On September 27, California Governor Jerry Brown signed into law two bills, both taking effect January 1, 2014, that expand the online privacy protections available to California residents. They were the second and third privacy laws enacted that September: earlier in the week the Governor had signed a bill restricting the advertising of certain products marketed to minors. Together they show that the California legislature continues to prioritize consumer privacy by updating its statutes to reflect changes in how websites collect, and consumers provide, personal information online.
“Do Not Track” Disclosures
Data Breach Notification for Disclosure of Online Account Access Information
The second bill, SB 46, amends California's data breach notification law (Cal. Civ. Code § 1798 et seq.) in two ways: it adds to the definition of "personal information" certain data that would permit access to an online account, and it imposes additional disclosure requirements when a breach involves personal information that would permit access to an online account or email account. Specifically, the legislation adds to the definition of personal information "a user name or email address, in combination with a password or security question and answer that would permit access to an online account." A breach of this information affecting any California resident, if the information was unencrypted, triggers the state's data breach notification obligations.
Where the breach involves this type of personal information, however, a company is permitted to notify affected California residents by alternative means. If the breach involves no other personal information, the company may notify the affected resident, in electronic or other form, with a notice that directs the resident to change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the affected online account and any other online accounts that use the same user name or email address together with the same password or security question and answer.
If the breach involves the login credentials of an email account furnished by the company, however, the company may not send the notification to that email address, since whoever holds the stolen credentials may be able to read the inbox as well. Instead, notice may be provided by: (1) one of the methods already permitted under the law for notification of a breach of unencrypted personal information; or (2) a clear and conspicuous notice delivered to the resident online while the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.