New California Laws Target Breaches, Hackers, TVs

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Laura Mahoney

Oct. 8 — California's landmark data breach notification statute has a new definition of “encrypted,” more specific requirements for breach notices to consumers, and applies to data gathered with automated license plate readers under three bills signed by Gov. Jerry Brown (D).

(Click image to enlarge.)


The bills were tied together so that each would become law only if the governor signed all three. Brown signed them Oct. 6, and they take effect Jan. 1, 2016.

A.B. 964 by Assemblyman Ed Chau (D) defines the word “encrypted” under the 2003 data breach law as data that is rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security. According to Chau, including the definition will encourage businesses and state entities to adopt encryption standards.

“This legislation proves that California really has become a model for protecting personal privacy in a digital era where cyber security is becoming a growing issue of concern in our society, because of the serious threat it poses to governments, private industries, and individuals,” Chau said in an Oct. 7 news release.

Breach Notice Changes

The 2003 breach notification law requires businesses or state agencies to notify consumers if their computerized but unencrypted data is breached.

S.B. 570 by Sen. Hannah-Beth Jackson (D) specifies what data breach notices to consumers must say. Notices must be titled “Notice of Data Breach” and be broken into sections titled “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” It also provides a model security breach notification form that complies with the format requirements.

S.B. 34 by Sen. Jerry Hill (D) treats information collected with automated license plate recognition systems as personal information that falls under the data breach notification law, and it establishes privacy policy requirements for operators and users of the data and systems. It also provides a private cause of action to individuals who are harmed by violations of the law.

Hackers, Televisions

Brown also signed a bill Oct. 7 that criminalizes “hackers for hire.” A.B. 195 by Chau makes it a misdemeanor to solicit a person to aid in gaining unauthorized access to computer systems. According to Chau, it is already a crime to hack into a computer network, but it’s not illegal to hire another person to do the hacking.

Brown signed a bill Oct. 6 that requires television manufacturers to inform consumers with prominent notices if televisions that connect to the Internet have voice-recognition features that could record private conversations and transmit them back to the manufacturer or third parties. Amendments to A.B. 1116 by the Assembly Committee on Privacy and Consumer Protection before it reached the governor's desk in September eliminated a requirement that consumers must opt in to use the feature before it could be activated.

The bill also prohibits manufacturers or others from using or selling the recordings for advertising purposes.

“Smart TVs and voice-recognition technologies are innovative and convenient tools, but giving up our right to privacy in the home because we want to utilize voice-command features to change the channel is simply unacceptable,” Gatto said in an Oct. 7 statement.

Several privacy-related bills remain on the governor's desk, including a measure to require law enforcement officials to obtain warrants to access personal digital information. He must sign or veto them by Oct. 11.

To contact the reporter on this story: Laura Mahoney in Sacramento, Calif., at

To contact the editor responsible for this story: Joseph Wright at