Wednesday, February 06, 2008

Privacy Laws Proposed in California, New Jersey

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing, and John W. Arden.

Bills that would impose further notice requirements for security breaches and restrict the collection and use of personal information of adolescents have been introduced in California and New Jersey, respectively.

Security Breach Notifications

California Senate Bill 364 would amend the California security breach notification law to require that notifications be written in plain language and include certain standard information.

The proposal, which passed the California Senate on January 30, would require that security breach notifications sent to California residents include (1) the toll-free numbers and addresses of the major credit reporting agencies; (2) the name and contact information of the reporting agency, person, or business; (3) a list of the types of information, such as name or Social Security Number, that were or may have been the subject of a breach; (4) the date of the breach, if known, and the date of discovery of the breach, if known; (5) the date of the notification and whether the notification was delayed pursuant to current law for law enforcement purposes; (6) a general description of the breach incident; (7) the estimated number of persons affected by the breach; and (8) whether substitute notice was used.

The bill would also require electronic submission of breach notifications to the state’s Office of Information Security and Privacy Protection (formerly the Office of Privacy Protection).

The California Disclosure of Security Breach Law (California Civil Code Sec. 1798.82) appears at CCH Privacy Law in Marketing ¶30,500. California is one of 38 states with a specific data security breach law.

Adolescent Online Privacy Law

New Jersey Assembly Bill 108 would regulate the disclosure of personal information collected from adolescents by the operator of a website or online service. The proposed “Adolescents’ Online Privacy Protection Act” would apply to personal information of children over the age of 13 and under the age of 18. The measure is modeled on the federal Children’s Online Privacy Protection Act (CCH Privacy Law in Marketing ¶25,300), which applies only to children under the age of 13.

The bill would make it an unlawful practice under New Jersey’s Consumer Fraud Act to collect, use, or disclose an adolescent’s personal information in a manner that violates regulations to be adopted by the state Division of Consumer Affairs in the Department of Law and Public Safety.

Website operators would be required to obtain verifiable parental consent for the use and disclosure of personal information from adolescents and to provide for parental access to the personal information stored about the adolescent.

The proposal was introduced in the New Jersey Assembly on January 8.
