New California Data Breach and Privacy Amendments

Within the last few weeks, California Governor Jerry Brown signed into law two new data privacy bills: S.B. 46 amending California’s data security breach notification statute and A.B. 370 addressing the disclosure of “do not track” and other related practices in online privacy policies. Both laws will go into effect on January 1, 2014.

New Data Security Breach Notification Triggers

California law already requires the provision of notice to affected customers of unauthorized access to, or disclosure of, personal information in various circumstances. S.B. 46 adds to the current breach notification requirements a new category of breach triggering these requirements: a user name or email address, in combination with a password or security question and answer, that would permit access to any online account.

However, when the information subject to a breach falls under this new category only, companies may notify affected customers in electronic or another form that directs these customers to promptly change their passwords and security questions or answers, or to take any other steps that may be appropriate to protect the affected online account and any other online accounts for which that customer uses the same user name or email address and password or security question or answer. In those situations involving login credentials for email accounts provided by the company, the company must not send the notification to the implicated email address, but rather must provide the required notice via one of the other methods provided for by California law, or by “clear and conspicuous notice” delivered to the affected user online when the user is connected to the online account from an IP address or online location from which the company knows the user ordinarily accesses the affected account.

Breach notification in California is currently triggered only by the unauthorized acquisition of an individual’s first name or initial and last name in combination with one or more of the following data elements (when either the name or the data elements are unencrypted): social security number; driver’s license or state identification number; account, credit card or debit card number in combination with any related security or access codes; medical information; or health information. As a result, S.B. 46 expands the categories of information the disclosure of which may trigger the requirement for notification – however, it fails to apply the existing exception for encrypted data to the user credential information subject to this amendment. Thus, even if a breach is related solely to online access data that is itself encrypted, the amendment will nevertheless still require notification. It is unclear whether this omission was intentional or not. As a result, S.B. 46 is a significant expansion of the circumstances in which notification may be required.

New Disclosure Requirements For Online Tracking Practices

A.B. 370 amends the California Online Privacy Protection Act (CalOPPA) to require companies that collect personally identifiable information (PII) online to disclose how they respond to “do not track” signals, in addition to other information about their collection and use of PII. These new disclosures include:

• How the company responds to “do not track” signals or other mechanisms that allow consumers to choose how their PII is collected as to their online activities over time and across third-party websites or online services, if the company collects such information; and
• Whether third parties may collect PII about a consumer’s online activities over time and across different websites when that consumer uses the company’s website.

These disclosures must be included in a company’s privacy policy. To comply with the first requirement above, companies may provide a “clear and conspicuous” hyperlink in their privacy policy to an online description of any protocol that the company uses that provides the user that choice, including its effects on functionality and service.

Finally, note that CalOPPA’s application is very broad. In particular, it applies to any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.” In view of the inherent difficulty of doing business online without attracting users residing in California, these provisions will almost certainly apply to most online businesses.

Recommended Best Practices

To comply with these recent amendments, companies should review their data privacy and security policies and practices to determine whether updates are needed. Companies should review and revise as necessary their data security breach contingency plans now to include the newly added notification triggers as well as the new notification protocols allowed when only that data is at issue. Similarly, companies that collect PII online or through mobile applications should review their online tracking activities and all applicable privacy policies (i.e., website and mobile apps) to determine whether and to what extent revisions may be required by January 1, 2014.

In this way, necessary revisions can be thoughtfully prepared and implemented into all related documentation, thereby avoiding last-minute implementation miscues and/or public relations nightmares arising from unnecessary/embarrassing dealings next year with the California Attorney General’s office.