United States: California Significantly Expands Consumer Privacy Protections - But Email Warrant Protections Get Vetoed Again

From passing the first state breach notification requirements to third party marketing disclosure requirements, California has long been a consumer privacy bellwether. California lawmakers have built the nations most robust state-level privacy regime and California regulators are among the nation's most active in enforcement and influencing policy. The state shows no signs of letting up, extending consumer privacy protections through the recent adoption of three first-of-their-kind laws increasing transparency and consumer control over online data.

In contrast to these expansions, Governor Jerry Brown has again vetoed a bill that would require a warrant for law enforcement access to emails stored by a service provider.

Right of Content Removal for Minors

First, California has granted minors who are registered users of websites and mobile apps¹ the right to remove content they post online. The right does not extend to adults or to content posted by third parties, but nonetheless marks a significant departure from the "poster beware" approach that has traditionally dominated U.S. privacy law. The bill, SB 568, updates California's Business and Professional Code to:

• notify minor users of their right to remove content they have posted;
• provide clear instructions describing how content can be removed;
• permit minor users to remove or request removal of content they posted; and
• notify minor users that removing content posted by the user does not ensure complete removal of the content from the website or app.

The amendment contains several exceptions and limitations to the right of removal. Only websites directed to minors or who have actual knowledge that a minor is using the website or mobile app must comply. The right to request removal is further limited to minors, meaning the requestor must be a minor at the time of request and not merely at the time of posting. In addition, removal obligations do not override legal retention or maintenance requirements or include anonymized content, content posted by third parties, or content posted for compensation or other consideration.

Perhaps the most notable exception is for content posted for compensation or other consideration. Community-based sites and apps derive their value from community participation, which primarily consists of users posting content. It will be interesting to see if any websites or apps take the position that users get free access to their site in exchange for posting content and refuse to remove content under the consideration exception. It is too early for any clarification by courts or regulators, but if site access qualifies as consideration for posted content the removal requirements of SB 568 could be dead on arrival.

SB 568 also includes a prohibition on online advertising to minors of certain classes of products and services including alcohol, firearms, drug paraphernalia and obscene matter. While targeted at websites and mobile apps targeted to minors or with actual knowledge that a user is a minor, the categories of prohibited goods and services are broad and the prohibition applies to upstream advertising services. Operators of websites and mobile apps directed to minors can comply with the advertising prohibitions by notifying advertising services that they are directed to minors.

Notably, SB 568 does not take effect until January 1, 2015. Both parts of the law may see First Amendment challenges that could delay implementation or overturn the law.

Online Tracking Disclosures

Second, California has adopted disclosure requirements for websites and online services² regarding online tracking and targeted advertising. The bill, AB 370, expands the requirements of the California Online Privacy Protection Act³ ("CalOPPA") to include disclosures describing how operators of websites and mobile apps treat user choice mechanisms such as the "Do Not Track" flag now incorporated into all major browsers.

AB 370 applies to operators of websites and online services who collect or allow other parties to collect personally identifiable information ("PII") from consumers "over time and across third-party websites or online services." Covered operators must disclose in their privacy policy how they respond to Do Not Track or other mechanisms that provide user choice regarding collection of PII. In addition, operators must disclose whether other parties, such as advertising networks or other service providers, collect PII through consumers' use of the operator's website or online service.

CalOPPA defines PII to include names, addresses, email addresses, telephone numbers, social security numbers or other identifier that permits the physical or online contacting of a specific individual. Operators and advertisers that do not collect information in any of these categories may not collect PII as defined by CalOPPA.

AB 370 is further limited by its application only to the collection of PII over time and across third-party websites. CalOPPA may not apply to operators who do not leverage third-party advertising platforms or other third-party services.

Covered operators who follow programs or protocols, such as members of the Network Advertising Initiative, can comply with AB 370 by providing a clear and conspicuous link to an online description of the program or protocol.

Breach Notification for Usernames and Passwords

Finally, California has increased the scope of its breach notification provisions to include breaches of access credentials. The first state to include these categories of data in a breach notice statute, California has recognized the damage that can be caused by loss of user credentials that are often re-used across multiple sites.

Existing state breach notice laws focus on an individual's name in combination with other sensitive categories of data. The expansion of California's statute to include user names, passwords and similar credentials marks a significant departure from the PII-focused approach taken by all 46 states with breach notice laws.

The expanded breach notice law, SB 46, provides some flexibility in notification where only access credentials are breached. Breached entities can comply with the notification requirements through electronic notice that directs affected individuals to promptly change their access credentials or take other appropriate steps to protect their online accounts.

However, breached entities may not notify users of a breach involving an email address credential through that breached email address. Notification may be of a method described in the law or clear and conspicuous notice to the user when the user connects to the online account from a known online location or IP address.

Email Warrant Requirement

Rejecting overwhelming approval by the California legislature, Governor Jerry Brown vetoed SB 467, a measure that would require law enforcement to obtain a warrant before accessing email maintained by service providers. The veto, approved by margins of 73-3 in the Assembly and 33-1 in the Senate, marks Governor Brown's third block in as many years of warrant protections for emails held by third party service providers.

Governor brown cited concern over the impact of the bill on law enforcement, stating that notice requirements in the bill went beyond federal law and could impede ongoing investigations.

Many service providers, including Google and Facebook, have chosen to follow the Sixth Circuit decision in United States v. Warshak and require warrants before turning over the contents of user emails on Fourth Amendment grounds, despite the as-yet unresolved circuit split caused by the Warshak decision.

Client Impact

The changes in California privacy law have the potential to impact any organization with a website or mobile app. California privacy laws are generally regarded as the most rigorous in the nation and are viewed as the de facto standard for websites and online services in the US. A review of current data collection and use practices and privacy policies can help identify how your organization is impacted. Organization should consult counsel before making any determinations on how the California privacy law changes impact their operations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.