California enacts four laws impacting privacy and data security, awaits Governor’s signature on fifth

The California State Legislature delivered five bills impacting privacy and data security to the desk of Governor Jerry Brown before closing session on September 13, 2013. As of October 9, 2013, the governor has signed four of the five bills into law, and the expectation is that the remaining bill will receive similarly favorable treatment before the October 13 deadline. These bills govern a broad range of online activities and will require businesses that maintain an online presence to evaluate their online services, practices, and policies to ensure compliance with the new requirements under the law. Unless otherwise noted, the laws below become effective on January 1, 2014.

1. Privacy and Advertising to Minors on the Internet – Governor Brown signed S.B. 568 into law on September 23, 2013. Effective January 1, 2015, this law limits marketing to minors and facilitates a limited right for minors to request removal of content that they posted. Specifically, the law limits the use, disclosure, or compilation of personal information of a minor for the purpose of marketing products to a minor that the minor cannot legally purchase (including firearms, alcohol, and cigarettes). Only individuals under the age of 18 have the right to request the removal of content or information posted online. This removal right must be provided by any “operator of an Internet Web site, online service, online application, or mobile application directed to minors or an operator of an Internet Web site, online service, online application, or mobile application that has actual knowledge that a minor is using its Internet Web site, online service, online application, or mobile application.” The bill also requires operators to provide notice of this right to remove content. Operators are not required to erase or eliminate content when the content was posted by a third party other than the minor, the content is anonymized so that the minor cannot be individually identified, the minor received compensation or consideration for providing the content, or any other provision of state or federal law requires that the operator maintain the content. The statute does not set out what is required to show “actual knowledge,” but the legislative analysis cites federal guidelines set forth by the Federal Trade Commission (FTC) in the Children’s Online Privacy Protection Act of 1998 (COPPA). The FTC has acknowledged that establishing actual knowledge is a “highly fact-specific inquiry.” Such “Right to be Forgotten” initiatives have also been championed in Europe, although U.S. commentators have noted that the First Amendment may well include a “Right to Remember.”
2. Healthcare Records – On September 9, 2013 Governor Brown signed A.B. 658 into law. This bill amends California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56, which prohibits health care providers from sharing, selling, or using patient medical information without consent unless an exception applies. The amendment closes what was deemed a “loophole” thus ensuring that electronic personal health records and mobile apps are covered by the law’s requirements. Specifically, the law expands the definition of “provider of health care” to include “[a]ny business organized for the purpose of maintaining medical information…in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual.” The law also expands the confidentiality law to reach any “mobile application or other related device that is designed to maintain medical information.” Id. Medical information is defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.”
3. Breach Notification – Governor Brown signed S.B. 46 into law on September 27, 2013. This law expands the categories of information that, when compromised, mandate data breach notification. These additional categories include a user name or email address in combination with a password or security question and answer that would permit access to an online account. The bill also provides that for breaches that involve user names and passwords, notification may be sent electronically to advise affected data subjects to change passwords or security questions, or to take other appropriate precautions. However, if the breach compromised the credentials of an email account, then notice should not be sent to the affected email address, and clear and conspicuous notice must be provided through another means.
4. “Do Not Track” Disclosures – On September 27, 2013, Governor Brown signed A.B. 370 into law. This law amends California’s online privacy policy law to require that websites and other online services disclose how they respond to consumer “do not track” requests, including any program or protocol used to provide consumers with “choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.” The “do not track” disclosure may be satisfied simply by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” A.B. 370 is the first law in the country to regulate “do not track” issues—although it does not actually require compliance with consumer requests not to track. It also is technology-neutral in terms of the choices businesses may offer on tracking. The bill comes at a time when the World Wide Web Consortium appears stymied on developing a multi-stakeholder consensus “do not track” standard, and federal “do not track” initiatives appear to have lost steam.
5. Warrant Requirements and Online Privacy – As of October 9, 2013, S.B. 467 is awaiting signature by Governor Brown. This bill would require a warrant for Californiastate government agency requests for communications content from electronic communications services, such as ISPs and cloud providers. Under existing law, some communications stored in the cloud, such as opened email older than 180 days, and communications stored by remote computing services, can be obtained by the government without a warrant. This bill incorporates language and definitions from the federal statute on point, the Electronic Communications Privacy Act (ECPA), and is intended to remedy perceived loopholes in the federal law. Although this bill would not affect requests from federal government officials, it enjoys support from privacy and civil liberties groups. In addition to the warrant standard, the bill would also mandates notice – including a copy of the warrant – by the state government agency to the subject of the data request within three days of receiving the information from the service provider. The law provides for a civil cause of action for violations, including statutory damages of $1,000 per violation, as well as punitive damages.

