California has enacted extensive legislation in the privacy, security, anti-spam and anti-spyware areas that effectively molds the national agenda for fighting identity theft, protecting personally identifiable information (especially for direct marketing purposes) and regulating the Internet. This article highlights the most important legislation, focusing on privacy and security statutes effective on January 1, 2005.
While these new bills only apply to California residents or their personally identifiable information, for the following reasons all businesses - regardless of location - should take heed:
SB 1436 - Restrictions on Installation of ‘Spyware’ on California Consumers’ Computers
Senate Bill 1436, the Consumer Protection Against Computer Spyware Act, effective January 1, 2005, prohibits the unauthorized installation of software on a California consumer’s computer. The Act also forbids the use of that software to deceptively modify that computer’s settings that may affect the computer’s access to or use of the Internet, including altering the consumer’s home page, default search page, or bookmarks; sending viruses; or taking control of an infected system as part of a distributed denial-of-service attack. The Act also outlaws the collection, “through intentionally deceptive means,” of “personally identifiable information” (such as user names and passwords) through keystroke-logging, tracking Web site visits or extraction of such information from a consumer’s hard drive.
Those seeking to install software on a California consumer’s computer must notify the consumer regarding what the software will do (for example, if it is a program that will collect information, the consumer must be told what type of information will be collected and what will be done with the information) and obtain the user’s consent to the installation. Consent can be obtained in various ways, including through an on-screen dialogue box advising the consumer that clicking “OK” will install the program.
The Act defines a consumer as “an individual who resides in [California] and who uses the computer in question primarily for personal, family or household purposes.” It does not require a software provider to obtain consent from every employee of a business when installing information-gathering software on the business’ computer system or network.
The Act also bans software that cannot be uninstalled or disabled, or that makes it seem as though the software has been uninstalled or disabled when it has not been. It also prohibits the installation of software which would remove or render inoperative security, anti-spyware or anti-virus software on the consumer’s computer. The law allows affected consumers to bring a lawsuit against the offending party and, if successful, recover damages of $1,000 per incident or violation, as well as attorney’s fees.
AB 1950 - Security Requirements for Personal Information About a California Resident
Assembly Bill 1950, effective January 1, 2005, mandates that owners or licensors of unencrypted personal information about California residents implement and maintain reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification or disclosure.
To the extent that personal information about a California resident is disclosed to a nonaffiliated third party, a contract with such third party must mandate security and protect the personal information from unauthorized access, destruction, use, modification or disclosure. “Personal information” is defined as a person’s name combined with a social security number, driver’s license number, or California identification card number, account number and password, or medical history, treatment or diagnosis.
This bill supplements other California legislation regarding notice of breaches of security of personal information (SB 1386), but does not pre-empt federal or state legislation protecting personal financial or medical information such as the California Financial Information Privacy Act, the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act (HIPAA).
Additionally, the bill excludes entities subject to the confidentiality requirement of the Vehicle Code and any other business regulated by state or federal law providing greater protection to personal information than that provided by this bill.
SB 27 - Restrictions on the Disclosure of Personal Information to Direct Marketers
Senate Bill 27, effective January 1, 2005, imposes stringent new disclosure and notice requirements on entities that collect and share personal information about their California customers. Informally referred to as the Golden State’s “Shine the Light” law, SB 27 was drafted to address the growing privacy concerns of California residents and to combat increasing incidents of identity theft.
Under the new statute, a business that discloses a California customer’s personal information to a third party for direct marketing purposes must either provide the customer a free opt-out procedure that will prevent sharing of that customer’s information, or, upon request, identify the recipients of the information and describe the categories of information disclosed during the previous calendar year.
SB 27 specifically covers business relationships created over the Internet and through mail order activities, so it does not just affect businesses located in California. Entities outside the state that collect personal information on California residents using Web sites and other alternative marketing channels and then disclose that information also are subject to the statute’s provisions.
“Personal information” is defined expansively to include a wide range of customer data, including name, address, phone number, e-mail address, physical description, products purchased, payment history and creditworthiness. Similarly, the definition of “third parties” is far-reaching and includes entity affiliates if the affiliates are separate legal entities.
Fortunately, the statute only applies to situations where a business knows or reasonably should have known that a third party would use the personal information disclosed for its own direct marketing purposes. If a business shares customer information with independent contractors, service providers or other third parties acting on its behalf, these disclosures do not trigger the requirements of the statute, as long as the third parties receiving the information don’t use the information for their own direct marketing efforts.
A business subject to SB 27’s disclosure requirements must adopt one of two compliance procedures. The first is to provide its California customers with a free method for opting out of its information-sharing practices. In that case, the company must provide notice of a customer’s opt-out rights using one of several specified methods.
In the alternative, an entity must provide, upon customer request, a detailed disclosure of its information-sharing activities during the previous calendar year. The disclosure need not list the recipients of the particular customer’s information, but it must list the categories of information shared and the names and addresses of the recipients. It also must describe the recipient’s business, if that is not obvious from the recipient’s name.
If a covered business fails to comply with SB 27’s requirements, a California customer has a private right of action. The customer may recover actual damages, costs, attorneys’ fees, and a “civil penalty” of $500 (increased to $3,000 if the court finds that the violation was reckless, willful or intentional).
