The Law and Business of Social Media
October 13, 2015 - Data Security, Privacy

California Passes Four Bills Protecting Privacy Rights

California Passes Four Bills Protecting Privacy Rights

Last week was a big one for California’s privacy regime.

In a landmark move, Governor Jerry Brown signed into law four bills further protecting Californians’ privacy rights: Three strengthen the state’s data breach notification statute and impose restrictions on operators of automated license plate recognition systems (ALPRs), and one requires law enforcement to obtain a warrant for the collection of digital records and location.

A.B. 964, S.B. 570 and S.B. 34

California passed the nation’s first data breach notification law in 2003, and it has since incrementally increased the scope of personal data subject to the law and heightened obligations in the event of a breach.

Continuing this trend, on October 6, 2015, Governor Brown signed into law three amendments.

The first, A.B. 964, adds to the law a definition for the term “encrypted.” According to Assemblyman Ed Chau, the addition is meant to encourage businesses to adopt encryption standards.

The second amendment, S.B. 570, specifies the form and content of the notices that must be sent to consumers in the event of a breach. Notices must, for example, be titled “Notice of Data Breach” and present information under prescribed headings, such as “What Happened,” “What We Are Doing,” and “What You Can Do.”

The last bill in the trifecta, S.B. 34, includes information collected from ALPRs, when used in combination with an individual’s name, within the scope of personal information that falls under the breach notification law. That bill also requires ALPR operators to have reasonable security procedures and practices, as well as a privacy policy. S.B. 34 provides for a private cause of action for individuals harmed by violations.

S.B. 178

Just two days later, on October 8, 2015, Governor Brown signed CalECPA, which bars a state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, or documents stored in the cloud—without a warrant.

The law also requires a warrant to track the location of electronic devices like mobile phones, or to search them.

Though a handful of states have warrant protection for digital content or for GPS location tracking, California is the first to enact a comprehensive law protecting location data, content, metadata, and device searches.