Written by Scott W. Pink and Carissa L. Bouwer
California has long been a leader in legislative efforts to protect online privacy rights of consumers. California passed the nation’s first security breach disclosure law, the first law requiring online privacy policies, and more recently, the first set of privacy guidelines for mobile app providers. This year California’s legislature is considering several new bills that, if passed, would further strengthen the privacy rights of California residents. It is important for all companies to monitor these bills because, if passed, they could significantly impact information collection practices.
AB 242
As we mentioned in a previous post, this bill is an attempt to force privacy policies to be written in plain English. Cal. Bus. & Prof. Code § 22575 presently requires operators of websites or online services that collect personal information from California residents to post a privacy policy describing the collection of personal information, including what is collected and how it is used. This bill would amend Section 22575 by requiring that the privacy policy be no more than 100 words, written in clear and precise language at no greater than an eighth grade reading level. It would also require the privacy policy to include a statement indicating whether the information collected may be sold or shared with others. If passed, this bill would require an overhaul of many privacy policies in order to meet the length restriction. The bill was introduced on February 6, 2013 and has since been referred to the Judiciary Committee and the Business, Professions and Consumer Protection Committee.
AB 257
Introduced February 7, this bill would amend Cal. Bus. & Prof. Code § 22577 and add three new sections to § 22575. The amendment to Section 22577 clarifies that the requirement to have a posted privacy policy applies to mobile app operators, the operators of mobile app markets, and mobile app advertisers. Section 22575.1 would require that privacy policies for such mobile applications specify information collection and retention policies, including the types of information collected, the use and retention period for each category of information, the categories of third parties with whom the information will be shared, and the choices a consumer has with regard to his or her personal information. It would also require a supplemental privacy policy if non-essential information is collected and a “special notice” if the application accesses text messages, call logs, the camera, the dialer, or the microphone, or collects location information, financial information, medical information, or passwords. In addition, mobile app operators would be required to use security safeguards to protect personally identifiable information from unauthorized access, use, disclosure, modification, or destruction.
Section 22575.2 would require mobile app markets, such as the Apple App Store or Google Play, to include a link to the privacy policy for each mobile app and to report apps that do not comply with the law. Under Section 22575.3, mobile app advertisers would be required to include a privacy policy, obtain consent before accessing personally identifiable information, and would be prohibited from using unchangeable device-specific identifiers. This bill was referred to the Judiciary Committee and the Business, Professions and Consumer Protection Committee on March 21, 2013.
AB 1291
Assembly Bill 1291 was introduced February 22 and would amend Cal. Civ. Code § 1798.83, commonly known as the “Shine the Light Law”. The law requires certain businesses that collect personal information and disclose it to third parties for their marketing purposes to provide those details to people it has had an established business relationship with upon request. Presently, violations result in civil penalties ranging from $500-3000, and civil actions to recover damages for injuries.
The bill would:
- Replace “established business relationship” with “customer”, which is defined broadly in the bill and would expand the number of California residents who can request information under this statute or bring a cause of action;
- Eliminate the need to prove actual injury, as all violations will be deemed to constitute an injury to the customer;
- Expand the definition of “personal information” to include alias, nicknames, user name, account name, driver’s license number, ID card number, passport number, sexual orientation, gender, gender status, gender identity, mental health, location information, IP address, texts, photos, audio or video recordings, and other material generated by the customer; and
- Give businesses three ways to comply with the law: 1) provide an address for requests and respond within 30 days providing detailed information about what personal information was shared and with who; 2) provide customers with notice prior to or immediately following a disclosure; or 3) providing a disclosure which complies both with the federal law for financial institutions, 15 U.S.C. § 6803, and the remaining provisions of § 1798.83.
AB 1291 was referred to the Judiciary Committee on March 11, 2013.
AB 319
The federal Children’s Online Privacy Protection Act, or COPPA, governs the online privacy rights of children under 13. In 2009, Maine passed a law that would have extended COPPA-like protections to all minors under 18. The Maine law went further than COPPA by prohibiting the collection of personal information of minors under the age of 18 without parental consent and prohibiting the sale or transfer of personal information about a minor if the information was unlawfully collected, identified the minor, or would be used for predatory marketing. After significant public outcry, including the Maine Attorney General publicly committing not to enforce the law, it was repealed in 2010.
Now, California is seeking to do the same with Assembly Bill 319. The bill would require operators that 1) have a website or online service directed at minors, or 2) have actual knowledge that they are collecting information from minors to provide notice on the website about what information is collected and how it will be used. The bill defines minors as persons under the age of 18. Parents would be allowed to refuse the operator’s further collection or use of the information, and operators would not be allowed to condition a minor’s participation on providing more information than is reasonably necessary. In addition it creates an obligation for those operators to establish and maintain reasonable procedures to protect any information collected from minors.
COPPA governs the collection of information from children under the age of 13 and contains a preemption clause for inconsistent state or local laws. 15 U.S.C. § 6502(d). The bill as written will likely be preempted by COPPA.