Social Networking Internet Web Sites Privacy - SB 242 Corbett by alon

									                   SENATE JUDICIARY COMMITTEE
                   Senator Noreen Evans, Chair
                    2011-2012 Regular Session

SB 242 (Corbett)
As Amended May 2, 2011
Hearing Date: May 10, 2011
Fiscal: No
Urgency: No


          Social Networking Internet Web Sites: Privacy


This bill would require social networking Internet Web sites to:
       establish a default privacy setting for registered users
     that prohibits the display of any information about the
     user without the agreement of the user, as specified;
       establish a process for new users to set their privacy
     settings as part of the registration process that explains
     privacy options in plain language; and
       remove personal identifying information in a timely
     manner upon request.

This bill would provide that a social networking Internet Web
site that willfully and knowingly violates the bill's provisions
shall be liable for a civil penalty not to exceed $10,000 for
each violation.


Social networking Internet Web sites such as MySpace and
Facebook have grown in use and become more popular with users
who post messages and photos on a personal web page. Those
personal pages, generated by the social network, may also
display the user's address, phone number, and birth date. That
information may then be displayed to the user's friends or the
general public. Users of social networking sites are generally
able to limit who may see their personal information by changing
their "privacy settings," but absent any change by the user, the
"default" for those settings may be to allow for full disclosure
of a user's personal information.

As an example of why those settings are important, the Los
Angeles Times' December 9, 2009 article by Cecilia Kang entitled
"Facebook's Default Privacy Settings Too Loose, Critics Say"

  Beginning this week, Facebook members can customize every
  piece of data about themselves on the site. They can control
  who sees personal information such as age, name, gender and
  workplace; and status updates and photos. In some cases,
  they can restrict access to photos to just one or two people
  or allow basic profile information to go out to the entire
  Web. . . . The site's recommended settings will be the
  default, and it is some of those recommendations that don't
  sit well with public interest groups.

  For example, status updates that were formerly limited to a
  user's network of friends will now be recommended for
  friends of friends. The default for profile information --
  including a picture, gender and age -- will now go out
  beyond the site to the entire Web. While Facebook users will
  be able to choose their privacy settings, the problem is
  that most people don't take the time to do so and may simply
  stick with Facebook's default recommendations. Others may
  find the process confusing and may not understand how to
  adjust those settings. Facebook said that about 1 in 5 users
  currently adjusts privacy settings.

Regarding the ability of users to change those privacy settings,
a recently released study by Columbia University entitled The
Failure of Online Social Network Privacy Settings found that
93.8 percent of participants revealed information that they
intended to keep private, and that 84.6 percent of participants
were hiding information that they actually wanted to share.
This bill seeks to respond to the above issues by, among other
things, requiring social networking websites to establish a
default privacy setting that prohibits the display of
information about a registered user (other than name and city of
residence) without the user's explicit agreement, and allow users
to request removal of their personal identifying information, as

                       CHANGES TO EXISTING LAW

 Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)

 Existing case law permits a person to bring an action in tort
for an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law recognizes four types of activities considered to
be an invasion of privacy, giving rise to civil liability
including the public disclosure of private facts. (Id.)

 Existing case law provides that there is no reasonable
expectation of privacy in information posted on an Internet Web
site. The information is no longer a "private fact" that can be
protected from public disclosure. (Moreno v. Hanford Sentinel
(2009) 172 Cal.App.4th 1125.)

 This bill would require a social networking site to establish a
default privacy policy setting for all registered users of the
site that prohibits the display, to the public or other
registered users, of any information about a registered user, other
than the user's name and city of residence, without the agreement
of the user.

 This bill would require a social networking site to establish a
process for new users to set their privacy settings as part of
the registration process that explains privacy options in plain
language. The site shall not complete the registration process
until privacy settings are selected by the user, and the site
shall make privacy settings available to all users in a
conspicuous place and an easy-to-use format that allow the user
to adjust his or her privacy setting.

 This bill would define "plain language" as a clear explanation,
written in easy to understand terms that achieve a minimum
Flesch Reading Ease score of 70, as that calculation is
described in the California Code of Regulations, as specified.

 This bill would require a social networking site to remove the
personal identifying information of a registered user "in a
timely manner" upon his or her request. For registered users
that have self-identified as under 18 years of age, the social
networking internet web site shall remove that information upon
the request of a parent of the registered user.

 This bill would define "in a timely manner" to mean within 48
hours of the request.

 This bill would provide that a social networking site that
willfully and knowingly violates any provision of this part
shall be liable for a civil penalty, not to exceed $10,000 for
each violation of the bill.

