BILL ANALYSIS ��
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session
SB 242 (Corbett)
As Amended May 2, 2011
Hearing Date: May 10, 2011
Fiscal: No
Urgency: No
BCP
SUBJECT
Social Networking Internet Web Sites: Privacy
DESCRIPTION
This bill would require social networking Internet Web sites to:
establish a default privacy setting for registered users
that prohibits the display of any information about the
user without the agreement of the user, as specified;
establish a process for new users to set their privacy
settings as part of the registration process that explains
privacy options in plain language; and
remove personal identifying information in a timely
manner upon request.
This bill would provide that a social networking Internet Web
site that willfully and knowingly violates the bill's provisions
shall be liable for a civil penalty not to exceed $10,000 for
each violation.
BACKGROUND
Social networking Internet Web sites such as MySpace and
Facebook have grown in use and become more popular with users
who post messages and photos on a personal web page. Those
personal pages, generated by the social network, may also
display the user's address, phone number, and birth date. That
information may then be displayed to the user's friends or the
general public. Users of social networking sites are generally
able to limit who may see their personal information by changing
their "privacy settings," but absent any change by the user, the
"default" for those settings may be to allow for full disclosure
(more)
�
SB 242 (Corbett)
Page 2 of ?
of a users personal information.
As an example of why those settings are important, the Los
Angeles Times' December 9, 2009 article by Cecilia Kang entitled
"Facebook's Default Privacy Settings Too Loose, Critics Say"
reported:
Beginning this week, Facebook members can customize every
piece of data about themselves on the site. They can control
who sees personal information such as age, name, gender and
workplace; and status updates and photos. In some cases,
they can restrict access to photos to just one or two people
or allow basic profile information to go out to the entire
Web. . . . The site's recommended settings will be the
default, and it is some of those recommendations that don't
sit well with public interest groups.
For example, status updates that were formerly limited to a
user's network of friends will now be recommended for
friends of friends. The default for profile information --
including a picture, gender and age -- will now go out
beyond the site to the entire Web. While Facebook users will
be able to choose their privacy settings, the problem is
that most people don't take the time to do so and may simply
stick with Facebook's default recommendations. Others may
find the process confusing and may not understand how to
adjust those settings. Facebook said that about 1 in 5 users
currently adjusts privacy settings.
Regarding the ability of users to change those privacy settings,
a recently released study by Columbia University entitled The
Failure of Online Social Network Privacy Settings found that
93.8 percent of participants revealed information that they
intended to keep private, and that 84.6 percent of participants
were hiding information that they actually wanted to share.
This bill seeks to respond to the above issues by, among other
things, requiring social networking websites to establish a
default privacy setting that prohibits the display of
information about a registered user (other than name and city of
residence) without the users explicit agreement, and allow users
to request removal of their personal identifying information, as
specified.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
�
SB 242 (Corbett)
Page 3 of ?
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for an invasion of privacy and provides that in order to state a
claim for violation of the constitutional right to privacy, a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law recognizes four types of activities considered to
be an invasion of privacy, giving rise to civil liability
including the public disclosure of private facts. (Id.)
Existing case law provides that there is no reasonable
expectation of privacy in information posted on an Internet Web
site. The information is no longer a "private fact" that can be
protected from public disclosure. (Moreno v. Hanford Sentinel
(2009) 172 Cal.App.4th 1125.)
This bill would require a social networking site to establish a
default privacy policy setting for all registered users of the
site that prohibits the display to the public or other
registered users, any information about a registered user, other
than the user's name and city of residence, with the agreement
of the user.
This bill would require a social networking site to establish a
process for new users to set their privacy settings as part of
the registration process that explains privacy options in plain
language. The site shall not complete the registration process
until privacy settings are selected by the user, and the site
shall make privacy settings available to all users in a
conspicuous place and an easy-to-use format that allow the user
to adjust his or her privacy setting.
This bill would define "plain language" as a clear explanation,
written in easy to understand terms that achieve a minimum
Flesch Reading Ease score of 70, as that calculation is
described in the California Code of Regulations, as specified.
This bill would require a social networking site to remove the
personal identifying information of a registered user "in a
timely manner" upon his or her request. For registered users
that have self-identified as under 18 years of age, the social
networking internet web site shall remove that information upon
�
SB 242 (Corbett)
Page 4 of ?
the request of a parent of the registered user.
This bill would define "in a timely manner" to mean within 48
hours of the request.
This bill would provide that a social networking site that
willfully and knowingly violates any provision of this part
shall be liable for a civil penalty, not to exceed $10,000 for
each violation of the bill.
