California is preparing to adopt several additional privacy and data breach notification laws this month. These include S.B. 46, a notification requirement for breaches of an individual’s user name or email address; SB 568, which extends the federal COPPA rules to all children under 18 years of age; and A.B. 370, a do-not-track disclosure law requiring disclosure about behavioral tracking. These laws affect not only companies based in the state, but all companies that do business within the state.
The state of California has some of the strictest privacy regulations in the United States. Similar to Florida, but unlike many other states, California’s right to privacy is expressly codified in the state constitution.
S.B. 46 requires notification requierments for breaches of an individual’s user name or email address, when acquired in combination with a password or otherwise security question and answer breach that would permit access to that individual’s account. The new law amends existing California data breach notification law, California Civil Code Sec. 1798.82, which already requires the notification of consumers when a security breach occurs involving an individual’s name, in combination with: (1) social security number; (2) driver’s license or California Identification number; (3) account number, credit, or debit card number; (4) medical information; or (5) health insurance information. Additionally, because email notification would not be appropriate for individuals whose email account was comprised, the statute requires other types of notification to be used. S.B. 46 will become effective as of January 1, 2014.
S.B. 568 expands the federal Children’s Online Privacy Protection Act (COPPA), which requires companies to obtain parental consent before collecting personal information from children under 13 years of age, to both children and teens under 18 years of age. Additionally, the law, with few exceptions, prohibit the knowing advertising to a minor a broad range of products including alcohol, firearms, spray paint, tobacco products, fireworks, tanning services, dietary supplements, lotery tickts, tatoos, drug paraphernalia and obscene matter, among others. The law also requires service and website operators to notify minors of their rights to remove content or information they posted, and to honor their requests to remove such data, subject to specified conditions and exceptions. S.B. 568 will become effective as of January 1, 2015.
A.B. 370 amends California’s existing Online Protection Act (CalOPPA) to require additional privacy policy disclosure for web sites, online services, and mobile apps regarding behavioral tracking of its users. Specifically, businesses are now required to disclose how a website or online service “responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personall identifiable information about an individual consumer’s online activities over time and across third-party Websites or online services.” Additionally, businses are required to disclose whether third parties may collect on a business’s website or online service any personally identifiable information about a consumer’s online activities over time and across different websites. A.B. 370 will become effective as of January 1, 2014.