California to get tough on online privacy

The state's attorney general will establish an office dedicated to digital privacy and prosecutions

California's top legal official has put the tech industry on notice that she intends to get tough on digital privacy.

Attorney General Kamala Harris said Thursday she is forming a new group within the state's Justice Department, the Privacy Enforcement and Protection Unit, to oversee privacy issues and prosecute companies that run afoul of the state's strict privacy laws.

The new unit's impact could extend beyond California, because it will police not just companies based in the state but all companies that do business there.

"This means that their privacy practices are going to be scrutinized a lot more by the Attorney General's office," Travis LeBlanc, special assistant attorney general for technology, said in an interview.

"We are going to do outreach to companies, to make sure they know their obligations," he said. "And make sure that when there are violations of California privacy laws, we will enforce them."

The unit will also perform outreach and education campaigns for state residents.

California has some of the strictest privacy regulations in the U.S., and unlike in many other states, the right to privacy is spelled out in the state's constitution.

"Typically, we've been a bellwether state," said LeBlanc. "We were the first state to pass a 'do not call' list and the first to pass a law requiring data breaches are notified to consumers."

Formation of the unit puts California ahead of other states when it comes to online privacy, said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. Brookman worked in the New York Attorney General's office from 2004 to 2009.

"One advantage the states have is they can move more quickly on issues [than the U.S. Federal Trade Commission]," he said.

The FTC will generally take time to consider issues in detail, and that can mean it is more likely to get things right, but the states have the advantage when it comes to awarding large fines, he said.

State law often allows companies to be fined for each infraction they make, whereas the FTC will usually fine a company only after it has been found guilty and re-committed the same violation, said Brookman.

The unit will be part of the California Justice Department's electronic crimes unit, and its staff will include six prosecutors who specialize in privacy enforcement. Some staff have already been hired, and LeBlanc said he expects the unit to be fully staffed in a few months.

Announcement of the unit comes five months after the California attorney general said she had reached an agreement with Apple, Google, Research In Motion, Amazon, Hewlett-Packard and Microsoft, to ensure that users can read the privacy policies on all mobile applications before downloading and installing the apps. The group was joined by Facebook in June.

One of the unit's first tasks will be a check-in with the companies to see how they have lived up to the agreement.

"In terms of enforcement, we have targeted our efforts in the mobile space," said LeBlanc. "We're seeing lots of privacy concerns there. Some people see it as the wild, wild West. We intend to start enforcing the California Online Privacy Act."

In terms of the unit's impact beyond state borders, it could face challenges from companies under U.S. federal interstate commerce laws if it tries to make too big a change on digital business practices, said Brookman.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place