Data Protection Report - Norton Rose Fulbright

This month, California Governor Jerry Brown signed into law five new privacy bills that the Governor said are intended to strengthen data protections for the state’s residents. The laws, effective as of January 1, 2016, implement California’s Electronic Communications Privacy Act and amend the state’s breach notification statute, among other things.

In this post, our Data Protection, Privacy & Cybersecurity team members discuss these new laws and what they mean for companies.

California Electronic Communications Privacy Act

The Electronic Communications Privacy Act (CalECPA), S.B. 178, severely restricts the ability of government authorities to seek electronic communication information for law enforcement purposes. Government authorities must now obtain a warrant or court order before requiring a company to produce or provide access to communications data such as the content of a user’s communications, header/routing information, location information, or metadata. The government cannot simply request such information for the purpose of investigating or prosecuting a crime. Unless an exception applies, CalECPA also requires the government to obtain a warrant, wiretap order, or specific consent from the owner or authorized possessor, before it can access an electronic device (e.g., hardware or storage media).

CalECPA’s restrictions represent a major departure from the federal standard under ECPA, in which information older than 180 days can be obtained for law enforcement purposes with only a subpoena.

Breach Notification Changes

Three separate laws amend the California data breach notification law. These amendments require changes to the appearance of breach notification letters, define “encryption” (such that some technologies may not qualify under the definition), and cover automated license plate recognition (ALPR) system data.

Breach Notification Letter Changes

S.B. 570 requires that data breach notifications are titled “Notice of Data Breach” and clearly and conspicuously display the following headings:

  • What happened
  • What information was involved
  • What we are doing
  • What you can do
  • For more information

The format of the notice must “be designed to call attention to the nature and significance of the information it contains,” and it must be printed in at least 10-point font. California has provided a model security breach notification form to demonstrate what it deems compliant.

These changes will require companies to reassess the content of their breach notices. While a single letter can often be drafted to satisfy the requirements of multiple state breach notice laws, businesses will now need to determine whether some or all of their notices should follow California’s standard, or whether a separate letter should be created for California residents.

Encryption

Under A.B. 964, “encrypted” is now defined for purposes of California’s breach notification law as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” This creates a potentially vague standard as to what type of technology or methodology is “generally accepted in the field of information security,” which is likely to shift over time.

Companies should assess whether their current encryption solution meets – or is likely to meet – California’s new standard. If the encryption standard used to protect data turns out not to be “generally accepted,” a breach of that data may require notification in California once A.B. 964 takes effect.

Automated License Plate Recognition (ALPR) System Data

S.B. 34 amends the definition of “personal information” under the breach notification law to include information or data collected through the use or operation of an ALPR system (i.e., fixed or mobile cameras that are able to recognize a license plate through optical character recognition technology). This means that a license plate number – if obtained from an ALPR system – is now a data element (if combined with an individual’s first name or initial and last name) subject to breach notification in California.

It may be surprisingly common for a company to maintain ALPR data. Although ALPR technology is often discussed in connection with privacy and civil liberties concerns surrounding the government’s ability to track individuals’ movements, such systems are also used for premises security in the private sector, such as to determine the vehicle tags that enter or exit the premises. If a California company uses an ALPR system to recognize a plate as being associated with an employee by name, and that data is subject to a breach, a notification obligation will likely attach.

It may therefore be prudent for companies that use ALPR technology to determine whether names (as opposed to, for example, employee ID numbers) are associated with that data, and whether the amendment necessitates any changes to company practices to ensure that data is protected in accordance with the new substantive requirements imposed on ALPR technology (discussed below).

Technology Regulation – ALPR and Connected Televisions

Finally, a variety of new requirements have been enacted to regulate operators and users of ALPR technology, and the operation of voice recognition features of connected televisions.

ALPR Technology

California S.B. 34 imposes requirements on an operator and user of an automated license plate recognition system. In relevant part, under the new law, both the operator and user of an ALPR system (which may be the same entity) must maintain reasonable security procedures and practices to protect ALPR data, and operators must maintain ALPR access logs. The law also requires operators and users to implement a usage and privacy policy, to ensure that access, use, sharing and dissemination of ALPR information “is consistent with respect for individuals’ privacy and civil liberties.” The policy must be made available to the public in writing and posted conspicuously to the operator/user’s website (if any). Operators are responsible for ensuring that ALPR data is used only for the authorized purposes disclosed in their privacy policy.

The law authorizes a private civil action against a person who “knowingly caused” harm by violating the law. The law sets a floor of $2,500 statutory damages, but allows the recovery of actual damages and authorizes punitive damages, attorneys’ fees, and equitable relief.

Companies should ensure that their policies and procedures applicable to any ALPR system in place within the organization comply with S.B. 34. This may necessitate updating website privacy policies to cover ALPR use. Although the new law does not require the security procedures and practices to be documented in writing, corporations maintaining comprehensive written information security policies may wish to address ALPR systems during their next scheduled review cycle.

Voice Recognition Features of Connected Televisions

California A.B. 1116 imposes a variety of privacy-protective restrictions on voice recognition features of connected televisions. The law requires a “person or entity” that provides “the operation of a voice recognition feature” of a connected television to inform users, upon installation or setup, of the voice recognition feature. Voice recordings collected by the television’s manufacturer or contractor “for the purpose of improving the voice recognition feature” may not be sold or used for advertising.

The new law further provides that a manufacturer is liable only for functionality provided at the time of the original sale, and not for applications that the user chooses to use or install. This provision seems to provide a giant back-door to the law’s restrictions if the manufacturer subsequently pushes a firmware or software update that provides it with rights or abilities that were not available at the time of the original sale. However, such conduct presumably could be challenged under other legal grounds, such as under an unfair or deceptive trade practices statute.

The law does not create a private right of action; it may be enforced only by the California Attorney General or a district attorney. The law permits a court to issue an injunction and authorizes a civil penalty not to exceed $2,500 for each connected television sold or leased in violation of the law.

Our Take

These new laws are yet another indication of California’s leadership on privacy legislation. We will continue to monitor state privacy laws to see if other states follow California’s lead in enacting similar changes and protections.
