Expanded Notification Requirements for Data Breaches
Senate Bill 46 expands California’s data breach law to encompass breaches of an individual’s “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”[6] Although California’s existing data breach law in California Civil Code Section 1798.82 already requires businesses to provide notification of security breaches involving personal information,[7] the amended data breach law expands the definition of personal information and prescribes specific notification procedures for breaches implicating user names and email addresses. Specifically, in the case of a breach involving a user name or email address where no personal information and no login credentials of an email account are compromised, the business may comply with the statutory data breach obligations by providing notification in electronic format, such as email or through the individual’s online account, advising the individual to change his or her password and security credentials.[8]
Conversely, where a breach involves an individual’s user name or email address and the login credentials of an email account, the business cannot comply with the data breach obligations by providing notification to that email address, but may, instead, provide clear and conspicuous notice to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.[9] The business may also comply with the alternative notice obligations set forth in California Civil Code Section 1798.82(j), e.g., written notice or, where certain requirements are met, substitute notice.[10]
California’s New COPPA-Like Law
Finally, in September of this year, Senate Bill 568 was signed into law by the Governor of California. The new law has two aims: 1) to limit children’s exposure to certain types of advertising and 2) to provide a means for children to remove content they post online. The law goes into effect January 1, 2015.
With respect to advertising, the law prohibits websites and applications directed to minors from marketing products or services that minors cannot lawfully purchase (e.g., alcohol, weapons, lottery tickets, tobacco, etc.).[11] A website or application is “directed” to minors where it is “created for the purpose of reaching an audience that is predominately comprised of minors and is not intended for a more general audience comprised of adults.”[12] Even if the website or application is not directed toward minors, the law requires operators to make a good faith effort not to market such products to minors whom the operator knows to be using its site or application.[13] The law also prohibits an operator or third party from using or disclosing a minor’s personal information with knowledge that the information will be used to advertise such products to minors.[14]
The law also imposes several new responsibilities on operators in regard to content control. Most importantly, operators are required to allow minors to request and obtain removal of content they post to a website or application, so long as they are registered users. Operators must also deliver to minors notice of this allowance, instructions on how they may request and obtain removal of content, and notice that removal may not be comprehensive.[15] The removal of content is not required in some circumstances, including where the content was posted by a third party, where the operator anonymized the content, or where the minor received consideration for providing the content.[16]
In summary, this new law seeks to protect all minors, as opposed to COPPA, which is limited to minors under 13. Nevertheless, many of the same challenges and risk assessments apply. For example, whether a website or application is directed toward minors is not always obvious, and because liability in some circumstances depends on an operator’s knowledge, it is advisable to avoid collecting age information unless necessary for business purposes.
[1] Under the Act, “personally identifiable information” is defined as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
Cal. Bus. & Prof. Code § 22577(a).
[2] Cal. Bus. & Prof. Code § 22575(a).
[3] Id. at § 22575(b).
[4] A.B. 370, 2013–2014 Leg., Reg. Sess. (Ca. 2013).
[6] Cal. Civ. Code § 1798.82(h)(2) (Effective January 1, 2014).
[7] Under existing law, “personal information” means:
1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
A. Social security number.
B. Driver’s license number or California identification card number.
C. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
D. Medical information.
E. Health insurance information.
Cal. Civ. Code § 1798.82(h)(1).
[8] Cal. Civ. Code § 1798(d)(4) (Effective January 1, 2014).
[9] Cal. Civ. Code § 1798(d)(5) (Effective January 1, 2014).
[10] Cal. Civ. Code § 1798(d)(5) (Effective January 1, 2014).
[11] S.B. 568, 2013–2014 Leg., Reg. Sess. (Ca. 2013).
[13] Id. § 22580(b).
[14] Id. § 22580(c).
[15] Id. § 22581(a).
[16] Id. § 22581(b).