California Lights the Way: Legislature Could Become Global Internet Regulator
Last week Governor Schwarzenegger created a new state agency to help Californians protect their personal information online. With more than one million cases of identity theft reported in California last year, the Office of Information Security and Privacy Protection will serve as a valuable educational resource to help residents stem this tide. When legislators return to work this week, however, they will face strong pressure from consumer groups seeking strict new privacy laws that threaten to impede the growth of Internet commerce worldwide.
California’s lawmakers are no strangers to privacy legislation. Over the past decade, they have passed more than 80 laws, dictating safeguards for many sources of consumer information ranging from rental cars to supermarket club cards. In 2003, California became the first state to legislate how online businesses store and share customer data. The “Shine the Light” law, described by California’s top privacy official as “bizarre,” asserts the state’s questionable authority to define international privacy standards for the entire Internet.
Because online technologies are rapidly evolving, lawmakers designed the “Shine the Light” law to encompass the broadest possible terms and applications. As a result, it applies to any business on the Internet, regardless of whether it has a physical presence in California. Therefore, any website in the world frequented by a California resident could be subjected to California’s law.
The law defines “personal information” broadly, encompassing any personal quality, habit, or preference, and sets strict rules for disclosing how such information is shared online. Regulating the use of this innocuous information will do little to protect Californians from identity theft. It will, however, restrict growth of a $40-billion global online advertising market.
The meteoric rise of this market has been driven by the ability of advertisers to reach their target audience efficiently. Revenue generated by these targeted advertisements allows many popular vendors to provide services free-of-charge. If lawmakers render this practice unduly burdensome or complicated, consumers will face higher prices, and fewer choices online.
Given the vague language and far-reaching consequences of “Shine the Light,” it is not surprising that the law remains obscure. A report released last week by the California Public Interest Group (CALPIRG) found that only 33 percent of businesses surveyed were in full compliance with the law. Based on this finding, CALPIRG urges lawmakers to give consumers even “stronger, better tools to ensure that their privacy is adequately protected.”
In particular, CALPIRG recommends banning all targeted advertising unless the customer expressly grants permission. Alternatively, a UC Berkeley study released last month calls for creation of a centralized state-run database where consumers could “opt out” of targeted advertising. Either of these proposals would vastly overstep the state’s authority to regulate interstate commerce, and would have a chilling effect on the appeal and viability of conducting business online.
If other states and municipalities follow California’s lead, online companies could quickly face the cost-prohibitive task of complying with hundreds or thousands of individual privacy policies. The risk of non-compliance would soon become unmanageable.
For California’s “Shine the Light” law alone, each infraction draws a penalty of $500. If the violation is deemed “willful,” the fine increases six-fold. Successful Web sites can receive millions of hits per day, creating billions of dollars in potential liability if every visitor is not treated according to the laws of his individual jurisdiction.
The state’s commitment to protecting consumers from identity theft does not justify imposing vague and unreasonable restrictions over the entire Internet. Regulating such a rapidly developing platform for innovation can have devastating and unintended consequences. Instead, agencies like the Office of Information Security and Privacy Protection should educate consumers about targeted online advertising, and how they can use existing technologies to tailor their own desired level of privacy protection.