On May 13, the Court of Justice of the European Union ruled that individuals have the “right to be forgotten,” meaning they have the right to ask Google to remove information about them from its search index. A 1972 amendment to the California Constitution declares that the right to privacy is inalienable. So, should we expect that Californians will soon have the ability to clean up some awkward digital history and limit future information sharing? That would be premature.
Why the EU Ruling is Remarkable
The “right to be forgotten” ruling has its roots in criminal law, in the widely shared sentiment that someone who has paid the price for a criminal misdeed has the right to be welcomed back into the arms of society. We do much the same in this country. Ex-felons regain the franchise. Juvenile records are sealed. Even adult criminal records may be expunged.
What’s different is that the Court of Criminal Justice has made a giant leap into the behavioral realm, to include information about activities that are not criminal, not a breach of civil law, not illegal in any way — as long as the data is “inadequate, irrelevant or no longer relevant.” The right to be forgotten is the right to eliminate the embarrassing.
This is quite compelling for anyone who has ever been foolish. (Who would not actually prefer that everyone else’s mind be sunny and spotless?) It’s inconvenient if you like to receive marketing information about things you might like to buy. It’s puzzling for lawyers trying to balance the competing rights to privacy and free speech. The task of removing information is potentially ruinous for giant data collectors, like Facebook and Google, and it’s baffling for the small retailer trying to micro-target customers who are shopping for big screen TVs. There are several constituencies with competing interests.
Let’s Get Back to California
The situation for small California businesses is defined, first of all, by federal law. Much federal legislation dates from the same era as California’s Constitutional amendment, including the Fair Credit Reporting Act of 1970. This wave of legislation affected financial institutions and federal data collection. In the 1990s, federal laws were also passed to require privacy policy statements from the healthcare industries and from web sites and online services directed to children under the age of 13.
In 2003 California enacted the Online Privacy Protection Act, the first law in the nation to require operators of commercial web sites and online services to post a privacy policy about the collection of personally identifiable information of California residents. It was subsequently amended in 2013 to require data collectors to disclose whether they honor Do Not Track notices. Nearly all search engines permit users to make this request. Virtually no online services honor the request.
Last week the California Attorney General’s Office issued guidance about what the notice required to be posted by commercial websites or online services should include:
- How the site responds to a browser’s Do Not Track signal,
- Whether third parties are or may be collecting personally identifiable information,
- Uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app,
- What personally identifiable information is collected and how long it is retained, and
- What choices a consumer has regarding the collection, use and sharing of personal information.
Notice that neither the law nor the new guidance requires online services to comply with a Do Not Track notice or to refrain from marketing personally identifiable information. The law requires simply that the sites disclose their practices.
What About Data Breaches?
Another day, another data breach, it appears. First Target, then Heartbleed, and last week eBay users were told to change their passwords in the wake of another huge hacking scandal. As with data collection, the legal obligation of online services is to notify Californians whose information may have been compromised. This has nationwide effect, as long as the consumer is a California resident.
The Point of Disclosure Requirements
The point of disclosure requirements, whether of the initial data collection or its subsequent loss, is to give customers the chance to respond with the power of the purse. If the customer is unhappy about the harvesting of personally identifiable information, he or she can shop elsewhere or deal in cash.
Businesses that collect data in order to maximize marketing efforts (and increasingly, smart businesses do) essentially rely on a contract theory. If they disclose as required by law, and the customer accepts the terms of the deal, where is the harm? In reality, though, this approach does not quite address the problem because consumers who care about the privacy of personally identifiable data do not have many other acceptable choices. There’s a great deal of market pressure to alienate an inalienable right.
So, Do Consumers Care?
Are privacy laws a solution in search of a problem? It depends on your demographic. If your customer base is young and technologically savvy, they may not care a great deal. Facebook, for example, just rolled out a new app that turns on the user’s microphone, identifies background music or TV sound and automatically updates the user’s status. Unless it is the kind of breach that leaves the bank account empty, many consumers don’t seem to care. Many derive a sense of community, or at least anonymity, in the massive quantity of data collected and shared, whether or not the sharing is deliberate. Some other segments of your customer base, however, may be a bit more touchy.
Should Californians Anticipate the Day When They Can Ask Google to Scrub its Search Index?
Not soon, it seems. Even in California, which has historically been in the forefront of privacy protection, there seems to be no movement to import a “right to be forgotten.” The EU ruling has a faintly 70s feel to it.
Privacy advocates might plausibly support legislation requiring web-based businesses to honor Do Not Track notices, but how compliance might be managed is not entirely clear. This is still a very long way from deleting historical information that has become “inadequate, irrelevant or no longer relevant.”