This bill would define "social networking internet web site" as
an Internet Web based service that allows individuals to
construct a public or partly public profile within a bounded
system, articulate a list of other users with whom they share a
connection, and view and traverse their list of connections and
those made by others within the system. This bill would also
define "registered user" and "personally identifying
information."
COMMENT
1. Stated need for the bill
According to the author:
Computers systems and the Internet have brought consumers
many conveniences. Sites like Facebook and Twitter provide
users with a place to share personal information with
friends, family, and the public - an activity that's proven
to be hugely compelling to Internet users. In response to
the demand, technology is evolving to encourage the
disclosure of information that was formerly discreet (like
location), and to enable the sharing of information even
when not sitting in front of a traditional computer (like
from mobile phones).
But these innovative methods of information sharing can pose
a serious threat to our privacy and security. There are
countless privacy pitfalls when our personal identifying
information is indiscriminately posted, indefinitely stored,
and quietly collected and analyzed by marketers, and
identity thieves.
Current law does not require social networking websites to
provide a mechanism for users to adjust their privacy
settings, or remove their personal identifying information;
�
SB 242 (Corbett)
Page 5 of ?
nor does it govern the disclosure of users' personal
information to third parties and the public.
2. Importance of default settings
As noted above, the vast majority of users arguably do not
change their user privacy settings on a social network. If the
conclusions of the recent study released by Columbia University
are correct, the privacy settings on social networks appear to
contain serious flaws that result in not only the user sharing
information that they desired to keep private, but also fail to
allow the user to share information that the user actually wants
to share. To address privacy concerns regarding the potential
over-sharing of information, this bill would require those
privacy settings to default to a setting where information is
not shared (except for the user's name and city of residence).
That default position would appear to keep more information from
being shared, including information that is not desired to be
shared, but also potentially restriction information that the
user desires to share.
From a policy standpoint, protecting information from disclosure
on the Internet is especially important due to the ability of
that information, once it becomes publically available, to be
rapidly distributed through the Internet. Since there are
websites that do archive web pages as of a certain date and
time, such as www.archive.org , it is also possible that a user's
inadvertent disclosure of his or her personal information may be
"cached" and saved indefinitely on another website. Given those
serious privacy issues, the default settings proposed by this
bill would appear to help protect users from the unknowing
disclosure of information. For social networking sites that do
want their users to share more information, the required default
settings would act as incentive for those sites to make the
privacy settings easily accessible so that users who do want to
share that information can act to change the settings.
This bill would also establish a process for new users to set
their privacy settings as part of the registration process that
explains the privacy options in "plain language." The
registration process may not be completed until those settings
are selected, and, the site must make those settings available
to all users in a conspicuous place and an easy-to-use format.
As a result, even if those settings are defaulted to prohibit
display of information, new users may easily change those
settings when they first sign up for their account. Although
�
SB 242 (Corbett)
Page 6 of ?
the opposition generally expresses concern that users will be
setting privacy settings before they are familiar with the site,
those users would always be free to subsequently change those
settings should they want a different level of privacy for their
information.
It should be noted that "plain language" would be defined as a
clear explanation, written in easy to understand terms, that
achieves a minimum Flesch Reading score of 70, as calculated
under Section 2689.4 of the California Code of Regulations, as
specified. That Section notes that:
The Flesch Reading Ease Score rates text on a 100-point
scale -- the higher the score, the easier it is to
understand the document. The formula for the Flesch Reading
Ease score is:
206.835 - (1.015 x ASL) - (84.6 x ASW)
where:
ASL = average sentence length (the number of words divided
by the number of sentences)
ASW = average number of syllables per word (the number of
syllables divided by the number of words. (Cal. Code Regs.
Sec. 2689.4.)
Although the above standard provides a bright-line rule for
social networking sites to evaluate their compliance with the
bill's requirements, TechNet, in opposition, contends that
"While we all agree that information about privacy and
visibility online should be conveyed in simple,
easy-to-understand language, such a standard is arbitrary and
impossible to achieve in this context." It should be noted that
concerns have arisen regarding the application of the Flesch
Reading score to disclosures provided in a language other than
English. The author should continue to work with Committee
staff regarding the definition of "plain language" to ensure
that the developed standard appropriately accommodates
disclosures given in any language.
3. Ability to request removal of personal information
This bill would also require a social networking internet web
site to remove the personally identifying information of a
�
SB 242 (Corbett)
Page 7 of ?
registered user, upon his or her request. For users under 18, a
parent may request that their child's information be removed.
That removal must be done in a "timely manner," which would be
defined as within 48 hours of the request. From a practical
standpoint, if a user seeks to remove personal information
displayed on his or her own social networking page, that user
could arguably change the privacy settings or delete the
offending post. The situation becomes more complicated if the
personally identifying information is located on another user's
web page, or consists of GPS coordinates that are embedded on a
photo that was posted by another user.
