California Strengthens Privacy Laws with Additional Data Breach Provisions and SOPIPA

On September 30, 2014, Gov. Jerry Brown signed into law CA AB 1710, which expands data breach provisions already in place in California.  The new law provides for credit monitoring standards for those entities who offer it to their data breach victims, expands protections to include businesses that maintain personal information about California residents, and prohibits the sale of an individual’s social security number.

Businesses that own, license, or maintain personal information of California residents are required to have reasonable security measures, depending on the type of information they have.  Businesses that share personal information with non-affiliated third parties are required to have in their contracts that the non-affiliated third party also has reasonable security measures.  Health care providers and financial institutions are exempt from this section but are regulated by other statutes.

The law was further amended to require businesses who caused a breach and are offering identity theft protection services do so for 12 months or more.  Unfortunately, there are many reports that the law requires all businesses to provide 12 months of identity theft protection.  This is not the case.  The statute is clear that only businesses offering these services must do so for no less than 12 months.  The statute also requires such businesses provide all the necessary information for individuals to take advantage of the offer.

Lastly, the statute was amended to prohibit the sale of an individual’s Social Security Number (SSN).  SSNs cannot be disclosed for marketing purposes.  However, it is not considered a sale if the SSN if the inclusion of the SSN is secondary to a larger transaction and is necessary for identification of the individual in furtherance of a legitimate business purpose.  For example, if a mortgage broker sells a mortgage and the mortgagee’s SSN is included in the information necessary as part of the transaction, the prohibition does not apply.

SSNs may be used as allowed by state or federal law.  They may be used for administrative purposes.  SSNs may also be used for internal verification purposes.  Finally, the adult penal system may disclose SSNs to county or federal Veterans’ services to determine an inmate’s status as a veteran or eligibility for veterans’ benefits.

CA AB 1710 becomes effective Jan. 1, 2015.

___________________________________________________________________________________

CA SB 1177, Student Online Personal Information Protection Act (SOPIPA), was signed into law on September 29, 2014.  SOPIPA prohibits operators of websites, online services, and mobile apps used for K-12 school purposes from: (1)  engaging in targeted advertising using personal information or persistent unique identifiers; (2) creating dossiers on a K-12 student except for school purposes; (3) seling student information, except when an operator is purchased or merges with another entity; or (4) disclosing personal information unless for school administrative, compliance, operational, judicial, or security purposes.

This statute does not apply to general audience websites.  It does not prohibit students from creating their own content or documents.  The statute does not prohibit operators from marketing educational products to parents so long as a student’s personal information was not used to market the product.

Operators may use student data for adaptive or customized student learning purposes.  They may disclose data as permitted by state and federal law and for research purposes subject to law.  Operators may also use anonymatized student data for improvement of the site or service or to demonstrate effectiveness of site or service.

Operators are required to maintain reasonable security procedures to protect student data and must delete student data at the request of the school or district.  Interestingly, there is no provision requiring operators to delete data at the parents’ request.

SOPIPA becomes operative on January 1, 2016.