Getting Prepped for California &
Federal Privacy Law Changes: 2014
California leads the country in implementing data privacy laws. The state
takes a proactive and stricter approach than most when it comes to ensuring
consumer privacy protection online, including cracking down on companies
that do not comply with state and federal data privacy law and
recommending best practices for mobile applications. California recently
implemented new changes, many of which will be effective on January 1,
2014.
This guide provides a quick reference overview of the new laws on the
books. Businesses that operate websites, online services and mobile
applications must ensure that they are prepared for the coming changes. The
laws—both new and old—apply to California businesses and any business
that reaches and collects information on even just one California resident.
What's the Current Law in California? Collecting PII

All businesses that operate commercial websites or online services that collect personally identifiable information ("PII") from California residents must post a privacy policy, identify its effective date, describe how users are notified about changes to the policy, and identify the categories of PII that are collected and the categories of third parties with whom the PII is shared. Under current law, PII is defined as individually identifiable information about a consumer that the operator collects online and maintains in an accessible form, including:

1. First and last name;
2. Home or other physical address, including street name and name of a city or town;
3. Email address;
4. Telephone number;
5. Social security number; and
6. Any other identifier that permits the physical or online contacting of a specific individual.

Are we talking about you? Yes.

If you are providing a website, web platform or mobile application to the public, this likely applies to you. Whether it is geolocation or someone's score record in a gaming app, it is data and needs to be accompanied by appropriate practices and policies.

The Do Not Track Law (Bus. & Prof. Code §§ 22575 et seq.)

"Do Not Track" has been a hot topic of discussion at the federal level, but California took steps this year to make it law. Starting January 1, 2014, if you operate a commercial website or online service, you must provide consumers with two additional pieces of information in your privacy policy:

One, you must disclose how you "respond to web browser 'do not track' signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services."

Two, you must disclose whether other parties may collect PII about a consumer's "online activities over time and across different Web sites" when that consumer uses your website or online service.

The law is intended to increase consumer awareness of online tracking, especially by ad networks like Google AdSense and Facebook's FBX, and to allow consumers to make an informed decision about using a particular website or service by knowing whether the business honors a Do Not Track signal. Note that the law is a disclosure requirement only: it does not require a business to honor the signal, but whatever the business does (or does not do) in response must be stated accurately.

The Bottom Line: Businesses must be sure to include in their privacy policies:

1. A description of how the business responds to Do Not Track signals, or a clear and conspicuous hyperlink to a description of any program or protocol the business follows that offers consumers a choice about online tracking; and
2. Whether third parties may collect PII about consumers' online activities over time and across different websites when consumers use the business's website or online service.

A GAMA White Paper produced by Christina Gagnier & Nicole Nord. © 2013 Gagnier Margossian LLP. All rights reserved.
Amendments to CA's Data Breach Notification Law

This year, California Governor Jerry Brown signed into law amendments to California's data breach notification requirements.

Currently, businesses that collect consumers' "personal information" must notify consumers of a data breach when the information accessed includes an individual's name together with one or more of the following data elements, where either the name or the data element is not encrypted:

1. Social security number;
2. Driver's license or California identification card number;
3. Account, credit or debit card number, in combination with any required security or access code;
4. Medical information; or
5. Health information.

Starting January 1, 2014, the scope of personal information and the means to notify consumers affected by a breach will expand. The definition of personal information will include an individual's online account credentials:

"a user name or email address, in combination with a password or security question and answer that would permit access to an online account."

You will be required to notify an individual when his or her online account credentials have been compromised as a result of a breach. As long as the compromised information includes only online account credentials (and no other personal information), the amended law also expands the means the company may use to notify the individual: the company may notify the affected individual in electronic or other form that directs the individual to promptly change his or her password and security question or answer, or to take other appropriate steps to protect the online account and all other online accounts that use the same login credentials. One exception: if the breach involves the login credentials of an email account furnished by the business, the company may not send the notice to that email address, but it may provide notice through the other methods the law specifies, including clear and conspicuous notice delivered online when the individual is connected to the account from an IP address or online location from which the business knows the individual customarily accesses the account. The law applies both to companies whose own systems are breached and to companies that released the data to a third party whose systems were then breached.

