BILL ANALYSIS                                                                                                                                                                                                    Ó

                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2011-2012 Regular Session

          SB 242 (Corbett)
          As Amended May 2, 2011
          Hearing Date: May 10, 2011
          Fiscal: No
          Urgency: No

                    Social Networking Internet Web Sites: Privacy


          This bill would require social networking Internet Web sites to:
                 establish a default privacy setting for registered users 
               that prohibits the display of any information about the 
               user without the agreement of the user, as specified;
                 establish a process for new users to set their privacy 
               settings as part of the registration process that explains 
               privacy options in plain language; and
                 remove personal identifying information in a timely 
               manner upon request.

          This bill would provide that a social networking Internet Web 
          site that willfully and knowingly violates the bill's provisions 
          shall be liable for a civil penalty not to exceed $10,000 for 
          each violation.


          Social networking Internet Web sites such as MySpace and 
          Facebook have grown in use and become more popular with users 
          who post messages and photos on a personal web page.  Those 
          personal pages, generated by the social network, may also 
          display the user's address, phone number, and birth date.  That 
          information may then be displayed to the user's friends or the 
          general public.  Users of social networking sites are generally 
          able to limit who may see their personal information by changing 
          their "privacy settings," but absent any change by the user, the 
          "default" for those settings may be to allow for full disclosure 


          SB 242 (Corbett)
          Page 2 of ?

          of a users personal information.  

          As an example of why those settings are important, the Los 
          Angeles Times' December 9, 2009 article by Cecilia Kang entitled 
          "Facebook's Default Privacy Settings Too Loose, Critics Say" 

            Beginning this week, Facebook members can customize every 
            piece of data about themselves on the site. They can control 
            who sees personal information such as age, name, gender and 
            workplace; and status updates and photos.  In some cases, 
            they can restrict access to photos to just one or two people 
            or allow basic profile information to go out to the entire 
            Web. . . .  The site's recommended settings will be the 
            default, and it is some of those recommendations that don't 
            sit well with public interest groups.

            For example, status updates that were formerly limited to a 
            user's network of friends will now be recommended for 
            friends of friends. The default for profile information -- 
            including a picture, gender and age -- will now go out 
            beyond the site to the entire Web. While Facebook users will 
            be able to choose their privacy settings, the problem is 
            that most people don't take the time to do so and may simply 
            stick with Facebook's default recommendations. Others may 
            find the process confusing and may not understand how to 
            adjust those settings. Facebook said that about 1 in 5 users 
            currently adjusts privacy settings.

          Regarding the ability of users to change those privacy settings, 
          a recently released study by Columbia University entitled The 
          Failure of Online Social Network Privacy Settings found that 
          93.8 percent of participants revealed information that they 
          intended to keep private, and that 84.6 percent of participants 
          were hiding information that they actually wanted to share.  
          This bill seeks to respond to the above issues by, among other 
          things, requiring social networking websites to establish a 
          default privacy setting that prohibits the display of 
          information about a registered user (other than name and city of 
          residence) without the users explicit agreement, and allow users 
          to request removal of their personal identifying information, as 

                                CHANGES TO EXISTING LAW
           Existing law  provides that, among other rights, all people have 


          SB 242 (Corbett)
          Page 3 of ?

          an inalienable right to pursue and obtain privacy.  (Cal. 
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort 
          for an invasion of privacy and provides that in order to state a 
          claim for violation of the constitutional right to privacy, a 
          plaintiff must establish the following three elements: (1) a 
          legally protected privacy interest; (2) a reasonable expectation 
          of privacy in the circumstances; and (3) conduct by the 
          defendant that constitutes a serious invasion of privacy.  (Hill 
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)  
          Existing law recognizes four types of activities considered to 
          be an invasion of privacy, giving rise to civil liability 
          including the public disclosure of private facts.  (Id.)
           Existing case law  provides that there is no reasonable 
          expectation of privacy in information posted on an Internet Web 
          site.  The information is no longer a "private fact" that can be 
          protected from public disclosure.  (Moreno v. Hanford Sentinel 
          (2009) 172 Cal.App.4th 1125.)
           This bill  would require a social networking site to establish a 
          default privacy policy setting for all registered users of the 
          site that prohibits the display to the public or other 
          registered users, any information about a registered user, other 
          than the user's name and city of residence, with the agreement 
          of the user.  

