
Amendments to California Security Breach Law

Posted by fgilbert on October 19th, 2015

The Fall season often brings changes to California laws, and this year is no exception. Once again, the California Security Breach Disclosure Laws have been amended. During the first half of October, California Governor Jerry Brown signed three bills amending the State’s Security Breach Disclosure Laws. These amendments will be effective as of January 1, 2016.

New Category of Protected Information

The amendment resulting from the signature of SB 34 adds license plate information – specifically, “information or data collected through the use or operation of an automated license plate recognition system” – to the list of information deemed “personal information” protected under the Security Breach Disclosure Laws codified as Civ. Code Sections 1798.29 and 1798.82.

The amendment also creates Civ. Code Sections 1798.90.50 to 1798.90.55. New Section 1798.90.50 will require “automated license plate recognition end-users” or “ALPR end-users” to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of the ALPR information is consistent with California’s respect for individuals’ privacy and civil liberties. The resulting usage and privacy policy must be made available to the public in writing, and be posted conspicuously on the website (if any) of the ALPR end-user.

SB 34 identifies minimum requirements for the content of the required privacy policy. Among other things, the privacy policy must identify the methods used to ensure the security of the information and compliance with privacy laws. Individuals who have been harmed by violations of these provisions, including breach of security and unauthorized access to, or use of, their information, are granted a private cause of action giving them the right to bring a civil action against any person who knowingly caused the harm.

Definition of Encryption

Assembly Bill AB 964, also signed into law by Governor Jerry Brown in early October, clarifies the meaning and scope of the term “encryption” used in the Security Breach Disclosure Laws. This is a welcome clarification, thirteen years after the enactment of the original law. During that period, the most common interpretation of the term “encryption” in the context of security breach disclosure laws was that it was intended to mean “strong encryption” as opposed to the use of passwords to limit access to a server.

The term “encrypted” data, under the AB 964 amendment, is defined as data that is “rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” There is no indication of what criteria will be used to determine the extent to which a particular technology or methodology will be deemed “generally accepted” in the field of information security. Companies may consider turning to relevant publications by NIST, the US National Institute of Standards and Technology, or to standards established by well-known organizations such as the International Organization for Standardization (ISO), an international standard-setting body.

Required Format for Breach Notices

Finally, SB 570 amends the California Security Breach laws to require that a specific outline be used when preparing a Breach Disclosure Notice. While prior amendments to the California Security Breach Laws did specify the type of information that should be included in a breach notice, this amendment focuses on the readability of the document and prescribes both the sequence in which the information must be provided and the titles to be used for each section of the disclosure. The notice must be titled “Notice of Data Breach”. It must be broken into prescribed sections titled:

  • “What happened”;
  • “What information was involved”;
  • “What we are doing”;
  • “What you can do”; and
  • “For more information”.

The affected entities are given the freedom to supplement this information.

The amendment also requires, among other things, that the format of the notice be designed to call attention to the nature and significance of the information that it contains. The font used must be not smaller than 10-point type. A sample form is provided in the bill.

These amendments will be effective as of January 1, 2016. That leaves companies subject to California disclosure laws ten weeks to update their security incident response plans and forms, and to adjust their practices to the new amendments.

 

New California Right of Erasure

Posted by fgilbert on January 2nd, 2015

The “Privacy Rights for California Minors in the Digital World Act” came into effect as of January 1, 2015. Business & Professions Code §22581 creates a “right of erasure” which has numerous similarities with the “right to be forgotten” or “right of erasure” that is written into the proposed EU Data Protection Regulation.

The California law requires an operator of an internet website, online service, online or mobile application (web service) who has actual knowledge that minors are using its service to permit a minor who is a registered user of that web service to request and obtain the removal of content or information posted on the web service by that user.

The web service must inform its users of this right to remove or obtain the removal of content or information and provide clear instructions on how a user may remove or request and obtain the removal of such content or information.

The law only applies to content or information that the user has posted on the web service. It does not address content or information posted by a third party. Only content posted by users themselves can be removed at the request of the user.

The law does not address content posted by third parties, such as “revenge porn.” The law provides for several exceptions to this right of erasure. They include, among others, where the content has been anonymized, where the minor has received compensation or consideration for providing the content, and where applicable law requires the web service to maintain the content or information.

