Last fall California passed two amendments to its privacy laws – one concerning how a website treats Do Not Track Requests and the other providing a “right to be forgotten” to minors. See Browns Signs 1 Data Breach and 2 Privacy Bills Into Law, along with an update expanding the reach of the state’s data breach disclosure bill. The laws go into effect on January 1, 2014 – except for the “right to be forgotten” legislation which goes into effect in 2015.
Privacy is a priority issue for California Attorney General Kamala Harris, who created a special privacy enforcement unit in 2012. Harris is preparing a compliance guide which is expected to be released shortly.
Attorney General Harris Sues Kaiser For Delayed Data Breach
California’s data breach law requires that disclosure to the consumer be made
in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Although the law does not define “most expedient time possible and without unreasonable delay, California’s Office of Privacy Protection recommends that notice be provided within ten (10) business days of an organization’s determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Kaiser Health learned in September 2011 that an external hard drive with personal information had been inadvertently released to the public, it retrieved the hard drive in December 2011, inventoried it through February 2012 and provided notice in March 2012. The Attorney General has filed suit alleging that should have begun providing notice on a rolling basis while it was still completing its analysis of the hard drive rather than waiting several months to complete. Kaiser faces a civil penalty of up to $2,500 per record or $51.3 million.
California Senate Seeks to Reverse Apple Credit Card Privacy Decision
Last February, in Apple Inc. v. SuperiorCourt, 56 Cal. 4th 128 (2013), the California Supreme Court interpreted the privacy provisions of the Song Beverly Credit Card Act as not applying to online transactions for downloadable products. Last week, the California Senate passed a bill (SB 383) to reverse this holding and provide that an online merchant may only require address, zip code or other personal information in connection with a credit card transaction for a downloadable product to the extent needed for fraud prevention and then it may only hold such information for as long as it is needed for this purpose and may not use it for marketing. Additional information may be collected if obtained through express consent after disclosure that the information is not required for the transaction.
The bill’s author, Sen. Hannah-Beth Jackson (D-Santa Barbara) told the Los Angeles Times