Several California privacy laws that took effect at the beginning of 2015 may affect a wide range of businesses in the state. One new law expands the duties a business owes to consumers affected by data breaches, including provision of identity theft protection services. Another new law gives minors a limited “right to be forgotten” online. Additional laws apply to breaches of medical information, the use of student records, and the use of student information gathered by school officials.
Assembly Bill 1710, signed by the governor on September 30, 2014, took effect on January 1, 2015. The law applies to individuals, businesses, and organizations that collect consumers’ personal information, generally defined to include names, addresses, dates of birth, Social Security numbers, and other information that could be used to personally identify someone. It requires a business to notify anyone whose unencrypted personal information was or might have been compromised in a data breach as soon as the business learns of the breach. If the business was “the source of the breach,” it must offer at least 12 months of “appropriate identity theft prevention and mitigation services” to affected individuals free of charge.
The law also expands the legal requirements for “reasonable security procedures and practices” for personal information. Under previous state law, this requirement applied to any business “that owns or licenses information about a California resident.” AB 1710 expands this to include “businesses that own, license, or maintain personal information about a California resident.” Finally, the law expands the current prohibition on the publication of any individual’s Social Security number to include prohibitions on advertising, offering to sell, or selling an individual’s Social Security number.
A law that allows minors to delete information they posted online, Senate Bill 568, was enacted on September 23, 2013 and took effect at the beginning of 2015. The law provides a limited “right to be forgotten” to minors in California, although it should be stressed that the right is very limited. State Senator Darrell Steinberg described the law as protecting “kids who often act impetuously…before they think through the consequences.” It only applies to materials posted by the minors themselves, not information posted by others, so it may end up imposing additional obligations on web service providers without offering much of the intended protection.
Health care businesses, including clinics, hospices, and home health care agencies, may see certain obligations under state law loosened by AB 1755, which was signed into law on September 18, 2014 and took effect in January. In the event of a breach of patient medical information, a health care business must make a report to the California Department of Public Health within 15 days. Previously, the reporting deadline was five days.
Several new laws may apply to businesses that work with California schools and school districts:
– AB 1584 gives school districts and other local education officials the authority to contract with third parties to provide various services related to the storage and management of student records, including cloud storage, and prescribes safeguards to protect the security of those records.
– SB 1177 prohibits businesses that operate online services for K-12 students from employing targeted advertising aimed at those students or their parents.
– AB 1442 applies to school officials who use social media to gather information on students, restricting their ability to use, share, or sell any information.
If you or your business is involved in a dispute, a knowledgeable and experienced commercial law attorney can help you protect your interests and advise you of your rights. James G. Schwartz has represented businesses and business owners in the San Francisco Bay Area for nearly 40 years. To schedule a free and confidential consultation to discuss your case, contact us today online or at (925) 463-1073.
More Blog Posts:
Ninth Circuit Holds that Businesses Providing Services via the Internet Are Not “Public Accommodations” Subject to the ADA, Pleasanton Business & Commercial Law Blog, April 15, 2015
Judge Rules in Favor of eBook Retailer in Copyright Claim Brought by Publishers, Pleasanton Business & Commercial Law Blog, January 30, 2015
Lawsuits, Regulators Target Allegedly Deceptive Online Conduct by California Businesses, Pleasanton Business & Commercial Law Blog, October 15, 2014