California’s Reader Privacy Act: A First Step in a New Direction (Guest Blog Post)

By Sonya Ziaja (with comments at the end from Eric)

[Eric’s note: this guest post is from Sonya Ziaja, J.D., a California attorney and co-owner of Ziaja Consulting LLC. She writes regularly for LegalMatch’s Law Blog and Ziaja Consulting’s blog, Shark. Laser. Blawg. I have added some of my own comments at the end.]

California’s Reader Privacy Act, SB 602, recently passed through the Senate Judiciary Committee and will move to the next step in the legislative process. The bill, sponsored by Senator Yee, the ACLU, and EFF, aims to protect readers’ right to privacy against unwarranted disclosure to state governments and third parties. It represents an important first step towards protecting readers’ rights in the digital age; but it alone cannot achieve reader privacy.

Background

The impetus for this bill stems in part from behavioral and technological shifts in how people read. The availability and variety of data about people’s reading habits is far greater when they read digital materials than with traditional printed media. The ACLU’s 2010 report on digital books provides a nice summary of what information can be collected:

Digital book providers can easily track what books an individual considers, how often a given book is read, how long a given page is viewed, and even what notes are written in the “margins.” As reading has moved online, it also has become much easier to link books that are browsed or read with a reader’s other online activities, such as Internet searches, emails, cloud computing documents, and social networking. With all of this information, companies can create profiles about individuals, their interests and concerns, and even those of their family and friends.

Despite the dramatic increase in metadata about people’s online reading activities, current reader privacy law in California only protects personal information recorded at libraries. Earlier attempts to protect readers of digital materials from unwarranted government searches focused on self-regulation. For example, in 2009 EFF, concerned about Google’s reader privacy policy, requested that Google adopt a “come back with a warrant” policy. Google refused. Self-regulation has so far has been insufficient to protect reader privacy.

Key Provisions

The Reader Privacy Act defines book providers and books inclusively. “Book providers” means any commercial entity that offers a “service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books.” A “book” is defined as

. . . paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes.

Under this definition, news articles, blogs, magazines, and potentially some websites could all be considered “books.” This would mean that “book providers” could include LexisNexis, Google Reader, Amazon and your local bookstore. (More on the expansive definition of “book provider” in a moment).

The Act would limit a book provider’s release of information it collects about readers to a third party. Essentially, the bill places stones in the river; it won’t dam it completely, but it would subtly redirect the flow.

The Act is strongest against government entities. Generally, if a request comes from a government entity, a book provider could not “knowingly disclose” personal information without a valid warrant except in cases of “imminent danger.” In addition to requiring a warrant, the Act gives guidelines for when such a warrant is legitimate. The guidelines are very similar to Colorado’s Tattered Cover balancing test (Tattered Cover v. City of Thornton, 44 P. 3d 1044 (2002)), which requires that (1) the requester have a compelling need for the information sought, (2) there are no alternative means for collecting the information, and (3) the court balance the law enforcement’s need for information against the constitutional rights of the user. Similarly, California’s bill requires there be a compelling interest in obtaining the information, and that there be no less intrusive way to obtain the information, before a warrant can be issued. In addition, under the California bill, before a warrant can be issued, the provider must be given reasonable notice and have a chance to contest disclosure before a warrant is issued.

While government entities would need a warrant before a book provider can release personal information to them, book providers can, on their own initiative, still sell and trade personal information to data brokers and other third parties. The Act, however, does place a few hurdles in the way of third parties who seek to compel book providers to disclose information. Litigants—both government entities and private third parties—cannot compel discovery of personal information about users from book providers without a court order. The court order would be subject to similar restrictions to warrants: compelling interest, no less intrusive means, notice to the book provider, and notice to the user.

The Act requires the book provider communicate specific discovery requests it receives to users.

Book providers must also publish aggregate statistics on a publicly accessible website. Those stats must include the number of disclosure requests the book provider received and whether they complied with or contested those requests.

These are new obligations; the ACLU notes that Amazon’s privacy policy as of 2010 specifically states that the company will not tell users if they have shared personal information in many circumstances. By mandating disclosure, the Act would make companies more publicly accountable for their privacy policies and compliance with the law.

