California is at again! Recently, the state has enacted a wave of new online privacy laws that website, online service, application or database operators that collect personally identifiable information must follow. Of course, many websites, apps and online services are made available to a national and/or global audience, including residents of California.>
There are 4 main new legal requirements relating to the online privacy of California residents that may apply to you or your business. Here is a very brief summary of these new laws:
-Operators of websites, online services and apps must disclose how or if they respond to “do not track” signals. Some website and app users will enable a “do not track” signal in their web browsers. California recently amended its Online Privacy Protection Act (OPPA), which is now in effect, to require that website, online service or mobile application operators that collect personally identifiable information from California residents will need to explain in their privacy policies how they respond to “do not track” signals. If your website, app or service collects users’ browsing history through the use of “cookies” and other automatic collection tools, this new law may apply to you or your business. If you are unsure about whether your website, app or service collects data using automatic collection tools, you should talk to your web developer/administrator. Some commentators have pointed out that this is the first known legislation that addresses the do not track feature (Cal. A.B. 370.)
-You must now allow minors to delete their own content and posts. This new law is known as the “eraser button” law. It now requires website operators and online service providers to allow minors to access and delete information that the minor previously has posted using the site/service. Operators are free to allow permanent deletion or removal of the content, or they can simply make the content invisible to other users and the public. This new law isn’t effective until January 1st, 2015. (Cal S.B. 568.)
-There are new restrictions on online advertising to minors. Effective January 1st, 2015, a new law will restrict the operators of any website, online service or app that is directed towards minors or where the operators have knowledge that minors use the site or service from advertising or marketing to minors a list of specific products or services. This law applies when the website visitors are “predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” The list of restricted items includes alcohol, firearms, tobacco and cigarettes (including electronic cigarettes), ultraviolet tanning devices, ephedra dietary supplements, permanent tattoos and dangerous fireworks. (Cal. S.B. 568.)
-Any ‘Data Breach Notice’ needs to now include notice of breaches involving user-name or email addresses in combination with password or security question/answer. California currently has data breach notification laws on its books and this new law is an expansion of that legislation. The current law requires database operators to notify consumers of data breaches involving various combinations of personally identifiable information, such as name, social security number, driver’s license number, financial account, medical information or health insurance information. The law has now been expanded to require database operators to notify consumers of data breaches that involve user names or email addresses in combination with a password or security question and answer. This expanded part of the law focuses on the types of information that consumers use to access their accounts. The data breach notification laws will now also extend to local public agencies. This law won’t go into effect until January 1, 2014. (Cal. S.B. 46 and A.B. 1149.)