Despite the potential complexities of removing that information,
it should be noted that most social networking sites should
already have some sort of system where users can flag
inappropriate information for review. For example, if an
individual posts an explicit picture that is against the site's
policy, the site arguably should already have a process that
allows a user to flag the image for review and removal by the
social networking site. On the other hand, since personally
identifying information, as defined, includes the name of a
user, the bill could arguably allow a user to request a social
network to removal all instances of his or her name from the
site. If that user happens to be a public figure whose name is
appearing in numerous posts, this bill could arguably allow that
figure to request that the social network remove references to
his or her name from the site. That compelled removal could act
to stifle the free expression of individuals on social
networking sites, including Facebook which was recently credited
as playing an important role in the organization of the 2011
revolution in Egypt. In order to help ensure that the
provisions of this bill are not used in a fashion that could
unduly suppress the free expression of users on social
networking sites, the bill should be amended to clarify that the
requirement to remove information upon request does not include
the removal of names.
Suggested amendment :
On page 2, line 27, insert:
Notwithstanding subdivision (b) of section 62, for purposes of
this subdivision, "personal identifying information" shall not
include a person's name.
The Internet Alliance (IA), in opposition, notes that the bill
�
SB 242 (Corbett)
Page 8 of ?
"does not stipulate that the person provide a specific
description of the information to be removed or its location.
Without that information, social networking sites especially
would not know what information to look for, a problem that gets
more complicated when many users share the same basic
biographical information. For example, there may be 100 John
Smiths in the United States. Moreover, social networks do not
currently have the technology to delete a customer's information
from an entire site." While the above amendment would address
the situation where a user requests the removal of a common name
from the social networking site, it would not address issues
relating to specificity of the request. In an effort to address
those issues, the author offers the following amendment to
require the registered user to verify his or her identity and to
specify any known location of that information.
Author's amendment:
On page 2, line 28, insert:
(d) A request submitted by a registered user pursuant to
subdivision (c) shall include sufficient information to verify
the identity of the user and specify any known location of the
information that is the subject of the request.
4. Remedies
This bill would provide that a social networking site that
willfully and knowingly violates any of the above provisions
shall be liable for a civil penalty, not to exceed $10,000 for
each violation. It should be noted that due to the willful and
knowing standard, unintentional violations of this bill's
provision would not result in liability under that provision.
5. Constitutional arguments
The opposition contends that this bill would violate both the
United States and California constitutions as follows:
a. First Amendment
The IA, in opposition, contends that the requirement for
social networks to "default" privacy options to a setting the
does not allow the public display of information "clearly
conflicts with both the First Amendment to the United States
Constitution and Article 1 of the California Constitution."
�
SB 242 (Corbett)
Page 9 of ?
Generally speaking, the First Amendment, and Article 1, act to
protect the freedom of expression of the citizens of
California (as well as the rest of the nation). The
determination about whether a specific statute inappropriately
restricts speech requires an examination of whether it is
content-based or content-neutral, is unduly vague or
overbroad, and whether the restriction acts as a
prior-restraint on speech. Laws that are content-based,
vague, or act as a prior-restraint are strongly disfavored by
the courts. In Police Department of Chicago v. Mosley, the
U.S. Supreme Court stated that:
�A]bove all else, the First Amendment means that government
has no power to restrict expression because of its message,
its ideas, its subject matter, or its content. To permit
the continued building of our politics and culture, and to
assure self-fulfillment for each individual, our people are
guaranteed the right to express any thought, free from
government censorship. The essence of this forbidden
censorship is content control. Any restriction on
expressive activity because of its content would completely
undercut the 'profound national commitment to the principle
that debate on public issues should be uninhibited, robust,
and wide-open.' (Police Dep't of Chicago v. Mosley (1972)
408 U.S. 92, 95-96 (citations omitted).)
In the present circumstance, it is unclear how requiring that
default settings be set to private would unduly restrict the
free expression of users who elect to disseminate their
information. Any user who chooses to disclose his or her home
address or telephone number may elect to do so by
affirmatively changing the privacy settings to share that
information. For registered users who desire to disclose all
of their information, posts, pictures, and location data to
the entire world, this bill would not impact that ability,
provided that the user affirmatively sets his or her privacy
settings to allow that display.
The IA further contends that the ability to request the
removal of personal information would "violate other similar
user's legitimate speech to share their personal information
with the world." While, as noted in Comment 3, the ability to
request the removal of an individual's name from an entire
social networking site would arguably be contrary to the
rights of free expression, the suggested amendment in Comment
3 would address that issue. It should also be noted that
�
SB 242 (Corbett)
Page 10 of ?
