Reaffirming California’s place as a nationwide leader in consumer privacy law, Governor Brown signed three privacy bills into law on September 27. This comes just days after he signed SB 568 into law, making it illegal to advertise certain products to minors and requiring Internet operators to remove content or information uploaded to websites by minors at their request.
AB 370, introduced by Asm. Al Muratsuchi, amends Section 22575 of the Business and Professions Code to require website operators to disclose whether third parties may collect personal information about a consumer while using their website. The new law also requires that website operators openly disclose how they will respond to a “do not track” signal from an internet browser. This is particularly significant because the W3C’s Tracking Protection Working Group (TPWG), tasked with defining tracking and creating a self-regulatory system regarding Do Not Track, has made little progress since its inception two years ago. Last month, the Digital Advertising Alliance, a leading national advertising trade group, left the TPWG due to its lack of faith in the ability of the group to reach any consensus. AB 370 does not create government regulation of Do Not Track; however, it requires that operators now pick a side and let Californians know whether they will honor a Do Not Track signal, and operators can be held responsible if they don’t stick to their word.
By enacting SB 46, introduced by Sen. Ellen Corbett, California also updated the definition of “personal information” under Section 1798.29 of the Civil Code to include a username and password. Now a data breach notification via letter or email will be required whenever there is a breach of only an online username and password, even when no other traditional forms of personal identifying information are exposed. This is important as more people are conducting more confidential communications and transactions online, whether they are managing investment portfolios and bank accounts or simply social media profiles and personal email accounts that may contain vital personal information.
Introduced by Asm. Nora Campos, AB 1149 was also signed into law amending Section 1798.29 of the Civil Code to change the definition of agency to include local agencies. Prior to this law, the term agency under this section included state offices and agencies, but specifically excluded local agencies. With AB 1149, local agencies will be held to the same data breach notification requirements as all other state agencies in California.
California continues to push the envelope when it comes to consumer privacy and often influences federal legislation and other state laws. With the future of the TPWG uncertain, more laws like AB 370 may pop up in other states in an attempt to give their consumers some clarity when it comes to how they are tracked on the web.
“New Privacy Laws Abound in California” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.