Nasir Pasha, Esq.

Is the “Right to be Forgotten” on the Horizon in California?

On May 13, the Court of Justice of the European Union ruled that individuals have the “right to be forgotten,” meaning they have the right to ask Google to remove information about them from its search index.  A 1972 amendment to the California Constitution declares that the right to privacy is inalienable.   So, should we expect that Californians will soon have the ability clean up some awkward digital history and limit future information sharing?  That would be premature.

Why the EU Ruling is Remarkable

The “right to be forgotten” ruling has its roots in criminal law, in the widely shared sentiment that someone who has paid the price for a criminal misdeed has the right to be welcomed back into the arms of society.  We do much the same in this country.  Ex-felons regain the franchise.  Juvenile records are sealed.  Even adult criminal records may be expunged.

What’s different is that the Court of Criminal Justice has made a giant leap into the behavioral realm, to include information about activities that are not criminal, not a breach of civil law, not illegal in any way — as long as the data is “inadequate, irrelevant or no longer relevant.”  The right to be forgotten is the right to eliminate the embarrassing.

This is quite compelling for anyone who has ever been foolish. (Who would not actually prefer that everyone else’s mind be sunny and spotless?) It’s inconvenient if you like to receive marketing information about things you might like to buy.  It’s puzzling for lawyers trying to balance the competing rights to privacy and free speech.  The task of removing information is potentially ruinous for giant data collectors, like Facebook and Google, and it’s baffling for the small retailer trying to micro-target customers who are shopping for big screen TVs.  There are several constituencies with competing interests.

Let’s Get Back to California

The situation for small California businesses is defined, first of all, by federal law.  Much federal legislation dates from the same era as California’s Constitutional amendment, including the Fair Credit Reporting Act of 1970.  This wave of legislation affected financial institutions and federal data collection.  In the 1990s, federal laws were also passed to require privacy policy statements from the healthcare industries and from web sites and online services directed to children under the age of 13.

In 2003 California enacted the Online Privacy Protection Act, the first law in the nation to require operators of commercial web sites and online services to post a privacy policy about the collection of personally identifiable information of California residents.  It was subsequently amended in 2013 to require data collectors disclose whether they honor Do Not Track notices.  Nearly all search engines permit users to make this request. Virtually no online services honor the request.

Last week the California Attorney General’s Office issued guidance about what the notice required to be posted by commercial websites or online services should include:

  • How the site responds to a browser’s Do Not Track signal,
  • Whether third parties are or may be collecting personally identifiable information,
  • Uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • What personally identifiable information is collected and how long it is retained, and
  • What choices a consumer has regarding the collection, use and sharing of personal information.

Notice that neither the law, nor the new guidance require online services to comply with a Do Not Track notice or to refrain from marketing personally identifiable information.  The law requires simply that the sites disclose their practices.

What About Data Breaches?

Another day, another data breach, it appears.  First Target, then Heartbleed, and last week EBay users were told to change their passwords in the wake of another huge hacking scandal.  As with data collection, the legal obligation of online services is to notify Californians whose information may have been compromised.  This has nationwide effect, as long as the consumer is a California resident.

The Point of Disclosure Requirements

The point of disclosure requirements, whether of the initial data collection or its subsequent loss, is to give customers the chance to respond with the power of the purse. If the customer is unhappy about the harvesting of personally identifiable information, he or she can shop elsewhere or deal in cash.

  • What to Look for When Buying a Franchise

    March 05, 2015

    Thinking of buying a franchise?  That’s very exciting. For many, franchising is the first foray into owning your own business. As with any business purchase, however, you will want to make sure that you can …

  • When the Boss Sells the Company

    December 11, 2014

    I once worked for a company that had been rumored, maybe, at some distant time in the future, possibly, but not certainly, perhaps in connection with a potential sale or not, to be tentatively considering …

  • Erotic Data on Employee Smartphones: What Can an Employer Do?

    March 03, 2016

    The topic of teachers getting into trouble over sex-related matters has become almost a sub-genre of American journalism for several decades now. In the late 1990's, Washington schoolteacher Mary Kay Letourneau became a tabloid feature …

  • Can An Employer Be Held Liable For An Employee's Facebook Post? [e259]

    March 14, 2016

    The guys kick off the week by discussing the lawsuit in Hawaii where an employee posted a defamatory remark about a customer and tried to hold the employer liable. They also discuss the new anti-discrimination and …

  • State Mandated Retirement Savings Plans

    July 30, 2015

    Twenty-four states and New York City either are or have very recently considered establishing state run retirement savings plans.  Several of these are modeled on SB 1234, the California Secure Choice Retirement Savings Trust Act. …

  • The Cost of Converting Independent Contractors to Employees

    October 06, 2015

    While Uber may be receiving the lion’s share of the attention on the topic, there has been no shortage of court rulings, IRS audits, and labor decisions on the issue of workforce misclassification. With a …

  • What To Do When Your Amazon Account Gets Suspended [e278]

    September 08, 2016

    Nasir and Matt discuss why Amazon seller accounts are getting suspended and banned without notice and how business owners can rectify this situation through a Corrective Action Plan. Transcript: NASIR: Welcome to Legally Sound Smart Business. My name is …

  • How Businesses Can Fight Back Against Negative Social Media [e246]

    January 11, 2016

    Nasir and Matt kick off 2016 by discussing how one Indianapolis bar responded to a negative post on its Facebook page. Transcript: NASIR: Welcome to our podcast where we cover business in the news and add our …

  • Should You Finance the Sale of Your Business?

    September 30, 2014

    Truthfully, most sellers don’t want to take back paper. An all-cash deal often looks like the easiest and cleanest way to get on to the next venture, much preferable to waiting for another 5 to …

  • Is PTO Enough When Paid Sick Leave Is Required?

    January 19, 2016

    Look around your office. Is anyone out sick today? (Alternatively, is someone who is in the office clearly too sick to be there?) According to Bloomberg BNA, sick leave will be a big issue for …

Businesses that collect data, and increasingly smart businesses do, in order to maximize marketing efforts essentially rely on a contract theory.  If they disclose as required by law, and the customer accepts the terms of the deal, where is the harm?   In reality, though, this approach does not quite address the problem because consumers who care about the privacy of personally identifiable data do not have many other acceptable choices.  There’s a great deal of market pressure to alienate an inalienable right.

So, Do Consumers Care?

Are privacy laws a solution in search of a problem?  It depends on your demographic.  If your customer base is young and technologically savvy, they may not care a great deal. Facebook, for example, just rolled out a new app that turns on the user’s microphone, identifies background music or TV sound and automatically updates the user’s status. Unless it is the kind of breach that leaves the bank account empty, many consumers don’t seem to care.  Many derive a sense of community, or at least anonymity, in the massive quantity of data collected and shared, whether or not the sharing is deliberate. Some other segments of your customer base, however,  may be a bit more touchy.

Should Californians Anticipate the Day When They Can Ask Google to Scrub its Search Index?

Not soon, it seems.  Even in California, which has historically been in the forefront of privacy protection, there seems to be no movement to import a “right to be forgotten.”  The EU ruling has a faintly 70s feel to it.

Privacy advocates might plausibly support legislation requiring web based businesses to honor Do Not Track notices, but how compliance might be managed is not entirely clear.  This is still a very long way from deleting historical information that has become “inadequate, irrelevant or no longer relevant.”

Read More