Privacy & Information Security Law Blog

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

New Student Privacy Laws 

On September 29, 2014, California Governor Jerry Brown signed into law bill (SB 1177) that places restrictions on the data practices of online educational services for K-12 schools. In general, the new law, the Student Online Personal Information Protection Act (“SOPIPA”), prohibits an “operator” of an online educational services for K-12 students from:

• Engaging in targeted advertising based on any information the operator acquired from usage of its online service;
• Assembling student profiles for non-educational purposes from information derived from the operator’s online service;
• Selling a student’s information; and
• Disclosing “covered information,” unless an exception applies.

Under SOPIPA, “covered information” is defined as personally identifiable information created or provided by a student or an employee of a K-12 educational institution, or descriptive or identifiable information gathered by an operator through the operation of its online service. The bill also requires operators to implement and maintain reasonable and appropriate security procedures and practices to safeguard covered information, and to delete a student’s covered information upon the request of the relevant educational institution. SOPIPA comes into effect on January 1, 2016.

Another bill (AB 1584) signed into law on September 29 regulates the usage of third party cloud services and other digital services related to student records management by California educational institutions. Under the new law, student records must remain the property of and under the control of the educational agency. The law also sets contractual requirements and restrictions relating to accessing, reviewing, using and securing the student records related these services.

In addition, Governor Brown signed into law on September 29 a bill (AB 1442) that requires school districts to first notify students and their parents before adopting any program that gathers or maintains information obtained from a student’s online social media. The new law also sets requirements related to a student’s right to review, correct and delete such social media information gathered by the school district, and imposes retention restrictions on this information.

Updates to California’s Data Breach Law

On Tuesday, September 30, Governor Brown signed into law a bill (AB 1710) that amends the California’s breach notification law, making three updates to the existing law:

• For a business providing notification that was the source of the breach, “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
• Businesses that maintain personal information about California residents (e.g., service providers) must employ reasonable and appropriate security procedures and practices for the personal information they maintain.
• The updated law strengthens the current restrictions on the use or disclosure of Social Security numbers by prohibiting businesses from selling, advertising for sale or offering to sell Social Security numbers, with limited exceptions.

Updated Invasion of Privacy Law

Governor Brown signed into law on September 30 a bill (AB 2306) that updates California’s invasion of privacy law. Under the existing law, a person can be liable for a constructive invasion of privacy if he or she uses a visual or auditory enhancing device to capture an unlawful image, sound or recording. The updated law expands the scope of liability for an invasion of privacy by making it unlawful to use any device to unreasonably capture an image, sound or recording of another person engaging in a personal or familial activity under circumstances in which the other person had a reasonable expectation of privacy.

Expansion of Revenge Porn Liability

Governor Brown signed into law on September 30 a bill (AB 2643) that enables victims to bring lawsuits for civil damages against violators of California’s revenge porn law. According to the bill, the updated law creates a “private right of action against a person who intentionally distributes a photograph or recorded image of another that exposes the intimate body parts...without his or her consent, knowing that the other person had a reasonable expectation that the material would remain private, if specified conditions are met.”