
Part 2: The California Consumer Privacy Act: Privacy Laws That Came Before





This is Part 2 of our series on the California Consumer Privacy Act (the “Act”), which was signed into law just this year. Here’s a link to Part 1. Here’s a link to the Act for your reference. As I mentioned before, please keep in mind as you read through this and subsequent posts that they discuss the Act as originally passed and signed into law, and do not include discussion of any amendments to the Act (yes, there have been amendments already). Therefore, please understand that some of the provisions I will be discussing may have already been changed. But don’t worry, I plan on following up with updates in that regard. Now let’s get to it!

 

Where Do Privacy Laws Come From Anyway?


I am genuinely fascinated by data privacy laws given the reality that most of us simply must provide our personal information online in order to go about our daily lives. And from a business perspective, as if doing the million tasks required to keep the lights on wasn’t hard enough, now you may have to add yet another, fairly intensive, task to the list. We’ll get into the Act, but before getting into the thick of it, it’s important for you to get a general sense of where data privacy laws like the Act, and privacy laws in general, have their origins. There’s something you should know – these laws didn’t just pop up out of thin air. These laws are based on privacy concepts that have evolved over time and with the development of technology. With that in mind, let’s do this!



History of Privacy Laws in the U.S. Leading Up to the Act


The U.S. Constitution, ratified by Congress in 1788, is the supreme law of the land in the U.S. However, in response to calls from several states which sought greater constitutional protection for individual liberties, Congress ratified 10 amendments to the Constitution in 1791. These amendments and the ratified amendments which followed, 27 in total, make up the Bill of Rights.


Among the rights contained in the Bill of Rights is the First Amendment, which protects, among other things, freedom of religion, freedom of speech, freedom of assembly (or association), and freedom of the press. However, when the First Amendment was ratified there was no explicit right to privacy in it, and therefore, no express right to privacy exists in the Constitution or the Bill of Rights.


But the U.S. is a common law system, which means it is largely based on precedent, or court decisions that have already been made in prior cases. That being the case, the U.S. Supreme Court, in the 1965 case, Griswold v. Connecticut, for the first time recognized that the Bill of Rights guarantees U.S. citizens a “zone of privacy”. The Court in Griswold, while acknowledging that the Bill of Rights does not explicitly use the word “privacy”, referenced the self-incrimination clause of the Fifth Amendment, the Ninth Amendment, and the due process clause of the Fourteenth Amendment as examples of this implied zone of privacy. The U.S. Supreme Court further expanded on and explained the right to privacy in subsequent cases, including the 1969 case Stanley v. Georgia, the 1972 case Roe v. Wade, and the 2003 case Lawrence v. Texas.


In addition to these enforceable privacy rights founded in common law, the U.S. Federal Trade Commission also has authority to enforce sector-specific laws, which are generally intended to prevent deceptive practices and unfair competition. These laws include numerous federal statutes and rules regarding data privacy, including the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule.


Indeed, there are a number of federal laws which regulate the collection and use of personal information or data, which include:


  • The Fair Credit Reporting Act, enacted in 1970, aims for accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies.


  • The Privacy Act of 1974 was the U.S.’ first major data privacy legislation, governing the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained by federal agencies.


  • The Health Insurance Portability & Accountability Act (HIPAA) was enacted in 1996 to protect the privacy of individually identifiable health information.


  • The Financial Monetization Act of 1999, also known as the Gramm-Leach-Bliley Act, while removing barriers between banking, securities, and insurance companies to consolidate, also put into place regulations that require financial institutions to provide consumers with a privacy notice explaining the institution’s collection, use, sharing and protection practices relating to each consumer’s information.


  • The Children’s Online Privacy Protection Act (COPPA) took effect in April 2000, and requires parental consent for the collection or use of any personal information of children under 13 years of age (if the website targets them or knowingly collects their information), the posting of a privacy policy, and allowing parents to opt-out or limit the collection, use, and disclosure of their children’s personal information.


In terms of civil causes of action in the United States, there are generally four distinct claims for invasion of privacy:


  • Intrusion of Solitude - an intentional invasion of private affairs, offensive to a reasonable person, regarding a private matter, that causes mental anguish or suffering.

      • For example, wire-tapping someone’s phones or planting hidden cameras in someone’s home.

      • Also, paparazzi can get into trouble here if they harass or stalk celebrities they seek to photograph. In the 1973 federal case Galella v. Onassis, a paparazzo named Ron Galella relentlessly and intrusively pursued former First Lady Jacqueline Onassis (Kennedy) and her children. He even followed son John Jr. on his bicycle and interrupted daughter Caroline while she played tennis. The Appeals Court upheld the trial court’s order finding an invasion of privacy for intrusion of solitude.


  • Appropriation of Name or Likeness - the use of an aspect of someone’s identity (such as name or likeness, or other personal attributes), for an exploitative purpose, without consent.

      • Similar to this tort is a claim for invasion of the right of publicity, which generally gives someone the right to control the commercial value of their name, likeness, voice, signature, or other personal identifying traits unique to them.

      • A popular 1993 case, White v. Samsung Electronics America, Inc., involved a Samsung television commercial which depicted Vanna White for the purpose of selling Samsung VCRs.

      • For example, using someone’s image in an ad claiming they endorse a product or service without their permission.


  • Public Disclosure of Private Facts - public disclosure of a private fact (not something generally known), offensive to a reasonable person, that is not newsworthy (in other words, not a matter of legitimate public concern).

