BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session

SB 242 (Corbett)
As Amended May 2, 2011
Hearing Date: May 10, 2011
Fiscal: No
Urgency: No
BCP

SUBJECT

Social Networking Internet Web Sites: Privacy

DESCRIPTION

This bill would require social networking Internet Web sites to: establish a default privacy setting for registered users that prohibits the display of any information about the user without the agreement of the user, as specified; establish a process for new users to set their privacy settings as part of the registration process that explains privacy options in plain language; and remove personal identifying information in a timely manner upon request.

This bill would provide that a social networking Internet Web site that willfully and knowingly violates the bill's provisions shall be liable for a civil penalty not to exceed $10,000 for each violation.

BACKGROUND

Social networking Internet Web sites such as MySpace and Facebook have grown in use and become more popular with users who post messages and photos on a personal web page. Those personal pages, generated by the social network, may also display the user's address, phone number, and birth date. That information may then be displayed to the user's friends or the general public. Users of social networking sites are generally able to limit who may see their personal information by changing their "privacy settings," but absent any change by the user, the "default" for those settings may be to allow for full disclosure of a user's personal information.

As an example of why those settings are important, the Los Angeles Times' December 9, 2009 article by Cecilia Kang entitled "Facebook's Default Privacy Settings Too Loose, Critics Say" reported:

Beginning this week, Facebook members can customize every piece of data about themselves on the site.
They can control who sees personal information such as age, name, gender and workplace; and status updates and photos. In some cases, they can restrict access to photos to just one or two people or allow basic profile information to go out to the entire Web. . . . The site's recommended settings will be the default, and it is some of those recommendations that don't sit well with public interest groups. For example, status updates that were formerly limited to a user's network of friends will now be recommended for friends of friends. The default for profile information -- including a picture, gender and age -- will now go out beyond the site to the entire Web. While Facebook users will be able to choose their privacy settings, the problem is that most people don't take the time to do so and may simply stick with Facebook's default recommendations. Others may find the process confusing and may not understand how to adjust those settings. Facebook said that about 1 in 5 users currently adjusts privacy settings.

Regarding the ability of users to change those privacy settings, a recently released study by Columbia University entitled The Failure of Online Social Network Privacy Settings found that 93.8 percent of participants revealed information that they intended to keep private, and that 84.6 percent of participants were hiding information that they actually wanted to share.

This bill seeks to respond to the above issues by, among other things, requiring social networking websites to establish a default privacy setting that prohibits the display of information about a registered user (other than name and city of residence) without the user's explicit agreement, and allow users to request removal of their personal identifying information, as specified.

CHANGES TO EXISTING LAW

Existing law provides that, among other rights, all people have an inalienable right to pursue and obtain privacy. (Cal. Const., art. I, Sec. 1.)

Existing case law permits a person to bring an action in tort for an invasion of privacy and provides that in order to state a claim for violation of the constitutional right to privacy, a plaintiff must establish the following three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by the defendant that constitutes a serious invasion of privacy. (Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)

Existing law recognizes four types of activities considered to be an invasion of privacy, giving rise to civil liability including the public disclosure of private facts. (Id.)

Existing case law provides that there is no reasonable expectation of privacy in information posted on an Internet Web site. The information is no longer a "private fact" that can be protected from public disclosure. (Moreno v. Hanford Sentinel (2009) 172 Cal.App.4th 1125.)

This bill would require a social networking site to establish a default privacy policy setting for all registered users of the site that prohibits the display to the public or other registered users, any information about a registered user, other than the user's name and city of residence, with the agreement of the user.

This bill would require a social networking site to establish a process for new users to set their privacy settings as part of the registration process that explains privacy options in plain language. The site shall not complete the registration process until privacy settings are selected by the user, and the site shall make privacy settings available to all users in a conspicuous place and an easy-to-use format that allow the user to adjust his or her privacy setting.

This bill would define "plain language" as a clear explanation, written in easy to understand terms that achieve a minimum Flesch Reading Ease score of 70, as that calculation is described in the California Code of Regulations, as specified.

This bill would require a social networking site to remove the personal identifying information of a registered user "in a timely manner" upon his or her request. For registered users that have self-identified as under 18 years of age, the social networking internet web site shall remove that information upon the request of a parent of the registered user.

This bill would define "in a timely manner" to mean within 48 hours of the request.

