California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA.┬áNotification to consumers is not required if only encrypted data is breached.

SB 570 mandates that data breach notices sent to California residents have specific titles that are clearly and conspicuously in the notice, and the body of the notice can be in no less than 10 point font. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.

New laws on data collection and security will also affect businesses and government agencies in 2016.

SB 178 requires government agencies investigating crimes to obtain a search warrant to access information from an electronic device or electronic communications service. It also requires that the warrant specifically identify the time period and data sought. Anybody served with a warrant or order can move to have the order modified or voided if it does not meet the requirements of the new law.

AB 1116 restricts the use of voice data recorded from smart televisions to improve the service from being sold or used by advertisers, and requires clear and conspicuous notice of the voice recognition feature when the television is set up or installed.

AB 670 requires the California Office of Information Security to conduct security assessments of state agencies and entities (as defined in California Government Code Section 11546.1) each year. The Office will report findings of noncompliance to the Department of Technology and the Office of Emergency Services, and any findings of criminal activity to the Highway Patrol and Department of Justice.

SB 272 requires some local government agencies to compile information about software and systems they use to process data. The information compiled would include the types of data stored and processed by the system, the product and vendor used, and collection and updating practices. The information would be publicly available on the agency website and upon request.