X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
It has become a distressingly common practice for commentators to overstate the impact of the Internet on business practices and law. Contrary to the once-popular slogan heard over and over during the 1990s dot-com boom, the Internet does not “change everything.” One thing that has changed because of the Internet is the rate of exchange of personal information from consumers to businesses that transact business online. As consumer connectivity levels increase and the average connection speed rises, it becomes easier for consumers to transact business over the Internet. With those transactions comes more disclosure of consumers’ personal information. And with that disclosure comes an increased potential for such information to be used by the recipients in ways that the average consumer might not even consider when he or she provides the information in the first place. In the absence of comprehensive federal legislation regulating the manner in which this personal information can be used, abuses can and do occur. Consumers find their personal information turned over to third parties with which they never intended to do business, sometimes to be passed along from one recipient to another with little regard for the concerns of the disclosing individuals. Important consumer information, such as Social Security numbers or purchasing histories, can become a commodity available for sale from one business to another, and companies with substantial customer databases enjoy a new revenue stream from selling access to that customer information. Consumer and privacy protection groups have begun to take notice, and have raised legitimate questions as to the propriety of this new commerce in personal information. While Europe has developed a broad scheme for protecting personal information, the approach in the United States has been more scattershot, affecting information in certain contexts. Financial services and health care are examples of two areas that have seen federal restrictions imposed on the use of their customers’ personal information. GOLDEN STATE’S EXAMPLE The states have by no means abandoned this area, however. California in particular has been at the forefront in enacting legislation designed to protect the manner in which personal information is used and exchanged over the Internet. While this recent legislation obviously protects California residents, the substantial population of the Golden State coupled with the border-ignoring nature of the Internet means that it affects all businesses that collect and use the personal information of large numbers of consumers, particularly those that transact business electronically. These companies need to consider the new state laws and come to some understanding whether and to what extent the laws apply to them. Because the applicability of the new laws to an individual company are fact-specific, it is best to look closely at particular situations before deciding when and whether to make any law-driven changes to the way a company conducts business. It is also important, of course, to pay close attention to your own state’s laws that may complement or sometimes counter those of California or other states that may attempt to regulate the use of personal information. COMPUTER SPYWARE ACT The stated intent of the California Consumer Protection Against Computer Spyware Act (SB 1436, Business and Professions Code �22947), which became law on Sept. 28, and becomes effective Jan. 1, 2005, is to “protect California consumers from the use of spyware and malware that is deceptively or surreptitiously installed on their computers.” This is software that either tracks what computer users are doing, or permits a third party to control remotely the actions of a user’s computer, almost always without the knowledge or informed consent of the user. Spyware is commonly used to gather valuable information about consumers and how they use their computers and automatically forwards that information to a third party. Malware is often used to harness the computing power and Internet connections of groups of computers to, for example, send e-mail messages, launch viruses, or initiate large scale denial-of-service attacks against victim Web sites. The new law prohibits the installation of software “onto the computer of a consumer in this state” that (i) modifies “through intentionally deceptive means” Internet browser settings such as the browser’s “home page,” its bookmarked pages, or its default Internet service provider; or (ii) collects “through intentionally deceptive means” defined “personally identifiable information” by way of a keystroke — or Web site-logging-and-reporting function, or by extracting from the consumer’s hard drive certain specified personal information. The law also prohibits malware that takes control of some aspect of the user’s computer by, for example, surreptitiously transmitting or relaying e-mail or a computer virus from the user’s computer; causing the user’s computer to access the Internet and incur unwanted charges; enrolling the user’s computer with other remotely controlled computers to damage other computers by, for example, using them to launch a denial-of-service attack; or opening “multiple, sequential, stand-alone advertisements” in the user’s browser without the user’s authorization. The provisions of the California anti-spyware act apply to “intentionally deceptive” acts. This leaves the door open for such software to continue to be installed on user’s computers with their apparent consent, either as part of a “decoy” program (such as a game or a file-sharing utility), or alone. By providing a sufficiently densely worded license agreement as part of the installation process, and requiring the user to “consent” to its terms, spyware and even malware purveyors may be able to insulate themselves from the act’s penalties of $1,000 per incident, plus attorney fees. New York is considering its own anti-spyware legislation. Both Senate bill 7141 and Assembly bill 11531 are currently in committee. SECURITY ACT Another new California law introduces broad security requirements for “businesses that own or license personal information about California residents.” (AB 1950, Civil Code �1798.81.5) It requires such businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Businesses that disclose such information to “nonaffiliated third parties” must require those parties “by contract” to implement and maintain similar security procedures. The law defines what personal information is included in its scope; in general this includes what one would expect would be included: first and last names; Social Security, credit card, and account numbers; passwords; and medical information. Certain businesses are exempt from the law. These generally include those that are already regulated by other statutes such as the Health Insurance Portability and Accountability Act, financial privacy acts, and certain California state laws. The problem with this law is its lack of guidance as to what constitutes “reasonable security procedures and practices.” In the absence of accepted security standards for protecting personal data, there is likely to be substantial room for reasonable experts to differ about what is appropriate. Furthermore, as more states join California and impose their own security procedures requirements on businesses, complying with the entire m�lange could be quite challenging. ONLINE PRIVACY ACT California’s Online Privacy Protection Act of 2003 took effect on July 1, 2004, (A.B. 68, California Business & Professions Code ��22575-22579). It requires commercial Web sites or online services that collect certain “personally identifiable information” about consumers residing in California to have, maintain, and “conspicuously post” a privacy policy. The mandated privacy policy must identify the types of personal information that the Web site operator collects about the consumers who use or visit its Web site, as well as the categories of third-parties with whom the operator shares that information. It must advise users of any process by which a user can review and request changes to his or her personal information that has been collected through the site, and describe that process if one exists. It must also describe the process that the operator uses to notify consumers of changes to the privacy policy. There are very specific display requirements, designed to ensure that the privacy policy is easy for users to locate and see. These include mandates as to the color and content of an icon linking to the policy, as well as the manner in which a text link to such a policy is to be displayed. There is also a specific list of information that constitutes personally identifiable information under the new law. Here again, while complying with the California law alone may be relatively easy, the problem arises once other states introduce similar privacy policy notice requirements. While it may be possible to aggregate requirements and develop a global policy based on the most restrictive of each of the state laws, such a cobbled-together “uber-policy” will be more complicated to develop and may not be as effective as one based on a uniform set of requirements. Furthermore, as with many of these state laws attempting to regulate information exchanged over the Internet, it will be the businesses that take advantage of the Internet and do business in more than one state that will be burdened the most, as inevitably conflicting laws may end up making things more confusing for the very consumers that the laws are designed to protect. DIRECT MARKETING ACT As of Jan. 1, 2005, businesses that disclose a California customer’s personal information to a third party for direct marketing purposes will be required to provide the customer with the names and addresses of the recipients of the disclosed information, and details concerning the information that was disclosed. (S.B. 27, California Civil Code �1798.83.) The new Direct Marketing Disclosure Law offers several ways for disclosing businesses to advise customers of their rights. These include (i) notifying all “agents and managers who directly supervise employees who directly have contact with customers” of the addresses or numbers by which customers can obtain the information about the recipients of the information; (ii) adding a link to the home page of the Web site that leads to a page that has the information about the consumers’ rights under the new law; or (iii) making the information readily available at each place where the business operates in California. The “personal information” that is subject to the new law is defined broadly as “any information that when it was disclosed identified, described, or was able to be associated with an individual,” and includes such disparate categories as names of children, height, weight, race, religion, occupation, education, and products purchased. While there are a number of exemptions in the Privacy Rights law, there are many businesses both within and outside of California that will be affected. Companies that provide customer information to third parties that use the information for direct marketing purposes should be prepared to disclose a list of the categories of personal information that they disclose to third parties during the previous calendar year, and the names and addresses of those third parties. If the nature of the business of a third party cannot be determined from its name, the company should also list some examples of the third party’s products or services. The California direct marketing disclosure law does not restrict the use of personal information so much as it makes it more burdensome for businesses to share their customers’ personal information with direct marketing companies. Businesses outside of California that market their California customers’ information should be prepared to comply with this new law beginning Jan. 1. LOOKING FORWARD These recent examples of state privacy legislation serve as a reminder of the burdens that come with the extra-territorial benefits of doing business over the Internet. Keeping track of the many new state laws that can affect an out-of-state businesses’ operations will become an increasingly difficult chore, and may inspire new strategies for dealing with conflicting or incompatible requirements. It is important for businesses that collect, store, and use consumers’ personal information to be aware of the shifting legal landscape and to take affirmative steps to remain compliant with the various new legal requirements. Kelly D. Talcott is a partner at Kirkpatrick & Lockhart (www.kl.com) specializing in intellectual property and technology law. If you are interested in submitting an article to law.com, please click here for our submission guidelines.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.