This bill would provide that a social networking site that willfully and knowingly violates any provision of this part shall be liable for a civil penalty, not to exceed $10,000 for each violation of the bill.

This bill would define "social networking internet web site" as an Internet Web based service that allows individuals to construct a public or partly public profile within a bounded system, articulate a list of other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system.

This bill would also define "registered user" and "personally identifying information."

COMMENT

1. Stated need for the bill

According to the author:

Computer systems and the Internet have brought consumers many conveniences. Sites like Facebook and Twitter provide users with a place to share personal information with friends, family, and the public - an activity that's proven to be hugely compelling to Internet users. In response to the demand, technology is evolving to encourage the disclosure of information that was formerly discreet (like location), and to enable the sharing of information even when not sitting in front of a traditional computer (like from mobile phones). But these innovative methods of information sharing can pose a serious threat to our privacy and security.
There are countless privacy pitfalls when our personal identifying information is indiscriminately posted, indefinitely stored, and quietly collected and analyzed by marketers, and identity thieves.

Current law does not require social networking websites to provide a mechanism for users to adjust their privacy settings, or remove their personal identifying information; nor does it govern the disclosure of users' personal information to third parties and the public.

2. Importance of default settings

As noted above, the vast majority of users arguably do not change their user privacy settings on a social network. If the conclusions of the recent study released by Columbia University are correct, the privacy settings on social networks appear to contain serious flaws that result in not only the user sharing information that they desired to keep private, but also fail to allow the user to share information that the user actually wants to share.

To address privacy concerns regarding the potential over-sharing of information, this bill would require those privacy settings to default to a setting where information is not shared (except for the user's name and city of residence). That default position would appear to keep more information from being shared, including information that is not desired to be shared, but also potentially restricting information that the user desires to share.

From a policy standpoint, protecting information from disclosure on the Internet is especially important due to the ability of that information, once it becomes publicly available, to be rapidly distributed through the Internet. Since there are websites that do archive web pages as of a certain date and time, such as www.archive.org, it is also possible that a user's inadvertent disclosure of his or her personal information may be "cached" and saved indefinitely on another website.
Given those serious privacy issues, the default settings proposed by this bill would appear to help protect users from the unknowing disclosure of information. For social networking sites that do want their users to share more information, the required default settings would act as incentive for those sites to make the privacy settings easily accessible so that users who do want to share that information can act to change the settings.

This bill would also establish a process for new users to set their privacy settings as part of the registration process that explains the privacy options in "plain language." The registration process may not be completed until those settings are selected, and the site must make those settings available to all users in a conspicuous place and an easy-to-use format. As a result, even if those settings are defaulted to prohibit display of information, new users may easily change those settings when they first sign up for their account. Although the opposition generally expresses concern that users will be setting privacy settings before they are familiar with the site, those users would always be free to subsequently change those settings should they want a different level of privacy for their information.

It should be noted that "plain language" would be defined as a clear explanation, written in easy to understand terms, that achieves a minimum Flesch Reading score of 70, as calculated under Section 2689.4 of the California Code of Regulations, as specified. That Section notes that:

The Flesch Reading Ease Score rates text on a 100-point scale -- the higher the score, the easier it is to understand the document. The formula for the Flesch Reading Ease score is:

206.835 - (1.015 x ASL) - (84.6 x ASW)

where:
ASL = average sentence length (the number of words divided by the number of sentences)
ASW = average number of syllables per word (the number of syllables divided by the number of words).

(Cal.
Code Regs. Sec. 2689.4.)

Although the above standard provides a bright-line rule for social networking sites to evaluate their compliance with the bill's requirements, TechNet, in opposition, contends that "While we all agree that information about privacy and visibility online should be conveyed in simple, easy-to-understand language, such a standard is arbitrary and impossible to achieve in this context."

It should be noted that concerns have arisen regarding the application of the Flesch Reading score to disclosures provided in a language other than English. The author should continue to work with Committee staff regarding the definition of "plain language" to ensure that the developed standard appropriately accommodates disclosures given in any language.

3. Ability to request removal of personal information

This bill would also require a social networking internet web site to remove the personally identifying information of a registered user, upon his or her request. For users under 18, a parent may request that their child's information be removed. That removal must be done in a "timely manner," which would be defined as within 48 hours of the request.

