California AG’s Office Attorney Shares Views on Office’s Privacy and Security Enforcement Priorities; Recent California Privacy and Cybersecurity Laws
On Tuesday, a high ranking attorney in California’s Attorney General’s Office made clear that the office has maintained its laser focus on data privacy and security issues and has been paying close attention to the California legislature’s recent flurry of privacy and security related legislation. In a wide-ranging TRUSTe webinar, Joanne McNabb, the California AG’s Office Director of Privacy Education and Policy provided her take on these new laws – including the much discussed “teen digital erasure” (Cal SB 586) and “do not track disclosure” (Cal AB 370) laws. Perhaps of greater interest to the website operators, advertising networks, and other online service providers who need to comply with these laws, McNabb also shed some light on the California AG Office’s data privacy and security enforcement priorities.
The following presents some key takeaways from the presentation, including some steps companies can take to reduce their chances of ending up on the California AG’s Office’s radar – and, for that matter, the radar of any other state AGs looking to follow California’s lead.
According to McNabb, the California AG’s Office’s Privacy Unit likes to focus on the “three E’s”: (i) enforcing state and federal privacy laws, (ii) empowering consumers with information and strategies, and (iii) encouraging businesses and organizations to follow best practices. But, as McNabb also noted, the California AG’s Office’s enforcement activities probably count as E number one – particularly for companies that want to do business with California residents.
So where do the California AG Office’s enforcement priorities lie? We were able to cull three specific areas of note from McNabb’s presentation: (i) mobile privacy; (ii) data encryption; and (iii) securing medical health records.
McNabb shared that the California AG’s Office is in “various stages” of queries, investigations, and enforcement actions involving a number of mobile privacy issues, though she declined to be more specific for obvious confidentiality-related reasons. Notably, mobile privacy was the first topic McNabb addressed when discussing the office’s enforcement activities, so the issue is clearly front of mind for attorneys in the California AG’s Office.
Takeaway: Mobile app developers and service providers otherwise operating within the mobile ecosystem would be well advised to review the California AG’s Office’s recent guidance on mobile best practices, Privacy on the Go. Of course, mobile service providers should note that meeting business challenges while complying with California’s mobile mandates will require a much more careful analysis of how their actual mobile practices compare to applicable California laws and requirements.
McNabb, somewhat incredulously, referenced the continued failure of many businesses to use well-known encryption techniques to safeguard personal and sensitive consumer data in their possession. She noted a finding from California’s 2012 breach report that over half of the people put at risk by a data breach would not have been put at risk if the data had been encrypted, and reiterated that Cal SB 1386 provides a safe harbor for companies that have suffered a breach involving encrypted data. But she also warned that encryption, or rather the lack thereof, will be an area of increased enforcement activity.
Takeaway: This is a clear message to entities doing business with California residents that they need to review their data encryption practices, analyze their obligations under California law, and make sure that their practices are in accord with California’s requirements. For example, in California it is not enough to encrypt data while it is being stored; in many instances, entities also need to ensure that data is encrypted while it is in transit.
Electronic Medical Health Records
Electronic medical health record security will also be a major focus for the California AG’s Office – as, according to McNabb, corruption of such data is closely connected to medical identity theft. Specifically, she noted that AB 658 (effective 1-1-14) extends the electronic medical health records security and confidentiality mandates of the California Medical Information Act (CMIA) to any business that offers medical app software designed to maintain medical information and make such information available to individuals or providers for managing the information or a medical condition.
Takeaway: Thanks to AB 658, a business providing such medical app software need not be organized solely for this purpose to be captured under CMIA. In other words, a general app software developer that produces, amongst other products, medical app software is covered as a provider under CMIA and must meet that act’s data security and confidentiality requirements.
Cal AG’s Office Interpretations of, and Suggested Best Practices For, Complying With Recently Passed Laws
McNabb also provided some insights concerning some of California’s recently passed data privacy legislation, and we provide a brief analysis of these statements below.
