As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and security. Following are a few examples of new California laws taking effect January 1 that will have an impact on the private sector and schools.

Kids

SB 568: This post will self-destruct in five seconds.

Well, not quite, but headed in that direction. Perhaps the most highly anticipated is California’s “eraser button” law, “Privacy Rights for California Minors in the Digital World,” Business & Professions Code §§ 22580-22582. As we previously posted, this law involves two parts. It:

  1. Requires organizations to provide an easy method for a California minor (under 18) registered with the organization’s website or online service (including an app) to remove material that the minor posted. As a practical matter, this means that any website that allows for the posting of user-generated content will want to include a statement somewhere – in Terms of Service, Privacy Policy, or both – explaining that any California residents under the age of 18 who have posted content or information on the site can request that such information be removed from the site and the method by which they can do so. The law does not apply to content or information posted by a third party or anonymized information.
  2. Prohibits organizations from marketing certain products to minors on websites and other online services that are directed to kids under 18, or if the organization has actual knowledge that minors are using its site or services, including alcohol, tobacco, and guns. This prohibition also applies to an advertising service if the website or online service operator notifies the advertising service that the service is directed to minors.

AB 1584: EdTech, we will make you an offer you cannot refuse.

The first of two significant education privacy laws to take effect (the other, SB 1177, the Student Online Personal Information Protection Act (SOPIPA), does not take effect until 2016), AB 1584 is codified as Section 49073.1 of the Education Code. It authorizes a local educational agency to enter into a contract with a third party to provide services for the digital storage, management, and retrieval of pupil records; provide digital educational software; or both. Such contracts are required to include specified provisions, including a statement that the pupil records continue to be the property of and under the control of the local educational agency; a description of the actions the third party will take to ensure the security and confidentiality of pupil records; and a description of how the local educational agency and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act.

In 2016, SOPIPA will impose a number of additional restrictions on the third-party EdTech providers themselves, including prohibitions on use of information for targeted advertising and the requirement that such providers implement appropriate security controls. More on that next year.

AB 1442: Every step you take, we’ll be watching you

Codified at Education Code section 49073.6, this law requires schools to notify pupils and parents if they consider gathering or maintaining information about their pupils from social media, and to provide an opportunity for public comment. The law requires that any such information collected relate to safety and that pupils have access to, and an opportunity to correct or delete, their own information. It also places certain other limits on the use and disclosure of such information, including that the information be destroyed within one year after the pupil turns 18 or is no longer enrolled.

Security

No need for us to rehash here what has been a brutal year from a security perspective. California continues to make incremental – and controversial – changes to its data breach notification and data security laws, and it remains to be seen if other states will follow suit.

AB 1710: To give credit monitoring or not, that is the question.

Taking effect January 1 are the amendments set forth in AB 1710 (about which we previously posted) that:

  1. require that businesses that “maintain” personal information about California residents implement and maintain reasonable security measures to protect residents’ personal information;
  2. prohibit the sale, advertisement, or offer to sell an individual’s Social Security number (“SSN”); and
  3. (confusingly) require that, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed” an SSN or driver’s license number.

AB 1755: On your marks, get set [breathe deeply], notify!

As we recently wrote, this law amends section 1280.15 of the Health & Safety Code so that a clinic, health facility, home health agency, or hospice licensed by the State Department of Public Health now has 15 business days, instead of only five, to notify the affected patients and the Department of unauthorized access to, or disclosure of, a patient’s medical information.

Other

SB 828: Fallout continues from the Snowden affair.

The law, codified at Government Code section 7599, prohibits the State of California from providing “material support, participation, or assistance in response to a request from a federal agency or employee of a federal agency to collect stored information or metadata of any person if the state has actual knowledge that the request constitutes an illegal collection of electronically stored information or metadata.”

AB 2306: It’s making California a more private place (well, if paparazzi follow you around).

This bill expands existing law imposing liability for constructive invasion of privacy. AB 2306 removes the existing limitation that a person must use a visual or auditory enhancing device in order to be liable for a constructive invasion of privacy. Liability may now be imposed regardless of the type of device used to attempt to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression of another person engaging in a personal or familial activity under circumstances in which the other person had a reasonable expectation of privacy.

SB 1255: Put down the mobile phone and slowly step away from the naked selfies.

The bill amends Penal Code section 647 to define as disorderly conduct the intentional distribution of an image of another person’s intimate body parts or depicting engagement in specified sexual acts under circumstances in which the persons agree or understand that the image(s) remain private; the person distributing the image knows or should have known that distribution of the image will cause serious emotional distress; and the person depicted suffers that distress.