The California legislature has enacted a flurry of privacy-related laws over the past few months.  Still more bills are pending.  This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014.  For a more detailed look at some of these key laws, please see our recent client alert.

  • A.B. 370 “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014).  The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information.  This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service.  An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
  • S.B. 46 Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014).  California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.”  The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information.  This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.



Updated on October 1, 2012 to add information about Chairman Leibowitz’s response to the nine Representatives’ letter. 

As we previously noted, in March of this year the Federal Trade Commission called for the implementation of a Do Not Track (DNT) system that allows consumers to opt out of the collection of all online behavioral data other than data needed for certain limited purposes, such as preventing fraud.  Much of the debate over DNT has been taking place within the World Wide Web Consortium (W3C), which has been convening talks to develop a standard for what it means to honor a consumer’s DNT preference. 

According to media reports, advocacy groups are now asking the FTC to become more actively involved in the W3C discussions.  In a letter to FTC Chairman Jon Leibowitz, the Center for Digital Democracy, Consumer Watchdog, and the Electronic Frontier Foundation wrote, “The W3C talks have reached a point where a clear statement from the FTC will play a decisive role in reaching consensus.”  The organizations want the FTC to support a proposal that would permit the collection of analytics information only if the data cannot be linked to specific users or devices, as well as a proposal that websites should honor DNT irrespective of whether the DNT setting is turned on by default — an issue we blogged about here.

Meanwhile, nine House members have reportedly written to the FTC to raise concerns about the agency’s role in the W3C process.  The lawmakers questioned whether the FTC and W3C have adequately considered DNT’s potential effect on third-party advertising networks and publishers.  The members also requested information about the agency’s authority to participate in the W3C discussions, studies the agency considered before advocating for DNT, and other information.  Rep. Mick Mulvaney (R-SC) today sent a separate letter to Chairman Leibowitz, asking for similar information and criticizing the FTC for “acting outside the scope of Congressional intent” by seeking to create government policy in an area reserved for Congress.

Edit:  Chairman Leibowitz responded to the Representatives’ letter by emphasizing that the FTC’s role in W3C “in no way usurps the legislative process or imposes a burden on industry” because any DNT standard adopted by the W3C would be self-regulatory and voluntary.  The nine House members’ letter is available here, and Chairman Leibowitz’s response is available here.


Yesterday, Microsoft announced that users of Windows 8 and Internet Explorer 10 will have a “first run” option to disable the default “Do Not Track” privacy setting.  A first run option occurs during the software set-up process.  If users take no action, the DNT setting will be enabled by default.

Shortly after the Federal Trade