California's Three New Privacy and Data Breach Laws – Including 'Do Not Track' Disclosure

In September 2013, California Governor Jerry Brown signed three new laws affecting privacy and data breach. These laws concern (1) Do Not Track disclosures, (2) privacy and marketing and advertising to minors, and (3) data breach involving information that would allow access to an online account.

Signed on September 27, online privacy bill A.B. 370 amends the California Online Protection Act (CalOPPA)1 to add privacy policy disclosure requirements regarding online tracking activity by website operators. In general, CalOPPA requires operators of commercial websites or online services that collect personally identifiable information2 (PII) to conspicuously post a privacy policy that must, among other things, disclose the categories of PII that is collected and the categories of entities with whom such information is shared. The California Attorney General, in Notices of Non-Compliance sent in October 2012 to leading mobile application operators, announced that the office would interpret the scope of “online services” covered by CalOPPA to include mobile applications.

The new law requires an operator that collects PII concerning a consumer’s “online activities over time and across third-party Web sites or online services” to disclose “how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of [such PII].”3 The legislative analysis of the law explains that one of the purposes of the amendment is to “allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal.”4

The law also requires an operator to “[d]isclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”5 The amendment goes into effect on January 1, 2014.

On September 23, Governor Brown signed S.B. 568, a law directed at protecting the online privacy of minors. This bill, which becomes effective on January 1, 2015, prohibits online marketing or advertising of certain products and services (such as alcoholic beverages, tobacco, and tanning in an ultraviolet tanning device) to children and teenagers under 18.6 It also requires operators to allow registered minors to remove or request removal of posted content or information, except in certain circumstances. Operators must give minors notice of their ability to remove such data.7

Finally, California amended its data breach notification law through S.B. 46, which also becomes effective on January 1, 2014. The law expands the existing definition of “personal information” for which notification is required to include certain information that could allow individuals access to an online account. The new legislation also discusses how entities can satisfy disclosure obligations when a breach involves personal information that allows access to an online or email account.

Impacted entities should review their policies and procedures to ensure that they are in compliance with these laws prior to their respective effective dates.

Endnotes    (↵ returns to text)
  1. Cal. Bus. & Prof. Code §§ 22575-79.
  2.  The term “personally identifiable information” as defined by CalOPPA means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.” Id. § 22577(a).
  3.  Id. § 22575(b)(5). The law provides that this requirement may be satisfied “by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” Id. § 22575(b)(7).
  4.  California A.B. 370 Assembly Floor Analysis, 2 (Aug. 23, 2013), available at (quoting author’s statement regarding A.B. 370).
  5.  Cal. Bus. & Prof. Code § 22575(b)(6).
  6.  Id. § 22580.
  7.  Id. § 22581.