At the end of September, California enacted several laws placing additional obligations on operators of websites, mobile applications, and other online services (collectively referred to in this article as websites) that collect information about users who reside in California. Although these laws apply only to California residents, given the sheer size of the California marketplace, the heightened internet data privacy and security requirements they impose could well become a de facto national standard. Businesses nationwide need to be aware of these new laws and, if necessary, revise their privacy policies and their data-handling and security practices before the laws take effect.
Notification of Data Breaches (Effective January 1, 2014)
S.B. 46 will require businesses to review and update their procedures for when and how to notify users of data security breaches. Under existing law, businesses that keep personally identifiable information of users must notify users if that information is disclosed in a security breach. S.B. 46 expands the definition of “personally identifiable information” in this context to include information that would permit access to a user’s online account, such as a user name or email address in combination with a password or answer to a security question.
If a security breach involves email login information, S.B. 46 specifies that notification of the breach must not be sent to that email address, since the compromised account may be under the control of the attacker rather than the user. Businesses should ensure their incident response plans provide for the alternative methods of notification specified in the statute (e.g., traditional written notice or clear and conspicuous online notice) and that responders know when the email channel is off limits.
Disclosure of Tracking Networks and “Do Not Track” Practices (Effective January 1, 2014)
A.B. 370 requires new disclosures by websites regarding how users are tracked online. First, website operators must disclose whether third parties collect personally identifiable information about a user’s online activities across different websites. This disclosure requirement will affect websites that participate in networks that track users’ behavior across different websites, such as to serve targeted ads (e.g., Google’s AdSense, Facebook’s FBX, and online advertising provider TribalFusion).
A.B. 370 also requires website privacy policies to disclose whether or not the website responds when a user turns on the “do not track” setting in a web browser. Technically, that setting only causes the browser to send a “DNT: 1” header with each request; nothing forces the receiving site to act on it. Even though most major web browsers offer the setting, Internet users may not know that many websites currently disregard it because the group working to define what “do not track” means (the World Wide Web Consortium, or W3C) has not yet reached a consensus on the term. A.B. 370 does not require websites to honor the setting, only to say whether they do.
An “Online Eraser” for Minors, Advertising of “Harmful” Products to Minors (Effective January 1, 2015)
S.B. 568 requires websites to implement special procedures when allowing California minors (defined as anyone under the age of 18) to post information or material online. The law gives minors an “online eraser” option to remove, or request removal of, any material they have posted (with certain limited exceptions). In addition, websites must inform minors of these removal options and how to use them. Because S.B. 568 imposes notice requirements beyond those of existing data privacy laws and applies to older children than those laws do (the federal COPPA rules, for example, cover only children under 13), many websites will need to review and update their site functionality and privacy policies in order to comply with this new law.
Additionally, S.B. 568 prohibits website operators from knowingly advertising or marketing to minors certain products that the law deems “harmful” to them (such as firearms, tobacco, certain dietary supplements, and alcohol). The law also prohibits the use of a minor’s personal information for advertising and marketing of these products.