Busy at Work: California Legislature Addressing Data Privacy Concerns with Data Privacy Law

by Reed Smith

The California legislature is busily at work, staying at the forefront with the development of data privacy laws. More than 15 bills related to data privacy concerns are currently making their way through the legislature, and they are catching the attention of the business world.

Here’s a short synopsis of the more notable ones finding some traction:

  • SB 568: Similar to the federal Children’s Online Privacy Protection Act (COPPA), SB 568 would require operators of Internet websites and online or mobile apps to permit minors to remove previously posted content, and give the minors notice of their right of removal. The bill would also limit operators’ ability to market or advertise certain products or services to minors, as well as prohibit operators from using, disclosing, or compiling certain personal information of the minor for marketing these same products or services. If enacted, operators will be required to implement these privacy protections by January 2015. Introduced by Senate President Pro Tem Darrell Steinberg (D), SB 568 has passed the Senate by a unanimous vote and has moved to the Assembly for consideration.
  • Social Networking Privacy Act (SB 501): We wrote previously about SB 501, after the bill was introduced by Senate Majority Leader Ellen M. Corbett (D). SB 501 would require social networking websites to remove a registered user’s personal identifying information within 96 hours of a request from the user or, if the user is a minor, from the user’s parent or legal guardian. Facebook and Google are the familiar faces opposing this bill, but several other companies like Tumblr and Zynga have voiced their opposition as well, criticizing SB 501 for being unworkable. The Senate approved SB 501 early this month by an overwhelming majority vote, and the bill now sits before the Assembly for consideration.
  • AB 370: AB 370 would amend the California Online Privacy Protection Act (“CalOPPA”) by requiring operators of commercial websites, or online services that collect personally identifiable information about consumers living in California, to disclose in their privacy policies whether they honor consumers’ requests to disable online tracking, and to disclose whether they allow third parties to conduct online tracking. Introduced by Assemblyman Al Muratsuchi (D) and sponsored by California Attorney General Kamala Harris, AB 370 passed the Assembly by a unanimous vote early this month and is now before the Senate for consideration.
  • SB 383: SB 383 would amend the Song Beverly Credit Card Act of 1971 to allow retailers to require credit card users, as a condition of accepting payment by credit card, to provide their ZIP Code and the numerical portion of their street addresses to be used solely for the prevention of fraud, theft, or identity theft. This bill additionally requires that the retailer dispose of that information in a secure manner after it is no longer needed for the prevention of fraud, theft, or identity theft, and prohibits the retailer from selling or sharing it with a third party. The bill was drafted in response to the California Supreme Court’s decision in Apple Inc. v. Superior Court, 56 Cal. 4th 128 (2013), which held that the Song Beverly Credit Card Act did not apply to online transactions involving downloadable products. Introduced by Senator Hannah-Beth Jackson (D), SB 383 was passed by the Judiciary Committee earlier this month and will soon be voted on by the Senate.
  • AB 242: AB 242 would amend CalOPPA by tightening the requirements for online privacy policies. We wrote about AB 242 earlier this year, after the bill was introduced by Assembly Member Ed Chau (D). AB 242 would require operators of websites or online services to limit their privacy policies to “no more than 100 words,” and to be written in “clear and concise language” at “no greater than an 8th grade reading level.” The bill would also require privacy policies to state whether “personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.” AB 242 is currently being considered by the Judiciary Committee, and the Business, Professions and Consumer Protection Committee.
  • The Right to Know Act of 2013 (AB 1291): We have written about AB 1291 several times before, most recently at the beginning of last month. The Right to Know Act would amend California’s Shine the Light law by requiring companies to provide, within 30 days of a customer’s request and at no charge, a copy of all personal information they retain about the customer, as well as the names and addresses of all third parties with access to that personal information in the previous 12 months. First introduced in February by Assemblywoman Bonnie Lowenthal (D), AB 1291 has recently been extended into a two-year bill, having faced fierce backlash from tech industry giants like Facebook Inc. and Google Inc. It will return to the Assembly for consideration in early 2014.
  • AB 257: AB 257 would also amend CalOPPA to expressly include mobile applications, and would require operators to satisfy various privacy policy requirements for mobile applications, including allowing consumers to access their own collected and retained PII, imposing safeguards to protect PII, requiring a supplemental privacy policy if an application collects information not essential to the application’s basic function, and a requirement that the operator provide a special notice if the application accesses specified devices and information. This bill would also require mobile application markets and advertising networks to comply with specified privacy procedures. Introduced by Assembly Member Isadore Hall, III (D), AB 257 is currently before the Assembly Judiciary Committee.

As these swiftly moving measures show, the California legislature, for better or for worse, is pushing to be at the forefront in the development of data privacy law. If enacted, these laws will certainly impact those conducting business in the state, and may likely influence the development of data privacy laws elsewhere.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising

Written by:

Reed Smith

Reed Smith on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.