By Jennifer Archie, Kevin Boyle and Ghaith Mahmood

California is home to the largest online and mobile businesses and platforms, and, no doubt seeking to maintain her state's reputation as one of those leading the nation in the enactment and enforcement of privacy laws and regulations, California Attorney General Kamala D. Harris on Thursday announced the formation of a Privacy Enforcement and Protection Unit within the Office of the Attorney General.

The unit is intended to enforce laws related to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. “[T]he Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” Harris said in the press release. The new unit combines various privacy functions of the California Department of Justice and will be part of the eCrime unit established in December 2011; it follows the shutdown of the California Office of Privacy Protection (OPP), which was eliminated in recent budget cuts. The Privacy Enforcement and Protection unit will be staffed with six prosecutors–double the number previously assigned. The former director of the OPP will join to lead the unit’s education and outreach efforts.

The formation of this unit comes a few months after the California Attorney General’s office reached an agreement on a statement of principles with Apple, Google, Research In Motion, Amazon, Hewlett-Packard, Microsoft, and later Facebook, to ensure that a mobile or social app that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app’s privacy practices that provides clear and complete information regarding how personal data is collected, used and shared. Last fall, the FTC weighed in on this issue as well with a settlement concerning adequate disclosures about default privacy settings on mobile apps.

California has led the nation in many key areas touching upon the privacy and security of consumer data, including:

The California Online Privacy Protection Act (CA Business and Professions Code § 22575)

Requires any operator of a commercial web site or online service that collects personally identifiable information through the Internet about consumers in California to conspicuously post a privacy policy explaining what personal information is collected and how it is used.

California’s “Shine the Light” law (CA Civil Code § 1798.83)

Lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt-out of such information sharing. In response to a customer request, a business must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, or 2) a privacy statement giving the customer a cost-free opportunity to opt-out of such information sharing.

Security of Personal Information (CA Civil Code § 1798.81.5)

Requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number) and to contractually require third parties to do the same. It does not apply to businesses that are subject to certain other information security laws.

Security Breach Notice (CA Civil Code §§ 1798.29, 1798.82, and 1798.84):

Requires a business or a State agency that maintains unencrypted computerized data that includes Californians’ personal information to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This law was amended in August 2011 to require specific content to be included in such breach notification letters, including: (i) specifying the types of personal information that are believed to have been the subject of the breach, (ii) the date range of the breach, (iii) a general description of the breach, (iv) whether a law enforcement agency investigation delayed notification of the breach; and also requiring that a sample letter must go to California’s Attorney General’s office if the breach is believed to affect more than 500 individuals.


Social Security Number Confidentiality (CA Civil Code §§ 1798.85-1798.86, 1785.11.1, and 1785.11.6):

Restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers. It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip or other technology, in place of removing the number as required by law.


Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011):

In this February 2011 decision, the California Supreme Court ruled that the definition of “personal identification information” in California’s Song-Beverly Credit Card Act of 1971 (CA Civil Code §§ 1747-1748.95) includes a consumer’s ZIP code, and that a retailer may thus violate the Credit Card Act by requesting and recording a customer’s ZIP code in conjunction with a credit card purchase.