           This bill  would require a social networking site to establish a 
          process for new users to set their privacy settings as part of 
          the registration process that explains privacy options in plain 
          language.  The site shall not complete the registration process 
          until privacy settings are selected by the user, and the site 
          shall make privacy settings available to all users in a 
          conspicuous place and an easy-to-use format that allow the user 
          to adjust his or her privacy setting.  

           This bill  would define "plain language" as a clear explanation, 
          written in easy to understand terms that achieve a minimum 
          Flesch Reading Ease score of 70, as that calculation is 
          described in the California Code of Regulations, as specified.

           This bill  would require a social networking site to remove the 
          personal identifying information of a registered user "in a 
          timely manner" upon his or her request.  For registered users 
          that have self-identified as under 18 years of age, the social 
          networking internet web site shall remove that information upon 


          SB 242 (Corbett)
          Page 4 of ?

          the request of a parent of the registered user.  

           This bill  would define "in a timely manner" to mean within 48 
          hours of the request.  

           This bill  would provide that a social networking site that 
          willfully and knowingly violates any provision of this part 
          shall be liable for a civil penalty, not to exceed $10,000 for 
          each violation of the bill.  
          This bill  would define "social networking internet web site" as 
          an Internet Web based service that allows individuals to 
          construct a public or partly public profile within a bounded 
          system, articulate a list of other users with whom they share a 
          connection, and view and traverse their list of connections and 
          those made by others within the system.  This bill would also 
          define "registered user" and "personally identifying 

          1.   Stated need for the bill  

          According to the author:

            Computers systems and the Internet have brought consumers 
            many conveniences.  Sites like Facebook and Twitter provide 
            users with a place to share personal information with 
            friends, family, and the public - an activity that's proven 
            to be hugely compelling to Internet users. In response to 
            the demand, technology is evolving to encourage the 
            disclosure of information that was formerly discreet (like 
            location), and to enable the sharing of information even 
            when not sitting in front of a traditional computer (like 
            from mobile phones).

            But these innovative methods of information sharing can pose 
            a serious threat to our privacy and security.  There are 
            countless privacy pitfalls when our personal identifying 
            information is indiscriminately posted, indefinitely stored, 
            and quietly collected and analyzed by marketers, and 
            identity thieves.

            Current law does not require social networking websites to 
            provide a mechanism for users to adjust their privacy 
            settings, or remove their personal identifying information; 


          SB 242 (Corbett)
          Page 5 of ?

            nor does it govern the disclosure of users' personal 
            information to third parties and the public.  

          2.   Importance of default settings  

          As noted above, the vast majority of users arguably do not 
          change their user privacy settings on a social network.  If the 
          conclusions of the recent study released by Columbia University 
          are correct, the privacy settings on social networks appear to 
          contain serious flaws that result in not only the user sharing 
          information that they desired to keep private, but also fail to 
          allow the user to share information that the user actually wants 
          to share.  To address privacy concerns regarding the potential 
          over-sharing of information, this bill would require those 
          privacy settings to default to a setting where information is 
          not shared (except for the user's name and city of residence).  
          That default position would appear to keep more information from 
          being shared, including information that is not desired to be 
          shared, but also potentially restriction information that the 
          user desires to share. 

          From a policy standpoint, protecting information from disclosure 
          on the Internet is especially important due to the ability of 
          that information, once it becomes publically available, to be 
          rapidly distributed through the Internet.  Since there are 
          websites that do archive web pages as of a certain date and 
          time, such as  , it is also possible that a user's 
          inadvertent disclosure of his or her personal information may be 
          "cached" and saved indefinitely on another website.  Given those 
          serious privacy issues, the default settings proposed by this 
          bill would appear to help protect users from the unknowing 
          disclosure of information.  For social networking sites that do 
          want their users to share more information, the required default 
          settings would act as incentive for those sites to make the 
          privacy settings easily accessible so that users who do want to 
          share that information can act to change the settings.