This bill would define "social networking internet web site" as
an Internet Web based service that allows individuals to
construct a public or partly public profile within a bounded
system, articulate a list of other users with whom they share a
connection, and view and traverse their list of connections and
those made by others within the system. This bill would also
define "registered user" and "personally identifying


1.      Stated need for the bill

According to the author:

     Computer systems and the Internet have brought consumers
     many conveniences. Sites like Facebook and Twitter provide
     users with a place to share personal information with
     friends, family, and the public - an activity that's proven
     to be hugely compelling to Internet users. In response to
     the demand, technology is evolving to encourage the
     disclosure of information that was formerly discreet (like
     location), and to enable the sharing of information even
     when not sitting in front of a traditional computer (like
     from mobile phones).

     But these innovative methods of information sharing can pose
     a serious threat to our privacy and security. There are
     countless privacy pitfalls when our personal identifying
     information is indiscriminately posted, indefinitely stored,
     and quietly collected and analyzed by marketers, and
     identity thieves.

     Current law does not require social networking websites to
     provide a mechanism for users to adjust their privacy
     settings, or remove their personal identifying information;
     nor does it govern the disclosure of users' personal
     information to third parties and the public.

2.      Importance of default settings

As noted above, the vast majority of users arguably do not
change their user privacy settings on a social network. If the
conclusions of the recent study released by Columbia University
are correct, the privacy settings on social networks appear to
contain serious flaws that result in not only the user sharing
information that they desired to keep private, but also fail to
allow the user to share information that the user actually wants
to share. To address privacy concerns regarding the potential
over-sharing of information, this bill would require those
privacy settings to default to a setting where information is
not shared (except for the user's name and city of residence).
That default position would appear to keep more information from
being shared, including information that is not desired to be
shared, but also potentially restricting information that the
user desires to share.

From a policy standpoint, protecting information from disclosure
on the Internet is especially important due to the ability of
that information, once it becomes publicly available, to be
rapidly distributed through the Internet. Since there are
websites that do archive web pages as of a certain date and
time, such as , it is also possible that a user's
inadvertent disclosure of his or her personal information may be
"cached" and saved indefinitely on another website. Given those
serious privacy issues, the default settings proposed by this
bill would appear to help protect users from the unknowing
disclosure of information. For social networking sites that do
want their users to share more information, the required default
settings would act as incentive for those sites to make the
privacy settings easily accessible so that users who do want to
share that information can act to change the settings.

This bill would also establish a process for new users to set
their privacy settings as part of the registration process that
explains the privacy options in "plain language." The
registration process may not be completed until those settings
are selected, and the site must make those settings available
to all users in a conspicuous place and an easy-to-use format.
As a result, even if those settings are defaulted to prohibit
display of information, new users may easily change those
settings when they first sign up for their account. Although
the opposition generally expresses concern that users will be
setting privacy settings before they are familiar with the site,
those users would always be free to subsequently change those
settings should they want a different level of privacy for their

It should be noted that "plain language" would be defined as a
clear explanation, written in easy to understand terms, that
achieves a minimum Flesch Reading score of 70, as calculated
under Section 2689.4 of the California Code of Regulations, as
specified. That Section notes that:

     The Flesch Reading Ease Score rates text on a 100-point
     scale -- the higher the score, the easier it is to
     understand the document. The formula for the Flesch Reading
     Ease score is:

     206.835 - (1.015 x ASL) - (84.6 x ASW)


     ASL = average sentence length (the number of words divided
     by the number of sentences)

     ASW = average number of syllables per word (the number of
     syllables divided by the number of words). (Cal. Code Regs.
     Sec. 2689.4.)

Although the above standard provides a bright-line rule for
social networking sites to evaluate their compliance with the
bill's requirements, TechNet, in opposition, contends that
"While we all agree that information about privacy and
visibility online should be conveyed in simple,
easy-to-understand language, such a standard is arbitrary and
impossible to achieve in this context." It should be noted that
concerns have arisen regarding the application of the Flesch
Reading score to disclosures provided in a language other than
English. The author should continue to work with Committee
staff regarding the definition of "plain language" to ensure
that the developed standard appropriately accommodates
disclosures given in any language.

3.      Ability to request removal of personal information

This bill would also require a social networking internet web
site to remove the personally identifying information of a
registered user, upon his or her request. For users under 18, a
parent may request that their child's information be removed.
That removal must be done in a "timely manner," which would be
defined as within 48 hours of the request. From a practical
standpoint, if a user seeks to remove personal information
displayed on his or her own social networking page, that user
could arguably change the privacy settings or delete the
offending post. The situation becomes more complicated if the
personally identifying information is located on another user's
web page, or consists of GPS coordinates that are embedded on a
photo that was posted by another user.

