Although the idea of a right to privacy was first expressed in an 1890 Harvard Law Review article by Louis Brandeis and Samuel Warren, it is only over the past few decades that the concept of privacy has spread like wildfire. Some businesses have landed in legal trouble for failing to provide adequate security or proper notifications in the event of a security breach. U.S. states have become more proactive in crafting and enforcing information privacy laws to protect their citizens.
The State of California is among the forerunners with its enactment of numerous privacy laws over the past decade. A company need not maintain a physical presence in California in order to be affected by California’s privacy laws.
Due to the widespread accessibility of the Internet, any business that collects personal information on a California resident must comply with many privacy laws, including the following laws, which become effective January 1, 2015.
Digital eraser law
Nicknamed the “Eraser Button Law,” California Senate bill 568 will require the operator of a website, online service or mobile application that is directed towards California minors, or has actual knowledge that minors use the site or service, to remove any content posted or submitted by a minor at the request of that minor. Clear instructions on how to erase or request removal of posted content must be provided to all minors using the site or service.
However, the law is silent as to when the minor must request removal. Whether a user of the age of majority could request removal of content posted while the user was a minor is unclear.
Additionally, SB 568 prohibits website or online service operators from marketing, or allowing third parties to market certain prohibited products or services to minors. The list of prohibited products and services includes, without limitation, alcohol, tobacco and paraphernalia, firearms, spray paint, fireworks and tanning beds.
Amendments to personal data laws
Assembly bill 1710 (AB 1710) contains three amendments to current California privacy laws pertaining to data breaches and identity theft prevention. The bill will amend portions of Title 1.81 of the California Civil Code, which regulates the maintenance and use of customer records including the following three aspects.
1. Application of security requirements
Under current California law, businesses that own or license personal information about a California resident are required to implement and maintain reasonable security procedures and practices to prevent unauthorized disclosure or use of the personal information. AB 1710 extends the current requirements to apply not just to businesses that own or license personal information but also to businesses that merely maintain personal data about a California resident.
The term “maintain” as used in the bill is vague and is identified as “personal information that a business maintains but does not own or license.” According to the Civil Code, a business owns or licenses personal data when it is part of a customer account or transaction. Businesses that maintain personal information and will be subject to the new law include third-party service providers and data storage providers. Therefore, this amendment will drastically increase the number of businesses required to implement security procedures.
2. Identity theft mitigation services
AB 1710 also amends California’s requirements for data breach notification. In the event the computerized data owned, licensed or maintained by a business or person conducting business in California is breached, the person or business is required under current law to give notice to any California resident whose information was accessed, or was believed to have been accessed, during the breach.
AB 1710 will require businesses or persons providing notice pursuant to a data breach, if the business or person is offering identity theft prevention and mitigation services, to offer those services at no cost for a minimum of 12 months to all persons affected by the breach. However, AB 1710 only applies if the person or business that has been breached was the source of the breach.
It appears from the text of AB 1710 that persons and businesses that have been breached are not required to offer mitigation services, but must meet the requirements in the event they opt to offer such services. However, the language of the bill is unclear and may be the subject of future litigation.
3. Prohibition on sale of Social Security number
Lastly, AB 1710 extends the prohibited uses of an individual’s Social Security number. Currently, a person or business cannot publicly post or display a California resident’s Social Security number. The amendment will also prohibit a business or individual from selling, advertising the sale of, or offering to sell the Social Security number of a California resident.
As the end of the year approaches and the deadline for compliance nears, any business that maintains personal information about a California resident should review its business operations and data storage practices to confirm compliance.
Lindsay Junck is an associate attorney at the Lotus Law Center, where she practices business, privacy and intellectual property law. The Lotus Law Center was founded as a way to make legal services affordable for all sizes of businesses. Focusing on the practice of business and technology law, the Lotus Law Center provides premium personal and professional responses to the legal needs of business clients at an affordable fixed or hourly rate. Contact her at lindsay@lotuslawcenter.com.