Skip to content

California Amends Its Security Breach Law and German Privacy Agency Limits Social Media Marketing by Businesses

California Amends Its Security Breach Notification Law
Beginning January 1, 2012, any business that is required, under California's security breach notification law, to provide notice to individuals must include in the notice a list of the types of personal information that were the subject of the breach, the date of the breach, a general description of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies. The amended law also requires businesses that are required to provide notice to more than 500 California residents as the result of a single breach to provide a sample copy of the notice to the Office of the Attorney General. The provision concerning substitute notice (which applies when a business demonstrates that the cost of providing notice would exceed $250,000 or that the affected class exceeds 500,000 individuals or when the business does not have sufficient contact information) has been amended to require, among other things, notice to California's Office of Privacy Protection. Businesses that are in compliance with HIPAA's security breach notification requirements will be deemed to be in compliance with California's law. A copy of Senate Bill 24 is available here.

German Privacy Agency Seeks to Ban Facebook "Like" Feature on Business Sites
The data protection authority (DPA) for the German state of Schleswig-Holstein has ordered businesses within that region to "shut down their fan pages on Facebook and remove social plug-ins such as the 'like'-button from their websites." The DPA conducted an analysis of the data collection activities using these features and concluded that such activities violate German and European privacy laws. "By using the Facebook service[,] traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics." According to the DPA, Facebook builds personal profiles of Facebook users and "such profiling infringes German and European data protection law." The DPA is asking businesses to deactivate these features by the end of September 2011.

This alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To ensure compliance with Treasury Department rules governing tax practice, we inform you that any advice contained herein (including any attachments) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer; and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.