The Bottom Line: Businesses must ensure that they have sufficient safeguards in place to prevent data breaches, including encryption of stored personal information (since the notification duty is triggered only where the name or data element is unencrypted), as well as response plans that provide for the methods of notification specified in the statute (e.g., written notice, electronic notice, or clear and conspicuous online notice).

2015: The Online Eraser for Minors

Effective January 1, 2015, businesses operating websites and online services, website applications or mobile applications directed at minors (any individual under the age of 18) must implement special safeguards when allowing California minors to post material online.

Website operators must provide minors with the option of an "online eraser" to remove, or request to remove, from public view any material that the minors themselves have posted. Website operators must also inform minors of these removal options and how to use them. Notably, websites are not required to permanently delete the information, nor to remove information that a third party reposted.

Additionally, the new law restricts website operators from knowingly advertising and marketing certain "harmful" products to minors. "Harmful" products include things like firearms, tobacco and tobacco-related products, drug paraphernalia, certain dietary supplements and alcohol. The law also prohibits the use of minors' personal information for advertising and marketing of these products.

Businesses whose services are directed at minors should create a timely internal process for executing minors' requests to remove posts from public view and include in their privacy policies instructions on how to remove information. Businesses should also compare the types of products they advertise or market with the list of prohibited products to ensure full compliance with the law.

Privacy By Design & a "No Surprise" Approach for Mobile Applications

In January 2013, California Attorney General Kamala D. Harris issued data privacy guidelines for mobile application ("app") developers as well as app platform providers, mobile ad networks, operating system developers and mobile carriers. The guideline, "Privacy on the Go: Recommendations for the Mobile Ecosystem," takes a proactive "privacy by design" and "no surprises" approach to consumer privacy protection in mobile apps.

The "privacy by design" approach echoes the Federal Trade Commission's push for mobile applications to incorporate best privacy practices from the very beginning. App developers should build privacy practices in from the start of app development.

The guideline recommends that app developers ensure that every piece of PII that a mobile app collects and retains is necessary for the functionality of the app, and that they create privacy policies and corresponding practices only after identifying and understanding the nature of the PII collected.

The "no surprises" approach emphasizes privacy policies and practices that are front and center in an app. Mobile app developers should implement "enhanced measures" if the app collects data that is likely to be "unexpected" by the user because the data is sensitive or not essential to the app's basic functionality. "Enhanced measures" can be implemented through:

• Special notices that provide clear, short, contextual, "just-in-time" (i.e., just before the specific information is to be collected) alerts for data practices; or
• A short privacy policy that describes the unexpected data practices, together with user privacy controls that allow users to make and revise decisions about the collection of their PII.

The Bottom Line: Businesses developing and operating mobile apps should incorporate proactive privacy practices from the very beginning of an app's design, including:

• Collection and retention of only the PII that is necessary to the app's functionality;
• Deletion of unnecessary PII in a timely fashion;
• User access to the PII that the mobile app collects and retains about that user;
• A general privacy policy that describes your data privacy practices and that is transparent, easy to find, easy to read and readily available; and
• Enhanced measures through special notices or a short privacy policy and user controls.

Complying with the FTC's New COPPA Revisions

The Federal Trade Commission (FTC) recently revised the rule implementing the Children's Online Privacy Protection Act (COPPA). COPPA regulates the collection, use and disclosure of personal information from children under the age of 13.

The revised rule became effective July 1, 2013, and applies primarily to businesses operating websites and online services ("operators") that direct their services to children under age 13, or that have actual knowledge that they are collecting personal information from children under 13, and that collect, or let others collect, personal information from those children.

Businesses operating websites or online services that collect, or allow others to collect, information on children under 13 must ensure that their sites and privacy policies comply with COPPA:

• Check whether your business collects any information on children that counts as personal information under the new definition (which now reaches, for example, persistent identifiers such as cookies and device IDs, geolocation information, and photos, videos and audio files containing a child's image or voice);
• Ensure your practices for notifying and obtaining consent from parents, and for retaining and disposing of data, comply with the revised rule; and
• Be mindful that your business is liable for the conduct of third-party service providers (such as ad networks and plug-ins) that collect personal information through your website or online service.

Where do you start?

Start by figuring out what data you collect. Creating a comprehensive list of the data collected through your website or application is an important first step toward appropriate data management practices.

