Slew of Privacy Bills Will Keep CA Lawyers Busy

When California lawmakers sent a host of online privacy bills to the governor in the final weeks of the session, consumer groups generally reacted with a “ho-hum.”

But with the measures' potential to require a wide range of companies to at least tweak their Internet practices, some attorneys are responding with a pointed “ahem” to their clients.

Bills on the governor's desk address employees' control of social media passwords, data breach notifications and search warrants for electronic communications. Governor Jerry Brown is expected to sign most, if not all, of them. He has already approved so-called “eraser button” legislation allowing minors to retract online posts they come to regret as well as a bill about online tracking.

“This is a pretty big deal,” says Tanya Forsheit, a founding partner of InfoLawGroup. “We haven't seen a lot of new privacy legislation in California recently. This seems to be a pretty big year.”

A common thread among the privacy legislation is consumer notification. The bills generally require site operators to tell users something, like how they can erase regretted posts or how they respond to requests not to track consumers' online activity. The legislation does not, however, usually bar a company from certain action, a distinction disappointing a lot of consumer advocates.

“These are all important bills, but they're relatively incremental in nature,” says Paul Stephens, director of policy and advocacy for the nonprofit Privacy Rights Clearinghouse.

What some may consider incremental changes, however, are burdensome to others. Take AB 370, the subject of a lot of recent law firm client alerts. The bill, sponsored by the attorney general's office and signed by the governor on Sept. 27, does not require website operators to comply with do-not-track signals. But it would require operators to disclose how, or if, they respond to them and whether third parties collect data on consumers using the site.

To address Internet industry concerns, AB 370's author, Assemblyman Al Muratsuchi (D-Torrance), dropped specific language defining what “do not track” means. It may seem like a simple phrase, but even a worldwide standards consortium working for years on a definition has been unable to reach consensus. See, “Do-Not-Track on the Ropes as Ad Industry Ditches W3C,” AdAge.

In light of that, Baker & McKenzie partner and privacy expert Lothar Determann says such tracking legislation may not be ripe yet. Without any wide-ranging agreement on do-not-track language, he says, companies “will have to disclose a lot more than I think this law wishes to disclose.”

Possible online tracking disclosures could be so long and complicated that confused or bored consumers will get little benefit from them.

“This broad law will be handled with broad language,” Determann says.

In contrast, he says, a number of privacy bills sent to the governor are so narrowly crafted that they're either unnecessary or an invitation to unforeseen problems. He pointed to the eraser-button bill allowing teens to delete online posts. Most websites already offer a delete feature, he says, and exemptions listed in the bill may be difficult for companies to interpret and implement.

“Such overly detailed, narrow and specific laws impose a significant compliance burden on companies that may not be justified by the benefits,” Determann says. “Company lawyers have to read new legislation, plaintiffs firms and regulators want to try them in court and some of the statutes do not really advance privacy agendas.”

Stephens and others say the tech industry was largely successful in limiting the scope of many of the bills that were passed. Assemblywoman Bonnie Lowenthal (D-Long Beach) shelved her Right to Know Act, AB 1291'which would have required businesses to disclose to individual customers what consumer information they retain and share with third parties.

Another bill, SB 383, a response to Apple v. Superior Court, No. S199384, (Ca. Sup. Ct. 2013), decided earlier this year, would have forced e-retailers to erase consumers' ZIP codes and other information after performing identity theft checks. It fizzled in May. And AB 242, which would have limited online privacy policies to 100 words, never made it to a committee vote.

“Certainly from an economic standpoint the tech industry is very important in California, and they're exercising that clout,” Stephens says.

Naturally, the tech lobby has a different take. James Hawley, a Sacramento lobbyist for the industry group TechNet, says the package of privacy bills on the governor's desk is substantive but also respects the needs of Silicon Valley.

“This is an area where you have a lot of different business models, and you have to be careful that you're not hindering innovation,” Hawley says. “Everybody really wants to come up with things that don't hamper young, innovative companies.”

Significant privacy bills passed by the Legislature in 2013:

• AB 25: Clarifies that the ban on requiring a worker or prospective employee to disclose their social media user names or passwords applies to both public and private employers.
  
• AB 370: Requires website operators to disclose how they respond to do-not-track signals. (Signed by governor.)
  
• AB 1149: Extends the provisions of California's data bre- ach notification laws to local public agencies.
  
• SB 46: Expands the scope of personal information subject to existing security breach disclosures. (Signed by governor.)
  
• SB 467: Requires law enforcement to obtain a search warrant to secure electronic communications stored by a provider.
  
• SB 568: Requires website operators to allow and to tell minors how to delete posts. Also restricts certain online advertising to children. (Signed by governor.)
  

Cheryl Miller is a Reporter for The Recorder, the San Franciso-based ALM affiliate of Internet Law & Strategy. She can be reached at [email protected].

