California has enacted three laws, two of which went into effect on January 1, 2015, designed to protect online data security and privacy for residents. The state has expanded its privacy and security laws by (i) requiring free identity theft protection for those affected by a data breach; (ii) extending the requirement for a regulated business to maintain “reasonable security procedures and practices” to third parties that receive information from the regulated business; and (iii) prohibiting the sale of individual social security numbers. The new laws also protect children by enacting groundbreaking student data privacy rules, imposing a narrow “right to be forgotten” for minors and limiting advertising targeted to minors.
Assembly Bill 1710
A.B. 1710, effective January 1, 2015, expands California’s data breach notification laws. Existing law requires a person or business that owns or licenses computerized data to notify any California resident whose personal information was acquired by an unauthorized person. A.B. 1710 expands this notification requirement by requiring the person or business that is the source of the breach to offer free identity theft prevention and mitigation services for at least 12 months.
Pre-existing law required a business that owns or licenses personal information about a California resident to maintain “reasonable security procedures and practices.” Now, when that business discloses the personal information to a third party, A.B. 1710 requires the business to require by contract that the third party also maintain reasonable security procedures and practices.
Finally, A.B. 1710 prohibits the sale, advertisement for sale or offer to sell an individual’s social security number. There are exceptions, including “if the release of the social security number is incidental to a larger transaction” and is necessary “to accomplish a legitimate business purpose.” The release of social security numbers for marketing purposes, however, is prohibited.
An affected customer may bring a civil action for damages or seek injunctive relief. A customer also may seek civil penalties for a willful, reckless or intentional violation of the identity theft provision or the requirement to maintain reasonable security procedures.
Senate Bill 1177
S.B. 1177, which takes effect January 1, 2016, enacts the Student Online Personal Information Protection Act (“SOPIPA”), designed to protect the data privacy of students in grades K–12. The law prohibits an operator of an Internet website, online service, online application or mobile application from (i) targeted advertising to students or parents; (ii) using personally identifiable information (“PII”) to amass a profile about a K–12 student; or (iii) selling or disclosing a student’s PII. The law protects PII that is created by a student, parent or school employee in the course of the operator’s service for school purposes, or information gathered by the operator that identifies or describes a student. The operator may use anonymous student information to develop its own educational products and services. The operator must maintain reasonable security procedures and practices to protect a student’s PII. Although other states have enacted student privacy laws, SOPIPA is groundbreaking because it covers a wider range of websites, services and applications, regardless of whether the operator has a contract with state educational agencies.
While SOPIPA itself does not contain enforcement provisions, it is expected to be enforced through California’s Unfair Competition Law, which permits injunctive relief and civil penalties.
Senate Bill 568
S.B. 568, effective January 1, 2015, allows minors a narrow right to request removal of their content online, which is also referred to as a “right to be forgotten.” The operator of an Internet website, online service, online application or mobile application must permit a minor to request and obtain removal of content posted by the minor and must provide notice and instructions to the minor on how to obtain removal. This right is limited because an operator does not have to remove content posted by a third party, even if the content is a reposting of the minor’s post. In addition, an operator is not required to remove content where the minor received compensation for providing the content or where the operator anonymizes the content so that the minor cannot be individually identified.
S.B. 568 also prohibits an operator from marketing or advertising to minors certain products or services that a minor cannot lawfully purchase, including alcohol, tobacco, handguns and obscene matter.
Although S.B. 568 itself does not contain enforcement provisions, it is expected to be enforced through California’s Unfair Competition Law, which permits injunctive relief and civil penalties.