United States: California Continues To Lead The Nation In Consumer Data Protection

Last year, California was at the forefront of the movement to increase consumer privacy online. The state legislature updated its data breach notification law, bringing it in line with some of the most strict notification laws in the country by requiring, for example, companies that send notices of a data breach to more than 500 California residents to also give notice to the Attorney General.

California Attorney General Kamala Harris herself was also very active last year in data privacy, working with app platform developers to devise a "Statement of Principles" to protect mobile app users' personal information. She also established a privacy protection division in her office. AG Harris closed out 2012 by bringing suit under the California Online Privacy Protection Act (CalOPPA) against Delta Airlines for failing to include a privacy policy with its "Fly Delta" app.

This year, California lawmakers continue efforts to enhance consumer privacy, particularly online. AG Harris published a report in early January outlining recommendations to protect privacy in a society that increasingly uses mobile devices for business and personal purposes. In the legislature, two privacy-focused proposals are already on the legislative agenda:

• AB 242: CalOPPA requires an operator of a "commercial website" or "online services" that collect personally identifiable information to make its privacy policy and data collection and protection practices available to consumers. AB 242 would require that the published privacy policy be 100 words or less and be written in "clear and concise language" at or below an 8^th grade reading level.
• AB 257: AB 257 also would expand CalOPPA, requiring that entities that collect personal information enact certain safeguards to protect it. Currently, CalOPPA applies to operators of "commercial websites" or "online services." AB 257 would amend the current CalOPPA definitions of "online market" and "mobile application" to include apps intended for download onto a device, ensuring that app developers are also required to follow the strictures of CalOPPA. Finally, the bill governs advertisements on mobile apps, such as requiring the ad to identify the sponsor and  requiring consumer consent before displaying the ad.

The California Legislature is not alone in considering updates to enhance citizens' privacy protections. On the other side of the country, for example, Maryland AG Doug Gansler appealed to the Maryland Legislature to enact legislation that would allow him to bring federal COPPA claims in state courts as a violation of the state's Unfair and Deceptive Trade Practices Act.

Legislation increasing consumer protection is often spurred by AG activity in that area. The California and Maryland legislative proposals were both introduced following a year in which both states' AGs received significant publicity related to their efforts in the area of consumer and data privacy. Legislative proposals can also foreshadow areas of law that may see increasing AG enforcement; the Maryland and California legislative proposals, if passed, will provide more tools with which those states' AGs can target data-collecting practices that harm consumers. As legislative sessions continue in 2013, expect to see more legislation addressing Internet and data privacy in California, Maryland, and other states.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.