Need help with this stuff? Just don't want to worry about it?
GAMA's got your back. Our firm specializes in information privacy and security. Whether you are just operating in the United States or expanding internationally, our practice is equipped to meet all privacy needs on all budgets. Working in a unique or heavily regulated industry like healthcare or finance? We got you too.

Internet | Intellectual Property | Privacy | Social Media | Technology | The Good Stuff
#nerdlawyers
Los Angeles | Sacramento | San Francisco
T: 415.766.4591
F: 909.972.1639
E: consult@gamallp.com
gamallp.com
@gamallp
More Related Content

More from Christina Gagnier

European Union General Data Protection Regulation (GDPR) Checklist
European Union General Data Protection Regulation (GDPR) ChecklistEuropean Union General Data Protection Regulation (GDPR) Checklist
European Union General Data Protection Regulation (GDPR) ChecklistChristina Gagnier
 
EU Privacy Shield Self Certification
EU Privacy Shield Self Certification EU Privacy Shield Self Certification
EU Privacy Shield Self Certification Christina Gagnier
 
The United Kingdom Raises Red Flag on Initial Coin Offerings
The United Kingdom Raises Red Flag on Initial Coin OfferingsThe United Kingdom Raises Red Flag on Initial Coin Offerings
The United Kingdom Raises Red Flag on Initial Coin OfferingsChristina Gagnier
 
Regulatory Regime for Cryptocurrencies in Gibraltar
Regulatory Regime for Cryptocurrencies in GibraltarRegulatory Regime for Cryptocurrencies in Gibraltar
Regulatory Regime for Cryptocurrencies in GibraltarChristina Gagnier
 
China Bans Initial Coin Offerings, "Illegal Public Financing"
China Bans Initial Coin Offerings, "Illegal Public Financing"China Bans Initial Coin Offerings, "Illegal Public Financing"
China Bans Initial Coin Offerings, "Illegal Public Financing"Christina Gagnier
 
Initial Coin Offerings (ICOs) and Cryptocurrencies in Canada
Initial Coin Offerings (ICOs) and Cryptocurrencies in CanadaInitial Coin Offerings (ICOs) and Cryptocurrencies in Canada
Initial Coin Offerings (ICOs) and Cryptocurrencies in CanadaChristina Gagnier
 
Conducting an Initial Coin Offering: Costs and Considerations
Conducting an Initial Coin Offering: Costs and ConsiderationsConducting an Initial Coin Offering: Costs and Considerations
Conducting an Initial Coin Offering: Costs and ConsiderationsChristina Gagnier
 
SEC Update: Virtual Organizations and the SEC - July 2017
SEC Update: Virtual Organizations and the SEC - July 2017SEC Update: Virtual Organizations and the SEC - July 2017
SEC Update: Virtual Organizations and the SEC - July 2017Christina Gagnier
 
European Union Privacy Law - General Data Protection Regulation Checklist
European Union Privacy Law - General Data Protection Regulation ChecklistEuropean Union Privacy Law - General Data Protection Regulation Checklist
European Union Privacy Law - General Data Protection Regulation ChecklistChristina Gagnier
 
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...Christina Gagnier
 
Student Privacy Rights: In and Out of the Classroom
Student Privacy Rights: In and Out of the ClassroomStudent Privacy Rights: In and Out of the Classroom
Student Privacy Rights: In and Out of the ClassroomChristina Gagnier
 
Gender Issues: Creating a Safe Environment for All Students
Gender Issues: Creating a Safe Environment for All StudentsGender Issues: Creating a Safe Environment for All Students
Gender Issues: Creating a Safe Environment for All StudentsChristina Gagnier
 
ABC's of Privacy and Security
ABC's of Privacy and SecurityABC's of Privacy and Security
ABC's of Privacy and SecurityChristina Gagnier
 
Starting a Business: The Legal Details
Starting a Business: The Legal DetailsStarting a Business: The Legal Details
Starting a Business: The Legal DetailsChristina Gagnier
 
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...Christina Gagnier
 
Revenge Porn: Posting Images Without Consent
Revenge Porn: Posting Images Without ConsentRevenge Porn: Posting Images Without Consent
Revenge Porn: Posting Images Without ConsentChristina Gagnier
 
Seth's Law (AB 9) - Understanding "Cyber" Bullying
Seth's Law (AB 9) - Understanding "Cyber" BullyingSeth's Law (AB 9) - Understanding "Cyber" Bullying
Seth's Law (AB 9) - Understanding "Cyber" BullyingChristina Gagnier
 