Despite the potential complexities of removing that information,
it should be noted that most social networking sites should
already have some sort of system where users can flag
inappropriate information for review. For example, if an
individual posts an explicit picture that is against the site's
policy, the site arguably should already have a process that
allows a user to flag the image for review and removal by the
social networking site. On the other hand, since personally
identifying information, as defined, includes the name of a
user, the bill could arguably allow a user to request a social
network to remove all instances of his or her name from the
site. If that user happens to be a public figure whose name is
appearing in numerous posts, this bill could arguably allow that
figure to request that the social network remove references to
his or her name from the site. That compelled removal could act
to stifle the free expression of individuals on social
networking sites, including Facebook which was recently credited
as playing an important role in the organization of the 2011
revolution in Egypt. In order to help ensure that the
provisions of this bill are not used in a fashion that could
unduly suppress the free expression of users on social
networking sites, the bill should be amended to clarify that the
requirement to remove information upon request does not include
the removal of names.

  Suggested amendment:

  On page 2, line 27, insert:

  Notwithstanding subdivision (b) of section 62, for purposes of
  this subdivision, "personal identifying information" shall not
  include a person's name.

The Internet Alliance (IA), in opposition, notes that the bill
"does not stipulate that the person provide a specific
description of the information to be removed or its location.
Without that information, social networking sites especially
would not know what information to look for, a problem that gets
more complicated when many users share the same basic
biographical information. For example, there may be 100 John
Smiths in the United States. Moreover, social networks do not
currently have the technology to delete a customer's information
from an entire site." While the above amendment would address
the situation where a user requests the removal of a common name
from the social networking site, it would not address issues
relating to specificity of the request. In an effort to address
those issues, the author offers the following amendment to
require the registered user to verify his or her identity and to
specify any known location of that information.

      Author's amendment:

      On page 2, line 28, insert:

     (d) A request submitted by a registered user pursuant to
     subdivision (c) shall include sufficient information to verify
     the identity of the user and specify any known location of the
     information that is the subject of the request.

4.        Remedies

This bill would provide that a social networking site that
willfully and knowingly violates any of the above provisions
shall be liable for a civil penalty, not to exceed $10,000 for
each violation. It should be noted that due to the willful and
knowing standard, unintentional violations of this bill's
provisions would not result in liability under that provision.

5.        Constitutional arguments

The opposition contends that this bill would violate both the
United States and California constitutions as follows:

     a.     First Amendment

     The IA, in opposition, contends that the requirement for
     social networks to "default" privacy options to a setting that
     does not allow the public display of information "clearly
     conflicts with both the First Amendment to the United States
     Constitution and Article 1 of the California Constitution."

  Generally speaking, the First Amendment, and Article 1, act to
  protect the freedom of expression of the citizens of
  California (as well as the rest of the nation). The
  determination about whether a specific statute inappropriately
  restricts speech requires an examination of whether it is
  content-based or content-neutral, is unduly vague or
  overbroad, and whether the restriction acts as a
  prior-restraint on speech. Laws that are content-based,
  vague, or act as a prior-restraint are strongly disfavored by
  the courts. In Police Department of Chicago v. Mosley, the
  U.S. Supreme Court stated that:

     [A]bove all else, the First Amendment means that government
     has no power to restrict expression because of its message,
     its ideas, its subject matter, or its content. To permit
     the continued building of our politics and culture, and to
     assure self-fulfillment for each individual, our people are
     guaranteed the right to express any thought, free from
     government censorship. The essence of this forbidden
     censorship is content control. Any restriction on
     expressive activity because of its content would completely
     undercut the 'profound national commitment to the principle
     that debate on public issues should be uninhibited, robust,
     and wide-open.' (Police Dep't of Chicago v. Mosley (1972)
     408 U.S. 92, 95-96 (citations omitted).)

  In the present circumstance, it is unclear how requiring that
  default settings be set to private would unduly restrict the
  free expression of users who elect to disseminate their
  information. Any user who chooses to disclose his or her home
  address or telephone number may elect to do so by
  affirmatively changing the privacy settings to share that
  information. For registered users who desire to disclose all
  of their information, posts, pictures, and location data to
  the entire world, this bill would not impact that ability,
  provided that the user affirmatively sets his or her privacy
  settings to allow that display.

