United States: Recent Changes To Online Privacy Laws In California

California Online Protection Act

The California Online Protection Act (the "Act") requires a commercial Internet website or online service to conspicuously post a privacy policy on its website if it collects personally identifiable information¹ ("PII") about California residents who visit its website.² Currently, the privacy policy must disclose the categories of PII collected and the third-parties with whom the operator shares the PII; the process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator's privacy policy for that website or online service; the privacy policy's effective date; and, if the operator maintains a process for an individual consumer who uses or visits its commercial website or online service to review and request changes to any of his or her personally identifiable information that is collected, a description of that process.³

Effective January 1, 2014, privacy policies must provide two additional disclosures to comply with the recent amendments set forth in Assembly Bill 370. First, if an operator collects personally identifiable information about an individual consumer's online activities, including those across third-party websites or online services, the privacy policy must include information about how the website operator responds to "do not track" signals or other mechanisms that provide consumers with a choice regarding the collection of such PII.⁴ An operator may also satisfy this requirement by providing a hyperlink in its privacy policy to a webpage with a description, including the effects, of any program or protocol offered by the operator that provides consumers a choice regarding online tracking. Second, privacy policies must state whether other parties may collect PII when a consumer uses the operator's website or service.⁵

Although the Act and recent amendments apply only if the person visiting the website is a California resident, residence is not an easily identifiable trait. Geolocation techniques allow an operator to determine the location from which a person accesses its site but they do not tell the operator where that person resides. Accordingly, absent compliance with the new privacy policy requirements at all times and for all users, an operator risks liability under the law.

Expanded Notification Requirements for Data Breaches

Senate Bill 46 expands California's data breach law to encompass breaches of an individual's "user name or email address, in combination with a password or security question and answer that would permit access to an online account."⁶ Although California's existing data breach law in California Civil Code Section 1798.82 already requires businesses to provide notification of security breaches involving personal information,⁷ the amended data breach law expands the definition of personal information and prescribes specific notification procedures for breaches implicating user names and email addresses. Specifically, in the case of a breach involving a user name or email address where no personal information and no login credentials of an email account are compromised, the business may comply with the statutory data breach obligations by providing notification in electronic format, such as email or through the individual's online account, advising the individual to change his or her password and security credentials.⁸

Conversely, where a breach involves an individual's user name or email address and login credentials of an email account, the business cannot comply with the data breach obligations by providing notification to that email address, but may, instead, provide clear and conspicuous notice to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.⁹ The business may also comply with the alternative notice obligations set forth in California Civil Code Section § 1798.82(j), e.g., written notice or, where certain requirements are met, substitute notice.¹⁰

The expanded data breach law takes effect January 1, 2014. Persons and business entities who conduct business in California and own or license computerized data containing California residents' personal information should be cognizant of the additional data breach notification requirements. To ensure compliance with the heightened obligations, such persons and business entities may wish to amend their existing privacy policy and data security procedures.

California's New COPPA-Like Law

Finally, in September of this year, Senate Bill 568 was signed into law by the Governor of California. The new law has two aims: 1) to limit children's exposure to certain types of advertising and 2) to provide a means for children to remove content they post online. The law goes into effect January 1, 2015.

With respect to advertising, the law prohibits websites and applications directed to minors from marketing products or services that minors cannot lawfully purchase (e.g., alcohol, weapons, lottery tickets, tobacco, etc.).¹¹ A website or application is "directed" to minors where it is "created for the purpose of reaching an audience that is predominately comprised of minors and is not intended for a more general audience comprised of adults."¹² Even if the website or application is not directed toward minors, the law requires operators to make a good faith effort not to market such products to minors whom the operator has knowledge are using its site or application.¹³ The law also prohibits an operator or third-party from using or disclosing a minor's personal information with knowledge that the information will be used to advertise such products to minors.¹⁴

The law also imposes several new responsibilities on operators in regard to content control. Most importantly, operators are required to allow minors to request and obtain removal of content they post to a website or application so long as they are registered users. Operators must also deliver notice of this allowance to minors, instructions on how they may request and obtain removal of content, and notice that removal may not be comprehensive.¹⁵ The removal of content is not required in some circumstances, including where the content was posted by a third party, where the operator anonymized the content, or where the minor received consideration for providing the content.¹⁶

In summary, this new law seeks to protect all minors, as opposed to COPPA, which is limited to minors under 13. Nevertheless, many of the same challenges and risk assessments apply. For example, whether a website or application is directed toward minors is not always obvious, and because liability in some circumstances depends on an operator's knowledge, it is advisable to avoid collecting age information unless necessary for business purposes.

Footnotes

1 Under the Act, "personally identifiable information" is defined as "individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

Cal. Bus. & Prof. Code § 22577(a).

2 Cal. Bus. & Prof. Code § 22575(a).

3 Id. at § 22575(b).

4 A.B. 370, 2013–2014 Leg., Reg. Sess. (Ca. 2013).

5 Id.

6 Cal. Civ. Code § 1798.82(h)(2) (Effective January 1, 2014).

7 Under existing law, "personal information" means:

Cal. Civ. Code. § 1798.82(h)(1).

8 Cal. Civ. Code § 1798(d)(4) (Effective January 1, 2014).

9 Cal. Civ. Code § 1798(d)(5) (Effective January 1, 2014).

10 Cal. Civ. Code § 1798(d)(5) (Effective January 1, 2014).

11 S.B. 568, 2013–2014 Leg., Reg. Sess. (Ca. 2013).

12 Id.

13 Id. § 22580(b).

14 Id. § 22580(c).

15 Id. § 22581(a).

16 Id. § 22581(b).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.