Privacy Laws Can Create Opportunities, Limitations, California Lawmakers Advised

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Joyce E. Cutler  

Dec. 13 --California's privacy laws have created opportunities for industries to flourish while consumer and company confusion can subvert the intention of the laws, privacy practitioners told California lawmakers Dec. 12.

During a California legislative informational hearing at Santa Clara University in Santa Clara, Calif., law professors and privacy attorneys said the state can improve privacy by requiring warrants for electronic communications and cleaning up old statutes that impede compliance and consumer protection.

“Privacy rules don't necessarily erode innovation. Sometimes they're the fabric of it,” said Deirdre Mulligan, co-director of the University of California Berkeley School of Law Center for Law& Technology.

Bright-line rules and the clarity they provide allow leaner startups to operate without devoting resources to “trying to figure out what their obligations are,” Mulligan told the California Assembly Judiciary Committee, the Business, Professions& Consumer Protection Committee and the Select Committee on Privacy.

“Privacy and technological innovation are not mutually exclusive goals,” said David Lieber, Google Inc. privacy policy counsel. “In fact, we've seen innovation flourish when companies compete on the basis of privacy,” Lieber said on a panel discussion.

Money and Regulation

Michael Beckerman, president and chief executive officer of the trade group the Internet Association, whose members include companies such as eBay Inc., Yahoo! Inc., Inc., Facebook Inc. and LinkedIn Inc., said a “strong Internet sector means a stronger California economy.”

Consumers are protected by existing laws that prohibit deceiving or acting in ways that cause harm regardless of technology, Beckerman said on a separate panel.

“So before taking steps to add additional burdens on the industry that is the driving force of California's economic growth, the question we should ask is: does the collection of consumer information create concrete consumer harms that can't be addressed under existing law?,” Beckerman said. “And in the absence of the real demonstrable harm, why should we go forward with additional laws and regulations that risk slowing down the strongest growth sector of California's economy?” he said.

Assembly Member Donald Wagner (R) said his constituents “are not coming to me and saying you've got to protect me against Google or Amazon’’ and are seeing protection from identity theft and government overreach.

'California Effect.'

“California has a profound effect on how the rest of the country and even the world addresses policy issues,” said Assembly Member Ed Chau (D), the chairman of the Select Committee on Privacy.

The “California Effect” is how what California does ripples across the nation and the world, said Paul Schwartz, special adviser at Paul Hastings LLP and co-director of Berkeley Law's Center for Law & Technology.

The 2002 California breach notification law was adopted by 45 other states and to a limited extent the federal government in the Health Information Technology for Economic and Clinical Health Act, Schwartz said. “Now the EU has looked to California as a model for privacy notification,” with the European Union adopting breach notification requirements for Internet service and telecommunication providers, he said.

“The thing to note, though, the California Effect is typically the first stage. It would be followed by action in D.C.,” which Schwartz said has been lacking. “The question becomes in absence of action in D.C., what should we do?” he asked. The question is whether “to act or not to act” in the world's ninth largest economy, he said.

Given European regulators are concerned about the vigor and strength of U.S. privacy safeguards, he said, “efficient and effective California privacy law has the potential to make a significant contribution to the international dialogue here.”

Areas for Legislative Action

Schwartz suggested that California lawmakers consolidate and amend existing law, including the Song-Beverly Credit Card Act, Cal. Civ. Code §§ 1747-1748.95, a 1970s consumer protection act that seeks to balance privacy with the need to bolster security and stop identity theft.

Song-Beverly “is almost like a ship that has collected various kinds of barnacles over time,” with amendments that give retailers no overall ability to request reasonable additional information to prevent fraud and identity theft while reducing unwarranted marketing pitches, Schwartz said. Legislative “help here would save everybody a lot of time,” he said.

Other areas for streamlining are the state Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56-56.37, which has been followed by much federal action, and a centralized digital resource of California legislation, Schwartz said.

Warrants for Electronic Data

One area the Legislature can act is in the area of warrants, Google's Lieber said.

Recent revelations about the National Security Agency's surveillance program have cast a cloud around Internet services, many of which are based in California, “but they sparked a serious and overdue debates,” Lieber said. “So we can start by fixing our domestic surveillance laws,” Lieber said.

Google supports amendments to the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2522, to require a warrant when the government wants users' electronic communications, Lieber said.

In April, the Senate Judiciary Committee approved an ECPA reform bill (S. 607) introduced by Sen. Patrick Leahy (D-Vt.), the panel's chairman . In May, Rep. Kevin Yoder (R-Kan.) introduced similar legislation (H.R. 1852), which is now pending before the House Judiciary Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.

In July, the House Appropriations Committee reported approved a bill (H.R. 2786) that would bar federal agencies from using appropriated funds to approach Internet service providers without a warrant seeking access to emails and other private electronic communications .

California Gov. Jerry Brown (D) in October vetoed legislation (S.B. 467) that would have required government agencies to obtain a warrant to access electronic communications from ISPs and others, saying the bill would impede ongoing criminal investigations .

“And we encourage legislators to continue to press for changes that would ensure that the law does comport with users' reasonable expectations of privacy,” Lieber said.

Broader Impact

Eric Goldman, director of the Santa Clara Law High Tech Law Institute, cautioned that California's enactment of laws affecting the Internet exceeds state lines can implicate the dormant Commerce Clause.

California lawmakers take pride in knowing “we who are not elected by the world can change the world and make a difference to people who are constituents and to those who are not,” Goldman said.

Because California is a large economic market that has power to change company practices, “this line of thinking about the California effect is very damaging when it comes to Internet regulation,” Goldman said.

Unlike the environment, Goldman said, “we don't have the same kind of local conditions that require local solutions.” The Internet's architecture “doesn't understand geographic borders,” so websites don't have a cost effective and reliable mechanism to determine the state in which a user is located, Goldman said.

Consumer, Cost Concerns

Aleecia McDonald, director of privacy at the Stanford Law School Center for Internet and Society, said the notice and choice concept failed. McDonald said her research showed 98 of the top 100 websites tracked consumers, “so there's not much choice there unless unplugging your computer.”

“And there's also a tremendous user burden in asking users to read the privacy policies of every site they visit,” McDonald said. A separate study she conducted found it would take as much time to read privacy policies as to spend time on websites.

“This is just not a supportable or realistic model to put on users,” she said. The iTunes privacy policy from Apple Inc. is 56 pages on an iPhone screen, McDonald said.

“But let me point out that right now we are putting the cost of this Wild West of privacy on citizens while most of the benefits are accruing to companies,” McDonald said. More than two thirds of Americans “think their privacy is protected by laws that don't exist,” she said.

Chris Conley, a technology and civil liberties fellow at the American Civil Liberties Union of Northern California, said the “problem with voluntary transparency is you get something that looks a little like an online dating profile. Companies can pick and choose what they think looks best about them.”

“I would like to have a privacy framework in which even the most paranoid people are feeling really comfortable about the use of technology,” Mulligan said.


To contact the reporter on this story: Joyce E. Cutler in San Francisco at

To contact the editor responsible for this story: Katie W. Johnson at

Full text of Schwartz's written testimony is available at

Request Bloomberg Law: Privacy & Data Security