Taken together, these bills represent a significant effort by California’s Legislature to continue its leadership on privacy issues. It is likely these new laws will result in increased compliance costs for business interests across a variety of sectors, and they may well be subject to constitutional challenge. Organizations doing business in California or with California residents must evaluate whether their online services are “directed to minors” or have actual knowledge of minor’s posting content on their services, and whether language in existing privacy policies is sufficient to disclose their approach towards expressed “do not track” preferences. The organizations must also provide breach notification upon the compromise of data outside the traditional definitional boundaries of “personally identifiable information,” and providers of health care, including those companies in the business of maintaining medical information to allow individuals to manage their medical information, must ensure that mobile applications are compliant with California’s Confidentiality of Medical Information Act. 

California’s active response on these issues, especially when viewed in conjunction with similar legislative activity in Texas, may signify the continuation of a trend towards privacy regulation at the state level. 

Privacy and Advertising to Minors on the Internet

S.B. 568 
Status: Signed into law 9/23/13 
Effective Date: 1/1/2015 

Contextual Background 

The Children’s Online Privacy Protection Act of 1998 (COPPA) is a federal law that governs online collection, use, or disclosure of personal information of children under 13 years of age. The Federal Trade Commission, the agency charged with rulemaking and enforcement under the law, implemented stricter standards effective July 2013. The new rules broadened the types of information that could not be collected, streamlined parental consent procedures, strengthened data security requirements, and closed loopholes in the existing rule. However, COPPA’s reach extends only to those websites or online services directed to children (albeit including plug-ins and ad services provided as part of such a website or service) under 13. 

Key Provisions of S.B. 568 

Note: S.B. 568 defines “Operator” as “any person or entity that owns an “Internet Web site, online service, online application, or mobile application”

• Operators of a service “directed to minors” shall not market or advertise products or services from a banned list (which includes, inter alia, firearms, tobacco, drug paraphernalia, tanning services, and dietary supplements).
• Operators with actual knowledge that a minor is using their service shall not knowingly use, disclose, or compile the personal information of a minor, or allow a third party to do so, for purposes of marketing or advertising products or services from the banned list.
• Operators must permit minors who are registered users of their service to remove, or to request and obtain removal of, content or information posted by the minor, unless the minor was compensated for providing the content, the content is anonymized, the content was posted by a third party, or as otherwise required by law.
• Operators must provide notice to registered minors that such removal procedures exist; clear instructions on how to utilize them; and also to notify the minor that use of such a procedure does not guarantee complete or comprehensive removal of the content.

Takeaway

S.B. 568 imposes some COPPA-like requirements on websites that are directed to minors under 18. Websites or online services must undertake a review of operations to determine whether they could reasonably be found to be “directed to minors,” as this could restrict class of goods that can be marketed or advertised. The law also requires that websites or services, upon actual knowledge of the minority of the poster of content, provide a mechanism for the removal of this content upon the request of the minor. 

Importantly, the scope of the right provided under this law pales in comparison to the “Right to be Forgotten” as proposed in the European Union; notably, the platform upon which the content was originally posted is not responsible for the takedown of content that may have been replicated by third parties. The law has been criticized in some circles for being unconstitutionally vague and for potentially infringing upon the First Amendment rights of websites. 