      • The 2007 California federal case Paris Hilton v. Persa involved defendants who published a celebrity’s personal sex tape online. The court ultimately issued an injunction in which the defendants were ordered to stop publication of the sex tape. The court held that sexual relations are among the most personal and intimate of acts.

      • For example, consenting to a hospital taping your birth for educational purposes only and then the hospital showing it for a commercial purpose to the public.


  • False Light - information widely published, that identifies someone, that puts that person in a “false light” that would be highly offensive to a reasonable person, and the defendant was at fault.

      • For example, a news agency that uses stock footage of a person to accompany a news story that the person is not connected to in any fashion. Let’s say a news station runs a segment on the problems of street prostitution, using some stock footage of a woman walking down the street in a short skirt and heels. However, the woman is not a prostitute at all. This may be a case for false light invasion of privacy.



Now Let’s Talk About Some California Privacy Laws Leading Up to the Act


So what about California laws? While the privacy right in the U.S. Constitution requires state action, the right to privacy under California law generally involves actions by private individuals and entities which violate a privacy right.


In 1972, the people of California used the initiative process to add “privacy” to the list of “inalienable rights” guaranteed by Article 1, Section 1 of the California Constitution. Since then, the California Supreme Court’s many rulings on the issue have reiterated that the scope of protection granted by the California Constitution’s explicitly enumerated privacy right is sometimes greater than the scope of the U.S. Constitution’s implied right of privacy. Indeed, this has generally been hashed out in the differing results reached by the California Supreme Court and the U.S. Supreme Court on similar privacy issues.


In regard to the California right of privacy, the California Constitution explicitly states that such state constitutional rights are independent of corresponding federal constitutional rights. California courts have further elucidated the boundaries of this California privacy right. For example, in Valley Bank of Nevada v. Superior Court, 14 Cal. 3d 652 (1975), the Court recognized the right of consumers to financial privacy. Years later, in Hill v. National Collegiate Athletic Assn, 7 Cal.4th 1 (1994), the Court established a three-part test for privacy interests: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.


Over the past decades, the California Legislature has passed many privacy-related statutes in a wide variety of contexts. Moreover, in 2000, the California Legislature established an Office of Privacy Protection, which acted as a resource and advocate on privacy issues. However, due to state budget cuts, the Office was disbanded in 2012, at which time the California Department of Justice created a new privacy enforcement unit to concentrate on enforcing state and federal privacy laws.


Given California’s history as a national leader, and oftentimes a world leader, on data privacy laws, it is no surprise that it recently adopted the Act. The Act adds to California’s growing list of notable online privacy laws, which include:


  • In 2003, California became the first state in the U.S. to impose a data breach notification law, requiring any person, business, or state agency to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person (Civ. Code sections 1798.29(a) and 1798.82(a)). Any person or business that must issue a security breach notification to more than CA residents as a result of a single breach of the security system must electronically submit a single sample copy of that security breach notification to the Attorney General (Civ. Code 1798.29(e) and Civ. Code 1798.82(f)). This was amended in 2017 to also include notification provisions for unauthorized acquisition of encrypted information.


  • The California Online Privacy Protection Act of 2003 (CalOPPA) became effective in 2004 and was amended in 2013. It was the first state law in the U.S. requiring commercial websites and online services to include a privacy policy on their website, which, among other things, must identify the categories of personally identifiable information collected about site visitors, the categories of third parties with whom the operator may share the information, and the operator’s online tracking policies. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy. This Act does not contain an enforcement mechanism of its own, but generally is expected to be enforced through California’s Unfair Competition Law (UCL), which prohibits unlawful, unfair, or fraudulent business acts or practices.


  • The California “Shine the Light” Law became effective in 2005, and sets out procedures requiring companies to disclose, upon request of a California resident, what personal information has been shared with third parties, as well as the parties with which the information has been shared. The law also sets out specific language that companies who do business with California residents must include in their privacy policies.


  • The California Consumer Privacy Act was signed into law on June 28, 2018, setting stringent requirements on qualifying businesses regarding the collection, use, sale, and deletion of the personal information of California consumers, and regarding making that information readily accessible. The Act also has requirements that mandate transparent privacy policies regarding businesses’ personal information practices. The definition of “personal information” under the Act has expanded the number of categories that qualify, and both individual residents and households are protected.



Conclusion


As you can see, the Act did not simply appear out of thin air. The Act is the natural result of a relatively long common law history in the United States and California, as well as the newest addition to a growing collection of data privacy laws around the world. In the United States, the concept of a right of privacy grew from a non-explicit right inferred from the Bill of Rights. In California, the right of privacy is explicitly granted in the state Constitution. So what was the point of this article? It’s that, while it is great that you have taken the time to learn about the provisions of the Act, it’s also a good idea to learn about the history, origins, context, and intent behind it. Hopefully, like me, you will come out of this with a better overall understanding of the Act.



To Be Continued...


I hope this was informative for you. If it was, please make sure to read Part 1, and Parts 3 through 5 of this series as we dive deeper into the California Consumer Privacy Act.










Disclaimer: This article may constitute attorney advertising and is provided for informational purposes only. This article does not constitute legal advice nor does it form an attorney-client relationship. Specifically, this article does not address all potential situations and is in no way intended to apply to your particular situation. Qualified counsel in your jurisdiction should be consulted for your specific concerns and/or needs. If you want more information, please contact Law Unboxed with any questions!

