October 21, 2013
In September 2013, California Governor Jerry Brown signed three new laws affecting privacy and data breach. These laws concern (1) Do Not Track disclosures, (2) privacy and marketing and advertising to minors, and (3) data breach involving information that would allow access to an online account.
The law also requires an operator to “[d]isclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”5 The amendment goes into effect on January 1, 2014.
On September 23, Governor Brown signed S.B. 568, a law directed at protecting the online privacy of minors. This bill, which becomes effective on January 1, 2015, prohibits online marketing or advertising of certain products and services (such as alcoholic beverages, tobacco, and tanning in an ultraviolet tanning device) to children and teenagers under 18.6 It also requires operators to allow registered minors to remove or request removal of posted content or information, except in certain circumstances. Operators must give minors notice of their ability to remove such data.7
Finally, California amended its data breach notification law through S.B. 46, which also becomes effective on January 1, 2014. The law expands the existing definition of “personal information” for which notification is required to include certain information that could allow individuals access to an online account. The new legislation also discusses how entities can satisfy disclosure obligations when a breach involves personal information that allows access to an online or email account.
Impacted entities should review their policies and procedures to ensure that they are in compliance with these laws prior to their respective effective dates.
- Cal. Bus. & Prof. Code §§ 22575-79.↵
- The term “personally identifiable information” as defined by CalOPPA means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.” Id. § 22577(a).↵
- California A.B. 370 Assembly Floor Analysis, 2 (Aug. 23, 2013), available athttp://leginfo.legislature.ca.gov/faces/billNavClient.xhtml (quoting author’s statement regarding A.B. 370).↵
- Cal. Bus. & Prof. Code § 22575(b)(6).↵
- Id. § 22580.↵
- Id. § 22581.↵