California Enacts Law Protecting Student Privacy and Amends Data Breach Statute | Practical Law

California has amended several privacy statutes, including amending its data breach notification statute to add provisions relating to offering credit monitoring or other identity theft services to affected persons. In addition, California enacted the nation's most stringent student privacy protection statute.

Practical Law Legal Update 3-583-2646 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 01 Oct 2014, California
On September 29 and 30, 2014, California Governor Jerry Brown signed several bills directed at protecting consumer privacy and personal information. In addition to signing bills that require state agencies to post their privacy policies on their websites, extend the expiration date of the California wiretap law and limit schools' monitoring of student social media accounts, Governor Brown signed Cal. Assembly Bill No. 1710, which amends provisions of the California Information Practice Act (CIPA), including certain data breach notification requirements (Cal. Civ. Code § 1798). Governor Brown also signed into law the nation's toughest student privacy protection law, the Student Online Personal Information Protection Act (SOPIPA).

The Student Online Personal Information Protection Act

Effective January 1, 2016, SOPIPA applies to an operator of a website, online service, online application or mobile application and authorizes disclosure of a student's covered information under specified circumstances. SOPIPA prohibits:
  • Knowingly engaging in targeted advertising to students or their guardians.
  • Using covered information to amass a profile about a K-12 student.
  • Selling a student's information.
  • Disclosing covered information.
Additionally, SOPIPA requires an operator to:
  • Implement and maintain reasonable security procedures and practices.
  • Protect student information from unauthorized access, destruction, use, modification or disclosure.
  • Delete a student's covered information upon request of a school or district.

Data Breach Notification Statute

Most significantly, the amendments to CIPA include amendments to the California data breach notification statute that:
  • Provide that, if the entity providing the notification was the source of the breach, "an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months" if the breach exposed or may have exposed certain personal information.
  • Expand certain provisions to include businesses that maintain personal information about a California resident.
In addition, California has amended CIPA to prohibit the sale, advertisement for sale or offer to sell of an individual's social security number. (Cal. Assembly Bill No. 1710.)