California Enacts New Data Privacy Legislation

California is once again initiating significant changes to protect informational privacy in the digital world. Governor Jerry Brown recently signed several pieces of legislation in an attempt to protect individuals against invasions of privacy connected with personal data collection. California’s new legislation will regulate the collection and use of student data and amend the privacy requirements for businesses who collect personal data.

Over the last ten years, California has passed numerous laws protecting personal data.  As recently as 2013, California enacted two laws addressing digital privacy: one regarding how websites respond to citizens who ask the site not to monitor their personal behavioral information and the other relating to the ability for minors under the age of 18 to erase portions of their social media accounts.  These laws were the first of their kind in the country and, together with the newly passed legislation, have earned California a reputation for being one of, if not the, most prominent states guarding its citizens’ data privacy.

Student Online Personal Information Protection Act (SOPIPA)

As technology becomes more central to student educational experience, the issue of protecting student personal data becomes more challenging. California’s SOPIPA attempts to balance the benefits of increased technology in education with concerns over abuse and misuse of personal information. SOPIPA makes significant changes to the way personal information of students in grades K-12 can be collected, stored, and used.

Websites, apps, and online services play a significant role in the modern classroom but many of these educational services require, or allow, for student grades, disciplinary history, and other personal information to be stored and analyzed by service providers. These providers often use student data to create new services and products that can be offered to K-12 students. SOPIPA protects student information in two significant ways: 1) operators providing K-12 services may not compile, share, or disclose student information for any reason other than those related to K-12 purposes, and 2) operators may not use student information for targeted advertising or marketing to K-12 students, their parents, or their families.

Notably, the law does carve out an exception for service providers to store anonymous student data to be used solely for the development and maintenance of its own educational products. In essence, the law tries to ensure that student information only be used for school-related purposes.

The full text of Senate Bill 1177 (SOPIPA) can be found HERE.

Amendments Protecting Personal Information and Identity

Recent amendments to California’s data breach notification requirement places new burdens on companies that suffer a breach in their electronic data security system. Previously, California law required only those persons or businesses who owned or licensed personal data to give notice to citizens when their system was breached. Under the new amendments, any business who maintains computerized data about a California resident must implement “reasonable security procedures,” and if breached they must notify any resident whose information was compromised.

Another major change requires that “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”

Commentators have given considerable attention to the words “if any” found in this provision.  Some are concerned that these words may be interpreted to mean that only businesses who previously provided identity theft prevention and mitigation services will be required to continue those services after a data breach. This ambiguity may be left for the judiciary to resolve.

Lastly, the amendments also address how a California resident’s social security number may be used by other people and businesses. Prior to the amendment, a person or entity was prohibited from posting or displaying a citizen’s social security number or doing any act that may compromise the security of an individual’s social security number. Now, in addition to these prohibitions, a social security number may not be sold, offered for sale, or advertised for sale by any person or business. This provision strengthens the protections afforded to California citizens and clearly attempts to restrain the opportunity for identity theft.

The full text of Assembly Bill 1710 can be found HERE.

About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Posted in Data Security, Legislation, Privacy

Leave a Reply

Your email address will not be published. Required fields are marked *


About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs