Seeking greater transparency regarding data security, lawmakers in California and North Dakota recently signed legislation that better reveals how consumers' personal information is used and what constitutes compromised data.
On Friday, California Governor Jerry Brown signed into law AB 370, which amends the existing California Business & Professions Code Section 22575 (CalOPPA), as well as AB 1149 and SB 46.
Ultimately an addition to CalOPPA, the recently signed AB 370 bill requires operators of commercial websites or online services to disclose how they handle “do not track” signals – an HTTP header requesting that web applications disable user tracking – or any other similar method that offers individuals a choice on whether personal information is collected.
The amendment also requires that commercial website operators make consumers aware of whether third parties will collect personal data about their online activities. Operators can offer a description of the updated policies in the form of a hyperlink.
“AB 370 makes the invisible practice of online tracking more transparent to consumers, and I applaud the Governor for signing this important bill,” California Attorney General Kamala Harris said in a release.
Amendment AB 1149 adds clearer communications for individuals who could be victims of identity theft, while SB 46 adds usernames, email addresses, passwords and security questions to what constitutes “personal information” in the event of a data breach.
“People have the right to know if their personal information has been stolen so they protect themselves from identity theft,” said Assemblywoman Nora Campos, D-Calif., sponsor of AB 1149.
In the event that a user's email address is not compromised in a data breach, the legislation is explicit in stating that individuals can be notified at that email address and should be prompted to change any affected credentials.
The legislation, which goes into effect on Jan. 1, 2014, continues California's legacy of being a frontrunner when it comes to progressive data security laws. AB 370 was introduced by Assemblyman Al Muratsuchi, D-Calif., and its signing marks a state first regarding consumer transparency in online tracking.
“Many consumers now conduct their day-to-day personal business online, including banking and paying bills, which creates more opportunities for sophisticated cyber criminals to access and steal their personal information,” said Senator Ellen Corbett, D-Calif., who introduced SB 46.
Meanwhile, regarding security breaches, North Dakota has also recently expanded its definition of “personal information” to include medical information and health insurance information. The law went into effect earlier last month.
Health insurance information includes a policy number, subscriber identification number or any unique identifier used by a health insurer. Medical information includes information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.