Perennially leading the country — and challenging companies to keep up — California has, for the third time in three years, enacted several new data laws, including a groundbreaking digital privacy law and amendments to its data breach notification statute that expands the classes of data protected under the law, provides new standards for data encryption and establishes a template of breach notifications, among other changes. The new laws take effect on Jan. 1, 2016.
At the top of the list is the Electronic Communications Privacy Act, which gives Californians the strongest digital privacy rights in the U.S. by restricting how the government accesses digital information (including any metadata or digital communications — such as emails, texts, digital content and documents stored in the cloud), requiring law enforcement to obtain a search warrant or wiretap order before accessing private communications and location data stored on smartphones, tablets and other digital devices. Five other states have warrant protection for content, and nine others have warrant protection for GPS location tracking, but California is the first to enact a comprehensive law protecting location data, content, metadata and device searches. While the new warrant requirements do not have an immediate impact on nonpublic entities, they will have downstream effect, as companies that operate in California will have to re-evaluate their procedures for responding to data requests from law enforcement.
California’s data breach notification law has also been modified through a number of separate bills amending the existing law — already one of the nation’s most onerous. California law already requires companies that own or license data, including the personal information of California residents, to report data security breaches — generally the exposure of unencrypted data. One of the new amendments attempts to clarify an existing safe harbor for encrypted data by adding a definition of “encrypted information” as information “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Although the bill is intended to encourage encryption and clarify what constitutes acceptable encryption, the definition is worrisomely opaque. And because it requires that encryption be accomplished in a way that is “generally accepted in the field of technology,” companies must pay greater attention to how they secure personal data, and must evaluate their existing encryption system (if they have one) and implement industry-standard technology.
Another bill amends the state’s data privacy laws by adding to the definition of protected “personal information,” which has been expanded to include “a username or email address in combination with a password or security question and answer that would permit access to an online account.” The new law expands the reach of potential liability to information that doesn’t directly expose an individual user’s identity but may allow unauthorized access to private online accounts.
Yet another bill, SB 570, establishes a prescribed template for data breach notifications. The bill sets forth requirements for notifications, including that they are written in plain language, in a minimum font size, titled “Notice of Data Breach” and contain specific information organized under clearly and conspicuously displayed headings including “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” The bill provides a model form for companies to use when a data breach occurs that triggers the notification requirements, and includes requirements as to the delivery method for the notice.
Finally, California Gov. Jerry Brown signed into law a bill requiring that smart-TV makers ensure voice-recognition features can’t be enabled without consumers’ consent, and barring makers from using recorded conversations for advertisement purposes. The legislation does not provide a private right of action, but empowers the state attorney general or a district attorney to prosecute manufacturers, as well as retailers, resellers, importers and any other entities that knowingly violate the law, and carries a civil penalty of up to $2,500 per violation.
In all, these amendments add to the complexity of state-level data privacy compliance. Companies operating in California (even if not based in the state) should be aware of the state’s evolving definition of “personal information” and consult with counsel to ensure that their privacy and data security policies meet California’s expanded requirements.