Remedies & Scope

There are few penalties for violating the Act. Evidence obtained in violation of the bill would not be admissible in criminal or civil proceedings (except of course to demonstrate a violation of the Act). And book providers would be civilly liable for violating the Act, but only if they knowingly give information to a government entity.

In those cases, the user whose information was distributed can sue the book provider for up to $500 per violation. In addition, if a book provider violates the Act more than two times in six months—again, by knowingly giving personal information to a government entity—then the Attorney’s General, district attorney, or city attorney can sue the provider for $500 per violation.

It is not clear from the statute what constitutes a “single” violation. As the Act is currently written, a single violation could be a data transfer of compiled information, or it could be the transfer of each individual piece of personal information in that compilation. Depending on the interpretation of the statute, transferring just 100 distinct pieces of user information in one transfer could make a book provider liable for either $500 or $50,000. If and when a case is brought under the Reader Privacy Act, this interpretation is likely to be an issue in litigation.

Interpreting what exactly a “book” is will also likely be an issue. Part of the statutory definition is that a book is “paginated or similarly organized content.” The “pagination” requirement might limit the statutory scope; but, if “similarly organized” means “information appearing in a sequential order,” then the scope of the Act is greatly increased. Given the references to “audio” books, some Internet radio stations and even services like NetFlix could be within the statute’s scope. Films, for example, are frequently organized by chapters or segments in “audio, electronic, or other format.” Similarly, some unexpected websites could hypothetically be “books.” Ted.com, for example, is a website that presents short lectures on a myriad of topics. Once a viewer has finished one lecture, links appear for what to watch next or for other lectures from the same series. In other words, there is a sequence to the lectures presented. Since the information is presented sequentially—and could be paginated if it the same lectures were transcribed into a codex form—perhaps the website is also a “book.” The effort to define “books” as separate from other types of content (for purposes of heightened protection) could trigger lots of litigation, some of it unproductive.

Websites that primarily feature written content, e.g. blogs, are more likely candidates to be covered by the Act. Blogs after all are published sequentially (by date) and some are paginated; so they very likely fulfill the first part of the statutory definition. The content in blogs is presented in electronic format, which fulfills the second part of the definition. In short, bloggers, watch out—even though the statute probably wasn’t meant to cover you, you inadvertently might be a “book provider” too.

The geographic scope of the Act of course covers websites based in California, and will include some out-of-state sites as well. A plaintiff’s ability to sue an out-of-state “book provider” under the Act depends on whether the site is “active” or “passive.” Without going too deep into the rabbit hole of internet jurisdiction, generally speaking a site is “active” if it has an interactive component (including marketing). A website that sells books, for example, is likely “active.” Whereas a blog is more likely to be “passive.” If a website is “active” and establishes minimum contacts in California, it could be subject to liability under the Reader Privacy Act.

Shortcomings & Potential

The most significant limitation of the Reader Privacy Act is that the warrant requirement only applies to California state and local government entities. It does not (by its own terms) and cannot (under Article VI of the Constitution) restrict the information-gathering efforts of federal government entities. And so, for example, warrantless searches for reader information conducted by FBI cannot be covered by the Reader Privacy Act. This seriously undermines the Act’s efficacy.

In addition, the Act would not prevent book providers from compiling and using data about readers for their own benefit. It also does not prohibit providers from selling or giving personal information away to non-government entities.

This allowance could create a significant loophole in preventing government intrusion. One legal scholar describes this as the fourth-party aggregator problem,

[Fourth-party data aggregators, like Choice Point and LexisNexis] are in the business of acquiring information, not from the information’s originator (first-party), nor from the information’s anticipated recipient (second-party), but from the unavoidable digital intermediaries that transmit and store the information (third-parties). These fourth-party companies act with impunity as they gather information that the government wants but would be unable to collect on its own due to Fourth Amendment or statutory prohibitions.

(Joshua L. Simmons, Note: Buying You: The Government’s Use of Fourth-Parties to Launder Data About “The People,” Columbia Business Law Review, Vol. 2009, No. 3, p. 950.)