Cal AB 370 (Effective 1-1-14)
Many have followed AB 370, which we summarized in this earlier post, with rapt attention throughout its entire legislative process, but questions still remain about the meaning of some of the law’s key provisions. McNabb did not provide answers to all of those questions yesterday, but she did share some helpful clarifications.
First, companies can meet the law’s tracking disclosures requirements by linking to a webpage that provides users the opportunity to opt-out of third party consumer tracking; but, according to McNabb, that webpage should provide users with a meaningful description of the actual effects of that tracking.
In a particularly telling example, McNabb noted that if the link is to a program that offers a mechanism to opt out of receiving behavioral advertising, it should also describe whether the user’s exercise of that opt-out will affect third party collection of personally identifiable information.
Takeaway: As the California AG’s Office sees it, website operators cannot comply with AB 370’s tracking disclosure requirements merely by linking to a webpage that provides users with the opportunity to opt out of behavioral advertising if that webpage does not also tell users about the effect of that opt-out on third party collection of their data across websites and over time.
Second, AB 370 is not meant to capture the tracking of users across affiliated websites that fall under the same corporate umbrella. According to McNabb, AB 370’s use of the term “third party” websites was not an accident: collecting info across websites that are not “third party” sites (i.e., sites under the same corporate umbrella) does not constitute online tracking under AB 370.
Takeaway: Companies – even those that think users are tracked only across sites that fall under the same corporate umbrella – will still need to inventory just who does collect user info and analyze whether the sites across which user info is collected do all, in fact, fall under the same “corporate umbrella” and would not be considered third party sites. Here, McNabb was notably silent on the issue of just exactly who is a third party and who is an affiliate, so it looks like this is something companies are going to have to analyze on their own, at least for now.
Cal SB 568 (Effective 1-1-15)
As an initial matter, there is a key difference between SB 568, which creates certain advertising restrictions and data disposal obligations for websites directed at minors, and the federal law governing the online collection of information from children (commonly referred to as COPPA): COPPA covers only the collection of information from children under 13, while SB 568 applies to all minors under the age of 18.
SB 568 does not require covered websites (websites directed at kids under the age of 18) to notify third parties that might collect info from visitors to the covered website (such as an ad network) of their status as a covered website. But these websites remain responsible for ensuring that information collected from minors on their website is treated in a manner that complies with SB 568.
Takeaway: Here, McNabb affirmed that covered websites may comply with this obligation merely by informing third parties of their status as a covered website.
Once they do so, the obligation to treat the minor’s information in a manner that’s compliant with SB 568 rests entirely with the third party entities and not the site operator.
Cal SB 46 (Effective 1-1-14)
If you have suffered a breach that triggers notification requirements, you can meet those notification requirements by sending an email to the affected individual. Not surprisingly, there is an exception to this general rule for email service providers that have suffered a breach. They may not meet their notification obligations by sending an email to the breached account; rather, they may do so by placing a notice about the breach on the email login page, provided that the login page is being accessed from the same IP address from which the affected individual normally accesses the page.
Takeaway: We note here that the California AG’s Office is looking for more suggestions as to how to provide electronic breach notifications to affected individuals, so companies have an opportunity to share their ideas for efficient and effective electronic notification mechanisms.
It is a well-known fact that the California AG’s Office has taken privacy and security issues seriously. During Tuesday’s TRUSTe webinar, McNabb left little doubt that this will not change; if anything, companies should expect the office to be even more active in enforcing the privacy and security requirements it deems important to the protection of California’s residents.
One final note to keep in mind: California is not the only state with an AG’s office that is looking to focus its attention and enforcement activity on these issues. According to McNabb, each year the National Association of Attorneys General – NAAG for short – allows the presiding AG to propose a major annual project for the organization and its members. The focus of last year’s project? Privacy. The focus of this year’s project? Cybersecurity.