SAN FRANCISCO – California has always been at the forefront of data security, but three recent updates to the Electronic Communications Privacy Act have left some legal experts wondering if the state has gone too far.
“Startup companies that grow up in California under our very stringent and privacy-friendly laws are better prepared for compliance with laws and customer expectations in other parts of the world,” Lothar Determann, a partner at Baker & McKenzie LLP, told the Northern California Record recently. “Tech companies that make it here under California privacy and security laws can address the requirements of other countries much better, which are usually far behind technological, social and legal developments.”
While California initially enacted the Electronic Communications Privacy Act in 2002, as technology has grown, the state has had to revise the law.
The most recent changes include enacting Senate Bill 570, which provides companies with a model template for reporting data breaches. In addition, the new law sets a minimum font size for data breach notices and requires the title, “Notice of Data Breach.” The notice also must include information under six key headings, including: “What Happened?”; “What information was involved?”; “What are we doing?”; “What you can do?”; and “Other Important Information.”
In addition, Assembly Bill 964 clarifies the state’s definition of encrypted data as information that is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
Senate Bill 34 also prescribes data breach requirements for users of Automated License Plate Recognition Systems (ALPR).
While consumer notification is important in ALPR system breaches, the state took it a step further, stating that individuals have the right to file private lawsuits against companies involved in data breaches for minimum damages of $2,500.
Determann, who counsels companies on data-related issues and teaches data privacy law, is particularly wary of SB 34.
“Personally, a notification duty alone would have been plenty to address potential concerns,” Determann said. “A separate cause of action with damages was unnecessary and imposes too much additional liability on companies that want to operate or use automated license plate scanning technologies for security purposes.”
Updates to the Electronic Communications Privacy Act can make companies better prepared if customer information is stolen, but also can hold them liable if a breach occurs.
While it’s important for a state to protect its citizens and their privacy, will it serve as a deterrent to businesses rather than a motivating factor?
“My sense is that businesses are unreasonably challenged by the increasing number of sector-specific privacy laws in the United States,” Determann said. “It is difficult and costly for companies in California and elsewhere in the country to keep up with California privacy laws.”