Student Privacy Rights in the Classroom
Student Privacy Rights in the ClassroomStudent Privacy Rights in the Classroom
Student Privacy Rights in the ClassroomChristina Gagnier
 
Employees, Employers & Social Media
Employees, Employers & Social MediaEmployees, Employers & Social Media
Employees, Employers & Social MediaChristina Gagnier
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationChristina Gagnier
 

More from Christina Gagnier (20)

European Union General Data Protection Regulation (GDPR) Checklist
European Union General Data Protection Regulation (GDPR) ChecklistEuropean Union General Data Protection Regulation (GDPR) Checklist
European Union General Data Protection Regulation (GDPR) Checklist
 
EU Privacy Shield Self Certification
EU Privacy Shield Self Certification EU Privacy Shield Self Certification
EU Privacy Shield Self Certification
 
The United Kingdom Raises Red Flag on Initial Coin Offerings
The United Kingdom Raises Red Flag on Initial Coin OfferingsThe United Kingdom Raises Red Flag on Initial Coin Offerings
The United Kingdom Raises Red Flag on Initial Coin Offerings
 
Regulatory Regime for Cryptocurrencies in Gibraltar
Regulatory Regime for Cryptocurrencies in GibraltarRegulatory Regime for Cryptocurrencies in Gibraltar
Regulatory Regime for Cryptocurrencies in Gibraltar
 
China Bans Initial Coin Offerings, "Illegal Public Financing"
China Bans Initial Coin Offerings, "Illegal Public Financing"China Bans Initial Coin Offerings, "Illegal Public Financing"
China Bans Initial Coin Offerings, "Illegal Public Financing"
 
Initial Coin Offerings (ICOs) and Cryptocurrencies in Canada
Initial Coin Offerings (ICOs) and Cryptocurrencies in CanadaInitial Coin Offerings (ICOs) and Cryptocurrencies in Canada
Initial Coin Offerings (ICOs) and Cryptocurrencies in Canada
 
Conducting an Initial Coin Offering: Costs and Considerations
Conducting an Initial Coin Offering: Costs and ConsiderationsConducting an Initial Coin Offering: Costs and Considerations
Conducting an Initial Coin Offering: Costs and Considerations
 
SEC Update: Virtual Organizations and the SEC - July 2017
SEC Update: Virtual Organizations and the SEC - July 2017SEC Update: Virtual Organizations and the SEC - July 2017
SEC Update: Virtual Organizations and the SEC - July 2017
 
European Union Privacy Law - General Data Protection Regulation Checklist
European Union Privacy Law - General Data Protection Regulation ChecklistEuropean Union Privacy Law - General Data Protection Regulation Checklist
European Union Privacy Law - General Data Protection Regulation Checklist
 
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...
Revenge Pornography: Legal and Policy Issues - Computers, Data & Privacy Prot...
 
Student Privacy Rights: In and Out of the Classroom
Student Privacy Rights: In and Out of the ClassroomStudent Privacy Rights: In and Out of the Classroom
Student Privacy Rights: In and Out of the Classroom
 
Gender Issues: Creating a Safe Environment for All Students
Gender Issues: Creating a Safe Environment for All StudentsGender Issues: Creating a Safe Environment for All Students
Gender Issues: Creating a Safe Environment for All Students
 
ABC's of Privacy and Security
ABC's of Privacy and SecurityABC's of Privacy and Security
ABC's of Privacy and Security
 
Starting a Business: The Legal Details
Starting a Business: The Legal DetailsStarting a Business: The Legal Details
Starting a Business: The Legal Details
 
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...
Privacy Identity Innovation 2013: Ignite Talk Slides - Content. Conduct. Cont...
 
Revenge Porn: Posting Images Without Consent
Revenge Porn: Posting Images Without ConsentRevenge Porn: Posting Images Without Consent
Revenge Porn: Posting Images Without Consent
 
Seth's Law (AB 9) - Understanding "Cyber" Bullying
Seth's Law (AB 9) - Understanding "Cyber" BullyingSeth's Law (AB 9) - Understanding "Cyber" Bullying
Seth's Law (AB 9) - Understanding "Cyber" Bullying
 
Student Privacy Rights in the Classroom
Student Privacy Rights in the ClassroomStudent Privacy Rights in the Classroom
Student Privacy Rights in the Classroom
 
Employees, Employers & Social Media
Employees, Employers & Social MediaEmployees, Employers & Social Media
Employees, Employers & Social Media
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago Presentation
 

Recently uploaded

The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Getting Prepped for California & Federal Privacy Law Changes: 2014

California leads the country in implementing data privacy laws. The state takes a proactive and stricter approach than most when it comes to ensuring consumer privacy protection online, including cracking down on companies that do not comply with state and federal data privacy law and recommending best practices for mobile applications. California recently implemented new changes, many of which will be effective on January 1, 2014.

