By Joyce E. Cutler, BNA
Dec. 5 –Unmanned aerial vehicles–drones–and license
plate readers likely will receive California legislative
attention in the next year while lawmakers begin to
consider whether existing government policies concerning
privacy are effective and should be more targeted,
panelists told privacy practitioners Dec. 3.
California may be ahead of the game in terms of privacy
and understanding technology, but even in California
lawmakers, policy makers and consumers don’t really
understand the Internet, privacy and technology, panelists
said at a San Francisco roundtable on “Developments in
California Privacy Law: Assessing the Present and
Predicting the Future” sponsored by University of
California Berkeley School of Law Center for Law &
Technology and Paul Hastings LLP.
“One of the weaknesses of the privacy regime in
California and throughout the U.S. is we continue to rely
heavily on statutes that may be outdated,” said Jeffrey
Rabkin, special assistant California attorney general for
law & technology.
Through California’s privacy statutes and privacy
enforcement structure, the state “continues to be a leader
throughout the country and the world,” Rabkin said.
Yet, said Drew Liebert, chief counsel on the California
Assembly Judiciary Committee, federal and state
governments are “so far behind the eight ball in even
understanding the Internet generally.”
‘Interesting Conundrum.’
“We have this kind of interesting conundrum as a society
right now in that we are in this revolution of
extraordinary moment where things are changing so quickly,
and I think we have not even developed fundamental notions
of what privacy rights really ought to be in this new
world and what do consumers really think,” Liebert said.
The number of people taking steps to control their
privacy “I think is very, very small,” he said.
Fewer than six people in California have used the state’s
“Shine the Light” law, Cal. Civ. Code § 1798.83, which
requires businesses to establish a procedure through which
consumers can obtain information about their sharing of
consumer marketing information with third parties, Liebert
said.
Don’t Look to Washington.
California is more likely to see more action in the
privacy area than in Congress, said Sheresse Smith, a Paul
Hastings partner in Washington, and former chief counsel
to former Federal Communications Commission chairman
Julius Genachowski.
“The reality is there are too many subcommittees on the
Hill who have responsibility for privacy. We can’t get
basic things done in D.C. It is very unlikely that there
is going to be federal privacy legislation any time soon,”
Smith said.
The Do Not Track Online Act of 2013 (S.
418), introduced by Sen. Jay Rockefeller (D-W.Va.) ,
is “unlikely to go anywhere, but the reality is there is a
lot of concern around tracking right now,” Smith said.
California is “one of the states that has actually done
something.”
regime in California and throughout the U.S. is we
continue to rely heavily on statutes that may be
outdated.”
California Attorney General for Law & Technology
New California Laws.
California bills passed this year include A.B.
370, which Gov. Jerry Brown (D) signed Sept. 27 .
The measure requires website operators and online services
that collect personally identifiable information starting
Jan. 1, 2014, to disclose how they respond to a customer’s
request not to track the customer’s activity on their
sites.
S.B.
568 requires websites and online applications to
allow minors who are registered users to remove postings,
among other provisions . The law, which takes effect Jan.
1, 2015, doesn’t apply to postings by third parties.
Brown also signed two bills to expand the state’s data
breach notification law. A.B.
1149 extends to local government agencies the
existing state law requiring businesses and state agencies
to disclose computerized data breaches to consumers.S.B.
46 broadens breach notification requirements to
include breaches involving user names or e-mail addresses,
acquired in combination with a password or security
question and answer that permits access to an online
account.
James Aquilina, executive managing director for computer
forensics firm Stroz Friedberg LLC in Los Angeles, said
highly-publicized data breaches involving user names and
passwords, such as those involving online dating site
eHarmony and professional networking site LinkedIn , can’t
be ignored because a company is not a social network.
Changes under S.B. 46 may affect more than just
electronic commerce and social network companies, Aquilina
said, noting that “any business that requires logon
credentials” may be affected by the updated law.
Privacy Bills on Pause.
Most of California’s major privacy-related bills this
year were held in the Assembly Judiciary Committee,
Liebert said.
“I think that you’re going to see in the very immediate
future in California a little bit more of a pause and an
effort at least to work with industry to try to figure out
how to make some of the things we’ve already done work
better” with targeted approaches, Liebert said.
He said there is a realization “that the technology is
changing so quickly and that we understand so little
compared to what the folks out there who are actually
doing the technology do.”
The California Assembly is holding Dec. 12 a joint
hearing of the Judiciary Committee, the Business,
Professions and Consumer Protection Committee and the
Select Committee on Privacy on balancing privacy and
opportunity in the Internet age, Liebert said.
“The immediate thing I think we find ourselves facing
right now is the realization that we’ve got a lot to
learn,” Liebert said.
Rethinking System.
Moreover, Liebert said, lawmakers are realizing “that our
privacy policy system, our disclosure system, is really a
facade. It’s not working.”
If the goal of a system is to use an opt-out approach
that gives meaningful information to consumers to make
choices, it fails, Liebert said.
“So I anticipate in the next couple of years increasing
efforts to think about whether the current privacy regime
of disclosure and consent is working at all, and if not,
what are alternatives to that scheme,” he said.
Areas to Watch.
Rabkin said he expects legislative efforts to put limits
on specific technologies such as drones and automatic
license plate readers.
License plate readers are “like the poor man’s wiretap,”
he said. “And it’s very unclear what if any best practices
or guidance is available to law enforcement with regard to
license plate technology.”
Two steps beyond that are efforts to legislate biometrics
in law enforcement, such as facial recognition technology,
Rabkin said. “There will be efforts by many to legislate
that, and then there will be tremendous pushback by law
enforcement,” he said.
On Dec. 3, the Department of Commerce’s National
Telecommunications and Information Administration launched
a new multistakeholder process to develop voluntary
privacy code of conduct on commercial uses of facial
recognition technology (see related report).
Another potential area to watch is dynamic pricing, the
concept where the price changes as companies start to
learn more about a consumer and the level of demand,
Rabkin said.
There is a potential “for abuse or problems, so I will be
interested to see how in the future the power of big data
and big analytics winds up producing capabilities that
grow scary enough that people start thinking there should
be” some action, he said.