The California legislature is busily at work, staying at the forefront with the development of data privacy laws. More than 15 bills related to data privacy concerns are currently making their way through the legislature, and they are catching the attention of the business world.

Here’s a short synopsis of the more notable ones finding some traction:

• SB 568: Similar to the federal Children’s Online Privacy Protection Act (COPPA), SB 568 would require operators of Internet websites and online or mobile apps to permit minors to remove previously posted content, and give the minors notice of their right of removal. The bill would also limit operators’ ability to market or advertise certain products or services to minors, as well as prohibit operators from using, disclosing, or compiling certain personal information of the minor for marketing these same products or services. If enacted, operators will be required to implement these privacy protections by January 2015. Introduced by Senate President Pro Tem Darrell Steinberg (D), SB 568 has passed the Senate by a unanimous vote and has moved to the Assembly for consideration.
• Social Networking Privacy Act (SB 501): We wrote previously about SB 501, after the bill was introduced by Senate Majority Leader Ellen M. Corbett (D). SB 501 would require social networking websites to remove a registered user’s personal identifying information within 96 hours of a request from the user or, if the user is a minor, from the user’s parent or legal guardian. Facebook and Google are the familiar faces opposing this bill, but several other companies like Tumblr and Zynga have voiced their opposition as well, criticizing SB 501 for being unworkable. The Senate approved SB 501 early this month by an overwhelming majority vote, and the bill now sits before the Assembly for consideration.
• AB 370: AB 370 would amend the California Online Privacy Protection Act (“CalOPPA”) by requiring operators of commercial websites, or online services that collect personally identifiable information about consumers living in California, to disclose in their privacy policies whether they honor consumers’ requests to disable online tracking, and to disclose whether they allow third parties to conduct online tracking. Introduced by Assemblyman Al Muratsuchi (D) and sponsored by California Attorney General Kamala Harris, AB 370 passed the Assembly by a unanimous vote early this month and is now before the Senate for consideration.
• SB 383: SB 383 would amend the Song Beverly Credit Card Act of 1971 to allow retailers to require credit card users, as a condition of accepting payment by credit card, to provide their ZIP Code and the numerical portion of their street addresses to be used solely for the prevention of fraud, theft, or identity theft. This bill additionally requires that the retailer dispose of that information in a secure manner after it is no longer needed for the prevention of fraud, theft, or identity theft, and prohibits the retailer from selling or sharing it with a third party. The bill was drafted in response to the California Supreme Court’s decision in Apple Inc. v. Superior Court, 56 Cal. 4th 128 (2013), which held that the Song Beverly Credit Card Act did not apply to online transactions involving downloadable products. Introduced by Senator Hannah-Beth Jackson (D), SB 383 was passed by the Judiciary Committee earlier this month and will soon be voted on by the Senate.
• AB 242: AB 242 would amend CalOPPA by tightening the requirements for online privacy policies. We wrote about AB 242 earlier this year, after the bill was introduced by Assembly Member Ed Chau (D). AB 242 would require operators of websites or online services to limit their privacy policies to “no more than 100 words,” and to be written in “clear and concise language” at “no greater than an 8th grade reading level.” The bill would also require privacy policies to state whether “personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.” AB 242 is currently being considered by the Judiciary Committee, and the Business, Professions and Consumer Protection Committee.
• The Right to Know Act of 2013 (AB 1291): We have written about AB 1291 several times before, most recently at the beginning of last month. The Right to Know Act would amend California’s Shine the Light law by requiring companies to provide, within 30 days of a customer’s request and at no charge, a copy of all personal information they retain about the customer, as well as the names and addresses of all third parties with access to that personal information in the previous 12 months. First introduced in February by Assemblywoman Bonnie Lowenthal (D), AB 1291 has recently been extended into a two-year bill, having faced fierce backlash from tech industry giants like Facebook Inc. and Google Inc. It will return to the Assembly for consideration in early 2014.
• AB 257: AB 257 would also amend CalOPPA to expressly include mobile applications, and would require operators to satisfy various privacy policy requirements for mobile applications, including allowing consumers to access their own collected and retained PII, imposing safeguards to protect PII, requiring a supplemental privacy policy if an application collects information not essential to the application’s basic function, and a requirement that the operator provide a special notice if the application accesses specified devices and information. This bill would also require mobile application markets and advertising networks to comply with specified privacy procedures. Introduced by Assembly Member Isadore Hall, III (D), AB 257 is currently before the Assembly Judiciary Committee.

As these swiftly moving measures show, the California legislature, for better or for worse, is pushing to be at the forefront in the development of data privacy law. If enacted, these laws will certainly impact those conducting business in the state, and may likely influence the development of data privacy laws elsewhere.

Client Alert 2013-134