California Practitioners Review Progress Of State, Federal Privacy Legislation

By Joyce E. Cutler, BNA

Dec. 5 --Unmanned aerial vehicles--drones--and license plate readers likely will receive California legislative attention in the next year while lawmakers begin to consider whether existing government policies concerning privacy are effective and should be more targeted, panelists told privacy practitioners Dec. 3.

California may be ahead of the game in terms of privacy and understanding technology, but even in California lawmakers, policy makers and consumers don't really understand the Internet, privacy and technology, panelists said at a San Francisco roundtable on “Developments in California Privacy Law: Assessing the Present and Predicting the Future” sponsored by University of California Berkeley School of Law Center for Law & Technology and Paul Hastings LLP.

“One of the weaknesses of the privacy regime in California and throughout the U.S. is we continue to rely heavily on statutes that may be outdated,” said Jeffrey Rabkin, special assistant California attorney general for law & technology.

Through California's privacy statutes and privacy enforcement structure, the state “continues to be a leader throughout the country and the world,” Rabkin said.

Yet, said Drew Liebert, chief counsel on the California Assembly Judiciary Committee, federal and state governments are “so far behind the eight ball in even understanding the Internet generally.”

'Interesting Conundrum.'

“We have this kind of interesting conundrum as a society right now in that we are in this revolution of extraordinary moment where things are changing so quickly, and I think we have not even developed fundamental notions of what privacy rights really ought to be in this new world and what do consumers really think,” Liebert said.

The number of people taking steps to control their privacy “I think is very, very small,” he said.

Fewer than six people in California have used the state's “Shine the Light” law, Cal. Civ. Code § 1798.83, which requires businesses to establish a procedure through which consumers can obtain information about their sharing of consumer marketing information with third parties, Liebert said.

Don't Look to Washington.

California is more likely to see more action in the privacy area than in Congress, said Sheresse Smith, a Paul Hastings partner in Washington, and former chief counsel to former Federal Communications Commission chairman Julius Genachowski.

“The reality is there are too many subcommittees on the Hill who have responsibility for privacy. We can't get basic things done in D.C. It is very unlikely that there is going to be federal privacy legislation any time soon,” Smith said.

The Do Not Track Online Act of 2013 (S. 418), introduced by Sen. Jay Rockefeller (D-W.Va.) , is “unlikely to go anywhere, but the reality is there is a lot of concern around tracking right now,” Smith said. California is “one of the states that has actually done something.”

“One of the weaknesses of the privacy regime in California and throughout the U.S. is we continue to rely heavily on statutes that may be outdated.”
Jeffrey Rabkin, Special Assistant California Attorney General for Law & Technology

New California Laws.

California bills passed this year include A.B. 370, which Gov. Jerry Brown (D) signed Sept. 27 . The measure requires website operators and online services that collect personally identifiable information starting Jan. 1, 2014, to disclose how they respond to a customer's request not to track the customer's activity on their sites.

S.B. 568 requires websites and online applications to allow minors who are registered users to remove postings, among other provisions . The law, which takes effect Jan. 1, 2015, doesn't apply to postings by third parties.

Brown also signed two bills to expand the state's data breach notification law. A.B. 1149 extends to local government agencies the existing state law requiring businesses and state agencies to disclose computerized data breaches to consumers.S.B. 46 broadens breach notification requirements to include breaches involving user names or e-mail addresses, acquired in combination with a password or security question and answer that permits access to an online account.

James Aquilina, executive managing director for computer forensics firm Stroz Friedberg LLC in Los Angeles, said highly-publicized data breaches involving user names and passwords, such as those involving online dating site eHarmony and professional networking site LinkedIn , can't be ignored because a company is not a social network.

Changes under S.B. 46 may affect more than just electronic commerce and social network companies, Aquilina said, noting that “any business that requires logon credentials” may be affected by the updated law.

Privacy Bills on Pause.

Most of California's major privacy-related bills this year were held in the Assembly Judiciary Committee, Liebert said.

“I think that you're going to see in the very immediate future in California a little bit more of a pause and an effort at least to work with industry to try to figure out how to make some of the things we've already done work better” with targeted approaches, Liebert said.

He said there is a realization “that the technology is changing so quickly and that we understand so little compared to what the folks out there who are actually doing the technology do.”

The California Assembly is holding Dec. 12 a joint hearing of the Judiciary Committee, the Business, Professions and Consumer Protection Committee and the Select Committee on Privacy on balancing privacy and opportunity in the Internet age, Liebert said.

“The immediate thing I think we find ourselves facing right now is the realization that we've got a lot to learn,” Liebert said.

Rethinking System.

Moreover, Liebert said, lawmakers are realizing “that our privacy policy system, our disclosure system, is really a facade. It's not working.”

If the goal of a system is to use an opt-out approach that gives meaningful information to consumers to make choices, it fails, Liebert said.

“So I anticipate in the next couple of years increasing efforts to think about whether the current privacy regime of disclosure and consent is working at all, and if not, what are alternatives to that scheme,” he said.

Areas to Watch.

Rabkin said he expects legislative efforts to put limits on specific technologies such as drones and automatic license plate readers.

License plate readers are “like the poor man's wiretap,” he said. “And it's very unclear what if any best practices or guidance is available to law enforcement with regard to license plate technology.”

Two steps beyond that are efforts to legislate biometrics in law enforcement, such as facial recognition technology, Rabkin said. “There will be efforts by many to legislate that, and then there will be tremendous pushback by law enforcement,” he said.

On Dec. 3, the Department of Commerce's National Telecommunications and Information Administration launched a new multistakeholder process to develop voluntary privacy code of conduct on commercial uses of facial recognition technology (see related report).

Another potential area to watch is dynamic pricing, the concept where the price changes as companies start to learn more about a consumer and the level of demand, Rabkin said.

There is a potential “for abuse or problems, so I will be interested to see how in the future the power of big data and big analytics winds up producing capabilities that grow scary enough that people start thinking there should be” some action, he said.