Healthcare Records

A.B. 658
Status: Signed into law 9/9/13 

Contextual Background

Existing federal law, including the Health Insurance Portability and Accountability Act (HIPAA), provides privacy protections for individuals with regard to specific health information. HIPAA requires organizations to develop and follow procedures to ensure the confidentiality and security of protected health information held by “covered entities” and “business associates.” California’s Confidentiality of Medical Information Act supplements HIPAA and prohibits a provider of health care, a health care service plan, contractor, or corporation and its subsidiaries and affiliates from intentionally sharing, selling, using for marketing, or other use using any medical information for any purpose not necessary to provide health care services to a patient, except as expressly authorized or otherwise required by law. 

However, existing definitions of covered organizations under state and federal law may not include those that provide technological solutions – whether they are hardware, software, or mobile – for the maintenance of medical information. Rapid developments in mobile health (mHealth) and widespread adoption of such products led the California to pass this clarifying law. 

Key Provisions of A.B. 658

• “Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information…in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of” the California Confidentiality of Medical Information Act.
• However, “providers of health care” that solely qualify as such due to the amended definition above are exempted from requirements imposed on “providers” by any other California laws or requirements that apply to providers of health care generally.

Takeaway

Expanding the scope of California’s medical information confidentiality law to explicitly include businesses that offer software, hardware, or mobile applications to maintain medical information will undoubtedly have an impact on businesses producing, developing, or supporting such solutions. While it is unlikely that such businesses have not considered the regulatory requirements of HIPAA or existing California state law, explicit coverage under the statute mandates a review of existing businesses practices to ensure compliance. Among other things, the California Confidentiality of Medical Information Act places limitations the use and disclosure of medical information by providers of health care in the absence of authorization by the patient, enrollee, or subscriber, or as otherwise required or authorized by law. 

Breach Notification 

S.B. 46 
Status: Signed into law 9/27/13

Contextual Background

In the past 18 months, there have been several high profile data breaches that involved the compromise of user passwords. Data breach statutes, which vary from state to state, typically mandate notification only when “personally identifiable information,” or a similarly defined analog, is compromised. The compromise of email addresses, usernames, and passwords has historically not risen to the level of requiring compliance with data breach notification statutes. Despite repeated cautioning against sharing passwords across platforms, consumers continue to do so and to expose themselves to potential harm when passwords and usernames are compromised. Like other privacy legislation, S.B. 46 was championed by California Attorney General Kamala Harris. It seeks to reduce the potential for consumer harm by lowering the threshold for mandatory breach notification. 

Key Provisions of S.B. 46

• Within the existing data breach notification statute, the definition of “personally identifiable information” is expanded to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” thus requiring notification when such information is compromised.
• In the event of a data breach of an online account that does not involve the compromise of an email account, in addition to existing methods of notification, businesses may fulfill the notification requirement by directing “the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
• In the event of a data breach of an online account that involves the compromise of email address/password or security question/answer, the business may “not comply with” the notification requirement “by providing the security breach notification to that email address, but may, instead, comply with this section by providing” existing, traditionally defined notice “or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.”

Takeaway

Data breaches involving the compromise of information such as passwords, usernames, and email addresses are likely to be far more common than those which compromise of personally identifiable information. Businesses will need to ensure that compliance mechanisms and resources are in place to allow the internal investigation to quickly and definitively ascertain whether email accounts were compromised so as to provide notice to the user in as quick and cost effective a manner as permissible under the revised language of the statute. 

“Do Not Track” Disclosures 

A.B. 370 
Status: Signed into law 9/27/13 
Effective Date: 1/1/2014 

Contextual Background

“Do not track,” a Web browser privacy standard under development by the World Wide Web Consortium (W3C), is intended to allow consumers to indicate to websites and online advertisers that they do not wish to be monitored. “Do not track” functionality has theoretically been enabled in all major browsers; however, the lack of a uniform standard has hampered efficacy. The opt-out functionality of “do not track” is not mandatory, and evidence suggests that many websites and advertisers disregard the consumer’s expressed preference in order to provide targeted services. Recently, the Digital Advertising Alliance, a major advertising trade organization, left the W3C’s “do not track” effort, prompting the W3C working group to appoint new leadership. At the moment, it remains to be seen whether “do not track” will develop into an effective technical standard. 

