Brown Inks Privacy Trifecta

Brown Signs 1 Data Breach and 2 Privacy Bills Into Law


California Governor Brown has now signed one data breach bill and two privacy bills into law at the conclusion of the legislative session. These are significant because the Attorney General has a newly minted privacy enforcement unit and has said that data breaches will be a priority for enforcement efforts. You should review your current privacy and data breach policies to ensure compliance.

On the privacy side, Brown signed AB 370, the Do Not Track disclosure bill, which amends the California Online Privacy Protection Act to add the following provisions for websites that collect personal information from California residents:

(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Governor Brown had previously signed the Privacy Rights for Minors in a Digital World Act (SB 568), which provided that a website or mobile application that has “actual knowledge” that a minor is using its site or app shall:

(1) Permit a minor who is a registered user of the operator’s [website or app] to remove or, if the operator prefers, to request and obtain removal of, content or information posted on the operator’s Internet Web site, online service, online application, or mobile application by the user.
(2) Provide notice to a minor who is a registered user . . . that the minor may remove or, if the operator prefers, request and obtain removal of, content or information posted on the operator’s Internet Web site, online service, online application, or mobile application by the registered user.
(3) Provide clear instructions to a minor who is a registered user . . . on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator’s Internet Web site, online service, online application, or mobile application.
(4) Provide notice to a minor who is a registered user . . . that the removal described under paragraph (1) does not ensure complete or comprehensive removal of the content or information posted on the operator’s Internet Web site . . .

This bill does not go into effect until 2015.

The final measure amends the state’s data breach notification requirements to expand the scope of “personal information,” for purposes of the breach notification statute, to include a user name or email address acquired in combination with a password or security question and answer that permits access to an online account, but it provides that notification may be given in electronic form.