From a practical standpoint, if a user seeks to remove personal information displayed on his or her own social networking page, that user could arguably change the privacy settings or delete the offending post. The situation becomes more complicated if the personally identifying information is located on another user's web page, or consists of GPS coordinates that are embedded on a photo that was posted by another user. Despite the potential complexities of removing that information, it should be noted that most social networking sites should already have some sort of system where users can flag inappropriate information for review.
For example, if an individual posts an explicit picture that is against the site's policy, the site arguably should already have a process that allows a user to flag the image for review and removal by the social networking site.

On the other hand, since personally identifying information, as defined, includes the name of a user, the bill could arguably allow a user to request a social network to remove all instances of his or her name from the site. If that user happens to be a public figure whose name is appearing in numerous posts, this bill could arguably allow that figure to request that the social network remove references to his or her name from the site. That compelled removal could act to stifle the free expression of individuals on social networking sites, including Facebook which was recently credited as playing an important role in the organization of the 2011 revolution in Egypt. In order to help ensure that the provisions of this bill are not used in a fashion that could unduly suppress the free expression of users on social networking sites, the bill should be amended to clarify that the requirement to remove information upon request does not include the removal of names.

Suggested amendment:

On page 2, line 27, insert: Notwithstanding subdivision (b) of section 62, for purposes of this subdivision, "personal identifying information" shall not include a person's name.

The Internet Alliance (IA), in opposition, notes that the bill "does not stipulate that the person provide a specific description of the information to be removed or its location. Without that information, social networking sites especially would not know what information to look for, a problem that gets more complicated when many users share the same basic biographical information. For example, there may be 100 John Smiths in the United States.
Moreover, social networks do not currently have the technology to delete a customer's information from an entire site."

While the above amendment would address the situation where a user requests the removal of a common name from the social networking site, it would not address issues relating to specificity of the request. In an effort to address those issues, the author offers the following amendment to require the registered user to verify his or her identity and to specify any known location of that information.

Author's amendment:

On page 2, line 28, insert: (d) A request submitted by a registered user pursuant to subdivision (c) shall include sufficient information to verify the identity of the user and specify any known location of the information that is the subject of the request.

4. Remedies

This bill would provide that a social networking site that willfully and knowingly violates any of the above provisions shall be liable for a civil penalty, not to exceed $10,000 for each violation. It should be noted that due to the willful and knowing standard, unintentional violations of this bill's provisions would not result in liability under that provision.

5. Constitutional arguments

The opposition contends that this bill would violate both the United States and California constitutions as follows:

a. First Amendment

The IA, in opposition, contends that the requirement for social networks to "default" privacy options to a setting that does not allow the public display of information "clearly conflicts with both the First Amendment to the United States Constitution and Article 1 of the California Constitution."

Generally speaking, the First Amendment, and Article 1, act to protect the freedom of expression of the citizens of California (as well as the rest of the nation).
The determination about whether a specific statute inappropriately restricts speech requires an examination of whether it is content-based or content-neutral, is unduly vague or overbroad, and whether the restriction acts as a prior-restraint on speech. Laws that are content-based, vague, or act as a prior-restraint are strongly disfavored by the courts. In Police Department of Chicago v. Mosley, the U.S. Supreme Court stated that:

[A]bove all else, the First Amendment means that government has no power to restrict expression because of its message, its ideas, its subject matter, or its content. To permit the continued building of our politics and culture, and to assure self-fulfillment for each individual, our people are guaranteed the right to express any thought, free from government censorship. The essence of this forbidden censorship is content control. Any restriction on expressive activity because of its content would completely undercut the 'profound national commitment to the principle that debate on public issues should be uninhibited, robust, and wide-open.' (Police Dep't of Chicago v. Mosley (1972) 408 U.S. 92, 95-96 (citations omitted).)

In the present circumstance, it is unclear how requiring that default settings be set to private would unduly restrict the free expression of users who elect to disseminate their information. Any user who chooses to disclose his or her home address or telephone number may elect to do so by affirmatively changing the privacy settings to share that information. For registered users who desire to disclose all of their information, posts, pictures, and location data to the entire world, this bill would not impact that ability, provided that the user affirmatively sets his or her privacy settings to allow that display.