  The IA further contends that the ability to request the
  removal of personal information would "violate other similar
  user's legitimate speech to share their personal information
  with the world." While, as noted in Comment 3, the ability to
  request the removal of an individual's name from an entire
  social networking site would arguably be contrary to the
  rights of free expression, the suggested amendment in Comment
  3 would address that issue. It should also be noted that
  California already allows victims of domestic violence,
  individuals associated with witness protection, and
  reproductive health care providers to request the removal of
  specified personal information from an Internet web site.

     b.     Dormant commerce clause

     The Constitution of the United States grants Congress the
     power to regulate commerce among the states. (U.S.
     Constitution, art. I, sec. 8.) From this grant of power, the
     United States Supreme Court has inferred that states may not
     enact laws that burden interstate commerce. (Gibbons v. Ogden
     (1824) 22 U.S. 1.) The threshold test for whether a state law
     violates the dormant commerce clause is whether the law
     affects interstate commerce. If the answer to that question
     is yes, then the court looks to whether the state law
     discriminates against out-of-staters or whether it treats
     everyone alike. A state law that does not discriminate
     between the two -- as this bill arguably would not -- generally
     is upheld unless it is found to place a burden on interstate
     commerce that outweighs its benefits. (Pike v. Bruce Church
     (1970) 397 U.S. 137.) In this case, TechNet, in opposition,
     argues that:

          Internet commerce is an inherent interstate activity and
          SB 242 would regulate businesses far beyond California's
          borders. Social networking sites cannot reliably know if
          a visitor is a California resident. Therefore every
          covered site in the world would need to change its
          practices in order to comply with California law . . . SB
          242 would limit the commercial relationship with social
          networking sites. As a result, any out-of-state company
          affected by the new law would be entitled to bring a
          Commerce Clause challenge under 42 U.S.C. [Sec] 1983.

     In response, the author states that "[u]nder SB 242, all
     social networking site providers - whether in or out of the
     state - would be governed by the same rules. There is no
     discrimination against out of state companies." It should
     also be noted that the issue of state regulation of Internet
     web sites and the dormant commerce clause is in its relative
     infancy and is ultimately an issue for the courts. If the
     opponent's arguments are correct, those statements would
     essentially preclude the state of California from enacting
     internet related legislation. Given California's significant
     interest in protecting its citizens, the author's office
     should continue to work with Committee staff to ensure that,
     to the greatest extent possible, the provisions of this bill
     cannot be construed to violate the Dormant Commerce Clause.

5.      Opposition's remaining arguments

TechAmerica, in opposition, contends that this bill "apparently
seeks to deny those - who may be selecting and joining a
particular social networking site precisely to share information
about themselves - the right and ability to do so upon joining
the site. Instead, the consumer will have to un-do the default
privacy settings to effectuate their preferences." TechAmerica
also objects to the bill's definition of "social networking
site" as unclear and sweeping in too much of the internet. The
author notes that the definition came from a scholarly article
entitled Social Network Sites: Definition, History, and
Scholarship by Danah M. Boyd and Nicole B. Ellison, available at .

The IA, in opposition, contends that this bill "would force
users to make decisions about privacy and visibility of all
information, well before they have even used the service for the
first time, and in such a manner that they are less likely to
pay attention and process the information than they are today."
IA further contends that this bill is moving in the opposite
direction urged by the FTC in their proposed privacy framework,
that the bill singles out social networks, that major social
networks already remove personal information upon request under
certain circumstances, and that, if the bill is enacted and
challenged, a court could award attorneys' fees for the
plaintiff if this statute is found unconstitutional.

TechNet echoes similar concerns and argues that this bill would
do significant damage to California's technology sector by
"drastically limit[ing] social networking sites' growth
potential in California by imposing additional operating costs
and raising barriers to consumer participation in social
networking services, all while exposing those services to
massive and unwarranted civil liability and in turn, creating
significant confusion and uncertainty for investors, businesses
and consumers."

6.      Author's amendments

The author offers the following amendment to clarify that the
bill would require the "express agreement" of a user to change
the default privacy settings, and to remove inconsistent
language that was not stricken by the last set of amendments.

  1)   On page 2, line 12, before "agreement" insert: "express"
  2)   On page 3, strike line 1 through 3, inclusive.

Support: California State Sheriffs' Association

Opposition: Internet Alliance; TechAmerica; TechNet

Source: Author

Related Pending Legislation: SB 761 (Lowenthal), would require
the Attorney General, by July 1, 2012, to adopt regulations that
would require online businesses to provide California consumers
with a method for the consumer to opt out of the collection or
use of his or her information by the business. This bill is in
the Senate Appropriations Committee.

Prior Legislation: SB 1361 (Corbett), would prohibit a social
networking Internet Web site, as defined, from displaying, to
the public or other registered users, the home address or
telephone number of a registered user of that Internet Web site
who is under 18 years of age, as provided. This bill failed
passage in the Assembly Arts, Entertainment, Sports, Tourism,
and Internet Media Committee.

