California Privacy Legislation: Wins and Losses

During September 2012, the California legislature voted in favor of three laws recognizing new privacy rights resulting from technological advancements and the ubiquity of Internet activity in the lives of Americans. California Governor Jerry Brown took two steps forward in the name of privacy by signing two of the laws, but took one step back by vetoing the third.

Social Media Information Off-limits For Employers and Postsecondary Educational Institutions

On September 27, 2012, Governor Brown signed two laws effectuating new protections for personal social media account information and passwords, thus making California the third state (joining Maryland and Illinois) to enact a social media privacy law—something even Congress is considering implementing on a federal level. The first law, Senate Bill 1349, institutes new privacy protections for students at California’s postsecondary educational institutions, and the second law, Assembly Bill 1844, institutes similar protections for employees or applicants for employment. Both laws take effect January 1, 2013. The laws have been hailed by privacy proponents, like the ACLU, as an affirmation of existing privacy rights brought into the online context. But, not all discussion of the new laws has been as positive. Some legal experts critique the laws for being too vague in their language and thus problematically overbroad in their eventual application.

Social media provides Internet users the ability to express themselves in quasi-private (such as Facebook) or quasi-public (such as YouTube) fora in any way that they see fit. In this way, the information posted on social media can more closely align with the contents of a person’s diary or private conservations with friends. The privacy right espoused by these new laws fit neatly into the context of such a view of social media.

However, recent court decisions such as Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. 2011) offer a different picture of social media where every user is a celebrity in the context of their “friends” and all of his or her actions are newsworthy. Such a conceptualization of social media seems facially incongruent with California’s new protection for social media information and passwords–why should an employer not be able to request “newsworthy” information posted by a potential employee? In reality, though, this “newsworthiness” view does not interfere with the new statutory social media privacy right. Specifically, activity by a social media user only constitutes a newsworthy action in the context the relevant audience of the user’s “friends.” Social media activity cannot be viewed as newsworthy to the public at large and, contrary to public misconceptions, social media users actually have higher expectations of privacy online in social media when they are often conversing with friends and family. See William McGeveran, Disclosure, Endorsement, and Identity in Social Marketing, 2009 U. Ill. L. Rev. 1105, 1125 (2009).

Although the new laws restrict postsecondary educational institutions and employers from requesting personal social media information and even prevents these institutions and employers from retaliating against a student or employee who invokes this new privacy right, the new laws will likely cause some problems in their implementation due to the vague language of the statutes. Professor Eric Goldman correctly criticizes the statutes for the purported definitions of “social media” and for the statutes’ failure to clarify the term “personal” in relation to a social media account.

The first point of contention lies with the statutes’ definitions of “social media.” The statutes share a definition of “social media” as “an electronic service or account, or electronic content, including, but not limited to, videos or still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.” Through this broad definition the legislature attempted to reach all existing and future social media services, but in doing so, the legislature implicitly included other activity into the definition of social media that would not generally be viewed as such. For example, Professor Goldman points out that the definition extends to “locally-stored content” on a person’s computer such as documents or photographs saved to a person’s desktop or to an external hard drive. This category of content would not fall under a general understanding of social media. While Professor Goldman’s analysis of the statute is correct, the harm caused by the over-extension of this definition is not readily apparent and instead may provide preemptive protection to a category of personal information employers and educational institutions had not yet thought to request.

The second point of contention relating to the language of the statutes is the statutes’ limited application only to “personal social media” and “personal social media information” without providing any guidance as to the definition of the word personal. Perhaps the legislature thought to draw from the term “personally identifiable information” or PII, but in reality the word proves especially problematic where a student or employee controls a business-related or quasi-business-related social media account (or in the case of Facebook, has administrative privileges over the page of a product, brand, or service). Professor Goldman provides a string of recent cases concerning the difference between “personal” and “business-related” social media accounts that properly indicate that the current legal understanding of “personal social media” is not clear-cut. For example, consider whether a Facebook or Twitter account of a prominent (or even not prominent) blogger or independent journalist would be considered a “personal social media account.” Do the privacy settings of the account make a difference as to whether it should be deemed personal? After the new laws take effect next year, the courts will certainly struggle with this and similar questions as they attempt to define the term “personal” and this struggle could severely limit the effectiveness of the new laws as envisioned by the California legislature.

