Written by Scott W. Pink and Carissa L. Bouwer
California has long been a leader in legislative efforts to protect online privacy rights of consumers. California passed the nation’s first security breach disclosure law, the first law requiring online privacy policies, and more recently, the first set of privacy guidelines for mobile app providers. This year California’s legislature is considering several new bills that, if passed, would further strengthen the privacy rights of California residents. It is important for all companies to monitor these bills because, if passed, they could significantly impact information collection practices.
Assembly Bill 1291 was introduced February 22 and would amend Cal. Civ. Code § 1798.83, commonly known as the “Shine the Light Law”. The law requires certain businesses that collect personal information and disclose it to third parties for their marketing purposes to provide those details to people it has had an established business relationship with upon request. Presently, violations result in civil penalties ranging from $500-3000, and civil actions to recover damages for injuries.
The bill would:
- Replace “established business relationship” with “customer”, which is defined broadly in the bill and would expand the number of California residents who can request information under this statute or bring a cause of action;
- Eliminate the need to prove actual injury, as all violations will be deemed to constitute an injury to the customer;
- Expand the definition of “personal information” to include alias, nicknames, user name, account name, driver’s license number, ID card number, passport number, sexual orientation, gender, gender status, gender identity, mental health, location information, IP address, texts, photos, audio or video recordings, and other material generated by the customer; and
- Give businesses three ways to comply with the law: 1) provide an address for requests and respond within 30 days providing detailed information about what personal information was shared and with who; 2) provide customers with notice prior to or immediately following a disclosure; or 3) providing a disclosure which complies both with the federal law for financial institutions, 15 U.S.C. § 6803, and the remaining provisions of § 1798.83.
AB 1291 was referred to the Judiciary Committee on March 11, 2013.
The federal Children’s Online Privacy Protection Act, or COPPA, governs the online privacy rights of children under 13. In 2009, Maine passed a law that would have extended COPPA-like protections to all minors under 18. The Maine law went further than COPPA by prohibiting the collection of personal information of minors under the age of 18 without parental consent and prohibiting the sale or transfer of personal information about a minor if the information was unlawfully collected, identified the minor, or would be used for predatory marketing. After significant public outcry, including the Maine Attorney General publicly committing not to enforce the law, it was repealed in 2010.
Now, California is seeking to do the same with Assembly Bill 319. The bill would require operators that 1) have a website or online service directed at minors, or 2) have actual knowledge that they are collecting information from minors to provide notice on the website about what information is collected and how it will be used. The bill defines minors as persons under the age of 18. Parents would be allowed to refuse the operator’s further collection or use of the information, and operators would not be allowed to condition a minor’s participation on providing more information than is reasonably necessary. In addition it creates an obligation for those operators to establish and maintain reasonable procedures to protect any information collected from minors.
COPPA governs the collection of information from children under the age of 13 and contains a preemption clause for inconsistent state or local laws. 15 U.S.C. § 6502(d). The bill as written will likely be preempted by COPPA.