It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.

Eager to retain its spot among the principal laboratories for domestic privacy legislation, California’s legislature is set to debate Senate Bill 178, legislation restricting state law enforcement agencies from requesting data without a warrant. Five other states have adopted similar legislation in recent months, and California’s proposal largely follows that trend. Continue Reading California May Limit Law Enforcement’s Warrantless Data Collection

Written by Jake Romero, CIPP/US

Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents.  If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.  Continue Reading Target Becomes a Target: Proposed California Bill Aims to Make Retailers Liable for Data Breach Incidents

Written by Jake Romero, CIPP/US

When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale.  However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches.  New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts have been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem. Continue Reading Over 20 Million Customer Accounts Affected by Data Breaches in California; Attorney General Harris Promises Increased Enforcement

We hope that you remembered to “spring forward” over the weekend —

Today’s Privacy Monday is a bit longer than usual – but an important read, particularly if you are a mobile app developer.

California Public Utilities Commission Declines to Develop New Regulations and Standards for Wireless Carriers and Mobile App Providers  . . . for Now, at Least

Written by Jake Romero

Certain things in life are a certainty; death and taxes, for example, or Jennifer Lawrence falling down at the Oscars.  Until recently, a good argument could have been made that California agreeing to implement new data privacy regulations was one of those certainties.  At its January 16, 2014 meeting, however, the California Public Utilities Commission (“CPUC”) declined a request to develop privacy standards for wireless carriers and mobile applications.  The denial comes in response to a Petition for Rulemaking filed by a collection of consumer groups (the “Petition”) such as the Consumer Federation of California, the Privacy Rights Clearinghouse and the Utility Reform Network.  The CPUC Decision (which can be read in its entirety here) concludes that “[g]iven the lack of documented examples of actual breaches of customer privacy by telecommunications corporations, as well as the existence of a variety of laws and regulations governing the treatment of potentially sensitive customer information by businesses in general and telecommunications providers in particular, it is not clear that a review of the company privacy practices in California is needed at this time.”

The Petition, which was originally filed on November 8, 2012, requested that the CPUC (1) initiate a new rulemaking to review the customer information that telephone corporations collect or have access to, along with those companies’ practices in handling and using that information; (2) develop standards for the collection, handling, and sharing of customer information to ensure that customers are aware of what information may be collected and how that information may be used; and (3) extend the applicability of its privacy rules to third parties under contract with telecommunications providers, as well as other third parties that use the phone as a platform, such as mobile applications.  Had the CPUC agreed with the petitioners, the additional rules would have added to an already crowded regulatory mix in California.  However, the petitioners argued that additional rules are necessary because of the rapid development of communication technologies, and that any additional rules promulgated by the CPUC could help to update and modernize current regulations.

Opposition comments to the Petition were filed by CTIA, AT&T and its affiliated companies and MetroPCS California.  The opposing party comments made two primary arguments in favor of denying the Petition: one procedural and one substantive.  On procedural grounds, the opposing parties argued that the Petition attempts to reach non-regulated services and providers, over which the CPUC has limited authority, without clear justification.  Substantively, the opposition argued that additional rulemaking is unnecessary because existing laws and policies already protect the privacy of customer information available to telecommunications carriers, and carriers already have internal privacy policies in place to comply with California state law.

In denying the Petition, the CPUC agreed with the opposing parties that federal and state laws governing the protection and use of, among other things, information that relates to the use of telecommunications services, already address privacy issues related to customer data, and that such laws had been updated and revised on an ongoing basis in response to further technological development.  The CPUC noted that the Petition was specifically focused on third-party applications, but found that the Petition was unable to identify types of information collected or accessible by these parties that would not already be covered by federal or state privacy laws.  Moreover, the federal and state laws applicable to mobile application providers are primarily enforced by entities other than the CPUC, such as the Federal Trade Commission or States’ Attorneys General.  In the absence of “clearer documentation of gaps in existing privacy laws and regulations, as well as examples of actual harm from such privacy violations” the CPUC denied the Petition.