Existing California law requires websites or online services that collect personally identifiable information to conspicuously post a privacy policy, identify the categories of personally identifiable information collected, third parties with whom such information may be shared, and describe notification procedures in place for material changes to the privacy policy. This legislation amends that law to require disclosure to consumers regarding how the online service operator responds to a consumer’s “do not track” preference and presumably will be enforced by the Attorney General through California’s Unfair Competition Law. 

Key Provisions of A.B. 370

• Commercial website or online service operators must disclose in privacy policies how they respond “to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if operator engages in that collection.”
• Requires operators to “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

Takeaway

Companies should review their privacy policies to determine that the conspicuously posted policy discloses (1) what types of data are collected on the site, (2) what types of third parties may collect personal information from the site, (3) any process to review and request changes to the personal information collected on the site, (4) how consumers will be notified of material changes to the privacy policy, (5) an effective date for the policy, (6) how the operator responds to web browser “do-not-track” signals or other mechanism to exercise choice regarding the collection of online activity over time and across third party sites or services “if the operator engages in that collection,” which may be satisfied by a clear and conspicuous link to a program for tracking choice, such as the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, and (7) whether any third parties track consumer behavior over time across third party sites or services “when a customer uses the operator’s Web site or service.” Also, for practical purposes, the California Shine the Light law adds another disclosure requirement on the sharing of personal data with third parties for marketing purposes.

Warrant Requirements and Online Privacy

S.B. 467 
Status: Submitted by Legislature to Governor 9/10/13; awaiting gubernatorial action 

Contextual Background

The Electronic Communications Privacy Act of 1986 was intended to provide restrictions on law enforcement surveillance or interception of electronic data, including stored communications. The advent of cloud computing paired with slowly evolving jurisprudence, led to widely-criticized (as of recently, even by the Department of Justice) but regularly used loopholes in the law permitting, for example, the government to access any opened, cloud-based email over 180 days old without a warrant. Federal legislation to reform ECPA to apply a uniform warrant standard for communications stored in the cloud, led by Senator Leahy (D-VT), have stalled among a broader federal legislative impasse. At the same time, the Snowden NSA leaks revealed an extensive government surveillance program operating under separate authorities. In the course of the public debate, there has been significant conflation of the distinct issues of government access electronic communications information law enforcement and national security purposes. 

Key Provisions of S.B. 467

• Requires state governmental entities to obtain a valid search warrant (in accordance with established warrant procedures) to obtain the contents of a wire or electronic communication from a provider of electronic communications services or remote computing services.
• Requires that within three days of the government’s receipt of the duly requested content, the subscriber/user/customer whose data was requested must be served with a copy of the warrant and notice.
• Prohibits a provider of electronic communication services or remote computing services from knowingly divulging the contents of a communication that is stored or maintained by that service provider without consent.
• Creates a civil cause of action against any violator of the statute that may be brought by the aggrieved party.

Takeaway

The federal legislative impasse on ECPA reform, combined with the clamor for more protection from governmental overreach post-Snowden has led states to pass such legislation. Questions have been raised – including in the legislative record – regarding the potential issue of federal preemption. However, the implementation of a similar statute in Texas (H.B. 2256), which was signed into law in June 2013, indicates that this is unlikely to imperil the constitutionality of S.B. 467. 

Compliance with this law would not be overly burdensome on companies; the most frequent recipients of subpoenas or warrants issued under ECPA or similar statutes already have knowledgeable compliance departments. While the wholesale importation of outdated ECPA language – including that of “Remote Computing Service” and “Electronic Communications Service” – may not advance legislative clarity, the use of federal language should provide a relatively familiar standard for California state law enforcement. 

Finally, complaints have been raised about the lack of statutorily defined defenses to the civil claim created under the statute, as well as the absence of a clearly defined statute of limitations. It remains to be seen how this newly created right of action will be used.