California Legislature Active on Privacy and Data Protection

The California Legislature was active in August and early September in the area of privacy and data protection, with three separate bills making their way through both houses and currently awaiting the Governor's approval. California has long been on the forefront of privacy and data protection development, and these bills are the latest steps to strengthen consumer privacy protection.

A.B. 370, a bill amending the California Online Privacy Protection Act ("CalOPPA") was unanimously passed by the California Senate and Assembly in late August ("Do-Not-Track Bill"). In general, the Do-Not-Track Bill adds new disclosure requirements for operators of commercial websites and online services to disclose (i) how they respond to "do not track" mechanisms exercised by consumers, and (ii) whether third parties may collect personally identifiable information on their websites when a consumer uses such a website.

S.B. 46, a bill amending California's current data breach notification law (as codified in California Civil Code §§1798. 29 and 1798.82) also was passed by both houses in California in late August ("Breach Notice Bill"). The Breach Notice Bill requires consumer notification if an individual's user name or email address, in combination with a password or security question and answer that would permit access to an online account, has been exposed. The Breach Notice Bill also addresses the methods of data breach notice options.

S.B. 568, a bill entitled the "Privacy Rights for California Minors in the Digital World," adds two new sections to the California Business & Professions Code and was unanimously passed by the California Senate in the first week of September, after previously clearing the California Assembly ("Minors' Privacy Bill"). The Minors' Privacy Bill prohibits certain types of marketing to individuals under the age of 18 years residing in California and allows minors to delete materials they have posted online under specified circumstances.

Do-Not-Track Bill

The Do-Not-Track Bill aims to boost consumer awareness of online behavioral tracking by adding the following two disclosure requirements for operators of commercial websites and online services that collect personal information from consumers who visit their sites:

• Disclose how the operator responds "to 'do not track' signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across different Web sites or online services" and
• "Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities when a consumer uses the operator's Web site or service."

In its current form, CalOPPA generally requires the conspicuous posting of a privacy policy that describes (i) the categories of personally identifiable information that the operator collects about individual consumers who use or visit its website or online service, (ii) third parties with whom the operator shares the information, (iii) the process by which consumers can review and change the collected personally identifiable information, and (iv) the process by which it will notify consumers of changes to its website's privacy policy. Enforcement action will be taken only if a party fails to post its privacy policy within 30 days after being notified of noncompliance.

Although this bill is popularly referred to as the "Do Not Track" legislation, its amendments do not actually impose a "do not track" ("DNT") standard on websites. The bill merely calls for the disclosure of how a website or online service operator will respond to such a DNT signal, should a consumer exercise choice regarding the collection of the relevant personally identifiable information. The Do-Not-Track Bill also permits disclosure through the website's privacy policy of the "do not track" signal response through a hyperlink to an online location of the program the website uses to offer its consumers that choice.

Breach Notice Bill

The Breach Notice Bill extends protections for consumers by requiring breach notifications for additional categories of data. Currently, breach notification in California is triggered by the unauthorized acquisition of an individual's first name or initial and last name in combination with one or more of the following unencrypted types of data: Social Security number; driver's license or state identification number; account, credit card, or debit card number in combination with any required security or access codes; medical information; or health information. The Breach Notice Bill adds the following to this list: a "user name or email address, in combination with a password or security question and answer that would permit access to an online account."

In addition, the Breach Notice Bill allows for notification in an electronic form when the exposed identifying information involves only the personal information for an online account, i.e., the user name or email address in combination with password or security question and answer. The Breach Notice Bill also specifies that when the breached information is the login credentials for an email account, the notification must not be provided to that exposed email address, but the notification requirement must be complied with by another specified method or "by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account."

Minors' Privacy Bill

The Minors' Privacy Bill adds specific provisions aimed at protecting California's children. Specifically, the bill prohibits an online operator from:

• Marketing or advertising specified types of products or services, such as ammunition, alcohol, tobacco, "etching cream," drug paraphernalia, etc. to a minor, either directly or through a third party; and
• Using, disclosing, or compiling, or allowing a third party to use, disclose, or compile, a minor's personal information for marketing and advertising the specified products or services.

These prohibitions do not, however, apply to the "incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services." The bill defines "marketing or advertising" as requiring an "exchange for monetary compensation" in order "to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service."

This bill also requires a website operator to:

• Permit a minor to remove or request the removal of content or information that the minor posted on the website;
• Provide notice to a minor about the options he/she has to remove information, along with instructions on how to remove content; and
• Specify in the notice to be provided to the minor that removing one's content "does not ensure complete or comprehensive removal … posted on the operator's Internet Web site, online service, online application, or mobile application" by the registered user.

Finally, the Minors' Privacy Bill lists specific circumstances under which a website operator or third party is exempt from enabling the erasure of information: (i) the law requires the information to be maintained, (ii) the information was posted on the website by a third party, (iii) the operator makes anonymous the information posted, (iv) the minor is compensated for providing content, or (v) the minor did not follow instructions regarding removing the posted content.

Recommendations

In the event that these bills are enacted into law, operators of a website or online service accessible to California residents and who collect personal information should:

• Acquaint themselves with the three bills and how they may affect their business;
• Ensure that their privacy policy complies with the provisions related to the new disclosure requirements in the Do-Not-Track Bill;
• Conduct an assessment of current practices and adopt standards and procedures for responding to and notifying personal data breaches, keeping in mind the new requirements related to online credentials in the Breach Notice Bill; and
• Evaluate their marketing and advertising mechanisms, both direct and through third parties, to ensure that they comply with the new requirements enumerated in the Minors' Privacy Bill.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Katherine S. Ritchey
San Francisco
+1.415.875.5728
ksritchey@jonesday.com

Nandini Iyer, an associate in the Silicon Valley Office, assisted in the preparation of this Alert.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.