At the end of September, California Governor Edmund G. Brown, Jr. approved six bills designed to enhance and expand California’s privacy laws. These new laws are scheduled to take effect in 2015 and 2016. It will be important to be mindful of these new laws and their respective requirements when dealing with personal information and when responding to data breaches.
Expansion of Protection for California Residents’ Personal Information – AB 1710
Under current law, any business that owns or licenses certain personal information about a California resident must implement reasonable security measures to protect the information and, in the event of a data or system breach, must notify affected persons. See Cal. Civil Code §§ 1798.81.5-1798.83. Current law also prohibits individuals and entities from posting, displaying, or printing an individual’s social security number, or requiring individuals to use or transmit their social security number, unless certain requirements are met. See Cal. Civil Code § 1798.85.
The bill makes three notable changes to these laws. First, in addition to businesses that own and license personal information, businesses that maintain personal information must comply with the law’s security and notification requirements. Second, in the event of a security breach, businesses now must not only notify affected persons, but also provide “appropriate identity theft prevention and mitigation services” to the affected persons at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information. Third, in addition to the current restrictions on the use of social security numbers, individuals and entities now also may not sell, advertise to sell, or offer to sell any individual’s social security number.
Expansion of Constructive Invasion of Privacy Liability – AB 2306
Under current law, a person can be liable for constructive invasion of privacy if the person uses a visual or auditory enhancing device and attempts to capture any type of visual image, sound recording, or other physical impression of the person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy. See Cal. Civil Code § 1708.8.
The bill expands the reach of the current law by removing the limitation requiring the use of a “visual or auditory enhancing device” and imposing liability if the person uses any device to capture a visual image, sound recording, or other physical impression of a person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.
The law will also continue to impose liability on those who acquire the image, sound recording, or physical impression of the other person, knowing that it was unlawfully obtained. Those found liable under the law may be subject to treble damages, punitive damages, disgorgement of profits and civil fines.
Protection of Personal Images and Videos (“Revenge Porn” Liability)– AB 2643
Assembly Bill 2643 creates a private right of action against a person who intentionally distributes by any means, without consent, material that exposes a person’s intimate body parts or the [...]