The California general assembly has enacted a series of new laws that apply to websites, mobile applications, and other online services (collectively referred to in this article as websites) that collect information about users who reside in California. Businesses nationwide need to be aware of these new laws and, if necessary, revise their privacy policies and data and security practices before these laws become effective.
Notification of Data Breaches (Effective January 1, 2014)
New law S.B. 46 will require businesses to review and update their procedures for when and how to notify users of data security breaches. Under existing law, businesses that keep personally identifiable information of users must notify users if that information is disclosed in a security breach. S.B. 46 expands the definition of “personally identifiable information” in this context to include information that would permit access to a user’s online account, such as a user name or email address in combination with a password or answer to a security question.
If there is a security breach involving email login information, S.B. 46 specifies that notification of the breach should not be directed to that email address. Businesses should ensure their response plans provide for appropriate methods of notification, specified in the statute (e.g., traditional notice or clear and conspicuous online notice).
Disclosure of Tracking Networks and “Do Not Track” Practices (Effective January 1, 2014)
New law A.B. 370 requires new disclosures by websites regarding how users are tracked online. First, website operators must disclose whether third parties collect personally identifiable information about a user’s online activities across different websites. This disclosure requirement will affect websites that participate in networks that track users’ behavior across different websites, such as to serve targeted ads (e.g., Google’s Adsense, Facebook’s FBX, and online advertising provider TribalFusion).
A.B. 370 also requires website privacy policies to disclose whether or not the website responds when a user turns on the “do not track” setting in a web browser. Even though most major web browsers offer users a “do not track” setting, Internet users may not know that many websites currently disregard this setting because the group working to define what “do not track” means (the World Wide Web Consortium or W3C) has not yet reached a consensus on the term.
An “Online Eraser” for Minors, Advertising of “Harmful” Products to Minors (Effective January 1, 2015)
New law S.B. 568 requires websites to implement special procedures when allowing California minors (defined as anyone under the age of 18) to post information or material online. The law gives minors an “online eraser” option to remove, or request removal of, any material they have posted (with certain limited exceptions). In addition, websites must also inform minors of these removal options and how to utilize them. Because S.B. 568 provides for notice provisions beyond currently existing data privacy laws and applies to older children than do such currently existing laws, many websites will need to review and update their site functionality and privacy policies in order to be in compliance with this new law.
Additionally, S.B. 568 prohibits operators of websites from knowingly advertising and marketing certain products to minors that the law deems “harmful” to them (such as firearms, tobacco, dietary supplements, and alcohol). The law also prohibits the use of a minor’s personal information for advertising and marketing of these products.
* * *
Axis Legal Counsel provides legal advice to numerous businesses with a variety of legal matters, including business administrations, corporate governance, operations, risk management / insurance, labor/employment matters, healthcare, and statutory/legal compliance. For information on retaining Axis Legal Counsel to represent your business in connection with any legal matter, contact firstname.lastname@example.org or call (213) 403-0130 for a confidential consultation.