The California legislature has enacted a flurry of privacy-related laws over the past few months. Still more bills are pending. This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014. For a more detailed look at some of these key laws, please see our recent client alert.
- A.B. 370 – “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014). The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information. This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service. An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
- S.B. 46 – Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014). California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.” The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information. This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.