The IA further contends that the ability to request the removal of personal information would "violate other similar user's legitimate speech to share their personal information with the world."
While, as noted in Comment 3, the ability to request the removal of an individual's name from an entire social networking site would arguably be contrary to the rights of free expression, the suggested amendment in Comment 3 would address that issue. It should also be noted that California already allows victims of domestic violence, individuals associated with witness protection, and reproductive health care providers to request the removal of specified personal information from an Internet web site.

b. Dormant commerce clause

The Constitution of the United States grants Congress the power to regulate commerce among the states. (U.S. Constitution, art. I, sec. 8.) From this grant of power, the United States Supreme Court has inferred that states may not enact laws that burden interstate commerce. (Gibbons v. Ogden (1824) 22 U.S. 1.)

The threshold test for whether a state law violates the dormant commerce clause is whether the law affects interstate commerce. If the answer to that question is yes, then the court looks to whether the state law discriminates against out-of-staters or whether it treats everyone alike. A state law that does not discriminate between the two, as this bill arguably would not, generally is upheld unless it is found to place a burden on interstate commerce that outweighs its benefits. (Pike v. Bruce Church (1970) 397 U.S. 137.)

In this case, TechNet, in opposition, argues that:

Internet commerce is an inherent interstate activity and SB 242 would regulate businesses far beyond California's borders. Social networking sites cannot reliably know if a visitor is a California resident. Therefore every covered site in the world would need to change its practices in order to comply with California law . . . SB 242 would limit the commercial relationship with social networking sites. As a result, any out-of-state company affected by the new law would be entitled to bring a Commerce Clause challenge under 42 U.S.C.
[Sec] 1983.

In response, the author states that "[u]nder SB 242, all social networking site providers - whether in or out of the state - would be governed by the same rules. There is no discrimination against out of state companies."

It should also be noted that the issue of state regulation of Internet web sites and the dormant commerce clause is in its relative infancy and is ultimately an issue for the courts. If the opponent's arguments are correct, those statements would essentially preclude the state of California from enacting internet related legislation. Given California's significant interest in protecting its citizens, the author's office should continue to work with Committee staff to ensure that, to the greatest extent possible, the provisions of this bill cannot be construed to violate the Dormant Commerce Clause.

5. Opposition's remaining arguments

TechAmerica, in opposition, contends that this bill "apparently seeks to deny those - who may be selecting and joining a particular social networking site precisely to share information about themselves - the right and ability to do so upon joining the site. Instead, the consumer will have to un-do the default privacy settings to effectuate their preferences." TechAmerica also objects to the bill's definition of "social networking site" as unclear and sweeping in too much of the internet. The author notes that the definition came from a scholarly article entitled Social Network Sites: Definition, History, and Scholarship by Danah M. Boyd and Nicole B. Ellison, available at http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html.

The IA, in opposition, contends that this bill "would force users to make decisions about privacy and visibility of all information, well before they have even used the service for the first time, and in such a manner that they are less likely to pay attention and process the information than they are today."
IA further contends that this bill is moving in the opposite direction urged by the FTC in their proposed privacy framework, that the bill singles out social networks, that major social networks already remove personal information upon request under certain circumstances, and that, if the bill is enacted and challenged, a court could award attorneys' fees for the plaintiff if this statute is found unconstitutional.

TechNet echoes similar concerns and argues that this bill would do significant damage to California's technology sector by "drastically limit[ing] social networking sites' growth potential in California by imposing additional operating costs and raising barriers to consumer participation in social networking services, all while exposing those services to massive and unwarranted civil liability and in turn, creating significant confusion and uncertainty for investors, businesses and consumers."

6. Author's amendments

The author offers the following amendment to clarify that the bill would require the "express agreement" of a user to change the default privacy settings, and to remove inconsistent language that was not stricken by the last set of amendments.

1) On page 2, line 12, before "agreement" insert: "express"
2) On page 3, strike lines 1 through 3, inclusive.

Support: California State Sheriffs' Association

Opposition: Internet Alliance; TechAmerica; TechNet

HISTORY

Source: Author

Related Pending Legislation: SB 761 (Lowenthal), would require the Attorney General, by July 1, 2012, to adopt regulations that would require online businesses to provide California consumers with a method for the consumer to opt out of the collection or use of his or her information by the business. This bill is in the Senate Appropriations Committee.

Prior Legislation: SB 1361 (Corbett), would prohibit a social networking Internet Web site, as defined, from displaying, to the public or other registered users, the home address or telephone number of a registered user of that Internet Web site who is under 18 years of age, as provided. This bill failed passage in the Assembly Arts, Entertainment, Sports, Tourism, and Internet Media Committee.