California Privacy Legislation 2011: Books, Credit Reports, and Data Breaches

Some of the official privacy protection legislation is now being debated in the halls of California's state capitol I'd like to make readers aware of. I do this not just because I'll be working on (i.e. Consumer Federation of California) ensuring these bills will become law, but also because California often establishes landmark privacy protections that become templates for which other states mimic. In other words, the importance of these bills cannot be overstated - particularly the new effort to protect the privacy of digital book readers.

SB 602 (Yee) - Reader Privacy Act of 2011

Let's begin with some background regarding why this is such an important issue, straight from letters of support being sent in from privacy advocates: As Californians increasingly turn to electronic books and online book services, it is essential to safeguard the reader’s browsing, buying, and viewing information as such details reveal private information about political and religious beliefs, health concerns, and personal lives.

Digital books are now outselling paperbacks on Amazon.com, readers are turning to online services like Google Books, and analysts expect that over 18-million e-readers will be sold in 2012. As companies collect more detailed reader information -- including books browsed, how long a page is viewed, and even the notes written in the margins -- reading records are becoming a larger target for government surveillance.

In other words, without strong privacy protections, all of our browsing and reading history could be collected, analyzed, and turned over to the government or third parties without our knowledge or consent. In light of what has transpired in this country since the Patriot Act, none of this should sound like undue paranoia - its based on a now long history of corporate and governmental abuses of citizen privacy.

We're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

The concerns of privacy advocates are not hypothetical. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans?

For these reasons and more, it is essential that products like Google Book Search incorporate strong privacy protections, and SB 602 is one big way to ensure this process. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives."

Again, these concerns are not hypothetical. In 2006, the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual.

The good news was a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information , “the chilling effect on e-commerce would frost keyboards across America." 

If there ever was a time to make sure that companies like Google don't put an end to reader privacy as we know it would be now. At present, all Google has done is make a lot of informal statements about privacy, while failing to provide an actual privacy policy with specific promises to consumers.

The ACLU does a good job framing the issue in their Google Book search campaign: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder. The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

This fight has been ongoing in fact, just recently another privacy stalwart, the Electronic Frontier Foundation (EFF), joined the ACLU and the privacy authors and publishers they represent, which include the American Library Association, the Association of Research Libraries and the Association of College and Research Libraries, CDT, EPIC, SFLC, Professor James Grimmelman, urging Google to include privacy protection.

Now let's get back to SB 602, and how it helps address some of the concerns I've highlighted. One, it would ensure that government and third parties cannot access private reading records without proper justification. The bill permits disclosure of personal information related to reading records when an individual consents to the disclosure and where there are exigent circumstances. 

In addition, personal information must be shared when a government entity or private party obtains a warrant or court order upon a showing of a compelling interest, and the warrant or order is the least intrusive means to obtain the information desired.   

Notice and opportunity to contest the order must be given

The Reader Privacy Act would establish clear rules for businesses and standards for government and third party access to reader records. Under SB 602, consumers will be able to feel comfortable using new digital book services and technology without worrying that their personal information will be unprotected. California should promote the use of new technology by ensuring that upgraded technology does not mean downgraded privacy.  

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website. 

Two Privacy Bills Vetoed By Governor Schwarzenegger are Back!

Some more good news to report is the two bills that were MOST disappointingly vetoed last year by Governor Schwarzenegger are back, with much better chances of signage by a more privacy conscious Jerry Brown. For long time readers of this blog, this bill info may sound familiar, but let's review regardless. 

SB 24 (Simitian) - Protecting Personal Information - was vetoed in the form of SB 1166 last year. This was a particularly stinging loss because, while the Governor vetoed a nearly identical bill the year before (that's right...third times a charm!), he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind.

Here's why this bill is important: A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research&Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying then, that these findings epitomizes the need for SB 24 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

The bill will rectify this problem by amending California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also would have required that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Last year, the Governor's veto message claimed, "This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”

Strange that the Governor saw fit to speak FOR consumers. Here's an idea, ask yourself whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website.

The second bill that is back from the dead is AB 22 (Mendoza) – Protecting Financial Privacy. Governor Schwarzenegger's veto of this bill was another big disappointment (though largely expected to the Governor's allegiance to big business interests), particularly considering how many people's credit scores have suffered due to the Great Recession. This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process.

An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 22 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.

The fact is, credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.  

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website. 

So that's a quick rundown of the privacy bills that are top on our (Consumer Federation of California) list this year (probably a few more to come). I'll keep anyone interested informed as to their progress throughout this legislative year.