Summary of Privacy Policy and Breach Notification Requirements in California
The California Online Privacy Protection Act of 2003 (OPPA)
Cal. Bus. & Prof. Code §§ 22575-22579, requires all commercial operators of websites or online services (including mobile apps) that collect personally identifiable information from California residents to conspicuously post and comply with a privacy policy.
What Is PII?
The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
- A first and last name.
- A home or other physical address, including street name and name of a city or town.
- An e-mail address.
- A telephone number.
- A social security number.
- Any other identifier that permits the physical or online contacting of a specific individual.
- Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
Requirements of the Act
- Privacy policy must be distinctive and easily found.
- Must detail the kinds of information gathered by the website, how the information may be shared with other parties, and how users can use to review and make changes to their stored information. It also must include the policy's effective date and a description of any changes since then.
- Recent amendments added the following requirements: Policy must state whether the website owner responds to “Do-Not-Track” settings on browsers, and whether the owner allows third-party tracking on her Web site or online service.
30 Day Notice
The owner of a website can be subject to legal actions under OPPA within 30 days of being notified for not posting the privacy policy or not meeting the law's criteria.
This is enforced through Business and Professions code 17200.
What Is Conspicuously Posted?
A privacy policy can be “conspicuously posted” if the website’s home page contains an icon or text link that includes the word “privacy” and is linked to the privacy policy. Another way a privacy policy can be “conspicuously posted” is if the text link to the privacy policy is either written in capital letters that are at least the same size as the surrounding text or is otherwise written in way that calls attention to the link (e.g., written in a larger type than the surrounding text, in a contrasting type, font or color, or set off from the surrounding text by symbols or other marks).
Consequences of Non-compliance
OPPA is expected to be enforced through California’s Unfair Competition Law (UCL), which prohibits unlawful, unfair or fraudulent business acts or practices. UCL may be enforced for violations of OPPA by government officials seeking civil penalties or equitable relief, or by private parties seeking private claims.
Breach Notification Laws
California Civil Code Section 1789.82 (2003) requires notification of a breach if you meet the following criteria:
Any business that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Amendments (CC Section 1789.82 (G)) add:
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
Personal information for the purposes of Section (G) means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number.
- Driver's license number or California Identification Card number.
- Account number, credit or debit card number…
- in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Medical information.
- Health insurance information.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Corporations can determine whether they are subject to this statute by reviewing the following questions:
- Does their data include "personal information" as defined by the statute?
- Does that "personal information" relate to a California resident?
- Was the "personal information" unencrypted?
- Was there a "breach of the security" of the data as defined by the statute? (‘‘Breach of the security of the system’’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.)
- Was the "personal information" acquired, or is reasonably believed to have been acquired, by an unauthorized person?
A corporation that answers yes to all five of these questions must report.
How Do You Give the Notice?
“Notice” may be provided by one of the following methods:
- Written notice.
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
- Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
- E-mail notice when the agency has an e-mail address for the subject persons.
- Conspicuous posting of the notice on the agency’s Web site page, if the agency maintains one.
- Notification to major statewide media.
Notwithstanding subdivision, an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Remedies?
- Injunction
- Damages
SEC. 3. Section 1798.82 of the Civil Code
The statute does not apply to "encrypted" information. Thus one way to avoid reporting is to encrypt all "personal information." A corporation can also avoid reporting if its data does not contain "personal information" relating to a California resident.
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number.
- Driver's license number or California Identification Card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Resources
For a video discussion on this topic including the Attorney General's thoughts, please seemyrecorded chatwith marketing expert Leona Laurie and Joanne McNabb of the Privacy Unit in the California Attorney General's Office.
Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy is available on the Business Resources page at: http://oag.ca.gov/privacy/business-privacy.
The online form for submitting notices of data breaches affecting more than 500 Californians is at: http://oag.ca.gov/ecrime/databreach/reporting.