Privacy Issues that Arise for Startups Doing Business in or with the Residents of California

As in many other areas of law, the State of California has been on the front line of bringing about aggressive changes in the laws concerning protection for online consumers. The economic power and size of California, in addition to being the primary locus for much of the startup activity in the technological world, means that the cost of doing business for many companies includes compliance with California privacy law. Many elements of privacy protection, which are merely recommended by the Federal Trade Commission and other regulatory bodies, are required by statute in California. A prime example is the Online Privacy Protection Act. Technology law scholars, Richard Raysman and Peter Brown, note that the law “requires that any collection of personally identifiable information from California residents through a Web site or online service for commercial purposes be done pursuant to a conspicuously posted privacy policy.” [1] Federal law creates no such requirement for disclosure.

In January of 2005, the state also passed the California Security of Information Law, which specifies businesses must ensure that personal information (defined by statute as name, driver license, Social Security Number, and any financial account numbers including credit cards) is properly protected. Although certain sections of this law has been preempted by federal information security regulations (under HIPAA, Gramm-Leach-Bliley Act, Fair and Accurate Credit Transactions Act, etc…), much of it is still in effect. In addition, Cal. Civ. Code § 1798.81.5, mandates that companies mandate appropriate security measures to protect personal information from unauthorized disclosure.[2] California also has more stringent requirements about the disclosure of information to direct marketers and, pursuant to Cal. Civ. Code § 1798.81.5, requires specific provisions in contracts between companies and thirds parties where private personal information will be communicated to a third party.

Furthermore, under Cal. Civ. Code § 1798.82, companies are liable for security breaches that occur as a result of third party service providers. Business must promptly notify California residents when their personal information was potentially compromised, whether or not they have any actual liability for the breach. Required disclosures for when breaches occur included specific information about the type of breach that occurred and the timing of the breach.[3] The state has assembly has since softened the notice requirement by allowing an entity to provide substitute notice by posting information about the breach on the company’s website. This measure has significantly reduced the cost of notice for startups and small businesses, but the cost of assessing the breach and what specific information was compromised still remains. California was also the first state to establish a centralized method of reporting, recording and cataloging security breaches.

Go to Brotman Tax Resolution Services

Go to The Brotman Virtual Law Office

Go to Resource Blog Homepage


[1] Richard Raysman and Peter Brown, Computer Law: Drafting and Negotiating Forms, CLDNF § 15.02 (2009).

[2] Jeffrey D. Neuburger, Technology, The Internet and Electronic Commerce: Staying Interactive in the High-Tech Environment, A Summary of Recent Developments in the Law. 927 PLI/Pat 699, (February-April 2008)

[3] Cal. Civ. Code §1798.83 et seq.

Brotman Law Featured in Inc. Magazine - Fastest Growing Law Firm in California