Back in May, we highlighted several bills the California legislature was actively considering in the area of data privacy. Recently, three bills have found their way to the governor’s desk and are waiting to be signed into law. They all give reasons for the business world to take a moment to stop and review their privacy policies and online practices. The following is a synopsis of the three bills.

  • AB 370: AB 370 amends the California Online Privacy Protection Act (“CalOPPA”), California’s Business and Professions Code section 22575 et seq., which is the original law that mandated that websites – and more recently mobile applications – have a privacy policy. The amendment requires that a privacy policy specifically disclose how the website (or mobile app) “responds to Web browser ‘do not track’ signals” or other consumer choice mechanisms regarding the collection of personally identifiable information and the tracking of consumer behavior across websites. (Currently, some Internet browsers, such as Internet Explorer, Firefox, and Safari, offer a Do Not Track (DNT) option that indicates to companies that the user has elected not to have information about their web browsing activities monitored or collected. Whether such information is actually collected or not depends on whether the companies in fact honor the DNT option.)

Further, a privacy policy would also have to affirmatively disclose whether third parties operating on the site (or in the app) can collect personally identifiable information or other information about the consumer’s online activities across websites over time. This would require that operators do a full and ongoing accounting of all third parties operating on their websites and mobile apps, and have a complete understanding of those third parties’ data collection capabilities and practices.

AB 370 could become the first law in the country that addresses the issue of tracking consumers online. Assemblyman Al Muratsuchi (D) introduced the bill. Both the California Assembly and the Senate unanimously passed it. It was sent to Gov. Brown September 3.

  • SB 568: Similar to the federal Children’s Online Privacy Protection Act (“COPPA”), SB 568 would require the operator of a website, online service, online application, or mobile application to permit anyone under the age of 18 to remove, or to request and obtain removal of, any content or information posted online. This means all websites, social media sites, and apps would be legally required to allow minors to remove pictures and other content they posted in the past, absent particular exceptions. The bill would also require operators to give minors notice of their right to remove any content or information.

Furthermore, SB 568 would prohibit operators from marketing or advertising products or services to a minor that a minor cannot legally purchase, and prohibit operators from using, disclosing, or compiling certain personal information of the minor for marketing these same products or services. Some of the products and services to which the bill applies are alcoholic beverages, firearms and ammunition, and dietary supplements, but this list is not exhaustive.

Businesses will need to assess to what extent minors access their website, mobile apps, and services, and adjust their practices accordingly, especially in regard to their marketing and advertising revenue sources.

SB 568 was introduced by Sen. Darrell Steinberg (D). SB 568 was unanimously passed in the Senate and the House and sent to Gov. Brown September 3. If signed into law, it will become effective January 1, 2015.

  • SB 467: SB 467 would require law enforcement to obtain a warrant in order to get emails on a provider’s server, regardless of how long an email was stored and whether or not it had been opened. The bill even applies to social media messages, such as messages sent through Facebook and Twitter. Previously, a warrant was only required for unopened emails or emails stored on a provider’s server for 180 days or fewer. However, a search warrant would still not be required with the user consent, or if necessary to avoid death or serious injury.

Email service providers should revise their privacy policies to inform users of the change, especially in light of the fact that the new bill would provide users with greater privacy protection.

If SB 467 becomes law, California will be following in the footsteps of Texas, which just passed HB 2268, which created a blanket warrant requirement for all electronic customer data stored both inside and outside the state by a service provider. SB 467 was introduced by Sen. Mark Leno (D). It passed in both the Senate and the Assembly, and was sent to Gov. Brown September 10.