California has everything: big cities, small towns, tall mountains, dry deserts, farms, factories, miners, fishermen, surfers, hipsters, yuppies, startups, and people of all walks of life. You can look at the state of California and see everything that makes America great. Unsurprisingly, California also has some of the most comprehensive privacy laws in the country. The Golden State is a national leader when it comes to privacy legislation. California was the first state to pass a breach notification law, and other states soon followed suit. State privacy laws from coast to coast are often modeled, in some way or another, after California legislative precedents. So goes California, so goes the nation.
Currently, a handful of privacy bills have made their way through committees and at least one house of the state legislature. These bills reflect an evolving attitude towards the protection of more data from new technological services We can expect that within the next year each bill will come up for a vote, possibly expanding privacy rights for all Californians. Because of California’s leadership on the privacy issue, businesses and consumers across the country may expect to see their own states adopt several of California’s protections.
The legislation on the table ranges from data breach response protocols and geo-location policies, to tech “eavesdropping” prohibitions and drone guidelines. As we end July and enter the dog days of August, let us take a look at the innovative legislation California is considering:
Breach Response Requirements
In the event of a breach, many companies offer their customers one or two years of identity theft protection free of charge (depending upon the state, the company may be required by law to do so). Assembly Bill 259 requires a government agency that suffers a data breach to offer at least a year of identity theft prevention and mitigation services free of charge to affected consumers. Notably, California was the first state to pass a data security and breach notification law, and this bill borrows language from an existing California law that requires companies to offer “appropriate identity theft and mitigation services, if any,” to affected individuals at no cost. This bill, if passed, could begin a trend across the country of holding governmental agencies to the same standards as private businesses in the aftermath of a breach.
Geo-Location Tracking Laws
Assembly Bill 83 seeks to supplement the list of personal information that businesses must protect to include geophysical location data. This bill was actually conceived, in part, by suggestions from California citizens through an open bill-writing process on a “wiki-style” website. The bill would require businesses to enhance privacy standards for the storage of all personal information, and identify reasonably foreseeable internal and external risks to privacy and security of personal information, establish safeguards that would protect against unauthorized use, and routinely assess the sufficiency of such safeguards. For example, businesses would need to increase protections for social security numbers, driver’s license numbers, financial information, medical information, and geo-location travel information that could be found on an individual’s Uber or Lyft trip log. Basically, if a business is able to track your location, the bill would require it to make certain that information is highly protected.
Similarly, Senate Bill 576 builds on the California Online Privacy Protection Act. The bill would require mobile application operators to provide “clear and conspicuous notice” to consumers on the collection of geo-location information. You might notice that sometimes when you open an app on your phone, a message will appear warning that “ZSH App would like to know your location. Accept?” This is an example of the app seeking your consent to use your geo-location information. The bill would require mobile application operators to obtain users’ “affirmative express consent” before collecting and sharing location data. As a result, Californians could expect to see myriad new notifications asking for permission before an application makes use of your device’s internal GPS.
Users of the iPhone’s Siri or Amazon Echo’s Alexa products may have noticed that after saying “surely” or “excellent” (depending upon the product), their digital assistant activates ready to heed your beckon call. When that happens, Pandora’s Box opens with fears that your personal conversations may be “overheard” by the device, collected, and then used for some purpose such as advertising. California legislators have identified smart tv’s, in particular, as a possible device capable of “eavesdropping” and then using the information it collects for some purpose. Assembly Bill 1116 would require smart-TV makers to ensure that voice-recognition features cannot be enabled without the consumer’s consent, and would bar companies from using recorded conversations for advertisement purposes. We are all familiar with how our online shopping could lead to targeted advertisements as we surf the web, but we may be shocked to learn that some appliances in our own homes (such as a television) could be targeting advertisements based on our private conversations. This bill would work to curb those fears when it comes to the twenty-first century television set, and could possibly encourage further legislation to develop similar safeguards from other devices.
Senate Bill 178, also known as the California Electronic Communications Privacy Act, would require law enforcement to obtain a search warrant or wiretap order before accessing private communications and location data stored on smartphones, tablets, and other digital devices. Law enforcement, under the bill, would be prohibited from accessing a person’s digital information, which the proposed bill broadly defines to encompass personal messages, passwords, personal identification numbers, photos, financial information, GPS data, medical information, contacts, and metadata, without a warrant based on probable cause. Although a similar bill was vetoed by Governor Jerry Brown in 2013, this bill has support from companies and organizations lobbying for stronger privacy laws governing online and offline communications. Although some warn that the bill’s notice requirements could impede ongoing criminal investigations, the bill appears to have bi-partisan support: it has already passed the California Senate with a 39-0 vote. We could see similar legislation across the country also inform our twenty-first century understanding of Fourth Amendment protections from unreasonable search and seizure.
Two bills in particular are making their way through the legislature that would address the growing popularity of both government-owned and privately-owned unmanned aircraft systems. First, Senate Bill 142 broadens the definition of trespassing to include using drones “below navigable airspace of 400 feet on private property without permission” and would subject violators to civil damages. Second, Assembly Bill 14 creates a task force to establish policies for unmanned aircraft systems. The task force would exist to recommend comprehensive policy that could drive the structure of legislation addressing drones in the future. Because the bill does not specifically identify what a separate task force would provide, it has been held over as a two-year bill and will be heard in January 2016. In any event, both bills signal that California lawmakers are listening to constituent concerns over how camera-enables unmanned aircrafts invade privacy. Both bills, however, signal concerns lawmakers have over drones and their intended usage. Do not expect this issue to go away any time soon as technology evolves and manufacturers find ways of marketing more affordable models.
2015 and 2016 are shaping up to be exciting years developments in data privacy laws in California. Adoption of any combination of these laws could encourage other states to examine their laws and find avenues for increased protection. We will eagerly keep an eye on how other state legislatures react to California’s attempts to pass new privacy laws. Will others follow California? We can only wait and see. Until then, we will just have to keep dreamin’.