On the positive side, the new laws do provide a much needed protection in the digital age where employers and postsecondary educational institutions are willing to base employment and enrollment on the content of a social media account. The allowance of this practice by employers and educational institutions not only directly harms the privacy expectations of a social media user but also more broadly implicates the privacy of that user’s social media “friends.” Moreover, allowing this practice holds distinct implications for employers who may stumble across an applicant’s age, political affiliation, religious affiliation, or sexual orientation, which could be used improperly to illegally deny an applicant employment. Additionally, obtaining access to social media accounts places dangerous legal liability on an employer or education institution that requests and receives the password to such accounts as that employer or institution could then be liable for the content posted on the account. It should be noted, however, that even under the new laws employers and educational institutions retain the legal right to request personal social media data for investigations into employee or student misconduct.

Although the new laws contain some potentially problematic language, the overall privacy protection provided by the laws represents a substantial step forward toward the protection of online privacy. Other states should look to these new laws and the similar laws of Maryland and Illinois as exemplars of digital privacy protection and follow in the legislative footsteps of these states.

California Governor Sides with Law Enforcement, Vetoes Location-Privacy Law

After signing into law the above-discussed social media privacy bills, California Governor Jerry Brown swiftly turned about and dealt a substantial blow to privacy by vetoing a novel location-privacy law on September 30, 2012. Senate Bill 1434, if signed, would have required law enforcement to effectuate a valid search warrant before requesting location information from a location service provider. The bill defined location information as “information, concerning the location of an electronic device, including both the current location and any prior location of the device, that, in whole or in part, is generated, derived from, or obtained by the operation of an electronic device.” Although it implemented the high standard of a search warrant for location information, the bill provided necessary exemptions for exigent circumstances and user consent.

Currently, law enforcement need only serve a subpoena or merely file a request with an officer’s signature to receive location information from a service provider. The proposed law’s requirement of a search warrant implied that the California legislature desired to recognize a distinct privacy right in an individual’s location information and thus wanted to raise protections for the information similar to protections of the Electronic Communications Privacy Act (ECPA). The bill’s attempt to recognize such a location privacy right aligns with the United States Supreme Court’s recent decision in United States v. Jones, No. 10-1259, 2012 BL 14420 (U.S. Jan. 23, 2012), where the Court required, albeit ambiguously, that law enforcement receive a search warrant to place a GPS tracking device on a person’s vehicle and then track that vehicle. In fact, the bill would have curbed law enforcement’s increased turn to the use of warrantless mobile device location tracking that has resulted from the Jones decision’s changed conceptions about the warrantless use of GPS tracking device.

Governor Brown’s veto letter indicates that he sides with the growing voices advocating the drastic need for the law to keep up with evolving technology and changing norms about privacy. However, Governor Brown gave in to law enforcement concerns about operational obstacles that the bill would impose. The Electronic Frontier Foundation, co-sponsor of the vetoed bill along with the ACLU, has responded to Governor Brown’s veto with considerable disappointment warning that the veto continues a dangerous trend of “allowing law enforcement to gorge itself on as much data and information they can eat without a warrant.”

Because so much private information, such as religious affiliation or sexual orientation, can be gleaned from location information by checking on the various places a person visits, the bill’s recognition of the need for a higher standard for law enforcement to receive that information is entirely necessary. Much like the use of GPS tracking devices, warrantless use of location information provides law enforcement too thorough a record of a person’s movements for the information to be deemed public under the guise that an individual cannot maintain an expectation of privacy in public movements. While implementation of a search warrant requirement would impose an obstacle by compelling law enforcement to provide proof to a judge validating the need for the location information, the Jones Court has already recognized that such obstacles can be necessary when expectations of privacy and threats to the freedom of affiliation and speech are endangered. California citizens should not have to consider whether or not to use their mobile devices while going about their daily activities out of fear that information about their private activities will be available to law enforcement indiscriminately. Such fear chills the liberties and expectations of privacy that the United States has long held fundamental.