Does your business operate a website, online service, application or database? California has passed a group of privacy and data security laws that apply to those types of businesses. The new laws are either effective already or will be soon. Because most websites, applications and databases involve California residents, such new laws effectively set a nationwide baseline.
Here are four incoming laws on privacy and what they mean for businesses:
Disclose “Do Not Track” Responses. This new law is now in effect. It applies to any website, online service or mobile application that collects personally identifiable information from consumers residing in California. These services have been able to track users’ browsing history through the use of “cookies” and other tracking signals. Users can enable a “do not track” signal in their web browsers and that is now the default setting in some browsers. The new law requires the operators of websites, online services and apps to disclose how or if they respond to “do not track” signals. The law does not require operators to comply with “do not track” signals. Site operators will need to explain in their privacy policies how they respond to “do not track” signals and whether third parties collect data on consumers through the site. This is a disclosure law only. The California Attorney General can enforce it and impose civil penalties. The law gives organizations 30 days in which to address alleged deficiencies communicated by the Attorney General. It is the first legislation in the world directly addressing “do not track.” (Cal. A.B. 370.)
Expand Data Breach Notices. Effective January 1, 2014. This is an expansion of California’s current data breach notification law. The current law requires database operators to notify consumers of data breaches involving various combinations of name, social security number, driver’s license number, financial account, medical information or health insurance information. The expanded law requires operators to notify consumers of data breaches that involve user name or email address, in combination with a password or security question and answer. This expanded part of the law focuses on the types of information that consumers use to access their accounts. The data breach notification laws will now also extend to local public agencies. (Cal. S.B. 46 and A.B. 1149.)
Restrict Online Advertising to Minors. Effective January 1, 2015. This new law applies to any website, online service, online application or mobile application that is directed to minors or that has knowledge that minors use its service. It applies if the audience is “predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” Site operators are prohibited from advertising or marketing to minors a list of specific products or services. Those include alcohol, firearms, tobacco and cigarettes (including electronic cigarettes), ultraviolet tanning devices, ephedra dietary supplements, permanent tattoos and dangerous fireworks. (Cal. S.B. 568.)
Allow Minors to Delete Their Own Content and Posts. Effective January 1, 2015. Part of the same new law as the one immediately above will require websites and online services to allow minors to access and delete information that the minors posted. This allows the minor to delete embarrassing content that they later regret posting. Operators are not required to delete or erase the content, but instead may comply by making the content invisible to other users of the service and to the public. This “eraser button” law is also believed to be the first of its kind. (Cal. S.B. 568.)
Businesses that serve California consumers should assess their operations and policies on the topics above, and update and prepare by the applicable deadlines. Privacy and data security laws are a rapidly-changing landscape.