yet another tidal wave of privacy legislation is sweeping its way from California, which is home to many of the leading technology companies in the world, across the nation and the privacy world. It’s important to take stock of new and pending California privacy legislation, highlighting new regulatory risks for privacy managers and outside counsel.

Editor’s note: For more on recently enacted legislation, see Hogan Lovells’ recent Privacy Tracker post.

Recent Legislation

Online Tracking Transparency Act (effective Jan. 1, 2014): Assembly Bill (A.B.) 370 was signed into law this past September as an amendment to CalOPPA. This law, which introduces two new disclosure requirements related to online tracking, has effectively forced the debate over Do Not Track (DNT). CalOPPA applies to any website, online service or – according to the California Attorney General – mobile application (“operator”) that collects personally identifiable information (PII) from “consumers residing in California.” Hence, it effectively applies to any website or mobile app nationwide (and quite possibly worldwide, if it has an English or Spanish interface). Operators must now clearly disclose in their privacy policies (1) how they respond to DNT signals and (2) whether third parties collect PII on their websites or apps. CalOPPA’s definition of PII is broad, and may extend to cookies or device identifiers. The California Attorney General’s Privacy Office has indicated that a report on best practices under CalOPPA might be forthcoming in early 2014. In the meantime, for further discussion of the new law see the Westin Research Center’s executive summary on What the New CalOPPA Disclosure Requirements Mean for Your Business.

Data Breach Notification (effective Jan. 1, 2014): Senate Bill (S.B.) 46 amends the definition of “personal information” under – and provides new triggers for – California’s data breach notification law. The bill specifically incorporates data elements that permit access to an online account (i.e., online credentials such as user names and passwords or security questions/answers) within the definition of “personal information.” The bill will also impose additional notification methods for breaches of credential information, such as providing online notification to an alternative, non-affected email account. The California Attorney General’s Privacy Office has indicated that it will update its best practice recommendations to encompass these changes in the near future.

Privacy and Advertising to Minors on the Internet (effective Jan. 1, 2015): S.B. 568 will first prohibit website operators and mobile apps from marketing certain types of products to minors. Website operators and advertisers would be forbidden from knowingly using, disclosing or compiling the personal data of minors to advertise products that minors are not legally allowed to purchase (e.g., tobacco, firearms or alcohol), or to permit a third party to do the same. In addition, the bill creates a right for minors who are registered users of a website or mobile app to remove content or information that they posted to that service. Content or information posted by a third party, otherwise required by law to be maintained or that has been anonymized will be exempt from these requirements. Online service providers will also be required to post notices of this limited “right to be forgotten” to minors.

Confidentiality of Medical Information Act (effective Jan. 1, 2014): Also signed into law this September, A.B. 658 strengthens protections for personal health care records (PHRs) by subjecting mobile health information and management applications to California’s Confidentiality of Medical Information Act (CMIA). As of next January, any software or hardware vendor that provides consumers with a product “designed to maintain medical information . . . or for the diagnosis, treatment, or management of a medical condition of the individual” will be considered a “provider of health care” under the CMIA. Accordingly, such vendors will need to acquire individual consent (or “authorization”) prior to making certain disclosures, including sharing, selling, using or marketing any personal medical information for purposes not related to the provision of health care. Mobile medical app providers should note that the CMIA’s marketing restrictions are stricter than those required by federal law (HIPAA).

Privacy of Consumer Electrical or Natural Gas Usage Data (effective Jan. 1, 2014): This newly signed law, A.B. 1274, is designed to protect the privacy of consumers using smart grid technologies by prohibiting the sale of consumption data and penalizing providers that fail to comply with industry data security standards. Home energy providers will need to acquire express, individual consent to sell, share, disclose or use a consumer’s electrical or gas consumption data, and the consent request will need to conspicuously state to whom the data will be made available and how it will be used. Consent may not be sought by way of consumer incentives or discounts. Businesses will also need to contractually obligate their business associates to maintain reasonable security procedures and practices, and to reasonably dispose of consumer data when it is no longer required. The bill also authorizes a private right of action for damages not exceeding $500 for each willful violation.

Pending Legislation

In addition to these five new laws, the following privacy-related bills remain pending in the current California legislative session:

Right to Know Act (pending): A.B. 1291 would expand consumers’ rights to access their information and learn how it is being shared with third parties. It would require any business that retains a consumer’s personal information or discloses it to a third party to provide a free copy of that information to the consumer within 30 days of receiving a specific request. This disclosure would also include the name and contact information of any third party that the information had been shared with over the previous year. Finally, the bill would require businesses to provide consumers with specific notice of their privacy policies.

Unmanned Aircraft Systems (Drones) I and II (pending): A.B. 1327 and S.B. 15 both seek to regulate the use of drones by both public and private entities in California. S.B. 15 would “state the intent of the Legislature to enact legislation that would establish appropriate standards for the use of unmanned aircraft systems.” More specifically, A.B. 1327 would generally prohibit public agencies from using unmanned aircraft systems without due process; impose a warrant requirement for law-enforcement use of drones to block or interfere with electronic communications; and create new legislative oversight mechanisms for public drone use, subject to certain exceptions. The restrictions on law enforcement use of drones would also apply to any private person or entity operating or contracting for an unmanned aircraft system.

Debit and Credit Cards (pending): A.B. 844 would extend to debit cards the same restrictions on the collection and use of personal data that currently exist for credit card transactions in California. Certain exceptions would apply: for example, personal information could be collected if the debit or credit card was being used in a layaway transaction; to prevent fraud or theft; to enforce terms of sale; or if the cardholder has consented and it is clear that providing personal information is not a condition of the card being accepted as payment.

Online Credit Card Purchases (pending): S.B. 383 would create a new exception to the Song-Beverly Credit Card Act, which generally regulates credit card transactions and restricts the collection and use of personal information relating to them. This bill would authorize, for online transactions, the collection of the ZIP code and street address number associated with a card if that information will be used strictly to prevent theft, fraud or identity theft. However, such information would need to be securely disposed of after it has ceased serving those functions, and businesses would be prohibited from aggregating it with any other personal information or sharing it with any other entity.

Regardless of whether and when these new legislative proposals will pass, it is clear that strong winds of change are already blowing from California and will impact privacy practices across the nation.