Does your business operate a website, online service, application or database? California has a group of privacy and data security laws that apply to those types of businesses. Because most websites, applications and databases involve California residents, such laws effectively set a nationwide baseline.
Here are four California laws on privacy and what they mean for businesses:
1. Disclose “Do Not Track” Responses. Effective January 1, 2014. This law applies to any website, online service or mobile application that collects personally identifiable information from consumers residing in California. These services have been able to track users’ browsing history through the use of “cookies” and other tracking signals. Users can enable a “do not track” signal in their web browsers and that is now the default setting in some browsers. The law requires the operators of websites, online services and apps to disclose how or if they respond to “do not track” signals. The law does not require operators to comply with “do not track” signals. Site operators will need to explain in their privacy policies how they respond to “do not track” signals and whether third parties collect data on consumers through the site. This is a disclosure law only. The California Attorney General can enforce it and impose civil penalties. The law gives organizations 30 days in which to address alleged deficiencies communicated by the Attorney General. It is the first legislation in the world directly addressing “do not track.” (Cal. A.B. 370.)
2. Expand Data Breach Notices. Effective January 1, 2014. This expanded California’s previous data breach notification law. The previous law required database operators to notify consumers of data breaches involving various combinations of name, social security number, driver’s license number, financial account, medical information or health insurance information. The current law requires operators to also notify consumers of data breaches that involve user name or email address, in combination with a password or security question and answer. The data breach notification laws now also extend to local public agencies. (Cal. S.B. 46 and A.B. 1149.)
3. Restrict Online Advertising to Minors. Effective January 1, 2015. This law applies to any website, online service, online application or mobile application that is directed to minors or that has knowledge that minors use its service. It applies if the audience is “predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” Site operators are prohibited from advertising or marketing to minors a list of specific products or services. Those include alcohol, firearms, tobacco and cigarettes (including electronic cigarettes), ultraviolet tanning devices, ephedra dietary supplements, permanent tattoos and dangerous fireworks. (Cal. S.B. 568.)
4. Allow Minors to Delete Their Own Content and Posts. Effective January 1, 2015. This provision, part of the same law as item 3 above, requires websites and online services to allow minors to access and delete information that the minors posted. This allows the minor to delete embarrassing content that they later regret posting. Operators are not required to delete or erase the content, but instead may comply by making the content invisible to other users of the service and to the public. This “eraser button” law is also believed to be the first of its kind. (Cal. S.B. 568.)
Businesses that serve California consumers should assess their operations and policies on the topics above. Privacy and data security laws are a rapidly changing landscape.