SB 1633 - Restrictions on Obtaining Medical Information for Direct Marketing Purposes
Senate Bill 1633, effective January 1, 2005, prohibits obtaining medical information directly from an individual for marketing purposes without providing certain disclosures and obtaining that person’s consent. “Direct marketing purposes” means the use of personal information for marketing or advertising products, goods or services but does not include use to effect charitable or political contributions.
Consent may be oral or in writing. An oral request to use medical information for direct marketing purposes must be accompanied by an oral disclosure that the purpose of obtaining the information is to market or advertise products, goods or services, and the individual must consent. The entire conversation must be recorded and kept for two years.
If consent is in writing, it must be accompanied by a disclosure of the direct marketing purpose in a clear and conspicuous manner, and the written consent must permit medical information to be used or shared to market or advertise products, goods or services to the individual.
The bill exempts businesses that are already subject to the Confidentiality of Medical Information Act, certain telephone companies and insurance companies.
AB 68 - California Online Privacy Protection Act of 2003
Be cautious in how you address each of these elements in your privacy policies, as you could face civil suits for unfair business practices under OPPA, as well as deceptive or unfair trade practices charges by the Federal Trade Commission, if you fail to comply with your posted privacy policies.
Based on these guidelines, the common practice of placing a minuscule text link at the bottom of a long, scrolling home page is likely insufficient to meet the OPPA standards.
SB 1457 - Unlawful Commercial E-mail Advertisements
California’s original CAN-SPAM legislation was pre-empted by the federal CAN-SPAM Act of 2003, effective January 1, 2004. Undeterred, California passed subsequent legislation in September 2004 to add teeth to the SPAM legislation by re-introducing the private cause of action and damages provisions that California had in its original legislation.
Under California law, the attorney general, electronic mail service provider or recipient of unsolicited commercial e-mail advertisements may sue for SPAM violations. Sanctions of $1,000 for each unlawful advertisement transmitted, not to exceed $1 million per incident, are available as damages for such SPAM violations; however, if sound practices and procedures were implemented, such sanctions would be reduced to $100 per unlawful transmission not to exceed $100,000 per incident. Prevailing party attorneys’ fees also are allowed.
AB 2840 - Electronic Surveillance Technology in Rented Vehicles
Don’t mess with Californians and their cars.
That’s the message California sent when, in August 2004, it signed into law legislation prohibiting vehicle rental companies from using, accessing or obtaining information gathered through technological means about the renter’s use of the vehicle.
This bill was prompted by rental companies fining customers thousands of dollars when GPS tracking showed that a rental car had been used outside a designated driving area. Using electronic surveillance technology to gather information on a renter’s use of the car is prohibited, except to locate a stolen, abandoned or missing car after the rental agency has notified law enforcement, or one week after the contracted return date.
Additionally, electronic technology may still be used for such things as remotely locking or unlocking a car, providing roadside assistance, and calculating total mileage and fuel consumption, as long as the information collected by the technology is not used for other purposes. No fines or surcharges may be imposed based on tracking technology. The renter may file a private cause of action, and prevailing party attorneys’ fees are allowed.
AB 1733 - Cell Phone Numbers Protection Act
Assembly Bill 1733, effective January 1, 2005, allows cell phone owners to protect their privacy and the confidentiality of their cell phone numbers and gives them control over whether their cell phone number gets published in a directory and sold to telemarketers.
Cell phone companies are now required to get separate written permission from users before adding their cell phone numbers to a directory or directory database. Because cell phone users pay for all incoming calls, either on a per-minute basis or a fixed rate, this legislation aims to prevent telemarketers from forcing unwanted sales pitches and text message spam into users’ cell phones.
Most cell phone companies already have included in their standard contracts a specific clause that gives them the right to publish numbers. For example, T-Mobile’s service contract reads: “Unless you make other arrangements with us and pay any required fee, we may list your name, address, and number in a public directory.” With this new law, cell phone companies are required to get separate written consent to include subscribers’ numbers in a directory.
SB 1618 - Social Security Numbers on Paychecks
Effective January 1, 2008, California Senate Bill 1618 gives employers the option of showing only the last four digits of the employee’s social security number on wage statements, or, alternatively, an existing employee identification number that is other than the employee’s social security number.
Existing law in California requires that the employee’s name and social security number be printed on each pay stub provided to employees at the time wages are paid. Because the amended legislation states that “by January 1, 2008 only the last four digits of his or her social security number . . . may be shown on the check,” it is ambiguous whether an employer who makes this change now will be considered in violation of the current law. Although it may be safer practice to continue displaying the employee’s entire social security number until January 1, 2008, employers should begin considering the logistics (e.g., timing, cost, complexity) involved in implementing such changes by January 1, 2008.
What You Should Do
If you transact business with California residents, you should implement the following steps to comply with the new laws and avoid potential liability:
Businesses failing to comply could face:
Even if you do not transact business in California, consider implementing company-wide policies that comply with California law. Compliance with those more stringent standards should make it unnecessary to adopt multiple policies to meet the varying requirements of different jurisdictions.
Dana T. Nguyen, Barbara L. Delaney, Tracey S. Pachman, Sharon R. Klein and Charles S. Marion
This article is informational only and should not be construed as legal advice or legal opinion on specific facts.