California

California expands privacy protections for state residents

A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.

A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.

Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.

Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”

The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.

December 3rd, 2014|Legislation, Privacy|

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.
October 15th, 2014|Legislation, Security|

New law bans California employers from asking about dismissed criminal records

Effective January 1, 2014, SB 530 will ban most California employers from asking employees or applicants about arrests that did not result in conviction (except for arrests for which the individual is still awaiting trial) or about participation in a pretrial or post-trial diversion program. Generally, the new law prohibits most employers from asking applicants to disclose, or from using as a factor in employment decisions, any information concerning a conviction that has been judicially dismissed or ordered sealed.

December 10th, 2013|Employment Decisions, Legislation|

California passes two new data privacy laws

Effective January 1, 2014, California will have two new data privacy laws: AB 370, which mandates disclosure of “do not track” and other tracking practices in online privacy policies, and SB 46, which amends the state’s data security breach notification law.

AB 370 adds to the California Online Privacy Protection Act (“CalOPPA”) a requirement for companies that collect personally identifiable information online to include disclosures regarding (1) how they respond to a web browser’s “do not track” (DNT) signal, and (2) whether third parties can collect personal information across a network of sites. The law does not require websites to honor browser DNT signals or block third-party tracking; it simply tries to increase transparency about the site’s practices.

SB 46 adds a new category of data triggering California’s breach notification requirements, to wit: “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The new law requires notification of unauthorized access to user credential information even if that information is encrypted.

October 25th, 2013|Educational Series, Legislation, Privacy|

Tenant screening laws update: passing background check costs to the applicants

The states of Washington and Oregon recently enacted laws in connection with tenant screening. Among the provisions in both Washington’s RCW §59.18.257 and Oregon’s ORS §90.295 is that the entire cost of the background check can be charged to the applicant if the screening is performed by a consumer reporting agency (“CRA”). However, if the landlord conducts the background check, it may not charge in excess of the customary fees of the CRAs in its geographical area.

Notably, California’s Civil Code §1950.6(b) provides that a landlord cannot charge (or pass-through) to the applicant more than $30 for a background check. This application screening fee may be adjusted annually by the landlord or its agent commensurate with an increase in the Consumer Price Index. (The current adjusted amount is $41.50.)

September 12th, 2013|Business Transactions, Legislation|

Do you know about the Right to Know Act?

The recently introduced “Right to Know Act of 2013” (Assembly Bill 1291), would require any business that retains or shares personal information of California residents to provide, at no charge and within 30 days of receiving a request from the subject, all information retained about him/her, as well as the names and contact information for all third parties to whom that business has disclosed the information within the last 12 months. This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law, which this bill would repeal.

May 6th, 2013|Legislation|

New California law requires efforts to ensure supply chains are free of slavery

Effective January 1, 2012, California SB657, known as The California Transparency in Supply Chains Act of 2010, will mandate retail sellers and manufacturers doing business in California with annual gross receipts exceeding $100 million to conspicuously and clearly disclose their efforts and policies for ensuring that their supply chains are free from human trafficking and slavery.

The targeted companies are required to make these disclosures on their websites; if a company does not have a website, the information must be provided in writing within 30 days of a consumer request. Although the Act does not mandate any specific language, the disclosure must be easily understood and explain the procedures, if any, that the company has in place, in reference to:

    • Evaluating and addressing the human trafficking and slavery risks in its product supply chains (disclosure must state whether or not the company is using a third party to assess these risks);
    • Requiring direct suppliers to certify that the materials used in the products comply with slavery and human trafficking laws in the countries in which they are doing business;
    • Conducting supplier audits to evaluate compliance with company standards on trafficking and slavery (disclosure must state whether or not the audits are independent and unannounced);
    • Maintaining accountability standards and procedures for employees or contractors who fail to meet company standards regarding slavery and human trafficking;
    • Training employees and managers who have direct responsibility with supply chain management on the mitigation of human trafficking and slavery risks.

While the Act has gained significant attention from California companies, its expansive jurisdictional provisions make it applicable to many large retail sellers and manufacturers that are organized or domiciled outside of California, as the $100 million gross receipts threshold for compliance is based on worldwide sales revenue. And since the threshold is relatively low and set in dollar amounts, it can be triggered by earning less than 1% of that revenue in the state, owning some property or having even one employee or contractor here (see CA Revenue and Taxation Code Section 23101 for a full definition of “doing business in California”).

California SB657 is a disclosure law and does not require companies to do things differently, but its deceptive simplicity brings into focus the importance of proactive risk management. And for many companies, it is a call to action to move beyond this law’s mere disclosure compliance and implement or strengthen their risk management programs not only for brand equity protection but also in recognition of their corporate social responsibility.

In our products portfolio, SI offers specialized background investigations for vendor/third-party engagements which include elements and search strategies designed to find, among other criteria, indications or records of slavery and human trafficking in supply chains.

The Act is a disclosure law and does not impose any substantive regulation on supply chain activities. Nor, unlike the “conflict minerals” provisions of the Dodd-Frank regulatory reform law, does it impose any affirmative obligations on companies to perform diligence regarding the existence of slavery or human trafficking in their supply chains. Nonetheless, as a matter of corporate social responsibility as well as public image, companies may wish to consider whether it is appropriate to adopt policies or procedures to mitigate the risk that slavery or human trafficking exists in their supply chains.

December 11th, 2011|Legislation|