This guide provides a quick reference overview of the new laws on the books. Businesses that operate websites, online services and mobile applications must ensure that they are prepared for the coming changes. The laws—both new and old—apply to California businesses and any business that reaches and collects information on even just one California resident.

The Do Not Track Law (Bus. & Prof. Code §§ 22575 et seq.)

“Do Not Track” has been a hot topic of discussion at the federal level, but California took steps this year to make it law. Starting January 1, 2014, if you operate a commercial website or online service, you must provide consumers with two additional pieces of information:

One, you must now disclose how you “respond to web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party Web sites or online services.”

Two, you must now disclose whether other parties collect PII about a consumer’s “online activities over time and across different websites” when that consumer uses a business’s website or online service.

The law is intended to increase consumer awareness of the practice of online tracking, especially by ad networks like Google AdSense and Facebook’s FBX, and to allow consumers to make an informed decision about using a particular website or service by knowing whether the business honors a Do Not Track signal.

The Bottom Line: Businesses must be sure to include in their privacy policies:
1. A clear and conspicuous hyperlink to a description of the protocols your business takes that offer your consumers the choice to opt out of Internet tracking; and
2. Whether third parties collect PII about individual consumers’ online activities when consumers use your website or online service.

What’s the Current Law in California?: Collecting PII

All businesses that operate commercial websites or online services that collect personally identifiable information (“PII”) from California residents must post a privacy policy, identify its effective date, describe how users are notified about changes to the policy and identify the categories of PII that are collected and with whom the PII is shared. Under current law, PII is defined as identifiable information about a consumer that the operator collects online and maintains in an accessible form, including:
1. First and last name;
2. Home or other physical address, including street name and name of a city or town;
3. Email address;
4. Telephone number;
5. Social security number; and
6. Any other identifier that permits the physical or online contacting of a specific individual.

Are we talking about you? Yes. If you are providing a website, web platform or mobile application to the public, this likely applies to you. Whether it is geolocation or someone’s score record in a gaming app, it is data and needs to be accompanied by appropriate practices and policies.

A GAMA White Paper produced by Christina Gagnier & Nicole Nord. © 2013. Gagnier Margossian LLP. All rights reserved.
Amendments to CA’s Data Breach Notification Law

This year, California Governor Jerry Brown signed into law amendments to California’s data breach notification requirements. Currently, businesses that collect consumers’ “personal information” must notify consumers of a data breach when the information accessed includes an individual’s name and the individual’s:
1. Social security number;
2. Driver’s license or California ID number;
3. Account, credit or debit card number and coinciding security or access code;
4. Medical information; or
5. Health information,
where either the name or the other piece of information is not encrypted.

Starting January 1, 2014, the scope of personal information and the means to notify consumers affected by a data breach will expand. The definition of personal information will expand to include an individual’s online account credentials—“a user name or email address, in combination with password or security question and answer that would permit access to an online account.” You will be required to provide notification to an individual(s) when his or her online account credentials have been compromised as a result of a breach.

As long as the compromised information includes only online account credentials (and not other personal information), the amended law also expands the means by which the company may notify the individual: a company may notify the affected individual(s) through an electronic or other form that directs the individual to take appropriate steps to protect his or her online accounts, including by changing his or her password and security questions and answers on accounts that use the same login credentials. An exception to the new notification requirement is if the breach involves the individual’s email credentials, in which case the company may not use email to notify that individual, but the company may provide notice through other electronic means as defined in the law.

The law applies both to companies that are themselves breached and to companies that released the data to a third party that then experienced a security breach.

The Bottom Line: Businesses must ensure that they have sufficient safeguards in place to prevent data breaches as well as response plans that provide for the appropriate methods of notification specified in the statute (e.g., traditional notice or clear and conspicuous online notice).