In its current form, the Reader Privacy Act would not stop “fourth-party” information collectors from giving or selling the same information that the original book provider collected to government entities—but only the book provider sells or transfers the information to a fourth-party collector in the first place

If the bill remains in its current form, there may be external ways to close that loophole, though admittedly, they are scrappy. One possibility is to wait for a judicial ruling in California holding that fourth-party aggregators who turn over data to government entities are acting as agents of the government and therefore are held by the same laws that constrains government intrusion. Of course, such a decision would require a judiciable case to be brought first, and even then, the court’s decision is unpredictable.

Alternatively, one could piece together additional state or federal legislation that protects readers from companies collecting data in the first instance. For example, if the Kerry-McCain privacy bill is passed, users could opt out of data collection by the book providers. But, it would still only protect readers of digital materials who are savvy enough to know about the law and opt out.

Perhaps a more elegant way to handle the fourth-party problem, though, is to simply include fourth-party aggregators who sell or give data to government entities in the Reader Privacy Act’s statutory definition of “government entity.”

How the California legislature chooses to deal with this loophole will determine the efficacy of the Reader Privacy Act. Even so, the transparency requirements of the Act, and the increased scrutiny it provides for discovery requests, makes the Act a positive step towards reader privacy protection.

___________

Eric’s comments

This bill is animated by laudable concerns but ultimately flawed in its execution. Personally, I hope it doesn’t pass in its current form.

The bill starts with the right premise. I find it odd when I see freak outs about “Little Brother’s” use and disclosure of personal data. To me, Big Brother is far scarier, yet we rarely see new legislative initiatives to curb government surveillance powers–even though the digital age has expanded the reasons why we need additional limits on the government’s power to snoop on its citizens

Reading data is an example of relatively new digital data that is overwhelmingly attractive honeypot to government snoopers. I got into this issue a bit in my Coasean Analysis of Marketing article, where I argued that we needed a new evidentiary privilege to protect our reading/browsing data (in that case, as captured in an automated technological agent trying to effectuate our consumer interests). On that basis, I enthusiastically support efforts to restrict the government’s ability to learn more about my private interests.

However, this particular law has two major structural defects. First, it tries to limit its applicability to “books” as a subset of all of the information we consume. Unfortunately, books aren’t easily defined, and as Sonya points out, the definition in this statute creates many ambiguous border cases. Further, in the modern era when consumers have shorter attention spans than ever, it seems archaically quaint to think that our interactions with books are more sensitive than our interactions with other types of content. The more logical move would be to treat all reading data equally rather than privileging books over the other information classes. I suspect such a broad legislative sweep would fail, but the definition of “books” doesn’t work either.

Ordinarily, I would be OK with the definitional ambiguity with a statute like this. After all, the law is designed to limit the government’s snooping power; if that restriction bleeds beyond books and into other content classes, that sounds like a feature, not a bug. However, this leads to my second structural problem: the private cause of action. The combination of an ambiguous scope + private enforcement = plaintiff lawyer fiesta. Let’s be clear how big of a problem this is: as a blogger, I’m not sure if this statute covers me or not. However, if I were to respond to a subpoena without complying with the technical requirements, I may be betting my house. Meanwhile, if I *don’t* comply with the subpoena, I might also be betting my house. Uh, trouble in either direction. NO THANK YOU.

I think the law would be much more appealing if it lacked the private cause of action. But if the drafters thought they really needed a private cause of action, they should put the liability on the real wrongdoers–the people asking for information they are not entitled to have. For example, it would be more appropriate to put the onus on the government to actually comply with its own laws when it’s snooping on its citizens, rather than on the intermediaries to figure out if they are governed by this law or not.

I do want to mention one other structural issue. As a categorical matter, I oppose any state law to regulate the Internet. We have seen absolutely nothing good come from those efforts. At best, the state laws have been inconsequential; at worst, they have threatened to destabilize the Internet. (Utah’s repeated screw-ups come to mind). With this particular law, the state effort might be OK if it only restricts the California government and California litigants–but that is also of limited benefit, and as usual, the drafting doesn’t make its geographic restrictions clear. Separately, I have supported the Digital Due Process effort, which addresses cloud privacy (a similar issue). The DDP effort is federal and therefore would standardize practice across the nation. For that reason alone, the DDP would be more helpful than this law.

I don’t feel great bashing this legislative proposal. We need more legislative efforts to protect readers’ rights, and those efforts are all too rare. Nevertheless, I hope we will continue to think about better ways to accomplish this act’s goals.