California Privacy and Security Legislation Affects Entire Nation

Privacy and Security Law Update

Authors: Sharon R. Klein, Charles S. Marion, Dana T. Nguyen, Barbara L. Delaney and Tracey S. Pachman

California has enacted extensive legislation in the privacy, security, anti-spam and anti-spyware areas that effectively molds the national agenda for fighting identity theft, protecting personally identifiable information (especially for direct marketing purposes) and regulating the Internet. This article highlights the most important legislation, focusing on privacy and security statutes effective on January 1, 2005.

While these new bills apply only to California residents or their personally identifiable information, all businesses, regardless of location, should take heed for the following reasons:

  • Several of the statutes specifically address out-of-state businesses that do business with, or collect or store information from California residents.
  • The borderless nature of the Internet means that many businesses with an online presence will need to comply with California’s requirements.
  • California is an enormous market, with cutting-edge consumer protection laws that already are serving as a model for legislation by other states and the federal government.
  • National and multi-regional businesses desiring to create a comprehensive privacy and security policy may need to conform to the most restrictive state requirements in the country, which are California’s.
  • California law increasingly favors private causes of action, so a business that unwittingly violates these new requirements could face onerous litigation as well as any enforcement penalty.

SB 1436 - Restrictions on Installation of ‘Spyware’ on California Consumers’ Computers

Senate Bill 1436, the Consumer Protection Against Computer Spyware Act, effective January 1, 2005, prohibits the unauthorized installation of software on a California consumer’s computer. The Act also forbids using such software to deceptively modify settings that affect the computer’s access to or use of the Internet, including altering the consumer’s home page, default search page or bookmarks; sending viruses; or taking control of an infected system as part of a distributed denial-of-service attack. The Act also outlaws the collection, “through intentionally deceptive means,” of “personally identifiable information” (such as user names and passwords) through keystroke logging, tracking of Web site visits or extraction of such information from a consumer’s hard drive.

Those seeking to install software on a California consumer’s computer must notify the consumer regarding what the software will do (for example, if it is a program that will collect information, the consumer must be told what type of information will be collected and what will be done with the information) and obtain the user’s consent to the installation. Consent can be obtained in various ways, including through an on-screen dialogue box advising the consumer that clicking “OK” will install the program.

The Act defines a consumer as “an individual who resides in [California] and who uses the computer in question primarily for personal, family or household purposes.” It does not require a software provider to obtain consent from every employee of a business when installing information-gathering software on the business’ computer system or network.

The Act also bans software that cannot be uninstalled or disabled, or that makes it seem as though the software has been uninstalled or disabled when it has not been. It also prohibits the installation of software which would remove or render inoperative security, anti-spyware or anti-virus software on the consumer’s computer. The law allows affected consumers to bring a lawsuit against the offending party and, if successful, recover damages of $1,000 per incident or violation, as well as attorney’s fees.

AB 1950 - Security Requirements for Personal Information About a California Resident

Assembly Bill 1950, effective January 1, 2005, mandates that owners or licensors of unencrypted personal information about California residents implement and maintain reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification or disclosure.

To the extent that personal information about a California resident is disclosed to a nonaffiliated third party, a contract with such third party must mandate security and protect the personal information from unauthorized access, destruction, use, modification or disclosure. “Personal information” is defined as a person’s name combined with a social security number, driver’s license number, or California identification card number, account number and password, or medical history, treatment or diagnosis.

This bill supplements other California legislation regarding notice of breaches of security of personal information (SB 1386), but does not pre-empt federal or state legislation protecting personal financial or medical information such as the California Financial Information Privacy Act, the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act (HIPAA).

Additionally, the bill excludes entities subject to the confidentiality requirement of the Vehicle Code and any other business regulated by state or federal law providing greater protection to personal information than that provided by this bill.

SB 27 - Restrictions on the Disclosure of Personal Information to Direct Marketers

Senate Bill 27, effective January 1, 2005, imposes stringent new disclosure and notice requirements on entities that collect and share personal information about their California customers. Informally referred to as the Golden State’s “Shine the Light” law, SB 27 was drafted to address the growing privacy concerns of California residents and to combat increasing incidents of identity theft.

