Social Media, Right to Privacy and the California Consumer Privacy Act

• Publication year: 2019
• Author: By Dominique-Chantale Alepin

SOCIAL MEDIA, RIGHT TO PRIVACY AND THE CALIFORNIA CONSUMER PRIVACY ACT

By Dominique-Chantale Alepin¹

I. INTRODUCTION

By the spring of 2018, media and consumer outrage over social media misuse of personal information had reached fever pitch. On March 17, 2018, three news organizations including the New York Times, published stories revealing that Cambridge Analytica had harvested the personal data of millions of people's Facebook profiles without their consent and used it for political purposes.² It was a watershed moment in the public understanding of how much personal data was being stored on social media, and the use and misuse of that data.

In California that spring, the group "Californians for Consumer Privacy" had been putting together a sweeping privacy initiative for presentation on the ballot for California voters. Given the mounting concern over the use and misuse of personal data, the initiative quickly garnered enough signatures—629,000—nearly twice the required minimum to appear on the ballot statewide in the November 2018 election.³

As they collected signatures, Californians for Consumer Privacy told California lawmakers that it would remove their initiative from the ballot in exchange for passing and signing a reasonable privacy bill by June 28, 2018. The California legislature was under immense pressure to meet this demand and pass legislation—a privacy law passed through the ballot process could prove unworkable both for industry and for consumers. For once a ballot initiative passes and is enacted, it cannot be amended by the state legislature. Instead, any amendments generally must be made through other initiatives. Practically speaking, that means it can be very difficult to amend ballot initiatives once they are voted into law. And for a privacy law where things are always in flux, being unable to amend the law would be impracticable.

On June 21, 2018, Californians for Consumer Privacy and the California Legislature struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act ("CCPA").⁴ The initiative was withdrawn and on June 28, 2018, the CCPA was signed into law by Governor Jerry Brown.

[Page 96]

The CCPA appears to be a consumer success story—citizens pressured their government to enact privacy laws that would help protect them from the misuse of their data by social media and other companies. But the story does not end there.

First, the CCPA has already been amended once and its implementation delayed until January 1, 2020, to allow for further amendments and to provide the California Attorney General the opportunity to promulgate rules and regulations interpreting the Act's various provisions. As the discussion below reflects, there are particular provisions of the CCPA that have very broad definitions and may have unintended effects on products and applications, market power and other market dynamics.

Second, the CCPA does not address all uses and misuses of personal data by social media companies—there is still more work to do. And a greater level of transparency for consumers as to the workings of social media companies (including the collection and use of personal data) would help remedy some other identified problems with social media platforms.

PANELISTS

The panelists below discuss those issues and more:

• Jennifer Lynch, Electronic Frontier Foundation. Jennifer Lynch the Surveillance Litigation Director with the Electronic Frontier Foundation where she worked to protect user privacy and civil liberties at both the federal and state level. While at EFF, Jennifer founded the EFF Street Level Surveillance Project, which informs advocates, defense attorneys, and decision makers on potentially invasive police tools.
• Tracy Shapiro, DLA Piper LLP. Tracy Shapiro is a Partner with DLA Piper LLP. Her practice focuses on privacy, data security, advertising, and marketing practices. She regularly represents and counsels social media companies on privacy issues. Tracy was also at the Federal Trade Commission where she worked in the Division of Privacy and Identity Protection and the Division of Advertising Practices. Following her time at the FTC, she worked at Yahoo!, advising in-house clients on privacy, advertising and marketing issues.
• Moderators—Dominique Alepin and Elaine Call. Dominique Alepin is the Assistant Director for the Western Region of the Federal Trade Commission. Elaine Call is Senior Privacy Counsel at LinkedIn.