There are a few key takeaways from the CPUC decision.  First, notwithstanding its conclusions, the CPUC left the door open for the petitioners to return with further information and developments in the future.  The CPUC noted that because of rapid changes in communications technology, it is possible that concerns may develop that would need to be addressed.  Second, the Petition’s focus on mobile applications is yet another indication that concerns about mobile privacy are continuing to grow.  Following months of front-page news stories about data breaches and Apple’s own high-profile security update, it is unlikely that these concerns will diminish any time soon.  On the other hand, online service providers just recently dealt with a barrage of new California regulations.  The CPUC’s decision not to add to the regulatory web at this point will likely be welcome news for online service providers.

Written by Jake Romero

The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases.  Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products.  The bill aims to close a perceived gap in the data privacy protections afforded to California residents, by placing these types of transactions within the scope of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring certain customer personally identifiable information as a condition to accepting credit card payment.

Does this all sound vaguely familiar?  If so, that is likely because SB 383, in its current form, is just the latest development in a series of efforts to adapt Song-Beverly, a law that pre-dates the modern internet, to current retail and data collection practices.  Continue Reading California Moves to Restrict Collection of Consumer Personal Information Online: the Process, History and Politics Behind Senate Bill 383

Well, the headlines don’t exactly work with the traditional tune, but blame the editor for that…..

Written by Jake Romero, CIPP/US

2013 was a busy year for California.  We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce.  At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.

  • Happy New Year!  Consumer Notification Laws Effective as of January 1, 2014 – “Do Not Track” and Data Breach Notification

Two laws going into effect on the first of the year will require additional notifications to consumers.  The first, A.B. 370, amends Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy (1) how it responds to “Do Not Track” signals or similar tools and settings and (2) whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service.

As we discussed earlier this year, the absence of a universal industry standard for “Do Not Track” (which is not defined in the statute) may create pitfalls for unwary online service operators as they attempt to comply with the law’s requirements.  A full, clear and accurate description of an online service’s interpretation of Do Not Track signals will likely require significant review and diligence by, among others, that service’s operational and technical managers and support staff.  An online service that inaccurately describes the additional disclosures required by A.B. 370, or fails to update those disclosures in a timely manner following operational changes, may incur liability for engaging in deceptive practices.  On the other hand, a blanket disclosure stating that the service does not honor Do Not Track signals may ward off potential customers and damage the service’s reputation.

Under A.B. 370, online service operators are deemed to have satisfied the requirement to disclose the service’s interpretation of Do Not Track signals (but not the required disclosure regarding tracking by third parties), by linking to a description of a program or protocol that the operator follows that allows the consumer to exercise choice regarding collection of personally identifiable information.  Note that this option is only effective if the operator follows and complies with the protocol to which it directs consumers.  This may be problematic because many protocols, including the Digital Advertising Alliance (previously discussed here), require that all third party advertisers on the service be members of the program.  An online service operator hoping to take advantage of this option will need to have policies in place to assess compliance on an ongoing basis, including with respect to its third party advertisers.

The other consumer notification law going into effect is S.B. 46, which expands California’s data breach notification requirements to include incidents involving certain types of online data.  S.B. 46 amends Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

As we previously discussed, this expansion of California’s notification requirement could significantly increase the number of reportable incidents in two ways.  First, California’s data breach notification requirements will apply to many more online service providers, as this type of online account information is commonly collected by websites.  Second, websites that only collect online account information may not have the type of robust safeguards and policies that an online service that collects other types of personal information, such as social security numbers, driver’s license numbers or credit card, medical or health insurance information, has already put in place.  We recommend that online services that collect “personal information” as defined under that term’s expanded definition review our recommendations for preparing to comply with the new law here.

  • Sector-Specific Regulations Effective as of January 1, 2014 – Medical Information and Customer Electrical or Natural Gas Usage Data

In addition to the generally applicable laws described above, two pieces of industry-specific legislation will also go into effect.  A.B. 658 amends Section 56.06 of the California Civil Code, which is part of the “Confidentiality of Medical Information Act” (or “CMIA”).  The CMIA prohibits providers of health care or recipients of individually identifiable medical information from using or disclosing medical information for any purpose not necessary to provide health care services to patients, without first obtaining authorization.  A.B. 658 will expand the definition of “provider of health care” so that this prohibition will also apply to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . .”  This change to the CMIA should be of particular concern to mobile application developers and operators.  With the use of mobile applications generally on the rise, health care related applications are expected to play a part in promoting wellness and addressing a number of issues, including rural access to health care.  However, as compared to the average website, mobile applications typically require a more complex system of third party service providers that may have access to data, and can be an inherently challenging platform for displaying notices.

