California Governor Edmund G. Brown has been busy over the last year and a half, signing several bills into law that strengthen California’s privacy laws in various areas. The bills range in scope from invasion of privacy and distribution of sexually explicit materials to student privacy and Internet privacy for minors. Many of the changes, which are summarized below, take effect January 1, 2015.
1. Constructive Invasion of Privacy
AB 2306, signed into law on September 30, 2014, updates and expands California’s existing definition of “constructive invasion of privacy.” The law previously held a person liable for constructive invasion of privacy when a person attempted to capture, in a manner offensive to a reasonable person, any type of visual image, sound recording or other physical impression, through the use of a visual or auditory enhancing device, of another person engaging in a personal or familial activity under circumstances where that person had a reasonable expectation of privacy. The statute subjects violators to specified damages and civil fines. Under the law as amended by AB 2306, the reference to “visual or auditory enhancing devices” has been removed from the statute, thus expanding the definition of a constructive invasion of privacy to include the use of any device.
The expansion of the law stems from the fact that many new technologies could permit an invasion of privacy without a physical trespass, even though those devices might not technically qualify as a “visual or auditory enhancing device,” e.g., a drone with a standard (not enhanced) camera or microphone.
Additionally, the law now applies to the capture of any private, personal or familial activity. The bill clarified the definition of “private, personal or familial activity” by providing some nonexclusive examples, such as intimate details of a person’s life, interactions with family members and significant others and activities occurring when minors are present or in a residential property. Of course, in all cases, the victim must have had a reasonable expectation of privacy. The changes are effective January 1, 2015.
2. Privacy Rights for California Minors in the Digital World
In September 2013, SB 568 was signed into law; it is effective January 1, 2015. A part of this bill known as the “California erasure law” requires the operator of a website, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the website, service, or application by the minor. This requirement applies unless the content or information was posted by a third party, any other provision of state or federal law requires the operator or third party to maintain the content or information, or the operator anonymizes the content or information. The bill also requires the operator to provide notice to a minor that the minor may remove the content or information.
This bill makes it illegal for an operator of a website, online service, online application, or mobile application to market or advertise specified types of products or services to a minor (such as alcohol and firearms, among a laundry list of other items). The bill further bans an operator from knowingly using, disclosing, compiling, or allowing a third party to use, disclose or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The bill also makes this prohibition applicable to an advertising service that is notified by an operator of a website, online service, online application or mobile application that the site, service or application is directed to a minor.
3. Student Privacy
California passed three bills addressing student privacy on September 29, 2014.
The first bill, SB 1177, created the Student Online Personal Information Protection Act (SOPIPA). SOPIPA prohibits operators of websites, online services, online applications or mobile applications from knowingly engaging in any of the following activities if they have actual knowledge that the site, service or application is used primarily for K–12 school purposes, and was designed and marketed for K–12 school purposes:
targeting advertising based on any information acquired because of the use of the site, service or application
using information created or gathered by the site, service or application to amass a profile about a K–12 student, except in furtherance of K–12 school purposes
selling or disclosing a student’s information
disclosing personally identifiable information or material that is generally input, created or gathered through such sites, services or applications (with some exceptions).
Further, operators of covered sites must implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and must protect personal information from unauthorized access, destruction, use, modification or disclosure. SOPIPA becomes effective January 1, 2016.
The second bill, AB 1584, regulates agreements between educational agencies and third parties that provide services (including cloud-based services) relating to digital storage, management and retrieval of pupil records or that provide digital educational software. Under the new law, such agreements must include the following specified provisions:
a statement that the pupil records continue to be the property of, and under the control of, the educational agency
a description of the means by which pupils may retain possession and control of their own pupil-generated content, including options by which a pupil may transfer such content to a personal account
a prohibition against the third-party service provider using any information in the pupil record for any purpose other than those required or specifically permitted by the contract
a description of the procedures by which a parent, guardian or pupil may review the pupil’s personally identifiable information and correct it if erroneous
a description of the actions the third-party service provider will take to ensure the security and confidentiality of pupil records and the notification process if there is an unauthorized disclosure
a prohibition against using the personally identifiable information in pupil records to engage in targeted advertising
a description of how the educational agency and the third-party service provider will jointly ensure compliance with the Family Educational Rights and Privacy Act.
Failure to meet these standards may result in the contract being rendered void. The law is effective on January 1, 2015.
Finally, AB 1442 (1) requires a school district that gathers and maintains information about a student from social media to notify students and parents, (2) limits the information that it may collect to information that pertains directly to school or student safety and (3) requires the school district to destroy the information when it is no longer needed. Further, the district must provide students with access to any personal information about the student that is has gathered or maintained and obtained from social medial and must give the student an opportunity to correct or delete such information. The law is effective on January 1, 2015.
4. Distribution of Sexually Explicit Materials
AB 2643, signed into law on September 30, 2014, creates a private right of action against a person who intentionally distributes a sexually explicit photograph or other image or recording of another person without the consent of that person. For liability to attach (1) the violator must have known that the victim had a reasonable expectation of privacy, (2) the distributed material must expose an intimate body part of the victim or show the victim engaging in an act of intercourse, oral copulation, sodomy or other act of sexual penetration and (3) the victim must suffer general or special damages. Certain exceptions apply, e.g., where consent is obtained or where the subject matter is a matter of public concern.
The bill authorizes the court to order equitable relief enjoining or otherwise ordering the violator to remove the material. In addition, the court may award reasonable attorney’s fees and costs. The victim may also file an action with a pseudonym and may redact certain identifying characteristics from the pleadings. The provisions are effective July 1, 2015.
For further reading, please see the following client alerts:
California Data Breaches Require Identity Protection Services (and More)
California Privacy Initiatives Go into Effect January 1, 2014 – Are You Ready?
FTC Strengthens Laws to Protect Children’s Privacy