At the end of September, California Governor Jerry Brown approved six bills designed to enhance and expand California’s privacy laws. These new laws are scheduled to take effect in 2015 and 2016. It will be important to be mindful of these new laws and their respective requirements when dealing with personal information and when responding to data breaches.
Expansion of Protection for California Residents’ Personal Information – AB 1710
Under current law, any business that owns or licenses certain personal information about a California resident must implement reasonable security measures to protect the information and, in the event of a data or system breach, must notify affected persons. See Cal. Civil Code §§ 1798.81.5-1798.83. Current law also prohibits individuals and entities from posting, displaying, or printing an individual’s social security number, or requiring individuals to use or transmit their social security number, unless certain requirements are met. See Cal. Civil Code § 1798.85.
The bill makes three notable changes to these laws. First, in addition to businesses that own and license personal information, businesses that maintain personal information must comply with the law’s security and notification requirements. Second, in the event of a security breach, businesses now must not only notify affected persons, but also provide “appropriate identity theft prevention and mitigation services” to the affected persons at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information. Third, in addition to the current restrictions on the use of social security numbers, individuals and entities now also may not sell, advertise to sell, or offer to sell any individual’s social security number.
Expansion of Constructive Invasion of Privacy Liability – AB 2306
Under current law, a person can be liable for constructive invasion of privacy if the person uses a visual or auditory enhancing device and attempts to capture any type of visual image, sound recording, or other physical impression of the person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy. See Cal. Civil Code § 1708.8.
The bill expands the reach of the current law by removing the limitation requiring the use of a “visual or auditory enhancing device” and imposing liability if the person uses any device to capture a visual image, sound recording, or other physical impression of a person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.
The law will also continue to impose liability on those who acquire the image, sound recording, or physical impression of the other person, knowing that it was unlawfully obtained. Those found liable under the law may be subject to treble damages, punitive damages, disgorgement of profits and civil fines.
Protection of Personal Images and Videos (“Revenge Porn” Liability)– AB 2643
Assembly Bill 2643 creates a private right of action against a person who intentionally distributes by any means, without consent, material that exposes a person’s intimate body parts or the person engaging in certain sexual acts, with knowledge that the victim had a reasonable expectation that the material would remain private.
Protection of Student’s Online Personal Information – The Student Online Personal Information Protection Act – SB 1177
The Student Online Personal Information Protection Act (SOPIPA) prohibits an operator of an Internet website, online service, online application or mobile application that is used, designed and marketed primarily for K-12 school purposes from (1) knowingly engaging in targeted advertising to students or their parents or guardians on the site, service, or application, (2) engaging in targeted advertising on a different site, service, or application using any information that was acquired from the operator’s site, service or application, (3) using information created or gathered by the operator’s site, service, or application to generate a profile about a student, (4) selling a student’s information, and (5) disclosing certain information pertaining to a student. The law also requires the operator to maintain reasonable security measures to protect the student’s information from unauthorized access, destruction, use, modification or disclosure.
Protection of Students’ Social Media Information – AB 1442
Assembly Bill 1442 regulates the use of students’ social media information. If a school intends to implement a program to gather students’ social media information, the school must notify students and parents or guardians about the proposed program and provide an opportunity for public comment. If the program is adopted, the school must only gather or maintain information that pertains directly to school or student safety, provide the student with access to his or her information and an opportunity to correct or delete such information, destroy information after the student turns 18 or is no longer enrolled at the school, and notify each parent or guardian that the student’s social media information is being collected.
It is important to note that the law also imposes requirements on third parties that are retained by schools to gather the social media information of students. Under the law, a third party may not use the information for any purpose other than to satisfy the contract, may not sell or share the information and must destroy the information immediately upon conclusion of the contract.
Protection of Students’ Records in Digital Storage Services – AB 1584
Assembly Bill 1584 permits a school to use a third party for the digital storage, management, and retrieval of student records, or to provide digital educational software or both. In order to protect those records, any such contract with a third party must contain certain provisions, including a statement that all of the records remain the property of and under the control of the school, a description of the procedures that will be used to notify affected students, parents or guardians in the event of any unauthorized disclosure, a prohibition against using any students’ information for any purposes other than those required by the contract, and a certification that students’ information will not be available to the third party upon completion of the contract.
California continues to be a leader when it comes to protecting data privacy. Given these recent expansions to California’s privacy laws, it is and will continue to be important when dealing with any individualized personal information to be aware of the type of information involved, the source of the information, security measures in place to protect the information and the appropriate steps that will need to be taken if any security measures are compromised.