Under the new statute, a business that discloses a California customer’s personal information to a third party for direct marketing purposes must either provide the customer a free opt-out procedure that will prevent sharing of that customer’s information, or, upon request, identify the recipients of the information and describe the categories of information disclosed during the previous calendar year.

SB 27 specifically covers business relationships created over the Internet and through mail order activities, so it does not just affect businesses located in California. Entities outside the state that collect personal information on California residents using Web sites and other alternative marketing channels and then disclose that information also are subject to the statute’s provisions.

“Personal information” is defined expansively to include a wide range of customer data, including name, address, phone number, e-mail address, physical description, products purchased, payment history and creditworthiness. Similarly, the definition of “third parties” is far-reaching and includes entity affiliates if the affiliates are separate legal entities.

Fortunately, the statute only applies to situations where a business knows or reasonably should have known that a third party would use the personal information disclosed for its own direct marketing purposes. If a business shares customer information with independent contractors, service providers or other third parties acting on its behalf, these disclosures do not trigger the requirements of the statute, as long as the third parties receiving the information don’t use the information for their own direct marketing efforts.

A business subject to SB 27’s disclosure requirements must adopt one of two compliance procedures. The first is to provide its California customers with a free method for opting out of its information-sharing practices. In that case, the company must provide notice of a customer’s opt-out rights using one of several specified methods.

In the alternative, an entity must provide, upon customer request, a detailed disclosure of its information-sharing activities during the previous calendar year. The disclosure need not list the recipients of the particular customer’s information, but it must list the categories of information shared and the names and addresses of the recipients. It also must describe the recipient’s business, if that is not obvious from the recipient’s name.

If a covered business fails to comply with SB 27’s requirements, a California customer has a private right of action. The customer may recover actual damages, costs, attorneys’ fees, and a “civil penalty” of $500 (increased to $3,000 if the court finds that the violation was reckless, willful or intentional).

SB 1633 - Restrictions on Obtaining Medical Information for Direct Marketing Purposes

Senate Bill 1633, effective January 1, 2005, prohibits obtaining medical information directly from an individual for marketing purposes without providing certain disclosures and obtaining that person’s consent. “Direct marketing purposes” means the use of personal information for marketing or advertising products, goods or services but does not include use to effect charitable or political contributions.

Consent may be oral or in writing. An oral request to use medical information for direct marketing purposes must be accompanied by an oral disclosure that the information is being obtained to market or advertise products, goods or services, and the individual must consent. The entire conversation must be recorded and kept for two years.

If consent is in writing, it must be accompanied by a clear and conspicuous disclosure of the direct marketing purpose, and the written consent must permit the medical information to be used or shared to market or advertise products, goods or services to the individual.

The bill exempts businesses that are already subject to the Confidentiality of Medical Information Act, certain telephone companies and insurance companies.

AB 68 - California Online Privacy Protection Act of 2003

Assembly Bill 68, or the “Online Privacy Protection Act of 2003” (OPPA) took effect on July 1, 2004, imposing requirements for the content and placement of privacy policies on Web sites or online services if they collect the personally identifiable information of consumers residing in California. Web site operators - wherever located - that collect personally identifiable information about individual consumers who reside in California via the Internet for commercial purposes must conspicuously post on their Web sites a privacy policy that meets the requirements of OPPA.

OPPA requires that such privacy policies describe: (1) the categories of personally identifiable information collected about individual consumers; (2) the categories of third parties (individuals or entities) with whom the personally identifiable information may be shared; (3) how an individual may review and request changes to his or her personally identifiable information; (4) how consumers using or visiting a Web site or online service will be notified of material changes to the privacy policy; and (5) the effective date of the privacy policy.

Be cautious in how you address each of these elements in your privacy policies, as you could face civil suits for unfair business practices under OPPA, as well as deceptive or unfair trade practices charges by the Federal Trade Commission, if you fail to comply with your posted privacy policies.

OPPA describes several ways to “conspicuously post” a privacy policy:

  • Post an icon on your Web site’s home page or first significant page that contains the word “Privacy” and is a contrasting color from your Web page or is otherwise distinguishable, and is linked to your privacy policy.
  • Post a text link to your privacy policy on your home page that contains the word “Privacy,” and is written in capital letters or in contrasting type, size, font or color.
  • Use any other hyperlink to the privacy policy that is displayed so “that a reasonable person would notice it.”
  • Post the entire text of the privacy policy on your home page.

