The State of California, long the most proactive U.S. state in enacting data privacy laws, has again modified its breach notification and data protection laws. This week, Governor Jerry Brown signed two privacy bills into law: SOPIPA (SB 1177), aimed at regulating the use of student data, and AB 1710, targeting data protection more broadly. Taken together, these bills highlight the continuing compliance challenges facing American businesses which must conform not only to state-specific privacy standards, but also monitor and adapt to the frequent and substantive changes each state introduces.
On September 30, Governor Brown signed Assembly Bill 1710, extending California’s breach notification and security requirements to additional sets of data held by companies doing business in California. The new law, which goes into effect on January 1, 2015, aims at both preventing data breaches and protecting consumers in the wake of breaches.
While California’s data protection law (Cal. Civ. Code § 1798.80 et seq.) had required businesses that “own or license” personally identifiable information to adopt reasonable security practices, the amended statute expands that requirement to business that may also “maintain” such information. This amendment eliminates any exceptions which may have existed for business which possess, but do not “own or license” personal information; now regardless of who owns the information, if your business controls such data you must have reasonable security practices in place. Those security practices must be sufficient, given the nature of the information, to protect the information from “unauthorized access, destruction, use, modification, or disclosure.”
California also has new requirements when a breach does occur. When an entity whose systems or databases have been breached provides a mandated notice to consumers, any offer to provide identity theft prevention and mitigation services must be provided at no cost for 12 months. Barring a judicial interpretation to the contrary, this provision, which was amended from a more demanding earlier version, appears to set a minimum standard when monitoring is offered, but does not require monitoring to be offered in the first place. The legislative history is, as is often the case, imprecise. The Assembly Committee on Banking and Finance wrotecomments on the bill in which it described the provision as follows: “under this measure, the person … would be required to offer appropriate identity theft prevention and mitigation services, if any are available.” While the statutory language is far less clear, a court may be persuaded by the legislative intent demonstrated by this passage. Expect debate on the meaning of this provision if post-breach services are not offered.
Regardless, while offering monitoring has become common practice in large breaches, California is the first state to legislate on the length of ID monitoring required. The law applies only to businesses that are the “source of the breach,” a seemingly simple distinction that, in practice, can take weeks or longer to unravel. Another significant limitation is the application of the services requirement only when a Social Security number, driver’s license number, or California identification card number is compromised. This effectively exempts many businesses from the length of ID monitoring requirement, as point of sale systems and other customer records likely include financial data (such as credit and debit card numbers), but not SSNs or ID numbers. This distinction makes sense, as card replacement mitigates consumer losses, but loss of secrecy of government ID numbers risks identity theft or fraud where monitoring services can be important to mitigating loss.
Assembly Bill 1710 also modifies existing law to prevent the “sale” or Social Security numbers. While it has been illegal in California to display, print, transmit, or require SSNs, it is now illegal to “sell, advertise for sale, or offer to sell” SSNs unless incidental to a larger transaction or necessary for identifying the individual.
Earlier in the week, on September 29, Governor Brown signed SB 1177 the Student Online Personal Information Protection Act, or SOPIPA, which will add new Sections 22584 and 22585 to the California Business and Professions Code). Set to take effect on January 1, 2015, SOPIPA puts limits on operators of online services primarily used by, and designed and marketed for, K-12 school purposes (which purposes include “instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school”).
The law prevents these operators from using a student’s activity data or unique identifiers to create a “profile” of that student for any non-school purpose. Moreover, it prevents these operators from using, or allowing a third party to use, any information that the operator has acquired from a student’s use of their online service to engage in targeted advertising or to sell such information outside of an acquisition or change of control transaction.
SOPIPA also places security and data deletion requirements on operators providing online services to schools. First, operators of student-targeted online services must implement and maintain “reasonable security procedures and practices” to protect students’ “covered information” (a term defined broadly to include any information created by a student, parent, or school employee, or any information that is in any way “descriptive of a student” and that was gathered through use of the online service or otherwise provided to the operator). And second, such operators must delete a student’s covered information upon request of the school (note thatprior versions of SOPIPA also mandated removal under the students’ request as well, but this requirement was removed from the final version).
SOPIPA contains some notable limitations about its application. A student’s covered information that has been “deidentified” may still be used by the operator to demonstrate the effectiveness of their products or services or to improve their own educational products. Such deidentified information may also be shared as aggregated deintified data “for the development and improvement of educational sites, services or applications.” Second, SOPIPA does not prohibit an operator of an online service from marketing educational products directly to parents so long as the marketing does not result from the use of a student’s personally identifiable information obtained from a website primarily directed to students.