2015 Internet Law and Cybersecurity Law Updates - Part 2

As promised here are your new and exciting 2015 California law updates!

1) California Eraser Button Law (S.B. 568): This law specifically requires operators of websites, online services, or applications to provide notice to minors of their rights to remove their content, provide clear instructions on how to exercise these rights, and notify that removal of such content or information does not guarantee complete removal.  Covered under the new law, are operators of a site, service, or app that is intended to reach an audience primarily comprised of minors or operators the with actual knowledge that minors are using those sites, services, or apps.  While this may be great news for minors who can now delete regrettable posts, they must be aware that this does not protect them from information or content posted by others. 

Marketing Prohibitions: This new law also protects minors by prohibiting operators from advertising and marketing products and services that minors are not allowed to purchase by law.  Part of the enumerated list of products and services include firearms, tattoos, and alcohol.  

2) Amendment to A.B. 1710: In the wake of the recent string of corporate data breaches, this amendment was implemented so businesses would know exactly what their security obligations are. Businesses that hold personally identifiable information (PI) about California residents must beware. Effective January 1, 2015, the new amendment requires businesses to provide free identify theft protection services for at least 12 months, expands its scope to cover businesses that also maintain (not only own and license) this information, and prohibits anyone from selling social security numbers (SSN). 

Free Identity Theft Protection: Luckily for California residents, it seems our state is at the forefront being the first to require that “appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months…” if a breach involves that individual’s name, SSN, driver’s license number, or California identification card number.  However, there is much debate whether the “if any” means that it gives businesses a choice as to whether to provide identity protection and mitigation services, or whether it is absolutely required in the cases where the breach involves the release of the person’s name and SSN.  Additionally, the amendment fails to explain what constitutes “mitigation services.”  These ambiguities will have to be interpreted by the courts soon, but it seems that the industry standard requires businesses affected by a data breach to provide at least 12 months of free services to protect against identity theft. 

Businesses that Maintain “PI”: Now, those businesses that own, license, and maintain PI about California residents are required to implement reasonable security measures and procedures to protect against unauthorized disclosure of that information.  Also, they must contractually require third parties to whom they disclose PI to implement the same safeguards. 

Social Security Number Protections: The amended statute is expanded to prohibit anyone from selling, advertising for sale, or offering to sell an individual’s social security number. Exceptions include the release of a social security number as part of a larger transaction to accomplish a business purpose or a purpose specifically authorized or allowed by federal or state law.

* In short, businesses that collect PI about California residents should review their policies, security protocols, and incident response programs to ensure compliance with the new amendment.  Businesses should also ensure they are covered by insurance, and vendors must be aware that the amendment now directly subjects them to implementing safeguards to protect PI. 

ALG is staying well-informed of these and other Internet law and Intellectual Property law related matters to make sure we can properly counsel our clients. If you have any questions regarding this or any other Internet law or business law related matters, please contact Antoine Law Group, APC.

LEGAL DISCLAIMER: Materials on this web site are for informational purposes only. These materials do not constitute legal advice, should not be considered as legal authority, and do not create an attorney-client relationship. You should not act or rely upon these materials without seeking professional counsel. Please contact our office so we may evaluate the specific needs and discuss the facts and issues you may be experiencing. Sending e-mail also does not establish an attorney-client relationship. An attorney-client relationship can only be established by mutual written consent with an attorney. Unless and until an attorney-client relationship is established, e-mail and other communications sent may not be privileged. This site and the content herein may be considered an advertisement under regulations of the California State Bar.