California attorney general adds unit to protect our privacy


California has some of the nation’s toughest privacy laws. Even so, millions of state residents struggle daily with identity theft, online security breaches and control of their personal information.

Atty. Gen. Kamala D. Harris recognized the problem and has created a new Privacy Enforcement and Protection Unit within her office to get tougher on those who would trespass on people’s right to be left alone.

Whether a new layer of bureaucracy will actually change anything remains to be seen.

“In the 21st century, we share and store our most sensitive personal information on phones, computers and even the [online] cloud,” Harris said. “It is imperative that consumers are empowered to understand how these innovations use personal information so that we can all make informed choices about what information we want to share.”

The new division, she said, “will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”

Privacy rights have become a moving target in the digital age. Businesses and their lobbyists have worked tirelessly to water down privacy regulations at the state and the federal levels. For example, you still have to “opt out” from having your personal info shared, rather than getting the more consumer-friendly choice to “opt in.”

Meanwhile, the culture of online openness spawned by the likes of Facebook and Twitter has lessened privacy expectations among many people, particularly younger Internet users. There’s a sense among many folks that information is going to waste unless it’s being passed around.

California has long been at the forefront of efforts to guarantee a degree of privacy to state residents and to hold businesses accountable for wayward data. The state Constitution was amended in 1972 to include privacy as a right.

Federal privacy laws cover a number of issues, including medical records and treatment of Internet users under the age of 13. But such laws can be difficult to enforce and may lack the teeth of more restrictive state rules.

In 2003, for example, California lawmakers approved the Online Privacy Protection Act. It was the first state law in the U.S. to require operators of commercial websites to post a link to a privacy policy from the home page. It also required disclosure of how people’s personal information might be shared.

Noncompliance with the law, even by companies outside the state, can result in civil penalties.

This year, California laws regarding notification of online security breaches were improved by a requirement that any such incident involving more than 500 Californians must be reported to the attorney general’s office.

Travis LeBlanc, the special assistant attorney general who oversees tech matters, told me this was a key reason Harris wanted to beef up the state’s privacy enforcement capabilities.

“We’re going to be investigating all those things now,” he said. “This is something new.”

In a sense, the new privacy division is a reshuffling of deck chairs in the attorney general’s office. No new laws are on the books. No new funds have been allocated by lawmakers.

But the move reflects a growing awareness on the part of law enforcement officials that not enough was being done in the past to keep consumers safe or to crack down on data-leaking businesses.

Previously, LeBlanc said, only a handful of officials were able to work even part time on privacy matters. Now, at least half a dozen prosecutors will be committed full time to enforcing state privacy laws.

“There were tons of privacy issues that came up before that we couldn’t effectively manage,” LeBlanc said. “This is a game changer.”

Another potential game changer is moving Joanne McNabb from her former role heading up California’s largely toothless Office of Privacy Protection to a gig as director of privacy education and policy in the new division.

McNabb told me she’ll now focus on educating consumers and companies about the regulatory landscape and helping both keep confidential info under lock and key. The trick, of course, will be getting businesses to step up their game.

“I’ll be reaching out to businesses in a respectful way about things they can do better,” McNabb said. For example, she’ll try to get app developers to disclose how a user’s data could be exploited before the software is downloaded.

Privacy advocates are pleased.

“There are a lot of laws on the books in California, but enforcement can be spotty,” said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse in San Diego. “This new office provides an ability to enhance the enforcement mechanism.”

The proof will be in the pudding. California does indeed have plenty of privacy laws, so there’s no shortage of ammunition for our data cops. The real question is whether there’s a will to seriously crack down on companies and organizations that don’t go far enough in safeguarding their records.

LeBlanc said we can expect the new division to take its first enforcement action within months. Beyond that, I’d like to see a greater emphasis on providing consumers with more details about security breaches, such as where the breach transpired and under what circumstances.

I’d also like to see fines imposed for lost data. Businesses won’t take their stewardship of our info seriously until they have money on the line. A $500 fine for every person affected by a breach would get their attention.

And I’d certainly like to see a more concerted effort to teach people that the stuff they post on Facebook today can and will come back to haunt them later when, say, they’re applying for a new job. The Internet mantra may be that all information wants to be free. But some truly wants to be kept under wraps.

Generally speaking, though, Harris is to be commended for placing a new emphasis on privacy protection. It’s an example all other states should follow.

David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @LATlazarus. Send tips or feedback to