This article is part of the 2023 BCLT-BTLJ Symposium.
In 1972, Californians approved Proposition 11, a legislatively proposed amendment to the California constitution to establish an inalienable right to privacy.2 Accompanying this right was an enforceable right of action.3 The ballot arguments in favor of Proposition 11 (Ballot Arguments) in the voter information guide as well as case law on the constitutional right to privacy suggest that there were several concerns underlying the push for a constitutional right to privacy. In reviewing the Ballot Arguments and interpreting the intent behind Proposition 11, the California Supreme Court observed that “the accelerating encroachment on personal freedom and security caused by increased surveillance and data collection activity in contemporary society” was the “moving force behind the new constitutional” right to privacy.4 Similarly, the Ballot Arguments decried a lack of effective restraints, at that time, on public and private entities’ data practices.5
California’s constitutional right to privacy has perhaps also partially served as a justification for modern privacy legislation in California. The California Consumer Privacy Act (CCPA) provides one such example.6 Today, academics and other commentators continue to debate and evaluate the boundaries and efficacy of California’s constitutional right to privacy.7 Legal advocates have contended that the California Supreme Court has too narrowly construed the constitutional right to privacy, thereby hindering the electorate’s intent.8
Given existing debates regarding the potential limits of the California constitutional right to privacy, this essay contends that several of the concerns that led to the California constitutional right to privacy, as articulated by the Ballot Arguments, can be addressed in certain instances through alternative sources of California law. This essay focuses on California’s Song-Beverly Consumer Warranty Act (Warranty Act)9 and California’s version of the Uniform Commercial Code (UCC).10 While these important sources of commercial and consumer law do not appear to have been adopted initially to deal with privacy and cybersecurity issues, this essay posits that when applicable, these sources of law can provide Californians with the ability to protect their reasonable expectations of privacy and cybersecurity in the modern Internet of Things (IoT) age. The defining features of this era center on the ability of moveable goods, from cameras to smart speakers, to connect to the internet and receive an ongoing provision of services and software updates that enable data collection, disclosure, and continuous monitoring.11 These IoT data practices often raise important privacy and cybersecurity risks.12 The Warranty Act and the California Commercial Code have the potential to address several of these concerns.
II. THE CALIFORNIA UNIFORM COMMERCIAL CODE AND THE SONG-BEVERLY CONSUMER WARRANTY ACT
The UCC is an important source of commercial law in California. Article 2 of the California UCC is applicable to “transactions in goods.”13 The California UCC provides a buyer with a cause of action for breach of a non-disclaimed implied warranty of merchantability.14 The Warranty Act, which expressly supplements the provisions of the California UCC,15 also provides California’s consumers with a cause of action for breach of an implied merchantability warranty in retail consumer goods transactions.16 The Warranty Act provides California consumers with additional extensive protections in certain retail consumer transactions.17 Notably, the Warranty Act restricts subject entities’ ability to disclaim and limit the duration of the implied warranties in retail consumer goods transactions.18 The federal Magnuson-Moss Warranty Act can also nullify warranty disclaimers in transactions involving consumer products.19
The merchantability warranty is intended to facilitate fair dealing by merchants with respect to the goods they sell while ensuring the protection of buyers’ reasonable expectations.20 Although the California UCC has a more extensive definition of merchantability than that in the Warranty Act, both sources of law require that merchantable goods (1) be “fit for the ordinary purposes for which such goods are used,” (2) be “adequately contained, packaged and labeled . . . ” and (3) “conform to the promises or affirmations of fact made on the container or label,” among other conditions.21 These merchantability standards can also ameliorate several privacy and data security concerns and protect buyers’ reasonable expectations of privacy and cybersecurity. It is also notable that the California Supreme Court has acknowledged that an important “element of a state constitutional cause of action for invasion of privacy is a reasonable expectation of privacy on plaintiff’s part.”22
The Ballot Arguments describe the right to privacy as “the right to be left alone” and express concern about Californians’ lack of control over their data.23 The Ballot Arguments highlight concerns that may flow from the collection, storage, and stockpiling of data about Californians, the risk of misuse of collected data, Californians’ lack of knowledge about entities’ data practices, and the potential for unintended uses of the data.24 The Ballot Arguments stress that privacy is central to “social relationships and personal freedom” and fundamental for the protection of “our homes, our families, our emotions, our expressions … and our personalities.”25
The fit for the ordinary purpose merchantability standard could also further foster Californians’ ability to hold entities responsible for the misuse and disclosure of their data. The implementation of robust privacy and cybersecurity measures is a key component of the safety of IoT devices.26 Additional examples of IoT devices include internet connected televisions, refrigerators, and doorbells.27 An IoT device and related systems that collect and store data vulnerable or susceptible to cybersecurity intrusions could, in certain instances, fail to qualify as fit for its ordinary purpose. If a cybersecurity vulnerability in an IoT device or connected service is exploited and causes harm, or renders a product unsafe, there may be a breach of the merchantability warranty. Possible factors in making this determination include whether the entity built security and privacy into the device and associated services and systems, as well as the company’s other privacy and cybersecurity practices, such as the use of encryption and security patches, cybersecurity trainings, and adherence to recommended industry and governmental privacy and cybersecurity standards.28
The collection of data unnecessary to device functionality could also come into consideration, particularly where the data is susceptible to misuse and inadvertent disclosure to third parties. The Ballot Arguments expressly criticized the unnecessary stockpiling of data and the “collection of extraneous and frivolous information,” going so far as to denounce the creation of “cradle to grave profiles” on American citizens.29
With respect to the Ballot Arguments’ concerns about Californians’ lack of knowledge regarding entities’ data practices, a company’s failure to adequately disclose on product labeling critical device and service components (or data practices) that may generate potential privacy and cybersecurity risks could render a device unmerchantable with respect to the “adequately contained and labeled” requirement.30 This interpretation of the merchantability warranty could further encourage disclosure of privacy and data security practices along with other traditional sources of privacy law, such as the CCPA.
Companies’ use of layered labeling on IoT devices, in which a URL or QR Code appears on a device label to provide additional information about privacy and data security practices, could also serve as an alternative route to hold entities responsible for failing to keep privacy or security promises, including collecting data for one purpose and using it for other purposes.31 Indeed, the Ballot Arguments express an intent to “prevent misuses of . . . information for unauthorized purposes” and the merchantability warranty requires that goods conform to “promises or affirmations of fact made on” product labels and containers.32
The California constitutional right to privacy is an important source of privacy protection for Californians in the modern age. However, there are various other underexplored sources of California law that could, in certain contexts, address several of the underlying concerns which led to the California constitutional right to privacy. When applicable, the provisions of the Warranty Act and the California UCC contain important warranty principles that can address modern-day privacy and cybersecurity concerns. The implementation of vigorous privacy and cybersecurity practices is likely a significant and reasonable expectation of privacy of the average California purchaser of IoT devices and associated services.33 Given the nature of IoT devices as software- and service-dependent objects, an IoT device company’s privacy and cybersecurity practices are also likely closely connected to the functionality and safety of such objects. California’s implied warranty of merchantability could help to address several of the concerns expressed in the Ballot Arguments by protecting Californians’ reasonable expectations of privacy and cybersecurity.