New California Law for Minors Went Into Effect Jan. 1: What You Need to Know to Comply

February.03.2015

California S.B. 568, “Privacy Rights for California Minors in the Digital World” (Cal. Bus. & Prof. Code § 22580-22581) took effect on Jan. 1, 2015. Enacted as an amendment to CalOPPA, the law contains two main provisions: 1) the right for a California minor to request the removal of content or information posted online (nicknamed the “Internet Eraser Law”), and 2) restrictions on the advertising of certain products and services to minors.

The Internet Eraser Law

The law requires any online service (which is defined broadly to include any “Internet Web site, online service, online application, or mobile application”) to permit minors to remove or request the removal of posted content or information. The law applies to online services that are directed to minors (meaning that the service, either in whole or in part, targets minors as its intended audience) or an online service that has actual knowledge that a minor is using the service (which would include any company that collects a birth date of a user), and only applies to online services with minors who are “registered users” of the service. The online service must post notice and instructions to direct the minor how to delete the information. Additionally, the online service must provide notice if “complete and comprehensive” removal of the content is not possible.

Key points to remember:

The law applies to any online service that registers a California user under the age of 18, even if the company is physically located outside California.
The minor may request deletion only of content that was posted by the minor, and the deletion request must come from the minor who posted the content (not the parent, or another person identified in the content).
The online service may anonymize rather than delete the content, so that the minor cannot be identified by other users of the service or by the general public.
There is no requirement to delete the content permanently from the company’s systems. The company may maintain the information subject to the removal request for internal purposes, as long as that content is no longer visible or identifiable to other members of the online service or to the general public.
Similarly, there is no requirement to delete or anonymize information that was copied or reposted by another member of the site. The company will be deemed in compliance with the statute if it makes the original posting by the minor invisible or anonymized, even if it does not take steps to delete or anonymize the portion of the minor’s content that has been copied or reposted by the third party.

Advertising Restrictions

The Privacy Rights for California Minors law also prohibits online services from advertising certain products such as alcoholic beverages, firearms and ammunition, tobacco products, tattoos, tanning beds, fireworks, aerosol paint containers, lottery tickets, dietary supplements containing ephedrine, drug paraphernalia and obscene matter if the online service is directed to minors or if the operator has actual knowledge that the online service is being used by a minor. The law also applies to targeted advertising and prohibits advertising of the enumerated products to minors “based on information specific to that minor, including” information such as “the minor’s profile, activity, address or location.” Operators of online services are also prohibited from providing minors’ personal information to a third party or allowing a third party to collect minors’ personal information for the purpose of advertising any of the specified products or services.

Key points to remember:

A company will not run afoul of the marketing provisions of the law solely because the listed products or services are shown on the operator’s online service if the products are not placed there “primarily for the purposes of marketing and advertising” the prohibited products or services.
Services that are directed to minors and that use a third-party advertising service may notify the advertising service that the online service is directed to minors. Once notified, third-party advertising services are prohibited from marketing any of the listed products or services on the operator’s online service.

Compliance Steps

If an online service is directed to minors or has actual knowledge that minors are registering with the service, the company should take the following actions toward compliance:

1. Update its online Privacy Policy to provide notice that a minor may delete or anonymize information that the minor posts to the site. The notice should include instructions on how the minor may delete or request the deletion of such information, and must note if it is not possible to “completely and comprehensively” remove all content.

2. Develop an internal procedure and policy to determine how the company will handle deletion requests. Will content be deleted permanently or be retained internally? Will content be deleted or anonymized? Will the company provide a deletion mechanism through the “settings” or must the user contact customer service to request content be deleted?

3. If the online service is directed to minors, notify in writing any third-party advertising partners (including advertising firms, ad networks and the like) that the online service is directed to minors. Keep a record of that notification.

4. If the online service has actual knowledge that minors are using its service, take “reasonable actions in good faith” to avoid marketing or advertising the prohibited products listed above.

5. Develop standard contractual provisions and consider addenda to existing contracts to restrict the collection and use of data from the company’s online services by third-party ad partners.

Enforcement

Violations of the new law will likely be enforced by the California Attorney General under the state’s unfair competition law, which provides for a penalty of $2,500 per violation.

******

Orrick’s Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.

For more information about these developments, please contact the authors of this alert or your Orrick relationship partner.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.