Governor Brown Expands Privacy Laws with Respect to Electronic Information
On October 6, 2015, Governor Brown signed five privacy bills into law. The laws add protections and procedures for the collection and maintenance of electronic identifying information by law enforcement, automated license plate readers, and voice-activated smart-TVs. The laws also define the term “encryption” and change the method of data breach notifications by businesses, agencies, and individuals. Most of the bills amend Civil Code Sections 1798.29 and 1798.82 in addition to creating or modifying the sections described below.
Collection of Data by Law Enforcement
The first of the bills, the Electronic Communications Privacy Act (S.B. 178), constricts law enforcement’s ability to collect electronic information without either a warrant or wiretap order. Law enforcement is prohibited from compelling a service provider, entity, or person to produce or provide access to electronic information or communications for the purposes of investigating and prosecuting a crime without court approval. Law enforcement can obtain the same information by subpoena, if for purposes other than criminal investigation or prosecution. In addition to the warrant or order, law enforcement may access an electronic device or information if: (1) there is specific consent of the owner; (2) the device was lost and the owner’s specific consent is obtained; (3) a good faith belief exists that an emergency involving death or serious bodily harm will occur requiring access to the device; (4) the device is believed to be lost and accessed only for identification purposes; (5) the device is seized from an inmate in a correctional facility. In addition to the warrant protections, law enforcement is required to notify the individual whose information is sought. (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB178)
Breach Notification Laws
Next on the list are the amendments to California’s Data Breach Notification laws (S.B. 570). The changes in the law are not significant, but they make notices of data breaches that are sent to consumers more conspicuous. The amendments also provide model forms for issuing notices of data breaches for businesses, agencies, and individuals. (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB570)
“Encrypted” has now received a formal definition under AB-964, also amending Civil Code 1798.29. Under the bill, “Encrypted” is defined as: rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security. (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB964)
Automated License Plate Readers
With respect to automated license plate readers, S.B. 34 adds Civil Code sections 1798.90.50-1798.90.55, as well as language to Sections 1798.29 and 1798.82. The changes from this bill impose specific privacy requirements on an “ALPR operator” to maintain reasonable security procedures and practices to protect identifying individual information. The amendments also require an ALPR operator to maintain access logs and require that any information accessed only be used for authorized purposes. If a violation occurs, ALPR operators are subject to private actions, including statutory damages of $2,500, punitive damages, attorney’s fees, and other preliminary and equitable relief awarded by the court. Finally, any data breaches must also comply with the notification laws referenced above. (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB34)
Last on the list of the privacy laws, A.B. 1116 modifies Business and Professions Code Sections 22948.20-22948.25. Although existing law requires manufacturers of voice-recognition TVs to obtain affirmative consumer action before the voice-recognition is activated, the new law adds more protection concerning the use and dissemination of any voice-recordings. Actual recordings, even for the purpose of improving the voice-recognition technology, are prohibited. Manufacturers are also prohibited from creating software for the purpose of criminal investigation or law enforcement monitoring. However, the law loses a lot of strength by limiting a manufacturer’s liability to the functionality at the time of sale. If the user installs updates or applications that violate the law, the manufacturer cannot be held liable. (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB1116).
Although many privacy laws protect individual consumer information with respect to the areas described above, these amendments further those protections and exceed federal standards, ensuring the citizens of California additional safeguards for electronic information and communications.