October 8, 2013
The California legislature has been busy, some might say spending California tax dollars on frivolous new laws that are muddied with ambiguity, unnecessarily over-burdensome, potentially violative of the First Amendment, and not likely to amount to significant consumer protection. Two new privacy laws, scheduled to take effect in 2014 and 2015 are likely to pose challenges for website owners, and – for at least one — face challenges in the courts.
On September 23, 2013, Governor Jerry Brown approved Senate Bill 568. Dubbed the “Eraser Act” the bill allows minors to use an “online eraser” to eviscerate any posts that common sense and discretion – or maturity – might otherwise have kept from being made public. Days later, on September 27, 2013, Jerry Brown signed into law and amendment to the existing California Online Privacy Protection Act (CalOPPA) that raises the burden on websites that collect information from consumers to make greater disclosures about what they do with that information and how they handle the new FTC-endorsed Do-Not-Track guidelines. Both have raised significant issues – and headaches – for companies who have an online presence.
The Eraser Act
Under the “Eraser Act”, websites directed at users under 18 (or sites that know they have collected information from a minor) must allow registered users to remove (or have removed) content posted publicly. While the sentiment behind the bill is admirable – kids make mistakes online that should not jeopardize their futures – analysis of Act’s language leaves too many question unanswered, and may place too great a burden on website owners to “know” who is on their sites (particularly in light of the new privacy bill in California, which effectively discourages collection of personal information).
One of the biggest issues website owners will face is defining what it means to direct a site to “people 18 and under.” Websites can take guidance from the Children’s Online Privacy Protection Act for what it means to appeal to children under 13, but there is no guidance on sites directed at children under 18. We expect – if the law survives whatever constitutional and other legal challenges are forthcoming – websites will likely change their privacy policies to appeal to those over 18, and/or remove the ability for anyone who is under 18 to publicly post under their registered user status. Certain sites, like online gaming sites which cannot reasonably argue they are not targeting minors, will be stuck wading through the tangled language.
A second significant issue not made clear in the new law is timing: how long does a minor have to exercise the eraser right, and does the timing change a website’s archiving responsibilities for the content? Neither of these is addressed. Assuming the law is intended to recognize the “knucklehead” logic of a child, one assumes the right to erase survives into adulthood, when the erstwhile kid has the common sense to recognize that what s/he wrote could be detrimental. On the other hand, once a child is in adulthood, s/he is not covered under the Act. Does that mean websites do not have to honor requests made by adults for postings made when they were kids? The law is not clear.
Finally, and perhaps most importantly, the Act simply does not take into account that the Internet is forever: one screenshot by anyone of the offending content means the eraser has missed its mark, making the law effectively moot. Even if the Act accounted for this by making the erased content a de jure disappearance, it would place undue archival burdens on website owners to track – and save – each request. Besides, that photograph of little Gertrude smoking a spliff was already forwarded to the admissions director.
Given the Act only applies to publicly posted content of registered users, one solution for website owners is simply to disallow content to be posted publicly on sites that clearly attract minors. Sites like Facebook, for instance, might disable the ability of a minor to change privacy settings. In the alternative, since the Act seems also to only apply to content posted by “registered” users, sites may only allow public postings that are anonymous.
The law is not due to go into effect until 2015, leaving plenty of time for legal challenges, clarifications, and changes to it. We encourage Eraser Act enthusiasts to follow the discussion – and other legal problems the Act will face – on Eric Goldman’s Marketing and Technology Law blog Until then, the better defense against child indiscretions is good parenting.
Assembly Bill 370’s Amendment to CalOPPA
The September 27th Amendment to CalOPPA, California’s privacy act does not suffer from the same significant legal and clerical challenges of the Eraser Act, but it may leave many website operators scratching their heads about just how to comply.
The amendment, which officially goes into affect this January, 2013, requires any website or mobile operator that collects certain personal information from residents of California to do two – seemingly innocuous, but potentially difficult — things: 1) explain how they respond to do-not-track signals, and 2) disclose whether third parties collect personal information from the site or mobile interface.
First, notwithstanding the FTC’s support of do-not-track legislation relating to behavioral marketing, experts have struggled with the fluctuating definition of “tracking,” giving rise to questions about a website holder’s responsibility under the amendment. These definitional questions can make it difficult for website owners to accurately describe to consumers exactly what their response is, as mandated under the new law. Moreover, given that some browsers have an automatic “do-not-track” setting that does not reflect a consumer preference, website operators may not actually be responding to a consumer request at all and – depending upon the changes in technology – may not be able adequately explain how they handle the tracking signal.
It is important to note the additional reporting requirement under the amendment does not necessarily require websites to change their policies. Indeed, as an explanation-only mandate, neither does it confer a greater right – other than a right-to-know – on the consumer than the consumer had under the original California law. That said, in order to comply, website operators will have to understand the technology and the definition of tracking before they can make an appropriate disclosure to consumers. Moreover, it may require companies to adopt a new policy if only to quell any public relations outcry that it does nothing in response to do-not-track signals. Query whether enforcement efforts will be fruitful under a scenario where website and mobile operators have various definitions of tracking, none of which have a foundational meaning, and where websites are not necessarily required to do anything in any case.
The law does have a “safe harbor” of sorts, allowing websites to link to a third party monitoring or collective trade site such as the Digital Advertising Alliance, which defines and explains behavioral advertising (tracking). While the powers that be continue to refine those definitions, this practice seems the safest course of action for companies, provided they adhere to the principles outlined in them.
The second requirement under the amendment is that website owners disclose whether third parties on their sites collect personal information. It sounds simple enough, but it expands the previous language in a way that may make it impossible for owners to comply, because it removes the word “share” from the equation.
Under the existing law, website owners were already required to disclose what they shared with third parties, a simple enough requirement, and one without a lot of ambiguity: if you provide third parties with personal information, you must disclose who those third parties are and what they are receiving. The new language suggests that a website owner has a responsibility to know what any third party has access to, regardless of whether the website owner has shared the information or has a contractual relationship with the third party. If a website integrates third party content through a portal, for instance, the language technically requires the website owner to know what technology the third party is using and what sort of personal information that portal site collects. Given the definition of personal information in California, the task of unwinding who has access to what could be daunting.
The amendments to CalOPPA are set to take effect January 1, 2013. Because no glaring legal issues have been brought forth – unlike the Eraser Act – it is likely website operators will have to comply with its provisions. Operators should begin to familiarize themselves with the provisions and make efforts now to comply by the deadline. One important decision will be whether whatever new provisions take place will apply only to California residents.
Privacy is the new black in the Internet world. Whether it’s an interest in protecting teenagers from themselves, or allowing consumers a choice in whether they can be tracked across websites, the law seems to be making an effort to catch up with marketing and technology practices, if somewhat late in the game. In an era where digital content – practically speaking – is forever, and the Internet is only free for a price, perhaps Mr. Zuckerberg had it right: privacy is dead.