          This bill would also establish a process for new users to set 
          their privacy settings as part of the registration process that 
          explains the privacy options in "plain language."  The 
          registration process may not be completed until those settings 
          are selected, and, the site must make those settings available 
          to all users in a conspicuous place and an easy-to-use format.  
          As a result, even if those settings are defaulted to prohibit 
          display of information, new users may easily change those 
          settings when they first sign up for their account.  Although 


          SB 242 (Corbett)
          Page 6 of ?

          the opposition generally expresses concern that users will be 
          setting privacy settings before they are familiar with the site, 
          those users would always be free to subsequently change those 
          settings should they want a different level of privacy for their 

          It should be noted that "plain language" would be defined as a 
          clear explanation, written in easy to understand terms, that 
          achieves a minimum Flesch Reading score of 70, as calculated 
          under Section 2689.4 of the California Code of Regulations, as 
          specified.  That Section notes that:

            The Flesch Reading Ease Score rates text on a 100-point 
            scale -- the higher the score, the easier it is to 
            understand the document. The formula for the Flesch Reading 
            Ease score is:   

            206.835 - (1.015 x ASL) - (84.6 x ASW)


            ASL = average sentence length (the number of words divided 
            by the number of sentences)

            ASW = average number of syllables per word (the number of 
            syllables divided by the number of words.  (Cal. Code Regs. 
            Sec. 2689.4.)

          Although the above standard provides a bright-line rule for 
          social networking sites to evaluate their compliance with the 
          bill's requirements, TechNet, in opposition, contends that 
          "While we all agree that information about privacy and 
          visibility online should be conveyed in simple, 
          easy-to-understand language, such a standard is arbitrary and 
          impossible to achieve in this context."  It should be noted that 
          concerns have arisen regarding the application of the Flesch 
          Reading score to disclosures provided in a language other than 
          English.  The author should continue to work with Committee 
          staff regarding the definition of "plain language" to ensure 
          that the developed standard appropriately accommodates 
          disclosures given in any language. 

          3.   Ability to request removal of personal information
          This bill would also require a social networking internet web 
          site to remove the personally identifying information of a 


          SB 242 (Corbett)
          Page 7 of ?

          registered user, upon his or her request.  For users under 18, a 
          parent may request that their child's information be removed.  
          That removal must be done in a "timely manner," which would be 
          defined as within 48 hours of the request.  From a practical 
          standpoint, if a user seeks to remove personal information 
          displayed on his or her own social networking page, that user 
          could arguably change the privacy settings or delete the 
          offending post.  The situation becomes more complicated if the 
          personally identifying information is located on another user's 
          web page, or consists of GPS coordinates that are embedded on a 
          photo that was posted by another user. 

          Despite the potential complexities of removing that information, 
          it should be noted that most social networking sites should 
          already have some sort of system where users can flag 
          inappropriate information for review.  For example, if an 
          individual posts an explicit picture that is against the site's 
          policy, the site arguably should already have a process that 
          allows a user to flag the image for review and removal by the 
          social networking site.  On the other hand, since personally 
          identifying information, as defined, includes the name of a 
          user, the bill could arguably allow a user to request a social 
          network to removal all instances of his or her name from the 
          site.  If that user happens to be a public figure whose name is 
          appearing in numerous posts, this bill could arguably allow that 
          figure to request that the social network remove references to 
          his or her name from the site.  That compelled removal could act 
          to stifle the free expression of individuals on social 
          networking sites, including Facebook which was recently credited 
          as playing an important role in the organization of the 2011 
          revolution in Egypt.  In order to help ensure that the 
          provisions of this bill are not used in a fashion that could 
          unduly suppress the free expression of users on social 
          networking sites, the bill should be amended to clarify that the 
          requirement to remove information upon request does not include 
          the removal of names.

             Suggested amendment  :

            On page 2, line 27, insert:

            Notwithstanding subdivision (b) of section 62, for purposes of 
            this subdivision, "personal identifying information" shall not 
            include a person's name.

          The Internet Alliance (IA), in opposition, notes that the bill 


          SB 242 (Corbett)
          Page 8 of ?

          "does not stipulate that the person provide a specific 
          description of the information to be removed or its location. 
          Without that information, social networking sites especially 
          would not know what information to look for, a problem that gets 
          more complicated when many users share the same basic 
          biographical information. For example, there may be 100 John 
          Smiths in the United States.  Moreover, social networks do not 
          currently have the technology to delete a customer's information 
          from an entire site."  While the above amendment would address 
          the situation where a user requests the removal of a common name 
          from the social networking site, it would not address issues 
          relating to specificity of the request.  In an effort to address 
          those issues, the author offers the following amendment to 
          require the registered user to verify his or her identity and to 
          specify any known location of that information.

