At the end of September 2013, California enacted two amendments to existing data privacy laws aimed at protecting California consumers. The first concerns the collection of personal information online and requires companies engaged in such collection to disclose how they respond to web browser “do not track” signals. The second amends the data breach notification obligations of companies doing business in California by expanding the categories of information that count as “personal information” and by changing the notification mechanisms that may be used in certain circumstances.

New Do-Not-Track Disclosure Requirements for Companies Doing Business with California Residents

Assembly Bill 370 (AB 370), adopted to increase the transparency of company practices surrounding web browser do-not-track signals, amends the California Online Privacy Protection Act (CalOPPA) (Cal. Bus. & Prof. Code § 22575). The amendment applies to any operator of a commercial website or online service that collects personally identifiable information (PII) from consumers residing in California. The legislation arrived on the governor’s desk as efforts to establish a standard for online tracking had stalled at the World Wide Web Consortium.

Companies that collect PII about consumers’ online activities over time and across third-party websites or online services must disclose how they respond to web browser “do-not-track” signals and to other mechanisms that give consumers a choice about the collection of their information. Companies must also disclose whether they allow third parties to collect PII about a consumer’s online activities when the consumer uses their websites or services. These disclosures are in addition to the privacy practice disclosures already required under California law and under federal laws such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act. The disclosures must appear in the privacy policy posted on the company’s website. A company that is notified of a deficiency in its policy and does not remedy it within 30 days is subject to enforcement action.

AB 370 does not prohibit the collection of PII nor does it require companies to honor do-not-track requests from web browsers. Please see the full text of AB 370 for complete details.

Expanded Breach Notification Responsibilities for Companies Doing Business with California Residents

Senate Bill 46 (SB 46) amends California’s data breach notification law (Cal. Civ. Code §§ 1798.29 and 1798.82), which applies to any company doing business in California that owns or licenses computerized data and experiences a security breach exposing unencrypted personal information of California residents. The amendment expands the categories of information that are considered “personal information” and changes the notification mechanisms that may be used in certain circumstances.

Specifically, SB 46 adds the following item to the already substantial list of categories of information that, if exposed, trigger the breach notification requirement: a “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Existing law already required notification to California residents if an individual’s first name or first initial and last name, in combination with any of the following data elements, is acquired or reasonably believed to have been acquired, in unencrypted form, by an unauthorized party:

  • Social Security number;
  • Driver’s license or state identification card number;
  • Account, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the account;
  • Medical information; or
  • Health insurance information.

SB 46 also permits a streamlined electronic notice, but only when the compromised personal information falls solely into the newly added category, i.e., a user name or email address together with a password or security question and answer. That notice need only direct the individual to promptly change his or her password or security question and answer, as applicable, or otherwise take steps to protect the compromised account and any other online accounts for which the individual has used the same credentials. Where the compromised credentials are for an email account that the company itself provides, SB 46 prohibits satisfying the notification requirement by sending the notice to that email address; another permitted means of notice must be used.

Residents of California injured by a violation of the breach notification law may file a private civil action to recover damages.

Please see the full text of SB 46 for complete details.