California already allows victims of domestic violence,
individuals associated with witness protection, and
reproductive health care providers to request the removal of
specified personal information from an Internet web site.
b. Dormant commerce clause
The Constitution of the United States grants Congress the
power to regulate commerce among the states. (U.S.
Constitution, art. I, sec. 8.) From this grant of power, the
United States Supreme Court has inferred that states may not
enact laws that burden interstate commerce. (Gibbons v. Ogden
(1824) 22 U.S. 1.) The threshold test for whether a state law
violates the dormant commerce clause is whether the law
affects interstate commerce. If the answer to that question
is yes, then the court looks to whether the state law
discriminates against out-of-staters or whether it treats
everyone alike. A state law that does not discriminate
between the two-as this bill arguably would not-generally is
upheld unless it is found to place a burden on interstate
commerce that outweighs its benefits. (Pike v. Brace Church
(1970) 397 U.S. 137.) In this case, TechNet, in opposition,
argues that:
Internet commerce is an inherent interstate activity and
SB 242 would regulate businesses far beyond California's
borders. Social networking sites cannot reliably know if
a visitor is a California resident. Therefore every
covered site in the world would need to change its
practices in order to comply with California law . . . SB
242 would limit the commercial relationship with social
networking sites. As a result, any out-of-state company
affected by the new law would be entitled to bring a
Commerce Clause challenge under 42 U.S.C. �Sec] 1983.
In response, the author states that "�u]nder SB 242, all
social networking site providers - whether in or out of the
state - would be governed by the same rules. There is no
discrimination against out of state companies." It should
also be noted that the issue of state regulation of Internet
web sites and the dormant commerce clause is in its relative
infancy and is ultimately an issue for the courts. If the
opponent's arguments are correct, those statements would
essentially preclude the state of California from enacting
internet related legislation. Given California's significant
interest in protecting its citizens, the author's office
�
SB 242 (Corbett)
Page 11 of ?
should continue to work with Committee staff to ensure that,
to the greatest extent possible, the provisions of this bill
cannot be construed to violate Dormant Commerce Clause.
5. Opposition's remaining arguments
TechAmerica, in opposition, contends that this bill "apparently
seeks to deny those - who may be selecting and joining a
particular social networking site precisely to share information
about themselves - the right and ability to do so upon joining
the site. Instead, the consumer will have to un-do the default
privacy settings to effectuate their preferences." TechAmerica
also objects to the bill's definition of "social networking
site" as unclear and sweeping in too much of the internet. The
author notes that the definition came from a scholarly article
entitled Social Network Sites: Definition, History, and
Scholarship by Danah M. Boyd and Nicole B. Ellison, available at
http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html .
The IA, in opposition, contends that this bill "would force
users to make decisions about privacy and visibility of all
information, well before they have even used the service for the
first time, and in such a manner that they are less likely to
pay attention and process the information than they are today."
IA further contends that this bill is moving in the opposite
direction urged by the FTC in their proposed privacy framework,
that the bill singles out social networks, that major social
networks already remove personal information upon request under
certain circumstances, and that, if the bill is enacted and
challenged, a court could award attorneys' fees for the
plaintiff if this statute is found unconstitutional.
TechNet echoes similar concerns and argues that this bill would
do significant damage to California's technology sector by
"drastically limit�ing] social networking sites' growth
potential in California by imposing additional operating costs
and raising barriers to consumer participation in social
networking services, all while exposing those services to
massive and unwarranted civil liability and in turn, creating
significant confusion and uncertainty for investors, businesses
and consumers."
6. Author's amendments
The author offers the following amendment to clarify that the
bill would require the "express agreement "of a user to change
�
SB 242 (Corbett)
Page 12 of ?
the default privacy settings, and to remove inconsistent
language that was not stricken by the last set of amendments.
1) On page 2, line 12, before "agreement" insert: "express"
2) On page 3, strike line 1 through 3, inclusive.
Support : California State Sheriffs' Association
Opposition : Internet Alliance; TechAmerica; TechNet
HISTORY
Source : Author
Related Pending Legislation : SB 761 (Lowenthal), would require
the Attorney General, by July 1, 2012, to adopt regulations that
would require online businesses to provide California consumers
with a method for the consumer to opt out of the collection or
use of his or her information by the business. This bill is in
the Senate Appropriations Committee.
Prior Legislation : SB 1361 (Corbett), would prohibit a social
networking Internet Web site, as defined, from displaying, to
the public or other registered users, the home address or
telephone number of a registered user of that Internet Web site
who is under 18 years of age, as provided. This bill failed
passage in the Assembly Arts, Entertainment, Sports, Tourism,
and Internet Media Committee.
**************