The California Legislature was active in August and early
September in the area of privacy and data protection, with three
separate bills having passed both houses and now awaiting the
Governor's signature. California has long been at the forefront of
privacy and data protection law, and these bills are its latest
steps to strengthen consumer privacy protection.
A.B. 370, a bill amending the California Online Privacy Protection
Act ("CalOPPA"), was unanimously passed by the California
Senate and Assembly in late August ("Do-Not-Track Bill").
In general, the Do-Not-Track Bill requires operators of commercial
websites and online services to disclose (i) how they respond to
"do not track" mechanisms exercised by consumers, and (ii)
whether third parties may collect personally identifiable
information about a consumer's online activities when the consumer
uses the operator's website or online service.
S.B. 46, a bill amending California's existing data breach
notification law (codified at California Civil Code
§§ 1798.29 and 1798.82), also was passed by
both houses in late August ("Breach Notice
Bill"). The Breach Notice Bill requires consumer notification
if an individual's user name or email address, in combination
with a password or security question and answer that would permit
access to an online account, has been exposed. The Breach Notice
Bill also addresses the permissible methods of giving breach
notice.
S.B. 365, a bill entitled the "Privacy Rights for California
Minors in the Digital World," adds two new sections to the
California Business & Professions Code and was unanimously
passed by the California Senate in the first week of September,
after previously clearing the California Assembly
("Minors' Privacy Bill"). The Minors' Privacy
Bill prohibits certain types of marketing to individuals under the
age of 18 years residing in California and allows minors to delete
materials they have posted online under specified
circumstances.
Do-Not-Track Bill
The Do-Not-Track Bill aims to boost consumer awareness of online behavioral tracking by adding two disclosure requirements for operators of commercial websites and online services that collect personal information from consumers who visit their sites. Such an operator must:
- Disclose how the operator responds "to 'do not track' signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across different Web sites or online services"; and
- "Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities when a consumer uses the operator's Web site or service."
In its current form, CalOPPA generally requires the conspicuous
posting of a privacy policy that describes (i) the categories of
personally identifiable information that the operator collects
about individual consumers who use or visit its website or online
service, (ii) the categories of third parties with whom the
operator shares that information, (iii) the process by which
consumers can review and request changes to the collected
personally identifiable information, and (iv) the process by which
the operator will notify consumers of changes to its privacy
policy. An operator is in violation only if it fails to post a
privacy policy within 30 days after being notified of
noncompliance.
Although this bill is popularly referred to as the "Do Not
Track" legislation, its amendments do not actually impose a
"do not track" ("DNT") standard on websites.
The bill merely calls for disclosure of how a website or online
service operator will respond to a DNT signal, should a
consumer exercise choice regarding the collection of the relevant
personally identifiable information. The Do-Not-Track Bill also
allows an operator to satisfy this disclosure requirement by
including in its privacy policy a hyperlink to an online location
describing the program the operator follows to offer consumers
that choice.
Breach Notice Bill
The Breach Notice Bill extends protections for consumers by
requiring breach notifications for additional categories of data.
Currently, breach notification in California is triggered by the
unauthorized acquisition of an individual's first name or
initial and last name in combination with one or more of the
following unencrypted types of data: Social Security number;
driver's license or state identification number; account,
credit card, or debit card number in combination with any required
security or access codes; medical information; or health
information. The Breach Notice Bill adds the following to this
list: a "user name or email address, in combination with a
password or security question and answer that would permit access
to an online account."
In addition, the Breach Notice Bill allows notification to be
given in electronic form when the exposed information involves
only the personal information for an online account, i.e., the user
name or email address in combination with a password or security
question and answer. The Breach Notice Bill also specifies that
when the breached information consists of the login credentials
for an email account, the notification may not be sent to that
exposed email address; instead, the notification requirement must
be satisfied by another method the statute specifies or "by clear
and conspicuous notice delivered to the resident online when the
resident is connected to the online account from an Internet
Protocol address or online location from which the agency knows
the resident customarily accesses the account."
Minors' Privacy Bill
The Minors' Privacy Bill adds specific provisions aimed at protecting California minors. Specifically, the bill prohibits an online operator from:
- Marketing or advertising specified types of products or services, such as ammunition, alcohol, tobacco, "etching cream," drug paraphernalia, etc., to a minor, either directly or through a third party; and
- Using, disclosing, or compiling, or allowing a third party to use, disclose, or compile, a minor's personal information for marketing and advertising the specified products or services.
These prohibitions do not, however, apply to the "incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services." The bill defines "marketing or advertising" as requiring an "exchange for monetary compensation" in order "to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service."
This bill also requires a website operator to:
- Permit a minor to remove or request the removal of content or information that the minor posted on the website;
- Provide notice to a minor about the options he/she has to remove information, along with instructions on how to remove content; and
- Specify in that notice that removal "does not ensure complete or comprehensive removal" of the content or information "posted on the operator's Internet Web site, online service, online application, or mobile application" by the registered user.
Finally, the Minors' Privacy Bill lists specific circumstances under which a website operator or third party is exempt from enabling the erasure of information: (i) the law requires the information to be maintained, (ii) the information was posted on the website by a third party, (iii) the operator anonymizes the posted information, (iv) the minor was compensated for providing the content, or (v) the minor did not follow the operator's instructions for removing the posted content.
Recommendations
If these bills are enacted into law, operators of a website or online service that is accessible to California residents and that collect personal information should:
- Acquaint themselves with the three bills and how each may affect their business;
- Ensure that their privacy policy satisfies the new disclosure requirements in the Do-Not-Track Bill;
- Conduct an assessment of current practices and adopt standards and procedures for responding to and giving notice of personal data breaches, keeping in mind the new requirements related to online credentials in the Breach Notice Bill; and
- Evaluate their marketing and advertising mechanisms, both direct and through third parties, to ensure that they comply with the new requirements enumerated in the Minors' Privacy Bill.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.