A web service is deemed compliant with the law if it renders the content or information no longer visible to other users, even if the content or information remains on the web service’s servers in some form.

New Disclosures Required under Cal. AB 370

Posted by fgilbert on December 31st, 2013

 

At the end of September 2013, California’s governor, Jerry Brown, signed into law a series of bills that will significantly alter California’s privacy landscape, and are likely to affect, as well, the remainder of the United States. Among these bills, California’s Assembly Bill AB 370, sponsored by the California State Attorney General, becomes effective as of January 1, 2014.

Assembly Bill AB 370 amends the California Online Privacy Protection Act (CalOPPA), codified as Cal. Bus. & Prof. Code §§22575-22579, which, since 2004, has required each operator of a commercial website, mobile application or other online service that collects personal information of California residents (“Online Service”) to post a privacy statement and provide specified information in that privacy statement. The provisions added by AB 370, to be codified as Cal. Bus. & Prof. Code §22575(b)(5) to (b)(7), require additional disclosures. As a result, most privacy notices posted on Online Services directed at California residents will have to be revised.

Under the current version of CalOPPA, an Online Service must conspicuously display a privacy statement that discloses:

  • The categories of personally identifiable information that the operator collects;
  • The categories of third-parties with whom the operator may share that personally identifiable information;
  • The process, if any, that the operator maintains for an individual to review and request changes to the information so collected;
  • The process by which the operator notifies individuals of material changes to its privacy policy; and
  • The effective date of the privacy statement.

AB 370 increases the currently existing mandate under CalOPPA to require, in addition, the disclosure of:

  • How the Online Service responds to a browser’s do-not-track signal regarding the collection of information about online activities over time and across third party online services; and
  • Whether third parties may collect information about online activities over time and across different online services.

Clarity and Definitions Missing

On its face, AB 370 seems simple. Actually, its pithy provisions are especially difficult to interpret because of a lack of definitions. As written, the three additional sections are very broad. Despite extensive dialog between the digital marketing industry and the legislators, AB 370 ends up failing to address the specific issue of online behavioral advertising (OBA), a concern to many, while imposing on companies a set of confusing new rules.

AB 370 does not require companies to provide consumers with the ability to exercise choice regarding the collection of information about their online activities for advertising or other commercial purposes. Instead, it asks companies to indicate whether and how they respond to a “do not track” signal, but fails to specify what this “do not track” signal is. As a result, it is likely to bury the real issue of OBA amongst unnecessary disclosures that are likely to burden companies and clutter privacy notices without accomplishing the original goal of consumer protection.

The California State Attorney General is developing a set of “best practices” on how to respond to CalOPPA as amended, to be published in mid to late January. However, according to representatives of its office (with whom we met in early December) who are working on the document, this document will only identify “best practices”, which are likely to go beyond the actual requirements of the law, but will not clarify the meaning or scope of AB 370. The office of the California State Attorney General pointed out that their role is not to interpret the law but to provide guidance to entities subject to the law. Unfortunately, since the document will only be published by mid to late January 2014, companies are left guessing what these “best practices” might be, and will not know clearly what they are expected to do or to disclose. A confidential, working draft of the Best Practices document has been released for comments, but its content may not be shared publicly.

Subsection (b)(5) Do Not Track Disclosure

The entire “do not track” section of AB 370 is only a few lines long and does not include any definitions other than those already existing in the original CalOPPA. Specifically, new Cal. Bus. & Prof. Code §22575(b)(5) requires Online Services to disclose:

“how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third party Web sites or online services, if the operator engages in that collection.”

It is not clear what “do not track” or “other mechanisms that provide consumers the ability to exercise choice” is intended to mean or cover. This lack of definition is especially important because there have been otherwise extensive efforts to develop a definition of “do not track” or “tracking preference exception”, and that definition is still in development.

