California has enacted a new consumer privacy law aimed at offering more protections for minors, and amended two existing privacy and data security laws which may require website owners to modify privacy policies and adhere to more stringent disclosure mandates in the event of a data breach.
AB 370 – Do Not Track Amendment to CalOPPA: While the amendment does not force companies to comply with a consumer’s Do Not Track (DNT) designations, it does force website operators and application developers to inform users of how they address DNT signals.
“AB 370 focuses on transparency, but is also limited to the collection of ‘personally identifiable information’ as defined by CalOPPA. Due to this limitation, it is not clear whether the new disclosure obligations would apply to an operator or an authorized third party that collects log data, browser activity, or web protocol logs… separately from and not in connection with any personally identifiable information.”
SB 46—Amendment to California’s Data Breach Notification Law: California became the first state to enact data breach disclosure laws in 2002, and SB 46 will strengthen those provisions by requiring anyone who possesses the data of California residents to disclose any breach of account information.
“The amendment creates specific notification options and requirements for breaches of online account information. The business may give electronic notice to the affected account holders by ‘promptly’ directing them to change their passwords, security questions or answers or to take ‘other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer,’” the attorneys noted.
Changes to privacy policies and data breach disclosure obligations under AB 370 and SB 46 come into effect in January of 2014.
SB 568—“Privacy Rights for California Minors in the Digital World”—The Minor “Eraser” Law:
This law requires website operators to allow anyone under 18 years of age to remove content they posted, to provide instructions for doing so, and to acknowledge that some data may remain in existence. Exemptions include any data they are required to keep in compliance with state or federal law, data the minor was compensated for providing, and cases where the individual fails to take all prescribed steps to remove the data.
“An operator must comply with the removal requirements if its website or mobile app is ‘directed to minors’ (as opposed to general audiences) or if the operator has actual knowledge that a user is a minor. Operators are not required to collect or maintain age information under the new law, so operators that do not collect this information and operate general audience websites or mobile applications may not be affected,” the attorneys said.
The law becomes effective in January of 2015.