Governor Brown Ushers in a New Privacy Era in California and Beyond
Late Friday, Governor Jerry Brown of California signed into law the already infamous AB 370 as well as significant amendments to California's existing breach notification laws via SB 46 and AB 1149. These laws break new ground in the privacy legal landscape - and it will be interesting to see if other states follow suit, as they did with California's original breach notification law. AB 370 amends existing law, California Business & Professions Code Section 22575 ("CalOPPA"), to require an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to add new disclosures to its privacy policy. Despite all the hype surrounding this bill, the new portions of CalOPPA added by AB 370 constitute a total of three paragraphs - they are new subsections (5) through (7) of section 22575(b), and they read as follows:
[(b) The privacy policy required by subdivision (a) shall do all of the following: . . .]
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
Takeaway: Any organization with a website that collects personal information from California residents should determine whether its online privacy policy needs to be updated to comply with AB 370. (It is also worth noting that the California Attorney General, who pushed for the new bill, interprets existing CalOPPA to apply to mobile applications - it is far from clear if and how these changes are meant to apply to mobile apps.)
SB 46 and AB 1149 amend California's existing breach notification laws, California Civil Code sections 1798.82 (applicable to persons and businesses) and 1798.29 (applicable to agencies), respectively, to add to the list of data elements that constitute "personal information" that may trigger notification requirements in the event of a security breach "[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account."
The new laws provide that, in the event of a breach involving such information for an online account and no other personal information, the person or business may comply by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
The law is also explicit that, in the event of a breach involving such information for login credentials of an email account furnished by the person or business, the person or business shall not comply by providing the security breach notification to that email address, but may, instead, comply with the law by providing notice by another method described in the law or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
Takeaway: Organizations experiencing a security breach involving a California resident's user name or email address, in combination with a password or security question and answer that would permit access to an online account, should evaluate the changes imposed by SB 46 and AB 1149 to determine what is required of them with respect to notices.