California Online Privacy Laws: the Battle for Personal Data

Publication year: 2016
Author: Jonathan Levine and Heather Haggarty

By Jonathan Levine and Heather Haggarty1

I. INTRODUCTION

In 2011, the World Economic Forum published a report describing personal data as the new asset class—the "new oil of the Internet and the new currency of the digital world."2 This is truer now than ever. With technology eliminating barriers to privacy and the demand for data creating both opportunities for economic growth and exploitation, legislatures and courts are scrambling to address privacy concerns in this ever-shifting technological landscape. While most online privacy laws and protections have only been enacted in the last decade, California is leading the way with key statutes to safeguard the privacy rights of individuals and businesses. This article focuses on a handful of these laws. Part II provides an overview of the Comprehensive Computer Data Access & Fraud Act (CDAFA), which prohibits unauthorized access to computer data and systems. Part III focuses on the Customer Records Act (CRA), also referred to as the Database Breach Act or the Breach Act, which protects personal information. Part IV discusses the Consumer Protection Against Computer Spyware Act, which prohibits unauthorized installation of spyware on an individual's computer. Last, the article concludes with a discussion of the California Online Privacy Protection Act (OPPA), which addresses the collection of personal information by operators of commercial websites.

II. COMPREHENSIVE COMPUTER DATA ACCESS & FRAUD ACT3

With the intent of providing protection to individuals, businesses and government agencies against unauthorized access and interference with computer data and systems, the CDAFA imposes criminal penalties for knowingly accessing and using a computer, or data from a computer, without permission.4 A violation of section 502 is punishable as a felony or misdemeanor.5 The statute also provides for a private right of action.6

Specifically, a person is guilty if he or she knowingly and without permission:

  • Accesses and alters, damages, deletes, destroys or otherwise uses any data, computer, computer system, or computer network in order to either (a) devise or execute any scheme or artifice to defraud, deceive, or extort, or (b) wrongfully control or obtain money, property, or data;
  • Accesses and takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;
  • Uses or causes to be used computer services;
  • Accesses and adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network;
  • Disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network;
  • Provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section;
  • Accesses or causes to be accessed any computer, computer system, or computer network;
  • Introduces any computer contaminant (i.e. a virus or worm) into any computer, computer system, or computer network;
  • Uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network;
  • Disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network;
  • Accesses and adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network;
  • Disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network;
  • Provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section; or
  • Introduces any computer virus or worm into any public safety infrastructure computer system computer, computer system, or computer network.7

A. Application of "Access"

As discussed below, the California courts' evolving interpretation of "access" (defined under the CDAFA as "to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network"8) has broadened the scope and reach of the CDAFA beyond malicious hacking to include unauthorized taking or use of data.

In People v. Hawkins, one of the earlier cases to interpret the CDAFA, an employee was charged with violating section 502(c)(2) of the CDAFA9 after he left his employer to start a competing business and downloaded his entire computer directory from his employer's computer system, which happened to include his employer's proprietary source code.10 The employee argued that the statute lacked a mens rea requirement because "knowingly" only modifies "accesses," and that only knowing access triggers strict liability under the statute.11 He reasoned that he, therefore, could not be convicted of a felony.12 The court rejected the employee's argument that the statute creates strict criminal liability, noting that evidence of accidental copying would have negated the mental element of section 502(c)(2).13

In People v. Childs, an employee was charged under section 502(c)(5)14 after refusing to provide his employer with the user name and password for his employer's computer network.15 The employee argued that the charged offense did not apply because the legislative intent of the statute was to address unauthorized access to computers and data. He had authorized access to his employer's computer network.16 The court rejected his interpretation, reasoning that unauthorized access was an implied element of section 502(c)(5) and that his reliance on the use of "unauthorized access" in subdivision (a) was "too narrow."17 The court found that "[d]isrupting or denying computer services to an authorized user could reasonably be read to fall within 'interference' with computers, even without a showing of unauthorized access."18 The court further underscored this point, noting that only some of the offenses under section 502(c) mention access and that difference was intentional.19

In United States v. Christensen, the Ninth Circuit held that "access" included logging into a database with a valid password and subsequently taking, copying, or using information in the database improperly.20 The court distinguished the CDAFA from the federal Computer Fraud and Abuse Act (CFAA),21 noting that the CDAFA does not require unauthorized access, rather only knowing access.22 Citing United States v. Nosal, the court made clear that the CFAA is limited to criminalizing access that is not authorized, rather than use that is unauthorized, and noted that the CFAA was not intended to expand beyond an anti-hacking statute into a misappropriation statute.23 In contrast, the court held that, under the CDAFA, what is illegal is the taking, copying or use without permission, regardless of whether the individual was authorized to access the information itself.24

With United States v. Christensen holding that a showing of "unauthorized access" is not required for liability under section 502(c), the CDAFA has effectively become a powerful tool for prosecutors and plaintiffs seeking to impose civil and criminal liability for authorized users who take or copy data without authorization.

B. Application of "Without Permission"

In addition to interpreting what constitutes knowing access, the courts have also weighed in on what it means to act "without permission" under section 502(c). Having expanded the definition of "unauthorized" under the CDAFA to include use that is not permitted, the courts, as the cases below highlight, have been forced to grapple with whether a website's terms of use are enough to impose liability or whether a higher threshold, such as overcoming technical or code-based barriers, is required before finding a defendant liable under the CDAFA.

In Facebook, Inc. v. ConnectU, ConnectU obtained login information and passwords that were voluntarily submitted by Facebook users. The information allowed ConnectU to access Facebook to gather millions of e-mail addresses for solicitation.25 ConnectU argued that because the Facebook users voluntarily provided the access information, it did not constitute "unauthorized access." However, because using the email addresses for solicitation was prohibited by a standard clause in Facebook's terms of use, the court denied ConnectU's motion to dismiss, holding that such activity constituted knowing access and use "without permission" under the CDAFA.26 The court stated that notwithstanding the statutory title "unauthorized access," the violation turns on unauthorized (i.e., "without permission") taking, copying, or use of data.27 Moreover, the court found that ConnectU was subject to Facebook's terms of use, and disputing ConnectU's contention that this finding would allow private parties to determine what is criminal, the court held that "[t]he fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is...