II. PANEL DISCUSSION

MS. CALL. Four or five years ago when I told people that I was a privacy lawyer, I would get blank stares. I think that has definitely changed today. You cannot open a newspaper and read something about privacy, for better or worse, or the latest breach, it seems to be on the headlines truly daily. Ms. Shapiro, what do you see as the most important or challenging issue that social media has with respect to privacy?

[Page 97]

MS. SHAPIRO: I think that, as we saw with Facebook and Cambridge Analytica, it would have to be the ways social media companies are providing access to consumer's information. Social media companies have a good grasp on what they collect and they are using the information, but once they start making data available, for example, via APIs, to third-party applications, or to other data providers, then there is a risk that you start to lose control over who is obtaining, collecting and using your data.

MS. ALEPIN: Ms. Lynch, coming from a consumer perspective, what do you see as the biggest privacy issues arising from social media?

MS. LYNCH: There are a few notable ones. First, we do not know what companies are doing with our data. We do not know what they are collecting about us, and with whom they are sharing the data. And we have very little control as consumers over what happens to the data. Companies can track us all throughout the Internet—whether it is reading an article on the New York Times, searching for a wedding dress, or sharing information with our friends. Companies are collecting a broad amount of information.

More troubling perhaps, companies like Facebook are collecting biometric data as well, including facial recognition data. Most people do not realize that those companies are collecting biometric data. And if people do realize it, they do not understand the implications of it.

Going back to the issues revealed by the Cambridge Analytica incident. Sensitive personal data collected by some companies is being shared with third parties. It is very difficult to track where the data is going. With Cambridge Analytica, not only did Facebook users not have a lot of control over what data was shared when they interacted with Cambridge Analytica directly, those users' friends had no knowledge that their data was being shared too. These issues go beyond the consumer's direct relationship with a social media company.

MS. ALEPIN: You mentioned biometric data. Recently Microsoft president Brad Smith called for federal legislation on facial recognition.⁵ He demanded that tech companies exercise more responsibility when implementing facial recognition technology to accommodate the need to retain privacy and control over personal information. As social media companies begin to collect data and implement these technologies, do you feel a similar need for increased transparency and caution? And is legislation the only way to achieve this?

MS. LYNCH: I definitely think we need more transparency and caution, and I am at the point where I think that legislation is the only way to achieve that. A few years ago, EFF was involved in a working group process at NTIA, the National Telecommunications and Information Administration. The working group got together a bunch of consumer and biometric companies and tried to come up with meaningful regulations for the use of face recognition. But the process was flawed from the beginning, and not even because the federal agency intended it that way. They fully tried to allow consumer groups, advocacy groups, to be involved. But consumer groups are small, we have small budgets and we cannot be involved in every meeting. And social media companies and biometric associations are large and they can fund people to be at all these meetings.

[Page 98]

What the consumer groups tried to do in those meetings was to set a baseline. We tried to ask companies just to sign on to say that they would not allow tracking or collection of facial recognition data in public without a consumer's opt-in consent. And companies were not even willing to get to that point, when we knew that people around the country were concerned about the collection of facial recognition data and really did not want companies to be holding onto this data.

And so all the consumer advocacy groups could do at that point was to walk out. We could no longer be a part of a process where we couldn't have a meaningful voice. Which is why I think that legislation is, at this point, really the only way we can see change. We're starting to see that happen with a law that passed in Illinois in 2008, the Biometric Information Privacy Act (BIPA) of 2008,⁶ which requires opt-in consent from consumers before a company can collect and share their biometric data. BIPA is unique as well because, while three states have biometric privacy statutes on the book, only BIPA allows for a private right of action. Legal questions surrounding that law are starting to be litigated, both in Illinois and in California,⁷ and there are ongoing attempts in the state to roll back the law's protections. I hope that law can be a model for future legislation.

MS. ALEPIN: In LabMD v. Federal Trade Commission,⁸ the FTC's order was shot down by the 11th Circuit because of its reference to "reasonable" data protection measures which the Court believed was too vague to be enforceable.⁹ In essence...