
Four California Privacy Laws and What They Mean for Businesses


Does your business operate a website, online service, application or database? California has a group of privacy and data security laws that apply to those types of businesses. Because most websites, applications and databases involve California residents, such laws effectively set a nationwide baseline.

Here are four California laws on privacy and what they mean for businesses:

1. Disclose “Do Not Track” Responses. Effective January 1, 2014. This law applies to any website, online service or mobile application that collects personally identifiable information from consumers residing in California. These services have been able to track users’ browsing history through the use of “cookies” and other tracking signals. Users can enable a “do not track” signal in their web browsers and that is now the default setting in some browsers. The law requires the operators of websites, online services and apps to disclose how or if they respond to “do not track” signals. The law does not require operators to comply with “do not track” signals. Site operators will need to explain in their privacy policies how they respond to “do not track” signals and whether third parties collect data on consumers through the site. This is a disclosure law only. The California Attorney General can enforce it and impose civil penalties. The law gives organizations 30 days in which to address alleged deficiencies communicated by the Attorney General. It is the first legislation in the world directly addressing “do not track.” (Cal. A.B. 370.)

2. Expand Data Breach Notices. Effective January 1, 2014. This law expanded California’s previous data breach notification law. The previous law required database operators to notify consumers of data breaches involving various combinations of name, social security number, driver’s license number, financial account, medical information or health insurance information. The current law requires operators to also notify consumers of data breaches that involve user name or email address, in combination with a password or security question and answer. The data breach notification laws now also extend to local public agencies. (Cal. S.B. 46 and A.B. 1149.)

3. Restrict Online Advertising to Minors. Effective January 1, 2015. This law applies to any website, online service, online application or mobile application that is directed to minors or that has knowledge that minors use its service. It applies if the audience is “predominantly comprised of minors, and is not intended for a more general audience comprised of adults.” Site operators are prohibited from advertising or marketing to minors a list of specific products or services. Those include alcohol, firearms, tobacco and cigarettes (including electronic cigarettes), ultraviolet tanning devices, ephedra dietary supplements, permanent tattoos and dangerous fireworks. (Cal. S.B. 568.)

4. Allow Minors to Delete Their Own Content and Posts. Effective January 1, 2015. Part of the same law as the one immediately above, this provision requires websites and online services to allow minors to access and delete information that the minors posted. This allows the minor to delete embarrassing content that they later regret posting. Operators are not required to delete or erase the content, but instead may comply by making the content invisible to other users of the service and to the public. This “eraser button” law is also believed to be the first of its kind. (Cal. S.B. 568.)

Businesses that serve California consumers should assess their operations and policies on the topics above. Privacy and data security laws are a rapidly changing landscape.