Are You Ready for New Privacy Laws Taking Effect on January 1, 2015?

Published: Nov. 10, 2014

Updated: Oct. 05, 2020

Halloween is over. Thanksgiving, Black Friday, and Christmas are right around the corner. For many that means spending time with family, holiday parties, and lots of shopping, but hopefully not all at the last minute. But for those in the privacy world, it also means that January 1, 2015 is looming – a date on which many new privacy laws take effect. Will you be ready? Here are a few of the more important and interesting privacy laws that will be taking effect on January 1, 2015. As usual, California leads the way.

Revisions to California Data Breach Notification Law

An annual pattern of revisions seems to be developing with California’s data breach notification law. Last year, the breach notification law was amended to expand the definition of “personal information” to include a user name or email address in combination with a password or security question and answer that would permit access to an online account. Those new provisions took effect on January 1, 2014. Our post from last year provides more information.

Similarly, this year, the law was amended once again, placing new, albeit somewhat ambiguous, requirements on companies to offer identity theft prevention and mitigation services to those affected by data breaches. The amendment also expands its application from companies that “own or license” personal data to companies that “maintain such information.” Thus, third parties, like cloud service providers that maintain personal information, are now required to have reasonable security practices and are subject to the breach notification requirement. The amendment also prohibits the sale, advertisement for sale, or offer to sell an individual’s Social Security number, other than as permitted by law. The identity theft provisions are confusing. It is not clear whether companies that are the source of a breach must offer identity theft prevention services, or whether the amendment simply explains how companies that choose to offer such services must do it. Ideally, the California Attorney General will provide some guidance in the near future.

California Digital Eraser Law

We previously blogged on SB 568, commonly referred to as the “Digital Eraser Law.” While the law was approved over a year ago by California Governor Jerry Brown, it will finally take effect on New Year’s Day 2015. The law prohibits advertising certain high-risk items (such as tobacco, firearms, tanning beds) on websites and other online services, like apps, that are directed to minors (kids under 18) or sites that have actual knowledge that minors are using their services. It also requires website operators to permit or enable minors to delete/erase content they posted. Determining whether your site or app is “directed to minors,” or whether you have actual knowledge of minors using your site or app, is key for determining whether this new law will affect your business. Other important questions remain unanswered, such as whether operators need to edit photos in order to comply with a user’s request to anonymize personal data and whether a user who is no longer a minor is permitted to have content removed that was created when they were a minor. Operators are anxiously awaiting further guidance from the California Attorney General, who in the past has weighed in with guidance on other California privacy laws – see our posts concerning Do-Not-Track and Mobile Privacy.

Updates to California’s Invasion of Privacy and Revenge Porn Laws

AB 2306 updates California’s invasion of privacy law by making it unlawful to use any device to unreasonably capture an image, sound or recording of another person engaging in a personal or familial activity under circumstances in which the other person had a reasonable expectation of privacy.

AB 2643 updates California’s revenge porn law by creating a private right of action against a person who intentionally distributes a photograph or recorded image of another that exposes intimate body parts, if such distribution is without consent and with knowledge that the other person had a reasonable expectation that the material would remain private.

Delaware Data Destruction Law

California is not the only state enacting new privacy laws on New Year’s Day. Delaware’s new data destruction law will require commercial entities to take reasonable steps to destroy records containing consumers’ “personal identifying information” by shredding, erasing, otherwise destroying or modifying such information to make it unreadable or indecipherable.

“Personal identifying information” has a similar definition to many of the state data breach notification laws. It includes a consumer’s first name or first initial and last name in combination with any of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: Social Security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information including all information relating to a patient’s health care history, diagnosis, condition, treatment, or evaluation. Because Delaware is the most popular state for incorporation, this law could impact a large number of companies that maintain users’ records.

California Student Online Personal Information Protection Act

And to get you prepared for January 2016, here’s a preview of an interesting law that takes effect then. The Student Online Personal Information Protection Act (SOPIPA) restricts operators of online services primarily used by, and designed and marketed for, K-12 schools from using a student’s activity to create a profile on the student for any non-school purpose. SOPIPA also prevents these operators from using, or allowing a third party to use, any information that the operator has acquired from a student’s use of their online service to engage in targeted advertising or to sell such information outside of an acquisition or change of control transaction. These operators also must maintain “reasonable security procedures and practices” to protect students’ information and must, upon request of the school, delete a student’s information.

Updated 11/19/2014
