I'd like to make readers aware of some of the official privacy protection legislation now being debated in the halls of California's state capitol. I do this not just because I'll be working (for the Consumer Federation of California) on ensuring these bills become law, but also because California often establishes landmark privacy protections that become templates other states mimic. In other words, the importance of these bills cannot be overstated - particularly the new effort to protect the privacy of digital book readers.
We're not talking about just another library, mind you - librarians use different standards for dealing with user information than the online world does. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.
The concerns of privacy advocates are not hypothetical. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans?
For these reasons and more, it is essential that products like Google Book Search incorporate strong privacy protections, and SB 602 is one big way to ensure that they do. Without such protections, we're talking about a virtual one-stop shop for government and third-party "fishing expeditions into the personal details of our lives."
Again, these concerns are not hypothetical. In 2006, the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual.
The good news was that a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information, “the chilling effect on e-commerce would frost keyboards across America.”
This fight has been ongoing. In fact, just recently another privacy stalwart, the Electronic Frontier Foundation (EFF), joined the ACLU and the privacy authors and publishers they represent, which include the American Library Association, the Association of Research Libraries and the Association of College and Research Libraries, CDT, EPIC, SFLC, and Professor James Grimmelmann, in urging Google to include privacy protection.
Some more good news to report is that the two bills that were MOST disappointingly vetoed last year by Governor Schwarzenegger are back, with much better chances of being signed by a more privacy-conscious Jerry Brown. For longtime readers of this blog, this bill info may sound familiar, but let's review regardless.
SB 24 (Simitian) - Protecting Personal Information - was vetoed in the form of SB 1166 last year. This was a particularly stinging loss because, while the Governor vetoed a nearly identical bill the year before (that's right... third time's a charm!), he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind.
Here's why this bill is important: A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research & Strategy study, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.
It goes without saying, then, that these findings epitomize the need for SB 24 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.
The bill will rectify this problem by amending California's security breach notification law to state that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure would also require that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.
Last year, the Governor's veto message claimed, “This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”
Strange that the Governor saw fit to speak FOR consumers. Here's an idea: ask yourself whether it's more helpful to receive a letter that provides not just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.
The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”
The second bill that is back from the dead is AB 22 (Mendoza) – Protecting Financial Privacy. Governor Schwarzenegger's veto of this bill was another big disappointment (though largely expected due to the Governor's allegiance to big business interests), particularly considering how many people's credit scores have suffered due to the Great Recession. This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process.
An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 22 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.
The fact is, credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time-consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.
So that's a quick rundown of the privacy bills that are at the top of our (Consumer Federation of California) list this year (probably a few more to come). I'll keep anyone interested informed as to their progress throughout this legislative year.