The state continues to lead the United States in the data privacy and security field by giving minors an Internet “delete” option and requiring disclosures about “do not track” practices.
In September 2013, California Governor Jerry Brown signed two important new laws that affect data privacy and security. California Senate Bill 568 (S.B. 568), signed by Governor Brown on September 24, requires that websites, social media sites, and applications (apps) provide California minors with the ability to delete online material. Additionally, on September 27, Governor Brown signed California Assembly Bill 370 (A.B. 370), which requires operators of websites or online services that collect personal information about California residents to disclose whether they will honor “do not track” signals. Both laws will have implications for any company with a website or application that can be accessed by California residents.
California Senate Bill 568
By signing S.B. 568 into law, Governor Brown attempted to give California minors a way to remove information they post online. As of its effective date of January 1, 2015, the law will require operators of Internet websites, online services, online apps, or mobile apps to permit a minor (defined in this law as anyone under 18) who is a registered user of their service or site to remove, or request removal of, information posted by the minor. The operators must also provide notice of this “delete” option to minors and the fact that using this “delete” option does not guarantee complete removal of the content.
S.B. 568 also prohibits certain marketing and advertising activities. For instance, operators of Internet websites, online services, online apps, or mobile apps are prohibited from marketing or advertising certain types of products (e.g., firearms, tobacco, or dietary supplements) to minors or from knowingly using or disclosing the personal information of a minor for marketing or advertising purposes.
While this new law is designed to protect California minors, any company with a website or app that is accessible by California residents must find a way to comply. Companies with a Web presence or app that may be directed to or used by minors should already have systems in place to determine whether a user is a minor in order to comply with the Children’s Online Privacy Protection Act (COPPA). However, “minor” is defined differently in each law: a minor is defined as anyone under 13 in COPPA and as anyone under 18 in S.B. 568. This age difference, as well as the added marketing restrictions and notice provisions in S.B. 568, means that the user identification procedures, data collection practices, user preference election and tracking, and notices that may satisfy COPPA will not also satisfy S.B. 568.
The practical effect is that companies now face a patchwork of regulations regarding minors with differing requirements, which will potentially result in the need for practices, notices, and policies for three distinct user groups—those under 13, those under 18, and those 18 or over. Any company whose website, online app, or mobile app may be accessed by a California resident—which includes virtually every company with an online presence in the United States—will, at the very least, have to analyze its target and actual audiences, as well as any practices, notices, and policies already in place as a result of COPPA, to determine how to comply with S.B. 568 by January 1, 2015.
California Assembly Bill 370
Although discussions have stalled in the World Wide Web Consortium’s attempt to establish a uniform “do not track” Web browser mechanism—which would allow a consumer to universally opt out of Web tracking over time and across websites—California has forged ahead on this issue by approving A.B. 370, which takes effect on January 1, 2014. Specifically, A.B. 370 requires disclosure of “do not track” practices by adding new privacy policy content requirements to the existing California Online Privacy Protection Act (CalOPPA).
CalOPPA requires operators of commercial websites and online services that collect personally identifiable information from California residents to conspicuously post, and comply with, their privacy policy. It also requires that specific content be included in the privacy policy (e.g., the operator must identify the categories of personally identifiable information collected as well as the third parties with whom it may share that information). As a result of A.B. 370, these privacy policies must also disclose whether the website or online service operator will honor “do not track” signals from Web browsers (for example, Mozilla and Microsoft allow online consumers to enable “do not track” features). While A.B. 370 requires disclosure regarding “do not track” practices, it does not go as far as to require compliance with a “do not track” signal. A.B. 370 also requires that operators include information about whether other parties may collect personal information about the California consumer’s online activities over time and across websites when the consumer is using the operator’s website or service.
While California is the only state at the forefront of this privacy issue so far, other states may follow its lead, and companies with a website presence or online service in the United States should review and consider revising their existing privacy policies in light of A.B. 370—particularly if they have previously determined the need to comply with CalOPPA’s other requirements.