Could the European GDPR or the new California Privacy Act affect your business?
Digital privacy rights have received more attention since it was revealed that the voter-profiling firm Cambridge Analytica gained access to personal data of millions of Facebook users. This prompted the European Union to establish some of the toughest online privacy regulations in the world. Even companies outside Europe must comply with the E.U.’s new General Data Protection Regulation (“GDPR”) if their web presence extends into Europe. Facebook, for example, announced in April that it will offer the privacy controls required under the GDPR to all Facebook users, not just Europeans.
The State of California also recently enacted the Consumer Privacy Act, A.B. 375, which is modeled on the GDPR. The California Consumer Privacy Act is set to take effect on January 1, 2020, giving citizens an array of new rights, and more control over how their data is used. California consumers will have the right to request deletion of personal information, to opt-out of the sale of personal information, and to access personal information in a “readily usable format” that enables transfer to third parties without hindrance. It also makes it more difficult to share or sell data related to children younger than 16.
This California law will have an impact outside of that State, because it will apply to any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means of processing such information, and (iv) satisfies at least one of the following three conditions:
* Has an annual gross revenue of over $25 million
* Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of $50,000 or more consumers, households or devices, or
* Derives 50% or more of its annual revenues from selling consumers’ personal information
The California law will force companies meeting the minimum size threshold to be transparent about how they use consumer data. These companies will have to obtain permission before using targeting ads based on personal information that they’ve received, such as a person’s job, education, or the websites and apps used by the person.
Many companies that use or gather consumer data, from retailers to cellular network providers to internet companies, have at least some California customers. Companies large enough to be subject to the new law must bring their systems and websites into compliance, and ensure that their processes are robust enough to take action in response to consumer inquiries and requests.
Prosecution of an Occupy Wall Street protester may lead to clarification of privacy rights for social media accounts
The Twitterverse has been abuzz about an ongoing criminal prosecution in New York City of an Occupy Wall Street protester named Matthew Harris, and his effort to stop the government from obtaining information from his Twitter account. Mr. Harris was one of the hundreds of protesters arrested during a march across the Brooklyn Bridge. He was charged with disorderly conduct for allegedly walking in the street instead of on the sidewalk. Many of the protesters, including Mr. Harris, maintain that the police directed them off the sidewalk and into the street. The case has received a great deal of attention recently because the District Attorney subpoenaed Twitter records related to Mr. Harris’s account, in the hope that his tweets might refute his claim that the police directed him to move onto the roadway. Harris moved to quash the subpoena.
There isn’t a lot of reported case law on whether people have a legitimate expectation of privacy in information that they voluntarily post on social media sites such as Facebook or Twitter, but the limited number of reported court decisions so far have generally found little or no privacy protection for a social media site user. It was not entirely surprising, therefore, that the judge in Mr. Harris’ case declined to quash the subpoena, finding that Mr. Harris lacked standing to oppose a subpoena directed toward Twitter. The judge reasoned that Twitter, not Harris, owns any information that Harris posted on his Twitter account, because the Twitter terms of service grant Twitter a license to distribute all tweets.
The denial of the motion to quash that was brought by Mr. Harris didn’t end the matter, however, because Twitter then filed its own motion to quash the subpoena. Twitter argued in its motion that, despite the license rights that Twitter users grant to Twitter, the users themselves “own” their posts under Twitter’s terms of service. Twitter also argued that the Stored Communications Act allows users to challenge requests for their material, and that federal law requires a warrant (not just a subpoena) to access users’ communications. The distinction is important because warrants require probable cause, while a subpoena may be issued if authorities merely have a supportable belief that they are likely to uncover relevant information through the issuance of a subpoena. A number of privacy organizations, including the ACLU, the Electronic Frontier Foundation, and Public Citizen, have now filed their own submissions with the court.
Although this case is only in the pre-trial stage, the high visibility that it has garnered and the efforts by multiple organizations to use it as a vehicle for highlighting these privacy issues, mean that this could end up being an important step in the process of sorting out privacy rights of social media users.