
California Tightens Privacy Protection

By Alexander Southwell
November 30, 2013

California has a reputation for developing innovative regulation to address new technology, including a range of laws intended to safeguard the privacy of consumer data and to combat phishing, malware and cyberbullying. Recently, the California legislature passed three laws that significantly alter the privacy landscape and impose new responsibilities that arguably apply to any company doing business in the state.

This article explains the California Privacy Policy Law and amendments to California's Data Breach Notification Law, and suggests how companies might comply with the new requirements set forth in each. It also addresses the “Delete Button” law, which codifies minors' ability to request deletion of certain information posted online.

Privacy Policy Law

Assembly Bill 370, California's Privacy Policy Law, amends the California Online Privacy Protection Act (CalOPPA), Business and Professions Code §22575, to require additional disclosures in corporate privacy policies. Intended to make transparent how a company tracks and shares user data, it requires disclosures in three areas: 1) “do not track” signals; 2) third-party tracking; and 3) conspicuous opt-out notices.

'Do Not Track' Signals

A.B. 370 requires companies to disclose how they respond to “do not track” signals. A “do not track” signal is an HTTP request header (DNT: 1) that a browser sends, at the user's direction, to tell each website it visits that the user does not want to be tracked. The header expresses a preference; it does not itself stop any tracking, and A.B. 370 requires only that a company disclose how it responds to the signal, not that it honor it. The Federal Trade Commission has informally called on companies to honor “do not track” requests in its educational publications, but it has not issued formal rules on the subject. Without a specific requirement to honor such signals, many companies choose to ignore them.

There are two notable features of this provision. First, the disclosure is not limited to “do not track” signals but extends to “other [similar] mechanisms,” so companies should make sure their disclosures, and the systems behind them, keep pace with other opt-out mechanisms as they become available. Second, by its terms the provision applies to all tracking activity, regardless of the motivation behind it. As a result, a company must disclose tracking conducted for internal research and development as well as tracking for other purposes such as marketing.
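The server-side handling that such a disclosure describes, as an added example that is not code from the original article: a small Python routine that reads the browser's signal from a WSGI-style request environment, decides whether to load trackers, and reports the result in the response. Assumptions: the DNT: 1 (do not track) and DNT: 0 (consent) request-header semantics and the Tk response header come from the W3C Tracking Preference Expression draft; Sec-GPC: 1 (Global Privacy Control) is a later signal of the same kind and stands in here for the “other similar mechanisms” the statute mentions; the policy of honoring the signal, and of switching off first-party analytics as well when it is set, is a design choice for the example, not something A.B. 370 requires.

```python
"""Reading a browser's Do Not Track preference on the server side.

Added example, not code from the original article.  Assumptions:
  * request headers arrive in WSGI form (DNT -> HTTP_DNT, Sec-GPC -> HTTP_SEC_GPC);
  * "DNT: 1" means do not track and "DNT: 0" means consent, and the "Tk"
    response header reports tracking status, per the W3C Tracking
    Preference Expression (TPE) draft (N = not tracking, T = tracking,
    C = tracking with consent);
  * "Sec-GPC: 1" (Global Privacy Control) is a later signal of the same
    kind, included as an example of "other similar mechanisms".
"""
from dataclasses import dataclass
from typing import Callable, List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Preference:
    source: str     # header that carried the signal
    opt_out: bool   # True: user asked not to be tracked; False: consent


def _parse_dnt(value: str) -> Optional[bool]:
    """DNT: "1" -> opt out, "0" -> consent, anything else -> no preference."""
    v = value.strip()
    if v == "1":
        return True
    if v == "0":
        return False
    return None


def _parse_gpc(value: str) -> Optional[bool]:
    """Sec-GPC: only "1" is defined; it is an opt-out, never consent."""
    return True if value.strip() == "1" else None


# Registry of opt-out mechanisms.  Supporting a new signal means adding a
# row here; order matters, since the first header that parses wins.
SIGNALS: List[Tuple[str, str, Callable[[str], Optional[bool]]]] = [
    ("DNT", "HTTP_DNT", _parse_dnt),
    ("Sec-GPC", "HTTP_SEC_GPC", _parse_gpc),
]


def read_preference(environ: Mapping[str, str]) -> Optional[Preference]:
    """Return the first recognised signal in the request, or None."""
    for name, key, parser in SIGNALS:
        raw = environ.get(key)
        if raw is None:
            continue
        parsed = parser(raw)
        if parsed is not None:
            return Preference(source=name, opt_out=parsed)
    return None


def tracking_decision(environ: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (load_trackers, tk_status).

    Policy (a choice for this example): an opt-out disables all tracking,
    first-party analytics included, because the disclosure duty covers
    tracking for any purpose; DNT: 0 is treated as consent; no signal at
    all falls back to the site's default (tracking on).
    """
    pref = read_preference(environ)
    if pref is None:
        return True, "T"
    if pref.opt_out:
        return False, "N"
    return True, "C"


def response_headers(environ: Mapping[str, str]) -> List[Tuple[str, str]]:
    """Headers to attach to the response: the Tk status, plus Vary so a
    shared cache does not serve a tracking page to an opted-out user."""
    _, status = tracking_decision(environ)
    return [("Tk", status), ("Vary", "DNT, Sec-GPC")]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for env in ({"HTTP_DNT": "1"}, {"HTTP_DNT": "0"}, {},
                {"HTTP_DNT": "yes", "HTTP_SEC_GPC": "1"}):
        print(env, "->", tracking_decision(env), response_headers(env))
```

Whatever policy a site adopts, the function that makes the decision is the thing the privacy policy has to describe accurately: if the registry above honors DNT but the policy says the site ignores it, the disclosure is wrong in the direction regulators care about.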

Third-Party Tracking

A.B. 370 requires companies to disclose whether third parties may collect personally identifiable information about a consumer's online activities over time and across different websites. Previously, CalOPPA required companies to disclose only the “categories” of third parties with whom they share information that they themselves collected. Importantly, the amendment requires companies to disclose only whether third parties collect such information, not what the third parties track. Nonetheless, companies should make sure they fully understand whether and how third parties track user activity on their websites, and update their privacy policies accordingly.

Opt-Out Disclosures

A.B. 370 also permits a company to satisfy the “do not track” disclosure requirement by providing a “clear and conspicuous” hyperlink in its privacy policy to an explanation of the company's opt-out program, together with a mechanism for the user to opt out of the company's tracking practices. Linking to opt-out procedures, however, satisfies only the obligation to disclose how the company treats “do not track” signals; it does not satisfy A.B. 370's third-party tracking disclosure requirement.

Ensuring Compliance

The law does not provide clear guidance as to its geographic scope. By its terms, it applies to any company that owns or operates a website and collects California residents' personally identifiable information (PII) over the Internet. This would presumably include all companies that collect PII, so long as the company's website has had a single visitor residing in California. In view of this provision's extraordinary scope, along with California's increased focus on privacy policies, companies nationwide should assess whether they comply with this law. See, “CA to App Devs: Get Privacy Policies or Risk $2500-Per-Download Fines,” Ars Technica.

Data Breach Notification Law

Senate Bill 46 broadens the scope of California's data breach notification statute. It amends California Civil Code §§1798.29 (relating to government agencies) and 1798.82 (relating to persons and businesses) to require companies and government agencies to notify California residents when they experience a breach of user names or e-mail addresses, together with the credentials that would allow access to the user's online account.

California already requires businesses to notify consumers about the unauthorized acquisition of their PII. Its data breach notification statute, passed in 2002, served as a model for a number of states that followed suit with nearly identical statutes.

S.B. 46 expands the definition of “personal information” in the statute to encompass credentials that would allow an unauthorized person to log into someone's online accounts. S.B. 46 requires businesses to notify consumers of any breach involving “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”

The amendment also governs how a company must notify consumers about the unauthorized acquisition of their login credentials:

  • For breaches of login credentials that would not allow access to an e-mail account, companies may provide consumers notice of the security breach via e-mail or any other permissible method.
  • For security breaches that do involve e-mail login credentials, businesses cannot satisfy S.B. 46's notice requirement via e-mail notice. Instead, businesses must provide notice through one of several permissible methods:

o “Clear and conspicuous notice” delivered to the user online when the user is connected to the online account from an IP address or online location from which the business knows the user customarily accesses the account.
o Written notice, which is often quite costly.
o Electronic (but non-e-mail) notice in compliance with federal law.

The amendments take effect Jan. 1, 2014. To prepare, companies should determine whether they record the IP addresses or locations from which users log in, because the in-account notice option is available only when the business knows the user is connected from a location he or she customarily uses.
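The in-account notice option turns on whether the business can tell that the user is connected from a customary location, which is a question about login history. What follows is an added example, not part of the original article, of how a site might make that determination and choose a notice channel. It assumes a login history of (user, timestamp, source IP) rows, constructed here with TEST-NET addresses; the “customary” threshold (the same /24 or /64 network on at least three distinct days in the last 90) and the column names used to classify a breached record are choices made for the example, not figures from the statute.

```python
"""Choosing a delivery channel for a credential-breach notice.

Added example, not code from the original article.  Assumptions: the login
history is a list of (user, timestamp, ip) tuples, constructed below; the
"customary" threshold (the same /24 or /64 network on at least 3 distinct
days in the last 90) is a choice made for this example, not a figure from
the statute; the field names used to classify a breached record are
hypothetical column names.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple

Login = Tuple[str, datetime, str]  # (user, timestamp, source ip)

LOGIN_FIELDS = {"username", "email"}
SECRET_FIELDS = {"password", "security_question_answer"}


def is_credential_breach(fields: Set[str]) -> bool:
    """S.B. 46 trigger: a user name or e-mail address together with a
    password or security question and answer."""
    return bool(fields & LOGIN_FIELDS) and bool(fields & SECRET_FIELDS)


def network_of(ip: str):
    """Aggregate addresses to a /24 (IPv4) or /64 (IPv6) so a home
    connection whose last octet changes still counts as one place."""
    addr = ip_address(ip)
    return ip_network(f"{addr}/{24 if addr.version == 4 else 64}", strict=False)


def customary_networks(logins: Iterable[Login], user: str, now: datetime,
                       window_days: int = 90, min_days: int = 3):
    """Networks from which `user` logged in on >= min_days distinct days
    within the window: the 'online location from which the business knows
    the user customarily accesses the account'."""
    cutoff = now - timedelta(days=window_days)
    days_seen = defaultdict(set)
    for u, ts, ip in logins:
        if u == user and ts >= cutoff:
            days_seen[network_of(ip)].add(ts.date())
    return {net for net, days in days_seen.items() if len(days) >= min_days}


def is_customary(logins: Iterable[Login], user: str, now: datetime,
                 current_ip: str) -> bool:
    addr = ip_address(current_ip)
    return any(addr in net for net in customary_networks(logins, user, now))


def notice_channel(fields: Set[str], grants_email_access: bool,
                   logins: Iterable[Login], user: str, now: datetime,
                   current_ip: Optional[str] = None) -> str:
    """Pick a delivery channel consistent with the amended statute."""
    if not is_credential_breach(fields):
        return "not-a-credential-breach"   # other PII categories may still apply
    if not grants_email_access:
        return "email-or-other-permitted-method"
    # Credentials to the user's e-mail account were breached: notice by e-mail
    # to that account is not allowed.  The in-account notice is only an option
    # while the user is connected from a customary location.
    if current_ip is not None and is_customary(logins, user, now, current_ip):
        return "in-account-notice"
    return "written-or-other-electronic-notice"


# Constructed login history (TEST-NET addresses), not real traffic.
NOW = datetime(2014, 1, 15, 9, 0)
LOGINS: List[Login] = [
    ("alice", datetime(2014, 1, 2, 8, 0), "203.0.113.10"),
    ("alice", datetime(2014, 1, 5, 8, 5), "203.0.113.11"),
    ("alice", datetime(2014, 1, 9, 8, 1), "203.0.113.10"),
    ("alice", datetime(2014, 1, 12, 8, 3), "203.0.113.12"),
    ("alice", datetime(2014, 1, 13, 22, 40), "198.51.100.7"),   # one-off
    ("alice", datetime(2013, 6, 1, 8, 0), "192.0.2.5"),          # outside window
    ("bob", datetime(2014, 1, 10, 8, 0), "198.51.100.7"),
]

if __name__ == "__main__":
    breached = {"email", "password"}
    for ip in ("203.0.113.99", "198.51.100.7"):
        print(ip, "->", notice_channel(breached, True, LOGINS, "alice", NOW, ip))
```

The threshold deserves the most thought in a real deployment: a single login from a coffee shop should not make that network “customary,” and if the attacker who took the credentials has already logged in from a new location, that location must not qualify either, which is why the window counts distinct days rather than raw login counts.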

The 'Delete Button' Law

On Sept. 23, 2013, California Governor Edmund “Jerry” Brown signed into law Senate Bill 568, “Privacy Rights for California Minors in a Digital World.” S.B. 568 includes a provision known as the “Delete Button” or “Eraser” law, which allows minors under 18 to request that companies delete specified information that the requestor previously posted online.

California Senate President Pro Tem Darrell Steinberg, who sponsored the bill, said a motivating factor behind the law is that colleges and universities can research applicants' Facebook pages and web presence. See “Author of California Online Eraser Law: It's Not Always Easy to Find the Delete Button,” Washington Post, Sept. 25, 2013.

The “Delete Button” law adds to a growing body of legislation aimed at regulating minors' Internet presence. Amendments to the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§6501-6506, the federal law governing the online collection of personal information from children under 13, took effect on July 1, 2013; they broaden the categories of personal information that may not be collected without parental notice and consent.

The “Delete Button” law applies to companies operating websites, mobile and Internet-based “apps,” and to those providing online services. However, it covers only websites and apps “directed” to minors, or whose operators have actual knowledge that a minor is using the site. The law defines a site “directed to minors” as one “created for the purpose” of reaching predominantly those under 18. This definition is less specific than COPPA's: under the federal statute, regulators must consider a number of factors, including language and advertising content, to determine which websites are “directed to children,” while S.B. 568 focuses on the intent of the website creator.

All covered companies must notify minors of their right to request removal of unwanted information posted by the minor on the company's website, and must remove such information upon request. Alternatively, companies can comply with this law by providing minors with clear instructions as to how to directly remove information that they posted.

The “Delete Button” law has a number of enumerated limits that affect its scope:

  • Minors can only request deletion of information that they posted. S.B. 568 does not allow a minor to request deletion of information that was stored, republished or reposted by a third party (this limitation stands in contrast to COPPA, which permits parents to request deletion of their children's personal information, regardless of who originally posted the content).
  • Only “registered users” of a company's website can request deletion.
  • If a minor fails to follow the procedures for deletion, a company need not delete the information.
  • Those receiving compensation for posted content cannot request deletion.
  • Minors cannot request deletion of posted content that is inaccessible to third parties.

It is unclear to what extent the law will alter companies' current content-deletion practices, because most websites and apps already voluntarily allow users to remove their posts. Moreover, the law makes abundantly clear that companies need not collect age information about users to comply with the law; they need only respond after a user requesting deletion identifies himself or herself as a minor. As a result, the “Delete Button” law may incentivize companies not to determine whether a user is a minor.

The “Delete Button” law applies to minors under the age of 18, a significant difference from COPPA, which applies only to children under 13. However, S.B. 568 does not explicitly address whether companies must provide “delete button” privileges to minors who lie about their age. This is a common phenomenon: for example, Facebook requires all users to be 13 or older, but a 2011 McAfee study found that 37% of 10-12 year olds have a Facebook account. See “Youth Online Behavior.” The same pre-teen who claims to be 21 to obtain a Facebook account may later ask Facebook to delete an embarrassing post. S.B. 568 does not appear to extend the deletion right to this pre-teen, because it applies only to companies that have “actual knowledge that a minor” is using the website. However, once the “21-year-old” pre-teen makes the deletion request, the website will have actual knowledge of the user's age. Companies that bar minors from their services may therefore find themselves honoring a deletion request from such a minor and then deleting the account.

The geographic reach of the law is ambiguous. S.B. 568 is silent about whether it regulates only those businesses with a brick-and-mortar presence in California, or all websites on which California minors might post information.

Codified at Business and Professions Code §§22581-22582, the “Delete Button” law becomes effective Jan. 1, 2015. This gives companies ample time to alter their websites and apps in accordance with the law; it also provides a significant amount of time to lodge legal challenges or introduce amendments.


Alexander Southwell is a partner and co-chair of the information technology and data privacy practice in the New York office of Gibson Dunn & Crutcher. He can be reached at [email protected]. California-based associates Joshua Jessen, Vivek Narayanadas, and Danielle Serbin contributed to this article.
