Almost every business has a website, and a large number of businesses conduct business or offer online services via their websites.  Therefore, business owners should be aware of changes in requirements for California commercial websites and online service providers so they may ensure compliance with the law and prevent any possible penalties.

On January 1, 2014, two new laws went into effect regarding Internet privacy.  A third important website privacy law is set to take effect on January 1, 2015.  The following are brief overviews of each of the three new laws.

AB 370 – “Do Not Track” Law

AB 370 amended the California Online Privacy Protection Act (CalOPPA) regarding Do Not Track (DNT) signals, which indicate an Internet user’s preference to opt out of tracking by third-party websites.  The law does not prohibit information tracking, but instead revolves around a business website’s responsibility to alert visitors if it tracks “personally identifiable information,” such as names, physical addresses, email addresses, social security numbers, or other types of contact information.  If a business’s website tracks any of this type of information, owners should take the following action:

  • Determine how your web service handles DNT signals and the service’s tracking methods;
  • Determine whether third parties track information from your site;
  • Update the privacy policy on your website to comply with the new requirements for disclosing tracking activities.

Privacy policies were all supposed to be updated by January 1, 2014, so if you have not yet done so, you should make sure your policy and website are in compliance as soon as possible.

SB 46 – Amendment to California’s Data Breach Notification Law

California law previously required businesses to report any electronic data breaches to consumers if the breach involved personal information of residents of California.  As of January 1, 2014, businesses must now further report any electronic data breaches that include user account information, such as usernames, email addresses, passwords, or security questions.  As a business owner, you must report such a breach in the following ways:

  • If only a username, password, or security question/answer was breached, you may promptly notify the consumer via email to change their settings to protect the account.
  • If an email address was breached, you may not notify the consumer via email. Instead, you may either post a conspicuous notification on the online account when the site detects the user is logged in to the account from a trusted address or mobile device that regularly accesses the account.
  • If any other personal information was breached, you must follow the notification procedures in Section 1798.82(j) of the California Code.

SB 568 – Privacy Rights for California Minors in the Digital World

This law will go into effect in 2015; however, business owners with websites may begin to prepare during this year.  This law will require websites to allow minors under the age of 18 to request removal of any content the minor posted on the website.  Your business must then remove the content from public view unless certain exceptions apply. Furthermore, the law will prohibit businesses from advertising certain products (alcohol, guns, tobacco, tattoos, lottery, drug paraphernalia, etc.) to minors based on that minor’s internet activity or tracked information.

It is always important to keep in compliance with the changing laws in California.  If you have any questions regarding business laws, do not hesitate to contact an experienced business attorney for help.

- Claire Kalia

