By Joyce E. Cutler, Privacy & Security Law Report
Reproduced with permission from Privacy & Security Law Report, 12 PVLR 521 (March 25, 2013). Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) <http://www.bna.com>
PALO ALTO, Calif.–Looking to move beyond its mobile applications
privacy enforcement efforts, the California Office of the Attorney
General is focusing its consumer protection efforts on health
as well as investigating data breaches, Special Assistant
Attorney General for Technology Travis LeBlanc said March 21.
The Office of the Attorney General this spring will be releasing
two reports–one on medical identity theft and a second analyzing
breach notifications to the AG, LeBlanc, who is senior advisor on
technology, privacy, and cybersecurity to AG Kamala Harris (D),
lawyers and technologists at a University of California Berkeley
Center for Law & Technology privacy symposium.
“AG Harris is paying close attention to how providers and
record management companies are accomplishing the move to digital
medical records,” he said.
“We’re also redoubling efforts to protect Californians from
the dangerous effects of data breaches,” he said. Under a law
enacted in August 2011, covered entities must report data breaches
affecting more than 500 residents, LeBlanc explained.
percentage of mobile apps with privacy policies rose from 40 percent
to 84 percent in less than a year, according to Travis LeBlanc,
special assistant California attorney general for technology.
He said 160 breaches were reported to the AG in the first year
after the new law took effect Jan. 1, 2012.
Centralized reporting allows the AG to analyze trends about what
practices and what sectors are more susceptible to breaches,
said. The forthcoming data breach report will focus on the results
that analysis, he said.
“We plan to use the report to determine which among these
breaches merit further investigation, and where appropriate,
enforcement actions,” he said, adding that additional
enforcement is coming “this
Mobile Apps Compliance, New Legislation.
principles for mobile applications have meant the
percentage of mobile apps with privacy policies rose from 40
to 84 percent in less than a year, LeBlanc said, adding that they
aiming for 100 percent compliance.
“Ultimately, in my view, our mobile apps best practices
document reflects elementary principles of ethics: be honest;
greedy; allow people to exercise their autonomy; [and] be
Just as brick-and-mortar stores should be concerned about what
activity takes place on their premises and what billboards are
on their buildings, “an online business, a mobile app, should
concern itself with what activity is ongoing through its platform
its app, what it’s facilitating, what advertising is taking place
its site,” LeBlanc said.
“Conversely, apps should take responsibility for what is
happening with the advertisers themselves who may be collecting
information through their apps. Business should not support bad
in the online world just as they wouldn’t in the offline world,”
LeBlanc noted that several digital privacy bills introduced this
year in the California Legislature seek either to amend
Online Privacy Protection Act (OPPA) or to regulate some facet of
digital privacy .
LeBlanc said the AG supports
370, which would amend the OPPA to include in the terms of
whether an operator of a commercial website or online service that
collects personally identifiable information will honor do not
signals from browsers.
He noted that another bill this session
257) would establish minimum privacy protections for users
mobile apps in California.
The AG is examining legislation
46) that would require the reporting of password breaches in
certain circumstances, LeBlanc said.
The bill would extend the state’s data breach notification law to
apply to passwords, user names, and security questions and answers
accounts other than financial accounts.
S.B. 46 recognizes “that digital privacy is not just a civil
liberty concern, but is also a cybersecurity and public safety
concern. It is especially important to identify passwords and
credentials breaches because so many people use their password for
multiple websites, and those passwords are only as safe as the
security questions,” LeBlanc said.
Unique Legal, Technology Position.
California has a unique legal position with a constitutional
to privacy, LeBlanc noted. Moreover, the California Online Privacy
Protection Act, Cal. Bus. & Prof. Code §§ 22575-22579,
requires commercial operators of online services, including mobile
users of what personally identifiable information is being
and how it will be used.
In the absence of a federal standard “it really is incumbent
to the states to step in and serve as the laboratories for
innovation,” LeBlanc said.
“California is the ninth largest economy in the world. The
vast majority of technology that we’re talking about is developed
here. The companies behind it are headquartered here,” LeBlanc
California has a special relationship with modern technology.
“There is no question at least in my mind that the engine of
innovation combusts in California,” LeBlanc said.
Just as the New York attorney general is often called the sheriff
of Wall Street, “the attorney general of California has a
comparable perch from which to ensure Silicon Valley treats
fairly, respects their rights, and protects their safety online
off,” LeBlanc said.
Yet the traditional tools of legislation, regulation, and
litigation insufficient to deal with digital age innovation,
said. “The velocity of innovation has outpaced the inertia of
our regulatory system,” he said.
And regulators must adapt how they regulate, which is why the AG
engaging in cooperative efforts educating attorneys, developers,
consumers, reporting results, and partnering with industry,
By Joyce E. Cutler
Copyright 2013, The Bureau of National Affairs, Inc.