With the Eric Snowden controversy shining a bright light on government intrusions on individual privacy, attention is beginning to shift, much to the dismay of some of the nation's most powerful companies, to the broader issue of consumer privacy. Companies around the world have invested millions into the research, collection and analysis of consumer data, often gleaned from consumer activity online and on social media sites.
Which raises the question: how strong are consumer protections in the state of California, historically a legislative trendsetter in privacy and identity protection? In particular, in the area of consumer privacy, what sorts of personal information may commercial vendors gather, use and exchange? And if they cross the line, what sort of liability, if any, do they face for violating a consumer's right to privacy?
Under California common law, there are four traditional types of actionable, privacy-related offenses: (1) intrusion into private affairs, (2) public disclosure of private facts, (3) false light, and (4) misappropriation of name or likeness. The first three common law torts require some conduct that goes beyond mere annoyance. That is, it must be something that a reasonable person would find highly offensive. The fourth type — for misappropriation of name or likeness — generally requires that the offending party churned a profit by purposely using an image or description that is unmistakably the plaintiff, as opposed to general characteristics that can easily be someone else.
The threat of that tort liability rarely prevents a commercial vendor from collecting information about a consumer in order to sell that person a different brand of a product the consumer regularly buys. Nor does such tort liability stop the private company from sharing such information with its affiliates to engage in tag-team marketing. But — here is where a consumer needs to be extra vigilant — in California, plaintiffs are not limited to choosing from the four common law torts.
Namely, in 1972, California voters affirmed that their right to privacy was among their inalienable rights. That affirmation remains embodied in Article I, §1 of the California Constitution. California courts have repeatedly confirmed that the constitutional right to privacy is self-executing, and pertains to infringement by both government and business entities. What this means is that a violation of the right to privacy is actionable conduct in and of itself.
Moreover, a potential violation of the right to privacy does not insist upon a "reasonable person" standard of inquiry. Rather, the mechanics of the constitutional variety can, in theory, subject a wider variety of conduct by a private business to liability than do the common law torts. In the real world, however, the state constitutional right to privacy affords consumers little or no protection against the collection and dissemination of consumer information by commercial enterprises.
As applied to private actors, California's constitutional right to privacy poses three questions: First, is there a legally protected privacy interest at issue? As the court in Hill v. National Collegiate Athletic Association (1994) articulated, legally protected interests can be either "informational" privacy (interests in precluding the dissemination or misuse of sensitive and confidential information) or "autonomy" privacy (interests in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference).
Whether the interest at issue is legally protectable is extracted from developments in common law, developments in state and federal constitutional law, social norms, and even the arguments that accompanied the 1972 ballot itself. For instance, citing several examples, the California Supreme Court in its seminal White v. Davis opinion noted that California courts have long recognized the propriety of resorting to arguments to voters written in election brochures to interpret legislative measures and constitutional amendments.
Notably, the 1972 ballot argument in favor of the constitutional amendment expressed a concern about the computerization of records making it possible to create "cradle-to-grave" profiles of individuals. The argument asserted that the ability to control the dissemination of one's personal information is fundamental to one's privacy.
Proponents of the amendment further explained that recognizing the right to privacy would prevent misuse of personal information for unauthorized purposes, including the collection of frivolous information.
Those arguments undoubtedly make the state constitutional standard for violation of a right to privacy much easier to meet than the "highly offensive" standard under the traditional common law torts. Indeed, the collection of information about what a consumer regularly purchases or products a consumer might view on a website might easily fall within the "frivolous information" to which the ballot argument alludes.
But determining whether the privacy interest is afforded legal protection is only the first step. There is a second step. In particular, the second inquiry asks if the plaintiff has a reasonable expectation of privacy.
Answering this second question means looking at all the circumstances in a case-by-case analysis. Factors affecting one's reasonable expectation of privacy include (1) advance notice, (2) an opportunity to voluntarily consent, (3) common customs, norms and practices, and (4) physical settings surrounding particular activities.
Nonetheless, your typical consumer generally does not have a reasonable expectation of privacy regarding a description of his home address. This is the case even if a retailer obtains it without that consumer's knowledge or permission, and then uses that information to mail him annoying advertising materials.
On the other hand, in Planned Parenthood Golden Gate v. Superior Court, the Court of Appeal determined that staff members and volunteers of a Planned Parenthood clinic had a strong expectation of privacy concerning their home addresses and telephone numbers. In that case, there was a safety issue involved. Consequently, the nature of the information sought is not, by itself, determinative of whether a reasonable expectation of privacy exists. Instead, the totality of all surrounding circumstances must be considered.