Based on these guidelines, the common practice of placing a minuscule text link at the bottom of a long, scrolling home page is likely insufficient to meet the OPPA standards.

SB 1457 - Unlawful Commercial E-mail Advertisements

California’s original anti-spam legislation was pre-empted by the federal CAN-SPAM Act of 2003, effective January 1, 2004. Undeterred, California passed subsequent legislation in September 2004 to add teeth to the spam legislation by re-introducing the private cause of action and damages provisions that California had in its original legislation.

Under California law, the attorney general, an electronic mail service provider or a recipient of unsolicited commercial e-mail advertisements may sue for spam violations. Sanctions of $1,000 for each unlawful advertisement transmitted, not to exceed $1 million per incident, are available as damages for such violations; however, if sound practices and procedures were implemented, the sanctions are reduced to $100 per unlawful transmission, not to exceed $100,000 per incident. Prevailing party attorneys’ fees also are allowed.

AB 2840 - Electronic Surveillance Technology in Rented Vehicles

Don’t mess with Californians and their cars.

That’s the message sent when California signed into law in August 2004 legislation prohibiting vehicle renting companies from using, accessing or obtaining information obtained through technological means relating to the renter’s use of the vehicle.

This bill was prompted by rental companies fining customers thousands of dollars when a GPS system recorded that a rental car had been driven outside a designated driving area. Using electronic surveillance technology to obtain information on a renter’s use of the car is prohibited except to locate a stolen, abandoned or missing car after the rental agency has notified law enforcement, or one week after the contracted return date.

Additionally, electronic technology may be used for such purposes as remote locking and unlocking of a car, providing roadside assistance, and calculating total mileage and fuel consumption, as long as the information collected is not used for other purposes. No fines or surcharges may be imposed based on tracking technology. The renter may bring a private cause of action, and prevailing party attorneys’ fees are allowed.

AB 1733 - Cell Phone Numbers Protection Act

Assembly Bill 1733, effective January 1, 2005, allows cell phone owners to protect their privacy and the confidentiality of their cell phone numbers and gives them control over whether their cell phone number gets published in a directory and sold to telemarketers.

Cell phone companies are now required to get separate written permission from users before adding their cell phone numbers to a directory or directory database. Because cell phone users pay for all incoming calls, either on a per-minute basis or a fixed rate, this legislation aims to prevent telemarketers from forcing unwanted sales pitches and text message spam into users’ cell phones.

Most cell phone companies already have included in their standard contracts a specific clause that gives them the right to publish numbers. For example, T-Mobile’s service contract reads: “Unless you make other arrangements with us and pay any required fee, we may list your name, address, and number in a public directory.” With this new law, cell phone companies are required to get separate written consent to include subscribers’ numbers in a directory.

SB 1618 - Social Security Numbers on Paychecks

Effective January 1, 2008, California Senate Bill 1618 gives employers the option of showing only the last four digits of the employee’s social security number on wage statements, or, alternatively, an existing employee identification number that is other than the employee’s social security number.

Existing law in California requires that the employee’s name and social security number be printed on each pay stub provided to employees at the time wages are paid. Because the amended legislation states that “by January 1, 2008 only the last four digits of his or her social security number . . . may be shown on the check,” it is ambiguous whether an employer who makes this change now will be considered in violation of the current law. Although it may be safer practice to continue displaying the employee’s entire social security number until January 1, 2008, employers should begin considering the logistics (e.g., timing, cost, complexity) involved in implementing such changes by January 1, 2008.

What You Should Do

If you transact business with California residents, you should implement the following steps to comply with the new laws and avoid potential liability:

  • increase your understanding of these new requirements
  • immediately revise your policies and procedures - for online and offline business - as needed
  • provide seminars to train employees on new policies and procedures
  • update contracts, including information-sharing agreements
  • update employee handbooks
  • educate your customers on the new requirements
  • consult with your attorney to ensure compliance.

Businesses failing to comply could face:

  • monetary sanctions
  • private causes of action
  • damage to business reputation.

Even if you do not transact business in California, consider implementing company-wide policies that comply with California law. Compliance with those more stringent standards should make it unnecessary to adopt multiple policies to meet the varying requirements of different jurisdictions.

This article is informational only and should not be construed as legal advice or legal opinion on specific facts.