When California lawmakers sent a host of online privacy bills to the governor in the final weeks of the session, consumer groups generally reacted with a “ho-hum.”

But with the measures' potential to require a wide range of companies to at least tweak their Internet practices, some attorneys are responding with a pointed “ahem” to their clients.

Bills on the governor's desk address employees' control of social media passwords, data breach notifications and search warrants for electronic communications. Governor Jerry Brown is expected to sign most, if not all, of them. He has already approved so-called “eraser button” legislation allowing minors to retract online posts they come to regret as well as a bill about online tracking.

“This is a pretty big deal,” says Tanya Forsheit, a founding partner of InfoLawGroup. “We haven't seen a lot of new privacy legislation in California recently. This seems to be a pretty big year.”

A common thread among the privacy legislation is consumer notification. The bills generally require site operators to tell users something, like how they can erase regretted posts or how they respond to requests not to track consumers' online activity. The legislation does not, however, usually bar a company from certain action, a distinction disappointing a lot of consumer advocates.

“These are all important bills, but they're relatively incremental in nature,” says Paul Stephens, director of policy and advocacy for the nonprofit Privacy Rights Clearinghouse.

What some may consider incremental changes, however, are burdensome to others. Take AB 370, the subject of a lot of recent law firm client alerts. The bill, sponsored by the attorney general's office and signed by the governor on Sept. 27, does not require website operators to comply with do-not-track signals. But it would require operators to disclose how, or if, they respond to them and whether third parties collect data on consumers using the site.

To address Internet industry concerns, AB 370's author, Assemblyman Al Muratsuchi (D-Torrance), dropped specific language defining what “do not track” means. It may seem like a simple phrase, but even a worldwide standards consortium working for years on a definition has been unable to reach consensus. See, “Do-Not-Track on the Ropes as Ad Industry Ditches W3C,” AdAge.

In light of that, Baker & McKenzie partner and privacy expert Lothar Determann says such tracking legislation may not be ripe yet. Without any wide-ranging agreement on do-not-track language, he says, companies “will have to disclose a lot more than I think this law wishes to disclose.”

Possible online tracking disclosures could be so long and complicated that confused or bored consumers will get little benefit from them.

“This broad law will be handled with broad language,” Determann says.

In contrast, he says, a number of privacy bills sent to the governor are so narrowly crafted that they're either unnecessary or an invitation to unforeseen problems. He pointed to the eraser-button bill allowing teens to delete online posts. Most websites already offer a delete feature, he says, and exemptions listed in the bill may be difficult for companies to interpret and implement.

“Such overly detailed, narrow and specific laws impose a significant compliance burden on companies that may not be justified by the benefits,” Determann says. “Company lawyers have to read new legislation, plaintiffs firms and regulators want to try them in court and some of the statutes do not really advance privacy agendas.”

Stephens and others say the tech industry was largely successful in limiting the scope of many of the bills that were passed. Assemblywoman Bonnie Lowenthal (D-Long Beach) shelved her Right to Know Act, AB 1291'which would have required businesses to disclose to individual customers what consumer information they retain and share with third parties.

Another bill, SB 383, a response to Apple v. Superior Court, No. S199384, (Ca. Sup. Ct. 2013), decided earlier this year, would have forced e-retailers to erase consumers' ZIP codes and other information after performing identity theft checks. It fizzled in May. And AB 242, which would have limited online privacy policies to 100 words, never made it to a committee vote.

“Certainly from an economic standpoint the tech industry is very important in California, and they're exercising that clout,” Stephens says.

Naturally, the tech lobby has a different take. James Hawley, a Sacramento lobbyist for the industry group TechNet, says the package of privacy bills on the governor's desk is substantive but also respects the needs of Silicon Valley.

“This is an area where you have a lot of different business models, and you have to be careful that you're not hindering innovation,” Hawley says. “Everybody really wants to come up with things that don't hamper young, innovative companies.”

Significant privacy bills passed by the Legislature in 2013:

• AB 25: Clarifies that the ban on requiring a worker or prospective employee to disclose their social media user names or passwords applies to both public and private employers.
  
• AB 370: Requires website operators to disclose how they respond to do-not-track signals. (Signed by governor.)
  
• AB 1149: Extends the provisions of California's data bre- ach notification laws to local public agencies.
  
• SB 46: Expands the scope of personal information subject to existing security breach disclosures. (Signed by governor.)
  
• SB 467: Requires law enforcement to obtain a search warrant to secure electronic communications stored by a provider.
  
• SB 568: Requires website operators to allow and to tell minors how to delete posts. Also restricts certain online advertising to children. (Signed by governor.)
  

Cheryl Miller is a Reporter for The Recorder, the San Franciso-based ALM affiliate of Internet Law & Strategy. She can be reached at [email protected].