Indeed, for the past two years, the Tracking Protection Working Group of the World Wide Web Consortium (W3C) – the international organization that established international standards such as XML or HTML – has been convening regular meetings in which notable global organizations, such as Apple, Microsoft, Mozilla, Nielsen, Yahoo, and the Digital Advertising Association, have been participating. In early November 2013, however, W3C announced its inability to establish a standard definition of “do not track” or “Tracking Preference Exception” (in W3C lingo). As a result, there is not yet a commonly accepted definition of “do not track”.

Without a proper definition of “do not track”, it is difficult to interpret California’s AB 370. For example, does “targeting” cover specific targeting (e.g., “interested in a new car”) or only general profile categories (e.g., “interested in cars”)? Is “tracking” limited to the use of information in connection with online behavioral advertising, or does it also include tracking technologies that are used for other, less privacy-intrusive purposes, such as analytics or fraud detection?

Other crucial definitions are missing, as well, such as that of “other parties.” Does “other parties” include affiliates and subsidiaries in addition to service providers and business partners? Is a subsidiary an “other party”, such that, for example, eBay cannot share its information with PayPal, or Zappos with Amazon?

Representatives of the California State Attorney General’s office in meetings held in December 2013 indicated that, in their view, the term “tracking” is intended to include all forms of tracking – while concurrently stating that they have no authority to interpret the new law, and can only suggest best practices.

An interpretation of AB 370 in this manner – i.e., including, without discrimination, all forms of tracking, such as tracking for fraud detection or analytics purposes – would unnecessarily complicate the disclosure required by AB 370. It would require longer, more complex disclosures, which would lengthen privacy statements, making them more difficult to comprehend for the average consumer. The recent implementation of the “Cookie Laws” in Europe provides an example of the confusion, wasted time, and lengthy disclosures that can result when a law is too broad, and companies scramble to interpret it. Let us hope that the same confusion does not result from the implementation of AB 370 on this side of the ocean.

Subsection (b)(7) – Safe Harbor

New Cal. Bus. & Prof. Code §22575(b)(7) creates a safe harbor or an alternative to Subsection (b)(5). New subsection (b)(7) provides that the operator of an Online Service may satisfy the requirement above by providing a clear and conspicuous hyperlink in its privacy statement to “a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice” (i.e., the ability to make a choice regarding the collection of personally identifiable information about the individual’s online activities over time or across third party Web sites or online services).

In other words, Subsection (b)(7) offers Online Services the ability not to disclose whether they respond to a – yet-to-be-defined – “do not track” signal by providing users of their service a method for opting-out of the tracking.

At this point, Subsection (b)(7) might be the most elegant and practicable alternative for companies, but it may require extensive programming and development of new applications to address, in a user-friendly manner, the numerous choices that might be made available to users. Indeed, user-friendly designs and interfaces will likely be needed so that an Online Service can shape its interaction with a user to allow the user to make granular choices while the Online Service retains the ability to conduct the collection and analysis that it needs to remain profitable and continue to receive the necessary level of traffic to generate revenues.

Subsection (b)(6) – Third Party Tracking Disclosure

The other change brought by the enactment of AB 370 focuses on third-party tracking mechanisms. So far, privacy statements posted on Online Services have generally disclosed the existence of cookies or other tracking technologies such as tags, but many have failed to clearly disclose the existence or effect of third-party tracking. When they do make these disclosures, some of these statements indicate that the use of third-party tracking technologies is subject to third parties’ privacy policies over which the Online Service has no control.

Starting on January 1, 2014, Online Services must also disclose in their privacy notices:

 “Whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s Web site or service”

This provision, to be added to the existing law as Cal. Bus. & Prof. Code §22575(b)(6), is unnecessarily broad, does not distinguish between website analytics and behavioral advertising, and in the absence of proper guidance from the legislator or the enforcers, is likely to give rise to litigation.

Interestingly, or unfortunately, this additional provision regarding third-party tracking technologies is not balanced by a safe harbor provision as is the case for the “do-not-track” disclosure under new Subsection (b)(5). Thus, the disclosure is required whether or not the Online Service offers users information about opting-out of the collection of information by third parties.

Under Subsection (b)(6), Online Services must only disclose the existence of third-party tracking tools. They are not required to describe the purpose for which the third parties may use the collected information, i.e., whether these uses are limited to those disclosed in the privacy statement of the Online Service itself, or whether other uses might be possible under the separate privacy policies of these third parties.

