At a time when advocates for issues of every sort are lamenting the gridlock in Congress, privacy advocates have found solace in California. Fortifying the state’s place at the cutting edge of privacy policymaking, California governor Jerry Brown signed several bills into law last week addressing a variety of privacy, security breach notification and surveillance concerns. These bills impose limitations on activities as diverse as identity theft protection and monitoring, the distribution of sexually explicit images without the subject’s consent, aggressive journalism tactics, the warrantless collection of phone records by government agencies, and – in what may be the most momentous of last week’s privacy wave – the collection and use of student data.
Online Student Data
Heralded as a landmark privacy bill, the Student Online Personal Information Protection Act (SOPIPA or Senate Bill 1177), proposed by Sen. Darrell Steinberg, restricts information collection and marketing uses in online educational services. Privacy in K-12 education is a red-hot topic on the national stage, with legislative proposals in the U.S. Senate, more than 100 legislative bills in dozens of states, and the very public demise of ed tech leader inBloom in the face of withering criticism.
SOPIPA requires online operators to use student information strictly for school purposes and to delete student information when it is no longer needed for the original school purpose. It prohibits online operators from selling student data, amassing student profiles for non-educational purposes, or using students’ personal information to target advertising to students or their parents – on the operators’ own site and on any other site or service. Operators are not permitted to disclose student information except under narrowly specified circumstances; de-identified information in aggregate may be shared to develop and improve educational sites. SOPIPA further requires operators to safeguard students’ personal information with adequate security protections, and it holds website operators liable for SOPIPA violations by service providers operating on their site. Given the scope and significance of SB 1177, it is understandable that some anticipate a revolutionary effect on the education technology market.
Getting less attention but closely following in the student data protection trend, Gov. Brown also signed Assembly Bill 1442, submitted by Mike Gatto, which addresses the monitoring and collection of information about students from social media accounts. Proposed in response to a California school’s pilot program to track students’ posts on social media, the law requires schools to be more transparent about tracking activities and to delete any information within a year of a student leaving the school.
Identity Theft Prevention
Assembly Bill 1710, proposed by Assemblymember Roger Dickinson, makes three amendments to California’s original security breach notification law. It has been closely watched by industry given the 2003 law’s pedigree as the first security breach notification act in the nation and around the world. The first change expands the application of the law from businesses that own or license personal information about a California resident to ones that merely maintain such personal information. This expands the scope of companies subject to the statutory obligation to “implement and maintain reasonable security procedures and practices” to protect a resident’s personal information from being accessed without authorization, destroyed, used, modified or disclosed. The second amendment expands the protections for a California resident’s social security number. In addition to the law’s original prohibition against posting or displaying a SSN, it is now illegal for a person or entity to sell, advertise for sale, or offer to sell an individual’s SSN.
Significantly, the third change appears to require breached companies to offer one year of identity theft prevention and monitoring to California residents affected by an information security breach. Already an industry best practice for security breach remediation, this practice is now formally sanctioned by law. However, critics have highlighted the ambiguous language of the amendment, which states that if a company is the source of a breach, “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months” (emphasis added). The words “if any” could imply that companies are not obliged to provide remediation, while the meaning of “appropriate” prevention and mitigation services will no doubt also be the subject of debate. It is worth noting that as originally proposed, the law would clearly have obliged breached companies to offer two years of identity theft prevention and mitigation services at no cost to affected consumers. That language was “softened” before the bill became law.
Given that California has led the way in security breach legislation, it is plausible that other states will now follow its lead in this round of changes as well.
Revenge Porn, Round Two
SB 1255 and AB 2643 expand on the prohibitions of SB 255, the first bill California passed to curb what has become known as “revenge porn,” the practice of publicly sharing sexually explicit material online (typically by an ex-partner) without the consent of the individual pictured. In 2013, SB 255 made it illegal to distribute sexually explicit photographs or video with the intent to cause emotional distress when the images were taken in situations that the parties expected to remain private. Senate Bill 1255, introduced by Sen. Anthony Cannella, broadens the scope of protected images to include “selfies” – photos that people take of themselves – thereby making it illegal “to distribute revenge porn regardless of who created the image.” In addition, Assembly Bill 2643, introduced by Assemblymember Bob Wieckowski, enables a victim of revenge porn to bring a civil action against the distributor of the image or video. The private right of action grants victims the ability to seek damages and a restraining order to cease distribution of the image.
Aggressive Paparazzi
As befits the state of Hollywood and celebrity tourism, three of California’s new privacy bills are intended to curb aggressive surveillance and photography, aka paparazzi. Assembly Bill 1256, introduced by Assemblymember Richard Bloom, seeks to create a zone of privacy around the entries and exits of public facilities, such as medical centers or schools, to prevent the blocking or intimidation of visitors. It also prohibits trespass with intent to photograph or record a person engaging in private or familial activities. The law provides a private cause of action against violators for compensatory and punitive damages. It was one of the two bills introduced by Assemblymember Bloom to address the paparazzi, both of which are now law. The second, Assembly Bill 1356, expands the definition of “stalking” to include lingering outside a home, school or workplace, essentially putting an individual under surveillance without a legitimate purpose.
These bills go hand-in-hand with Assembly Bill 2306, introduced by Assemblymember Ed Chau, which amends the language of existing privacy law to cover invasion of privacy using any type of device – not just a visual or auditory enhancing device – to capture another person in circumstances under which they have a reasonable expectation of privacy. This expansion of terminology is intended to adapt the Golden State’s existing privacy legislation to rapid technological innovation (think drones).
Warrantless Information Collection
In what amounts to a reproach of federal agency overreach with regard to information collection, Gov. Brown signed Senate Bill 828, introduced by Sen. Ted Lieu, which prohibits California from supporting a federal agency’s request to collect digital personal data or metadata if the request is illegal or unconstitutional. This comes shortly after Gov. Brown vetoed a bill prohibiting warrantless use of drone surveillance, arguing that exemptions to the prohibition were too narrowly conceived.
Government Websites
In addition to these bills, which have sent the privacy world into a buzz, Gov. Brown signed an additional privacy bill to significantly less fanfare. Not to be overlooked, however, Assembly Bill 928, by Assemblymember Kristin Olsen, requires each state agency and its departments to post a conspicuous privacy policy on their website.
Conclusion
In November 2013, the IAPP Westin Research Center published an article dubbing the legislative activity in California a “privacy tidal wave from the Pacific.” With the new measures signed into law, California continues to draw new lines in the sand for privacy policy in other states, in Washington, and around the globe. The new laws expand privacy protections across a broad range of issues, from granting a private right of action against privacy intrusions that were previously addressed only by criminal law to safeguarding Fourth Amendment protections in view of technological advances. As has often been the case in the past, California provides a yardstick for the future of privacy legislation in the U.S. and around the world. Don’t be surprised if this latest wave washes across the country in the years to come.