As of January 1, we will also see new regulations applicable to businesses that use “smart meter” data.  For the past three years, utilities have been prohibited from sharing or disclosing data regarding individual consumption or use of electricity or natural gas by an individual without that individual’s prior consent.  A.B. 1274 extends this prohibition to non-utility businesses, and requires that such businesses disclose any third parties with whom they share such information and how it will be used.  In addition, A.B. 1274 requires businesses to use reasonable security procedures and practices to protect usage data from unauthorized access or disclosure, and put in place contractual requirements with any third parties who receive usage data requiring those third parties to do the same.  A.B. 1274 also requires certain steps to be taken when disposing of usage data, and prohibits businesses from offering incentives to consumers who allow their information to be accessed without prior consent.

  • Looking Ahead – Children’s Privacy Rights

The supporters of the ballot initiative known as the California Personal Privacy Initiative may have dropped their efforts, but we expect that in 2014 California will continue its aggressive push to increase data privacy regulation and enforcement.  We will also be tracking preparations for S.B. 568, which goes into effect on January 1, 2015.  S.B. 568 prohibits operators of online services directed toward minors under the age of 18 (as well as online services not directed toward minors, if the operator of the service has actual knowledge of a minor using the service and advertisements are specifically directed to that minor based on information the minor has provided) from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia and obscene materials).  S.B. 568 also requires that these types of online services permit minors to remove or request the removal of content or information posted by that minor and provide certain specific disclosures regarding deletion of online information.  We discuss S.B. 568 in further detail and provide recommendations for preparing to comply with the new requirements here.

The federal government may be completely unable to pass laws, but that certainly isn’t the case with the State of California, which has just completed a data privacy hat trick by passing three significant laws addressing a broad subset of data privacy issues. The big question: is your online and/or mobile business ready for the coming changes?

Read the latest Mintz Levin Privacy Alert analyzing what effect these new laws will have on business and how you should be preparing to comply.

As we all ponder the potential for the first U.S. government shutdown in 18 years, here are some Monday privacy tidbits to change the subject a bit.

September Mintz Matrix

As our readers know, we maintain a summary of the US state data breach notification laws, which we refer to as the “Mintz Matrix.”   We update the Mintz Matrix on a quarterly basis, or more frequently if developments dictate.

We’ve updated the Mintz Levin State Data Breach Notification Matrix to reflect changes to California’s law.   The Mintz Matrix is available here.

California SB 46 and AB 1149 have brought about the following changes:

(1) The definition of PI has been expanded to include username or email in combination with password or security question and answer that would permit access to an online account.

(2) The law specifies when electronic notice can be provided.

Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Press Roundup

Last week was a busy one for members of the Mintz Levin privacy team – here’s a peek at our clipping file:

Law360 (registration may be required) – Va. Tech Breach Reveals Info on 145K Job Applicants – quotes Cynthia Larose

FierceCIO – How a decent risk assessment could save you a lot of money – Interview with Cynthia Larose

Law 360 (registration may be required) – Calif. Initiative Could Unleash Wave of Privacy Fights – quotes Jake Romero

E-Commerce Times – Judge Cuts Google No Slack in Gmail Wiretap Case – quotes Cynthia Larose


Two data privacy bills, Assembly Bill 370 and Senate Bill 568 have been sent to California Governor Jerry Brown for signature.  As we previously reported, A.B. 370 would require commercial websites or online services that collect personally identifiable information to disclose how that site or service responds to “do not track” signals or similar mechanisms.  S.B. 568 would require that the operator of any website or online service remove all content or information submitted to the site or service by a minor at that minor’s request.

Governor Brown is expected to sign both bills.  Our Privacy & Security Matters blog will continue to provide updates, including information regarding implementation and compliance deadlines, as they become available.