It will be up to companies to decide the extent of the disclosures or explanation they want to provide about the scope of the activities of the third parties that they invite or allow to collect information on their Online Service. It remains to be seen whether companies will opt for a generic sentence such as “third parties may be conducting activities over time and across different websites”, or will provide more specific, user-friendly disclosures.

What Personal Information is at Stake?

The disclosures required above apply to the collection of “personally identifiable information”, a term that is defined in CalOPPA, Cal. Bus. & Prof. Code §22577(a), to include (1) first and last name; (2) physical address; (3) e-mail address; (4) telephone number; (5) social security number; (6) any other identifier that permits the physical or online contacting of a specific individual; and (7) information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above.

While the first part of the definition – subsections (a)(1) to (5) – is clear and specific, the second part – subsections (a)(6) and (7) – is a catchall provision that could be interpreted broadly. So far, the extent of these subsections has not been fully tested. There is little information about the meaning and scope of the term “identifier that permits the physical or online contacting of a specific individual.” In an era where most devices are personal to a user, and each instance of use is labeled with cookies, tags, IP addresses, and in many cases, location, Subsection (a)(6) might be interpreted very broadly. Does the ability to post advertisements on a user’s screen based on cookies that identify that specific user – without knowing the user’s actual identity – fit within the scope of the new provision? In the new AB 370 era, we should expect the plaintiff’s bar to argue that it does.

The passage of AB 370 reopens the door to the interpretation of the definition of “personally identifiable information” under CalOPPA. Unfortunately, the definition has not been sufficiently tested previously, and it may have aged as technology has evolved significantly in the ten years that have elapsed since CalOPPA’s enactment in 2004. An unintended consequence of the passage of CalOPPA might be the expansion of CalOPPA’s definition of “personally identifiable information” to a concept that would be closer to the definition of “personal data” under the data protection laws of the European Union Member States.

Enforcement

AB 370 does not contain new provisions regarding the enforcement of these amendments. The current enforcement provisions of CalOPPA remain untouched. CalOPPA allows operators of Online Services 30 days to correct deficiencies after receiving a notice of non-compliance before the Attorney General can take action (Cal. Bus. & Prof. Code §22575(a)). Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California’s Unfair Competition Law and may result in penalties of up to $2,500 for each violation.

Conclusion

California’s AB 370 does not prohibit tracking. It only requires that operators of Online Services disclose how they respond to a do-not-track signal, and whether third party service providers have the ability to collect personal information from individuals during their visit of that Online Service and follow that individual over time and on other Online Services. The new law has been criticized for its lack of clarity, and it is our hope that the California State Attorney General will provide practical guidance on how to implement this new requirement. In the meantime, the new provisions fail to define what is intended by “do not track,” or to clarify the type of “personally identifiable information” that is to be protected.

While the new requirement under AB 370 focuses only on the “mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” it fails to recognize the many forms and the different uses of tracking, some of which are beneficial to the users. AB 370 is also based on a pre-existing definition of “personally identifiable information” that is broad and not yet fully tested, which may create further confusion.

At this point, we are left with provisions that are difficult to interpret, lack definition, and are so broad that they have the potential of causing significant harm to companies and burden users with unnecessary disclosures that might be hard to decipher. It is likely that the meaning and scope of the AB 370 amendments to CalOPPA will remain uncertain until courts are called upon to interpret the new provisions.

California Privacy Enforcement and Protection Unit Created

Posted by fgilbert on July 19th, 2012

California will increase its privacy and data protection enforcement efforts with the creation of the Privacy Enforcement and Protection Unit, announced by California’s Attorney General, Kamala D. Harris on July 19, 2012. The Privacy Unit, which will be housed in the eCrime Unit of the California Department of Justice, will combine the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise.

Joanne McNabb, currently Chief of the California Office of Privacy Protection, will serve as the Director of Privacy Education and Policy, and will oversee the Privacy Unit’s education and outreach efforts.

Travis LeBlanc, Special Assistant Attorney General for Technology for California, will head up the enforcement division. Six prosecutors will concentrate on enforcement of the laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government, including laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.