In case you missed it: We recently wrote here that over two dozen state privacy laws were passed in 2013. While little to nothing is happening in Congress – at least in terms of actual privacy legislation – state legislatures continue to fervently address the issue of privacy. Many new state laws became effective January 1st of this year. Here is just a sampling of those directly impacting both individuals’ privacy and technology.
1. Amendment to CalOPPA
The California Online Privacy Protection Act requires that operators of commercial websites and online services that collect California residents’ personally identifiable information (PII) conspicuously post a privacy policy, which must include:
- Identification of the categories of PII collected through the website or service along with the categories of third-party persons or entities with whom the PII may be shared,
- If the operator maintains a process for an individual user to review or request changes to any of his or her PII that is collected and a description of that process,
- Process by which the operator notifies individuals of material changes to the privacy policy for that operator’s website or service, and
- An effective date for the privacy policy.
California’s amendment to CalOPPA, which became effective January 1st, requires that operators of websites and online services that collect California residents’ PII to make the following additional disclosures in their privacy policies:
- How they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of” PII. Site and other online service operators must include an appropriate reference to this in their privacy policy, although the amendment does not specify the scope of “appropriate” disclosure, and
- Whether they allow third parties to collect PII when a consumer is using the operator’s service.
Although operators must disclose how they respond to “do-not-track”, CalOPPA does not require that operators honor users’ preferences.
2. Amendment to California Security Breach Notification Law
California’s Security Breach Notification law states that an entity must notify consumers following the discovery of a data breach involving the unauthorized acquisition of “personal information”. The law previously defined “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as a social security number, medical information or a financial account number.
The amendment to this law became effective January 1, 2014 and expands the definition of “personal information” to include “a username or email address in combination with a password or security question and answer that could permit access to an online account.” In the event that any of the newly defined “personal information” is breached, affected consumers must be notified regardless of whether or not other sensitive data such as an individual’s name is also breached.
3. Amendment to Illinois (720 ILCS 5/) Criminal Code of 2012.
Illinois’ 720 ILCS 5/14-6 allowed for civil remedies for victims of eavesdropping to any conversation, covering conversations defined as “any oral communication between 2 or more persons regardless of whether one or more of the parties intended their communication to be of a private nature under circumstances justifying that expectation”. Remedies include:
(a) An injunction by the circuit court prohibiting further eavesdropping
(b) Actual damages and
(c) Punitive damages
Illinois’ 720 ILCS 5/14-6 previously did not address eavesdropping of electronic conversations. H.B. 3038, which became effective January 1, 2014, expanded the law to cover victims of eavesdropping whose electronic communications are unlawfully monitored.
4. Amendment to Illinois Right to Privacy in the Workplace Act
Illinois’ Right to Privacy in the Workplace Act previously prohibited an employer from inquiring in any way a password and/or account information related to an employee’s or prospective employee’s social media profile.
SB2306, which became effective January 1, 2014, amended this law to specify that an employer may in fact request a password and/or the account information of a social media profile from an employee or potential employee provided that the information requested relates to a professional account. The new law defines “professional account” as an account, service, or profile created maintained, used or accessed by a current or prospective employee for business purposes of the employer. However, the law still prohibits employers from requesting passwords or account information to any personal account of employees or prospective employees.
Add Comment