Two California laws in effect as of Jan. 1 will make it tougher for law enforcement to demand data from hotels, resorts and bus companies, and boost security requirements for credit reporting bureaus such as Equifax Inc.
California lawmakers are likely to pass even more sector-specific privacy laws during 2019, before the state’s broad new privacy law takes effect Jan. 1, 2020, privacy attorneys said. Such new laws would boost the private-sector pressure on Congress to enact a federal privacy law that pre-empts California’s efforts.
The first law in effect in 2019 will require authorities to obtain a subpoena, court order, or warrant for data on California customers of hotels, resorts, and bus operators doing business in the state. California lawmakers passed that law largely to curb U.S. Immigration and Customs Enforcement and Immigration and Naturalization Service efforts to round up people suspected of being in the U.S. illegally, privacy attorneys practicing in the state told Bloomberg Law.
Federal authorities have been able to access those records using the third-party doctrine, under which personal data held by businesses is deemed subject to less privacy protection because it was already given to another entity.
INS and ICE agents will be required under the new law to prove to a judge that they need to access data such as hotel records to halt illegal immigration, privacy attorneys said. If they don’t, the companies could point to the California law as a reason not to comply.
“Invasions of privacy have been particularly devastating for immigrant communities, where this disclosure has resulted in arrests and deportations across the country,” Sen. Ricardo Lara (D), the author of the bill, said in a statement after the law was passed.
Immigrants turn over personal information when they stay at hotels or use transportation services, Hanley Chew, privacy and cybersecurity of counsel at Fenwick & West and former Assistant U.S. Attorney in the Northern District of California, said. The law will help limit ICE and INS efforts in California by making it harder for them to obtain immigrants’ sensitive personal data, he said.
The change will likely mean fewer government demands for data, and thus fewer compliance costs, for Hilton Worldwide Holdings Inc., The Walt Disney Co., and other companies in the sectors, privacy attorneys said.
Government authorities rarely have had to get a subpoena or a warrant for personal data in investigations of civil matters such as immigration violations, Chew said. Federal authorities routinely obtain court orders in criminal proceedings in case they have to defend their data demands, he said.
“The hotel/bus law protects privacy by making it harder for the government to get access to certain sensitive personal information,” Kirk J. Nahra, privacy partner at Wiley Rein LLP, said.
Law enforcement agencies have tried to access data by relying on third parties. For example, hotels like Hilton and online booking websites like Airbnb often get served with government data requests to tie alleged crimes or civil wrongdoings to those who rented or stayed at properties.
Californians have shared increasing amounts of data with hotels and resorts in recent years, according to the law. State legislators said they wanted to ensure that California’s constitutional privacy protections aren’t eroded.
“California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information by third parties,” state lawmakers wrote in the legislation.
Credit Bureau Security
The credit reporting bureau security update is aimed at protecting consumers’ privacy by requiring them to patch system vulnerabilities as soon as possible. Equifax, TransUnion, and other credit bureaus will likely have to pay more to meet the law’s burdens, privacy attorneys said.
Credit bureaus doing business in California will have to follow “reasonable” practices that would keep data secure if an industry-wide hack makes their computer systems vulnerable under the law. They must also implement back-up data security standards in the case of a prolonged cyberattack.
“The credit reporting agency law essentially makes it a legal requirement for these agencies to take reasonable steps when there is a security issue,” Nahra said.
The pressure on credit bureaus stems from Equifax’s data breach that impacted 145 million U.S. consumers, Chew said. Credit reporting bureaus face an increased risk for cyberattacks due to the sensitive nature of data they collect, including Social Security numbers, banking records, and other identifying information, he said.
A data breach at any major credit reporting bureau, and the hundreds of others that operate in California, could allow a cybercriminal to steal the identities of millions of individuals and easily cash in on the stolen data, privacy attorneys said.