Web Sites Need New Privacy Policy as California Updates Their Laws

On May 16, 2013, I posted a blog as a privacy policy overview – PRIVACY AND THE INTERNET  (https://www.netlaws.us/2013/05/privacy-and-the-internet/).  In that review I said that there are only three Federal laws relating to privacy — HIPAA regulations for health care information you store, COPPA regulations for visitors under the age of 13, and the Gramm-Leach-Bliley Act for financial information.  However, in the absence of Federal regulations, California has passed numerous laws affecting privacy with which those who want to reach California businesses or consumers must comply.  Last month, the state of California enacted three new privacy laws which will require almost all web sites to update their Privacy Policies.

Please note:  The attorney general of California has determined that the California Privacy Policy Laws apply to mobile apps as well as web sites!



AB 370 – Do Not Track Amendment

This law requires web site operators to post their response to Do Not Track requests by a web site visitor.  It does not require you to abide by the visitor’s wishes, only to notify them of your site’s response to the request.  Therefore, you can still track with the proper notice to your visitors.  This law is effective 1-1-14.

SB 46—Amendment to California’s Data Breach Notification Law

California has had a breach notification law since 2002.  SB 46 increases the types of information that must be reported in a breach to include log in and security questions visitors have submitted.  The law outlines how the breach notification is to be accomplished. This law is effective 1-1-14.

SB 568 – “Privacy Rights for California Minors in the Digital World” – The Minor “Eraser” Law

This law allows minors (those under the age of 18) to erase posts that they have created which cast them in a bad light.  Unfortunately, while this law is good in concept, it is poorly written, probably unconstitutional, and in all probability will be revoked, revised or amended before its effective date of 1-15-15.  I have decided to ignore this law for now and address it a year from now if it is still effective or in a new form.


It is possible that you are unaware of some of California’s other laws which affect the Privacy Policy of your web site.  Here is a quick summary:

1798.81 – “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”  There are other sections of this act you need to be aware of.  A web site owner should have a written standard operating procedure for keeping and disposing of records.

California’s Shine the Light Act – requires web site operators to inform users how the site shares their private information and how a user can change or remove their information on the site.

Security Breach Notification Laws – require web sites that have an information breach to notify the state, and under this year’s new law, to notify the web site users whose information was compromised.  If this happens to your site, contact a lawyer to make sure your notifications are properly made.


If you have an e-commerce or informational site that caters to residents of California, you are going to need to update your Privacy Policy.  You will need to include the new classes of information you store and how you respond to the Do-Not-Track requests.

How you post these new policies is going to look like a Chinese menu to you.  You may decide that you will treat every visitor the same or you can split your policy by either creating a separate page for California residents, or by adding to your current policy by stating, “The following policies apply to California residents only.”

If I have previously written a Privacy Policy for your site, I will be contacting you to discuss your Privacy Policy and the changes you need.  If I have not written a Privacy Policy for you, please note that I have an Introductory Special for new clients to write their TOS, Privacy Policy, etc.  Please see my blog of August 30, 2013 – Are You Planning on Opening a New E-Commerce Website? https://www.netlaws.us/blog/page/2/#sthash.qB0kXFzd.dpuf

Please feel free to contact me with any questions you may have.  I do not charge for initial consultations.  Also, please feel free to share this blog with your friends who may be interested.