California Amends Its Security Breach Notification Law

Beginning January 1, 2012, any business required under California's security breach notification law to notify individuals of a breach must include in that notice: the types of personal information that were the subject of the breach; the date of the breach; a general description of the breach; and the toll-free telephone numbers and addresses of the major credit reporting agencies. The amended law also requires a business that must notify more than 500 California residents as the result of a single breach to submit a sample copy of the notice to the Office of the Attorney General. The substitute notice provision (which applies when a business demonstrates that the cost of providing individual notice would exceed $250,000, that the affected class exceeds 500,000 individuals, or that it lacks sufficient contact information for the affected individuals) has been amended to require, among other things, notice to California's Office of Privacy Protection. A business that complies with HIPAA's security breach notification requirements will be deemed to be in compliance with California's law. A copy of Senate Bill 24 is available here.

German Privacy Agency Seeks to Ban Facebook "Like" Feature on Business Sites

The data protection authority (DPA) for the German state of Schleswig-Holstein has ordered businesses within that region to "shut down their fan pages on Facebook and remove social plug-ins such as the 'like'-button from their websites." The DPA conducted an analysis of the data collection activities using these features and concluded that such activities violate German and European privacy laws. "By using the Facebook service[,] traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics." According to the DPA, Facebook builds personal profiles of Facebook users and "such profiling infringes German and European data protection law." The DPA is asking businesses to deactivate these features by the end of September 2011. An English copy of the DPA's order is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.