California to get tough on online privacy

California’s top legal official has put the tech industry on notice that she intends to get tough on digital privacy.

Attorney General Kamala Harris said Thursday she is forming a new group within the state’s Justice Department, the Privacy Enforcement and Protection Unit, to oversee privacy issues and prosecute companies that run afoul of the state’s strict privacy laws.

The new unit’s impact could extend beyond California, because it will police not just companies based in the state but all companies that do business there.

“This means that their privacy practices are going to be scrutinized a lot more by the Attorney General’s office,” Travis LeBlanc, special assistant attorney general for technology, said in an interview.

“We are going to do outreach to companies, to make sure they know their obligations,” he said. “And make sure that when there are violations of California privacy laws, we will enforce them.”

The unit will also perform outreach and education campaigns for state residents.

California has some of the strictest privacy regulations in the U.S., and unlike in many other states, the right to privacy is spelled out in the state’s constitution.

“Typically, we’ve been a bellwether state,” said LeBlanc. “We were the first state to pass a ‘do not call’ list and the first to pass a law requiring data breaches are notified to consumers.”

Formation of the unit puts California ahead of other states when it comes to online privacy, said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. Brookman worked in the New York Attorney General’s office from 2004 to 2009.

“One advantage the states have is they can move more quickly on issues [than the U.S. Federal Trade Commission],” he said.

The FTC will generally take time to consider issues in detail, and that can mean it is more likely to get things right, but the states have the advantage when it comes to awarding large fines, he said.

State law often allows companies to be fined for each infraction they make, whereas the FTC will usually fine a company only after it has been found guilty and re-committed the same violation, said Brookman.

The unit will be part of the California Justice Department’s electronic crimes unit, and its staff will include six prosecutors who specialize in privacy enforcement. Some staff have already been hired, and LeBlanc said he expects the unit to be fully staffed in a few months.

Announcement of the unit comes five months after the California attorney general said she had reached an agreement with Apple, Google, Research In Motion, Amazon, Hewlett-Packard and Microsoft, to ensure that users can read the privacy policies on all mobile applications before downloading and installing the apps. The group was joined by Facebook in June.

One of the unit’s first tasks will be a check-in with the companies to see how they have lived up to the agreement.

“In terms of enforcement, we have targeted our efforts in the mobile space,” said LeBlanc. “We’re seeing lots of privacy concerns there. Some people see it as the wild, wild West. We intend to start enforcing the California Online Privacy Act.”

In terms of the unit’s impact beyond state borders, it could face challenges from companies under U.S. federal interstate commerce laws if it tries to make too big a change on digital business practices, said Brookman.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn’s e-mail address is martyn_williams@idg.com