The New 2013 California Privacy Laws for Websites

California often leads the nation when it comes to groundbreaking legislation. The state is indeed proving to be the leader again when it comes to legislation related to online privacy by passing a variety of new laws applicable to data collection on the web.

Why California?

California is passing new laws because the federal government is unable to in light of the current political climate. You only have to look at the recent shutdown to realize not much has been getting done at the federal level of government nor will it be moving forward.

Privacy is a tricky subject when it comes to federal law. There is still a serious debate as to whether a right to privacy exists at all under federal law. There is no language regarding privacy rights in the United States Constitution. The Supreme Court, however, has ruled the right can be inferred from the Constitution pursuant to its decision in Roe v. Wade.

Yes, that slightly controversial case.

Even if certain conservative politicians are interested in passing privacy laws, it’s hard to do so without indirectly validating the Roe v. Wade decision. In short, don’t hold your breath when waiting for action by the federal government.

The story in California is different. The constitution of the state specifically includes a right of privacy for all citizens of the state. This inclusion bypasses the biggest hurdle in most privacy law debates in the state. The only question is how the right applies to real world situations such as website data collection and the storage of medical records.

The new 2013 California privacy laws seek to provide an answer to this question. Unfortunately, the new legislation is so poorly thought out and drafted that it fails to meet this goal.

Apply To Websites Not Based In California?

The new privacy laws apply to California businesses, but what about online companies located in other states? The answer may surprise and disappoint you. The application of these laws is dependent not on the location of your business, but on whether you collect personally identifiable information from residents in California.

Let’s assume you sell products online through your website. California residents represent 3 percent of your total customers. Must you comply with the California privacy laws? Yes.

Is this legal? The merits of this “long arm of the law” approach haven’t been addressed as of yet by the courts. My personal view is it is unconstitutional because only the federal government has the right to regulate commerce across state lines.

While unique, California’s approach invites chaos. Imagine if Florida passes a law contradicting a California law and includes a similar provision requiring websites to comply with the Florida law if the site collects personal information from even a single resident of Florida. Which state law prevails? Online operators would face a no-win situation.

The commerce clause of the U.S. Constitution is designed to prevent this from happening. Of course, one or more online businesses are going to have to pony up the million dollars or so to challenge the California approach. Expect such an effort in the near future.

The New California Privacy Laws

The new California privacy laws of 2013 are a rather impressive collection of half measures and useless efforts that invite protracted court battles. Let’s take a closer look.

A. California Revenge Porn Law

Revenge porn is the act of posting images of a person you were formerly intimate with online to shame them. It is the rare website that allows users to post this type of content, so why bring the new law up? This law is a perfect example of how these new privacy laws are poorly thought out and poorly written.

In the case of revenge porn, the problem is the precise definition of the type of images covered under the law. The revenge porn law excludes “selfies,” which are images a person takes of themselves. Studies have shown between 60 and 80 percent of all revenge porn postings are selfies. Put another way, this law may not apply in 60 to 80 percent of all revenge porn cases! The other new California privacy laws passed in 2013 are not much better.

B. Disclosing How You Respond To Do Not Track Signals

Private companies and regulators have been going round and round on the topic of “do not track” signals. After years of trying to reach an agreement, it is pretty clear the effort is futile. Given this, California has passed laws in the area, but with language likely to lead to litigation.

On September 27, 2013, Governor Jerry Brown signed Assembly Bill 370 into law. Read the bill here. The bill amended a pre-existing state privacy law known as the California Online Privacy Protection Act. The new amendment adds language to the law that forces online businesses to disclose how they react to do not track signals from browsers.

Do not track signals? Yes. Major browsers now allow users to indicate whether they wish to be tracked or not. The browser then sends a “do not track” signal to the server for each website the person visits while using the browser. You can read more about the signals here.

The new California law requires websites to indicate whether they comply with such browser signals. Every privacy policy for every site you run must now be amended to comply with the new disclosure requirement. Mind you, websites are not required to comply with the do not track signals under the law. They must simply disclose whether they comply or not.

There is a significant concern among internet lawyers regarding this new do not track disclosure requirement. One can reasonably predict plaintiff attorneys will do their best to argue there is a common law duty for websites to comply with such signals, despite the fact the law only requires a disclosure. Whether such lawsuits will prevail or not is questionable, but the mere cost of defending a flood of lawsuits could force many online operators to settle such claims in an effort to avoid bankruptcy.

AB 370, Part II

The AB 370 amendment also carries a second provision many are finding difficult to understand when applied to the web. Essentially, a website operator must determine if any other party with access to their site can collect information over a variety of websites and periods of time to create consumer profiles. If so, this must be disclosed in the privacy policy.

Who else would be able to track visitors through your site? Many affiliate programs will do behavioral tracking. Free Google products such as the Analytics and Fonts services do so as well. Every website operator is charged with contacting these parties and obtaining information on what the companies are doing in relation to user data collection. This information must then be disclosed to site visitors in your privacy policy.

C. Privacy Laws For Minors – Eraser, etc.

Who will protect the children?! Apparently, California is going to try. The state has passed new laws prohibiting the marketing of certain products to minors if the website in question is primarily aimed at minors as a target audience. Since this area of the law is complex and most sites don’t focus on the under 18 audience, I am skipping it for now. If your site is focused on minors, contact me to discuss the new provisions.

Moving along, we are presented with the “eraser” element of the new law applying to minors. This provision does not go into effect until January 1, 2015, but you need to start thinking about it now. The provision requires websites to create a method by which minors under 18 can remove or request the removal of anything they have uploaded to a site be it comments, narratives, videos, graphics or what have you. The key is to make sure your website has the functionality in place to process the removal.

This “eraser” law points out the rather bizarre nature of the new California laws. Ask yourself a simple question. Does removing user generated content from a website erase it from the web? It does not. In fact, it doesn’t even come close to doing so. Other sites ranging from search engines to the Wayback Machine will keep copies of the content and a simple search on Google will usually bring up a list of sites where the content can be found.

Does this render the eraser law useless? Yes, for the most part. The authors of the bill even seem to admit as much since part of the bill requires you, the website operator, to alert minors to the fact the removal of the content on your website does not mean it can’t be found in other areas of the web.


Your Problem and Solution

These new California privacy laws, while misguided, still must be complied with by any online business collecting information from even a single person located in California. If this is not done, you face potential criminal prosecution by the California Attorney General or lawsuits by plaintiffs’ attorneys seeking monetary compensation. Neither will make your day.

The solution to this new risk is rather obvious – get in compliance. January 1, 2014 is the deadline for compliance. Contact me today to get your site in compliance before the deadline.

Richard A. Chapo, Esq.