             Author's amendment:

             On page 2, line 28, insert:

            (d) A request submitted by a registered user pursuant to 
            subdivision (c) shall include sufficient information to verify 
            the identity of the user and specify any known location of the 
            information that is the subject of the request.

          4.   Remedies  

          This bill would provide that a social networking site that 
          willfully and knowingly violates any of the above provisions 
          shall be liable for a civil penalty, not to exceed $10,000 for 
          each violation.  It should be noted that due to the willful and 
          knowing standard, unintentional violations of this bill's 
          provision would not result in liability under that provision.

          5.   Constitutional arguments  

          The opposition contends that this bill would violate both the 
          United States and California constitutions as follows:

            a.   First Amendment  

            The IA, in opposition, contends that the requirement for 
            social networks to "default" privacy options to a setting the 
            does not allow the public display of information "clearly 
            conflicts with both the First Amendment to the United States 
            Constitution and Article 1 of the California Constitution."  


          SB 242 (Corbett)
          Page 9 of ?

            Generally speaking, the First Amendment, and Article 1, act to 
            protect the freedom of expression of the citizens of 
            California (as well as the rest of the nation).  The 
            determination about whether a specific statute inappropriately 
            restricts speech requires an examination of whether it is 
            content-based or content-neutral, is unduly vague or 
            overbroad, and whether the restriction acts as a 
            prior-restraint on speech.  Laws that are content-based, 
            vague, or act as a prior-restraint are strongly disfavored by 
            the courts.  In Police Department of Chicago v. Mosley, the 
            U.S. Supreme Court stated that:

               İA]bove all else, the First Amendment means that government 
               has no power to restrict expression because of its message, 
               its ideas, its subject matter, or its content.  To permit 
               the continued building of our politics and culture, and to 
               assure self-fulfillment for each individual, our people are 
               guaranteed the right to express any thought, free from 
               government censorship.  The essence of this forbidden 
               censorship is content control.  Any restriction on 
               expressive activity because of its content would completely 
               undercut the 'profound national commitment to the principle 
               that debate on public issues should be uninhibited, robust, 
               and wide-open.'  (Police Dep't of Chicago v. Mosley (1972) 
               408 U.S. 92, 95-96 (citations omitted).)

            In the present circumstance, it is unclear how requiring that 
            default settings be set to private would unduly restrict the 
            free expression of users who elect to disseminate their 
            information.  Any user who chooses to disclose his or her home 
            address or telephone number may elect to do so by 
            affirmatively changing the privacy settings to share that 
            information.  For registered users who desire to disclose all 
            of their information, posts, pictures, and location data to 
            the entire world, this bill would not impact that ability, 
            provided that the user affirmatively sets his or her privacy 
            settings to allow that display.  

            The IA further contends that the ability to request the 
            removal of personal information would "violate other similar 
            user's legitimate speech to share their personal information 
            with the world."  While, as noted in Comment 3, the ability to 
            request the removal of an individual's name from an entire 
            social networking site would arguably be contrary to the 
            rights of free expression, the suggested amendment in Comment 
            3 would address that issue.  It should also be noted that 


          SB 242 (Corbett)
          Page 10 of ?

            California already allows victims of domestic violence, 
            individuals associated with witness protection, and 
            reproductive health care providers to request the removal of 
            specified personal information from an Internet web site.  

            b.   Dormant commerce clause  

            The Constitution of the United States grants Congress the 
            power to regulate commerce among the states.  (U.S. 
            Constitution, art. I, sec. 8.)  From this grant of power, the 
            United States Supreme Court has inferred that states may not 
            enact laws that burden interstate commerce.  (Gibbons v. Ogden 
            (1824) 22 U.S. 1.)  The threshold test for whether a state law 
            violates the dormant commerce clause is whether the law 
            affects interstate commerce.  If the answer to that question 
            is yes, then the court looks to whether the state law 
            discriminates against out-of-staters or whether it treats 
            everyone alike.  A state law that does not discriminate 
            between the two-as this bill arguably would not-generally is 
            upheld unless it is found to place a burden on interstate 
            commerce that outweighs its benefits.  (Pike v. Brace Church 
            (1970) 397 U.S. 137.)  In this case, TechNet, in opposition, 
            argues that:

               Internet commerce is an inherent interstate activity and 
               SB 242 would regulate businesses far beyond California's 
                                                                                        borders.  Social networking sites cannot reliably know if 
               a visitor is a California resident.  Therefore every 
               covered site in the world would need to change its 
               practices in order to comply with California law . . . SB 
               242 would limit the commercial relationship with social 
               networking sites.  As a result, any out-of-state company 
               affected by the new law would be entitled to bring a 
               Commerce Clause challenge under 42 U.S.C. İSec] 1983.

            In response, the author states that "İu]nder SB 242, all 
            social networking site providers - whether in or out of the 
            state - would be governed by the same rules.  There is no 
            discrimination against out of state companies."  It should 
            also be noted that the issue of state regulation of Internet 
            web sites and the dormant commerce clause is in its relative 
            infancy and is ultimately an issue for the courts.  If the 
            opponent's arguments are correct, those statements would 
            essentially preclude the state of California from enacting 
            internet related legislation.  Given California's significant 
            interest in protecting its citizens, the author's office 


          SB 242 (Corbett)
          Page 11 of ?

            should continue to work with Committee staff to ensure that, 
            to the greatest extent possible, the provisions of this bill 
            cannot be construed to violate Dormant Commerce Clause.

          5.   Opposition's remaining arguments  

          TechAmerica, in opposition, contends that this bill "apparently 
          seeks to deny those - who may be selecting and joining a 
          particular social networking site precisely to share information 
          about themselves - the right and ability to do so upon joining 
          the site.  Instead, the consumer will have to un-do the default 
          privacy settings to effectuate their preferences."  TechAmerica 
          also objects to the bill's definition of "social networking 
          site" as unclear and sweeping in too much of the internet.  The 
          author notes that the definition came from a scholarly article 
          entitled Social Network Sites: Definition, History, and 
          Scholarship by Danah M. Boyd and Nicole B. Ellison, available at 

          The IA, in opposition, contends that this bill "would force 
          users to make decisions about privacy and visibility of all 
          information, well before they have even used the service for the 
          first time, and in such a manner that they are less likely to 
          pay attention and process the information than they are today."  
          IA further contends that this bill is moving in the opposite 
          direction urged by the FTC in their proposed privacy framework, 
          that the bill singles out social networks, that major social 
          networks already remove personal information upon request under 
          certain circumstances, and that, if the bill is enacted and 
          challenged, a court could award attorneys' fees for the 
          plaintiff if this statute is found unconstitutional.

          TechNet echoes similar concerns and argues that this bill would 
          do significant damage to California's technology sector by 
          "drastically limitİing] social networking sites' growth 
          potential in California by imposing additional operating costs 
          and raising barriers to consumer participation in social 
          networking services, all while exposing those services to 
          massive and unwarranted civil liability and in turn, creating 
          significant confusion and uncertainty for investors, businesses 
          and consumers."

          6.   Author's amendments  

          The author offers the following amendment to clarify that the 
          bill would require the "express agreement "of a user to change 


          SB 242 (Corbett)
          Page 12 of ?

          the default privacy settings, and to remove inconsistent 
          language that was not stricken by the last set of amendments.

            1)  On page 2, line 12, before "agreement" insert: "express"
            2)  On page 3, strike line 1 through 3, inclusive.

           Support  :  California State Sheriffs' Association

           Opposition  :  Internet Alliance; TechAmerica; TechNet

           Source  :  Author

           Related Pending Legislation  :  SB 761 (Lowenthal), would require 
          the Attorney General, by July 1, 2012, to adopt regulations that 
          would require online businesses to provide California consumers 
          with a method for the consumer to opt out of the collection or 
          use of his or her information by the business.  This bill is in 
          the Senate Appropriations Committee.

           Prior Legislation  :  SB 1361 (Corbett), would prohibit a social 
          networking Internet Web site, as defined, from displaying, to 
          the public or other registered users, the home address or 
          telephone number of a registered user of that Internet Web site 
          who is under 18 years of age, as provided.  This bill failed 
          passage in the Assembly Arts, Entertainment, Sports, Tourism, 
          and Internet Media Committee.