California Adopts Three New Data Privacy and Security Laws Affecting Online Companies
In September 2013, California signed into effect three new laws relating to privacy and data breach. The first is online privacy bill A.B. 370, which amends the California Online Protection Act to add privacy policy disclosure requirements regarding online tracking activity by website operators. This amendment goes into effect on January 1, 2014.
Under current California law, operators of commercial websites or online services (including mobile applications) that collect personally identifiable information (commonly referred to as “PII”) through the Internet about consumers residing in California who use or visit their commercial website or online service are required to conspicuously post a privacy policy on their website or online service and to comply with that policy. The privacy policy is required to disclose the categories of PII that are collected and the categories of entities with whom such information is shared.
The 2013 law requires an operator that collects PII concerning a consumer’s online activities now also to disclose (1) how it responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII, and (2) whether third parties may also collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
To be compliant with the new law, a privacy policy must meet all of the following requirements:
The second new law is S.B. 46, which adds to the current data security breach notification requirements a new category of data triggering these notification requirements: a user name or email address, in combination with a password or security question and answer that would permit access to an online account. The new law also provides more guidance on how website operators can satisfy disclosure obligations when a breach involves personal information that allows access to an online or email account. This law also goes into effect on January 1, 2014.
Finally, S.B. 568 relates to online privacy protection for minors. This law will prohibit online marketing or advertising of certain products and services (such as alcohol, tobacco, and UV tanning products) to children and teenagers under 18. This law goes into effect on January 1, 2015.
Impacted companies must take the opportunity presented before these laws come into effect to examine their data collection, data privacy, and security policies and practices to determine whether they need any updates. If you have any questions about this topic, please feel free to email us.