2015: The Online Eraser for Minors

Effective January 1, 2015, businesses operating websites and online services, website applications or mobile applications directed at minors (any individual under the age of 18) must implement special safeguards when allowing California minors to post material online.

Website operators must provide minors with the option of an “online eraser” to remove, or request to remove, from public view any material that the minors themselves have posted. Website operators must also inform minors of these removal options and how to utilize them. Notably, websites are not required to permanently delete the information nor to remove information that a third party reposted.

Additionally, the new law restricts website operators from knowingly advertising and marketing certain “harmful” products to minors. “Harmful” products include things like firearms, tobacco and tobacco-related products, drug paraphernalia, certain dietary supplements and alcohol. The law also prohibits the use of minors’ personal information for advertising and marketing of these products.

Businesses directed at children should create a timely internal process for executing minors’ requests to remove posts from public view and include in their privacy policies instructions on how to remove information. Businesses should also compare the types of products they advertise or market with the list of prohibited products to ensure full compliance with the law.

Need help with this stuff? Just don’t want to worry about it? GAMA’s got your back. Our firm specializes in information privacy and security. Whether you are just operating in the United States or expanding internationally, our practice is equipped to meet all privacy needs on all budgets. Working in a unique or heavily regulated industry like healthcare or finance? We got you too.
Privacy By Design & a “No Surprise” Approach for Mobile Applications

Last January 2013, California Attorney General Kamala D. Harris issued a data privacy protection guideline for mobile application (“app”) developers as well as app platform providers, mobile ad networks, operating system developers and mobile carriers. The guideline—“Privacy on the Go: Recommendations for the Mobile Ecosystem”—takes a proactive “privacy by design” and “no surprises” approach to consumer privacy protection on mobile apps.

The “privacy by design” approach echoes the Federal Trade Commission’s push for mobile applications to incorporate best privacy practices from the very beginning. App developers should incorporate privacy practices from the get-go of app development. The guideline recommends that app developers ensure that every piece of PII that a mobile app collects and retains is necessary for the functionality of the app, and that they create privacy policies and corresponding practices only after identifying and understanding the nature of the PII collected.

The “no surprises” approach emphasizes privacy policies and practices that are front and center to an app. Mobile app developers should implement “enhanced measures” if the app collects data that is likely to be “unexpected” by the user because the data is sensitive or not essential to the app’s basic functionality. “Enhanced measures” can be implemented through:
• Special notices that provide clear, short, contextual, “just-in-time” (i.e., just before the specific information is to be collected) alerts for data practices; or
• A short privacy policy that describes the unexpected data practices and user privacy controls that allow users to make and revise decisions about the collection of their PII.

The Bottom Line: Businesses developing and operating mobile apps should incorporate proactive privacy practices from the very beginning of an app’s design, including:
• Collection and retention of only PII that is necessary to the app’s functionality;
• Deletion of unnecessary PII in a timely fashion;
• User access to the PII that the mobile app collects and retains about that user;
• A general privacy policy that describes your data privacy practices and that is transparent, easy to find, easy to read and readily available; and
• Enhanced measures through special notices or a short privacy policy and user control.

Complying with the FTC’s New COPPA Revisions

The Federal Trade Commission (FTC) recently revised the Children’s Online Privacy Protection Act (COPPA). COPPA regulates the collection, use and disclosure of information of children under the age of 13. The revised law became effective July 1, 2013, and applies primarily to businesses operating websites and online services (“operators”) that direct their services to children under age 13 and collect, or let others collect, personal information on children.

Businesses operating websites or online services that collect, or allow others to collect, information on children under 13 must ensure that their sites and privacy policies comply with COPPA:
• Check whether your business collects any information on children that counts as personal information under the new definition;
• Ensure your practices for notifying and obtaining consent from parents and retaining and disposing of data comply with the revised law; and
• Be mindful that your business is liable for the conduct of third-party service providers that collect personal information through your website or online service.

Where do you start? Start by figuring out what data you collect. Creating a comprehensive list of the data collected through your website or application is an important first step toward appropriate data management practices.

Internet | Intellectual Property | Privacy | Social Media | Technology | The Good Stuff

#nerdlawyers | Los Angeles | Sacramento | San Francisco | T: 415.766.4591 | F: 909.972.1639 | E: consult@gamallp.com | gamallp.com | @gamallp