The California legislature has enacted a flurry of privacy-related laws over the past few months.   Still more bills are pending.  This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014.  For a more detailed look at some of these key laws, please see our recent client alert

  • A.B. 370 – “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014).  The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information.  This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service.  An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
  • S.B. 46 – Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014).  California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.”  The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information.  This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.
  • A.B. 658 – Amendment to California’s Confidentiality of Medical Information Act (effective Jan. 1, 2014).  The Confidentiality of Medical Information Act (“CMIA”) prohibits health care providers from intentionally sharing, selling, or otherwise using medical information for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient or by law.  This amendment broadens the scope of the CMIA to cover businesses that offer software or hardware to consumers for purposes of allowing an individual to manage his or her health information or for the diagnosis, treatment or management of a medical condition.
  • A.B. 1274 – Privacy of Customer Electrical or Natural Gas Usage Data (effective Jan. 1, 2014).  California law currently prohibits gas and electricity providers from disclosing a customer’s home energy usage, and requires a utility provider to use reasonable security procedures to protect a customer’s usage data.  In order to protect the privacy of customers using “smart grid” technologies that communicate usage data, this new law prohibits utility providers from sharing usage data without (1) conspicuously disclosing with whom the data will be shared and how the data will be used and (2) obtaining express customer consent.  The law further requires that the provider contractually require third parties to use reasonable security measures to protect the data from unauthorized disclosure and to reasonably dispose of data when it is no longer required.  The law also prohibits a utility company from providing an incentive to a customer to permit access to data without the customer’s prior consent.
  • S.B. 568 – Privacy Rights for California Minors in the Digital World (effective Jan. 1, 2015).  This law adds two new sections to the California Business & Professions Code.  The first prohibits websites, mobile applications, and other online services from marketing to minors certain enumerated products or services that minors cannot legally purchase or use, such as alcohol, firearms, and tobacco.  The second creates a deletion right for minors who are registered users of a website, mobile application, or other online service, to request and obtain removal of information posted by the minor.  This section also requires that online service providers notify minors of their deletion rights.