California continues to lead the way in passing new or updating existing data protection legislation.

The weekly disclosure of new data breaches that involve retail and other corporations has focused the general public and state legislatures on privacy maintenance and the proper handling of consumer notifications for the breaches. Amid this climate, California continues to lead the way in passing new or updating existing data protection legislation. This LawFlash summarizes some of the new California statutory standards that will mostly take effect in 2015.

California: Bellwether State on Data Notification Standards

California has long been considered a bellwether state that initiates new trends. This leadership role has been true on data privacy matters.

For example, in 2002, California enacted the first data security breach notification law, which became effective in July 2003.[1] Today, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws.[2]

In October 2014, the California Attorney General issued the California Data Breach Report, which revealed a startling increase in data breaches. Among other issues, the report “recommended that companies should offer mitigation products or provide information on the security freeze to victims of breaches of Social Security numbers or driver’s license numbers.”[3]

California continues to break ground on new data breach standards. It will be critical to watch, therefore, whether the new statutes and standards, summarized below, may be adopted in other jurisdictions.

New California Privacy Statutes for 2015

Reflecting the focused public interest in privacy in the state, the California State Legislature recently passed a range of privacy-related bills affecting private sector activities in the last few months alone. The new privacy statutes include the following:

  • Privacy Rights for California Minors in the Digital World (SB 568): A new online statute for minors’ rights takes effect on January 1, 2015 that applies to California residents under 18 years of age. The statute prohibits marketing or advertising specified products and services (including alcoholic beverages, firearms, and tobacco) to minors and from knowingly using, disclosing, or compiling a minor’s personal information (or permitting a third party to do so). The statute also permits a minor to request the removal of certain content posted by the minor to various websites. This statute was intended to exceed existing online standards under the federal Children's Online Privacy Protection Act of 1998 (COPPA).[4] For example, a minor is defined by the new state law under SB 568 as any person under 18 years of age, whereas COPPA applies only to those under 13.[5]
  • Data Breach Notification Amendments (AB 1710): Modifies the current data breach notification statutes in two primary respects. First, if a business “maintains” personal information about a California resident, the business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” This expands current law, which previously applied to a business that “owns or licenses” personal information about a California resident.

Second, where the notifying entity was the source of a breach involving the disclosure of Social Security or driver’s license numbers, and “if any” offer to provide identity-theft prevention or mitigation services is made, it must be made at no cost to the affected person for no less than 12 months along with all information necessary to take advantage of the offer. This bill takes effect on January 1, 2015.[6]

  • Medical Information Breach Notification Period (AB 1755): Eases the reporting notification period on licensed clinics, health facilities, home health agencies, and hospices by expanding the time permitted to report breaches or disclosures of patients’ medical information to the state’s Department of Public Health from 5 to 15 days. Also, expands the time permitted to notify affected parties by the same period (unless certain law enforcement purposes justify a delay), and permits notification via email rather than mailing to the last known address upon written agreement by the patient.[7] This bill goes into effect on January 1, 2015.
  • Safeguarding Pupil Digital Records (AB 1584): Establishes a new section to the Education Code to provide local educational agencies (including school districts, county offices of education, and charter schools) with control to contract with third parties that provide digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.  Safeguards are required that limit the use of the pupil records, ensuring compliance with the federal Family Educational Rights and Privacy Act,[8] describing breach disclosure procedures, and more. This bill goes into effect on January 1, 2015.[9]
  • Pupil Records and Social Media (AB 1442): Restricts a school district, county education office, or charter school that gathers information from an enrolled pupil on social media from using such information for other than contractually obligated purposes, establishes certain prohibitions on the selling or sharing of information, and imposes other requirements related to the destruction of information. This bill goes into effect on January 1, 2015.[10]
  • Student Online Personal Information Protection Act (SB 1177): Prohibits operators of websites and online services and applications used primarily for K–12 school purposes, and designed and marketed for those purposes, from pursuing targeted advertising to students and their parents or legal guardians.[11] It also prohibits using covered information to build a profile of K–12 students, selling a student’s information, and disclosing certain types of information. The bill also imposes an obligation for operators to maintain reasonable security procedures and practices and to delete information requested by a school or district in certain circumstances. This bill goes into effect on January 1, 2016.

Conclusion

Because of California’s leading role in setting privacy standards nationwide, it remains to be seen whether a range of similar laws in other states may follow. This rising complexity, coupled with the potential for future federal engagement in this space, underline the urgency, even for smaller entities, of seeking ongoing counsel to develop and manage adequate compliance regimes that can be adapted to the evolving landscape and to maintain real-time awareness of that evolution.