Finally, we arrive at the third inquiry. To be actionable under the state constitution, the violation of a person's privacy right must be sufficiently serious in nature, scope and impact. In other words, the violation must be an egregious breach of applicable social norms.
This third part of the analysis sets a high — and often insurmountable — bar for invasion of privacy claims. Back in 1972, proponents of the privacy rights measure had assured voters that this would prevent government and businesses from collecting and stockpiling unnecessary information for one purpose, but then using that information for other, embarrassing purposes. While intended to screen out nominal or otherwise insignificant intrusions of privacy, the "egregious" standard has instead resulted in undermining the original intent of the privacy initiative.
In Low v. LinkedIn Corp., a federal court likened the "egregious" standard under a constitutional privacy action to the "highly offensive" standard under common law privacy torts. In doing so, the court found that disclosing a user's web browsing history to third parties was not serious enough of an invasion of the state constitutional right to privacy to qualify as "egregious."
Likewise, the court in Folgelstrom v. Lamps Plus, Inc., determined that obtaining a consumer's address without his permission and then using that information to mail him unwanted coupons and other advertisements was not an egregious breach of social norms, but rather, "routine commercial behavior." It appears that the Folgelstrom court took a cynical, but amused view of the world of marketing.
Collecting and sharing information about iPhone, iPad and iPod Touch users' addresses and current whereabouts, the unique device identifier assigned to each device, and other personal data — even without the users' consent — also falls short of the "egregious" barricade to bringing a successful claim under the state's constitutional right to privacy.
Thus, despite Proposition 11's stated purpose of making privacy a fundamental right under the California Constitution, the past four decades of appellate rulings have affirmed that private businesses can collect and exchange all sorts of consumer information for marketing purposes.
Notably, businesses with 20 or more employees that share certain types of personal information and data with third parties will be subject to California's "shine the light" statutes. Even so, the law does not make it unlawful to share consumer marketing information with third parties; it merely enables consumers to obtain information about a business' information-sharing practices.
Moreover, federal courts have interpreted the "shine the light" law's injury requirement narrowly within the context of standing. Consequently, courts have repeatedly dismissed consumers' claims.
Similarly, the California Online Privacy Protection Act of 2003 only requires commercial websites and online services to post their privacy policies. Thus, California statutes do not really stop businesses from collecting and sharing consumer information, as long as it is for the ultimate purpose of chasing the almighty dollar.
Recently, however, legislation has been proposed to bolster the right to privacy in California. On Feb. 22, the State Assembly introduced the "Right to Know Act of 2013," which proposes to supplant the current law with new language that would deem a violation of the "shine the light" law itself grounds for a lawsuit.
This would help plaintiffs get around the issue of standing that has prevented consumers from maintaining actions against businesses for failing to comply with the law on privacy. But even if this bill passes, businesses could still share consumer information. They would just have to make sure they did it with a legitimate marketing purpose in mind.
The State Assembly also introduced Assembly Bill 257 on Feb. 7, designed to expand the California Online Privacy Protection Act of 2003 to encompass operators of mobile applications. A week later, on Feb. 14, Assembly Bill 370 was introduced. This proposal is aimed at requiring commercial websites to disclose whether they actually honor "do not track" requests by consumers. Critically, however, these bills are not designed at outlawing the gathering or sharing of web users' information. Instead, these bills are only intended to force iPhone app operators and commercial websites to make their information-gathering policies publicly available.
As it stands, due to courts bowing to economic interests argued by big business, the right to privacy has regressed from what Proposition 11 of 1972 was supposed to accomplish.
What's more, court opinions on "shine the light" claims suggest that personal identifying information — like home addresses and phone numbers — do not hold any inherent economic value for consumer plaintiffs. Ironically, commercial vendors have monetized such "worthless" information to their own benefit. This apparent double standard seems to have been largely ignored by the courts. Accordingly, businesses remain virtually free to use personal consumer information to inundate the public with annoying marketing strategies at their own, unfettered discretion.
With the growth of social media, and its emphasis on personal characteristics like age, race, gender, relationship status, political views, medical conditions, social circles and travel history, the potential for misuse of this information in the marketplace continues to rise. While legislation is in the works to curb businesses from abuse, the free and wide dissemination of one's personal information makes policing commercial misconduct increasingly more difficult.
As with most trends in the postmodern world, it pays to be vigilant at all times regarding one's privacy. The court system offers protection, but the average consumer would likely be surprised at the leniency the law currently offers to businesses in the hunt to turn a buck.
Richard Lee is a partner, and Newton Tak is an associate with the Los Angeles law firm of Salisian Lee.
In Practice articles inform readers on developments in substantive law, practice issues or law firm management. Contact Vitaly Gashpar with submissions or questions at firstname.lastname@example.org.