B. Establishing consumers' right to control dissemination of personal information
1. The courts recognize the common-law right of individuals to control sharing of the personal information they volunteer to businesses and government agencies.
"[B]oth the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person. In an organized society, there are few facts that are not at one time or another divulged to another. Thus the extent of the protection accorded a privacy right at common law rested in part on the degree of dissemination of the allegedly private fact and the extent to which the passage of time rendered it private.15 According to Webster's initial definition, information may be classified as 'private' if it is 'intended for or restricted to the use of a particular person or group or class of persons: not freely available to the public.'
"Footnote 15: See Warren & Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 198 (1890-1891) ('The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others.... [E]ven if he has chosen to give them expression, he generally retains the power to fix the limits of the publicity which shall be given them.') The common law recognized that one did not necessarily forfeit a privacy interest in matters made part of the public record, albeit the privacy interest was diminished and another who obtained the facts from the public record might be privileged to publish it. See Cox Broadcasting Corp. v. Cohn, 420 U.S., at 494-495 ('[T]he interests in privacy fade when the information involved already appears on the public record.').... W. Keeton, D. Dobbs, R. Keeton, & D. Owens, Prosser & Keeton on Law of Torts § 117, p. 859 (5th ed. 1984) ('[M]erely because [a fact] can be found in a public recor[d] does not mean that it should receive widespread publicity if it does not involve a matter of public concern')."[1]
"Also supporting our conclusion that a strong privacy interest inheres in the nondisclosure of compiled computerized information is the Privacy Act of 1974, codified at 5 U. S. C. § 552a (1982 ed. and Supp. V). The Privacy Act was passed largely out of concern over 'the impact of computer data banks on individual privacy.' H. R. Rep. No. 93-1416, p. 7 (1974). The Privacy Act provides generally that '[n]o agency shall disclose any record which is contained in a system of records... except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.' 5 U. S. C. § 552a(b) (1982 ed., Supp. V)."[2]
2. A "balancing test" is applied to determine whether disclosure of private information violates the California State Constitution: the disclosure may be justified by a "competing interest," which includes "legally authorized and socially beneficial activities of government and private entities."[3]
"The constitutional provision in the Privacy Initiative is self-executing; hence, it confers a judicial right of action on all Californians. Privacy is protected not merely against state action; it is considered an inalienable right which may not be violated by anyone. The privacy tort seeks to vindicate multiple and different interests that range from freedom to act without observation in a home, hospital room, or other private place to the ability to control the commercial exploitation of a name or picture."[4]
At what point does the value of private information and the incumbent risk to consumers of loss or misuse exceed the right of government and private entities to make "legally authorized and socially beneficial" use of the data?
"In general, where the privacy violation is alleged against a private entity, the defendant is not required to establish a 'compelling interest' but, rather, one that is 'legitimate' or 'important.' [Hill at p. 57.] Legally recognized privacy interests are generally of two classes: interests in precluding the dissemination or misuse of sensitive and confidential information (informational privacy) and interests in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference (autonomy privacy). Informational privacy is the core value furthered by the privacy initiative that amended Cal. Const., art. I, § 1.... The right to control circulation of personal information is fundamental. This right reaches beyond the interests protected by the common law right of privacy, and may be protected from infringement either by the state or by any individual.... A reasonable expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms. Various factors such as advance notice, customs, practices, justification, physical settings, and the presence of an opportunity to consent may inhibit or diminish reasonable expectations of privacy.... An actionable invasion of privacy must be sufficiently serious in its nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right. Thus, the extent and gravity of the invasion is an indispensable consideration in assessing an alleged invasion of privacy. The impact on the claimant's privacy rights must be more than slight or trivial."[5]
However, the unauthorized collection of a person's location data has been found to be a privacy violation under the California Constitution:
"Legally protected privacy interests include 'conducting personal activities without observation, intrusion, or interference' as determined by 'established social norms.' Hill, 7 Cal. 4th at 36-37. The California Supreme Court has explained that '[i]nformational privacy is the core value furthered by the Privacy Initiative.' White v. Davis, 13 Cal. 3d 757, 774, 120 Cal. Rptr. 94, 533 P.2d 222 (1975). In fact, the Ballot Argument in support of the California privacy initiative stated that the right would 'prevent[] government and business interests from [1] collecting and stockpiling unnecessary information about us and from [2] misusing information gathered for one purpose in order to serve other purposes or to embarrass us.' Ballot Pamp., Proposed Stats. and Amends. to Cal. Const. with arguments to voters, Gen. Elec. (Nov. 7, 1972), p. 27.
"Taking their factual allegations as true and drawing all inferences in Plaintiffs' favor, the conduct that Plaintiffs allege constitutes the violation of a legally protected privacy interest. Plaintiffs allege that Defendants not only tracked their locations, but also compiled this information to analyze their behavior and build profiles about them. (Dkt. No. 38 at 10.) Plaintiffs allege that Defendants 'obtained sensitive personal information... including, inter alia, a continually updated log of precisely where they live, work, park, dine, pick up children from school, worship, vote, and assemble, and what time they are ordinarily at these locations.' (Dkt. No. 50 at 18.)"[6]
To date, the social cost to consumers of the collection and use of their private information by government and business entities has not been measured. In many instances the detailed consumer profiles created and sold by data brokers include more private information than is collected and sold by credit-reporting agencies that are subject to the safeguards of the Fair Credit Reporting Act.[7] These include their family, friends, social habits, likes and dislikes, location history, and spending history. This information is clearly private yet it lacks the legal protections afforded consumers' medical and financial records in the Health Information Privacy Protection Act[8], the Gramm-Leach-Bliley Act[9], and other state and federal legislation.
3. If use of a Web service constitutes a waiver of an expectation of privacy, the collection and reuse of personal information by the service may not violate the California Constitution's privacy provision.
"The various branches of the privacy tort refer generally to conduct that is 'highly offensive to a reasonable person,' thereby emphasizing the importance of the objective context of the alleged invasion, including: (1) the likelihood of serious harm, particularly to the emotional sensibilities of the victim; and (2) the presence or absence of countervailing interests based on competing social norms which may render defendant's conduct inoffensive, e.g., a legitimate public interest in exposing and prosecuting serious crime that might justify publication of otherwise private information or behavior."[10]
"The plaintiff in an invasion of privacy case must conduct himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant. If voluntary consent is present, a defendant's conduct will rarely be deemed 'highly offensive to a reasonable person' so as to justify tort liability."[11]
"(Rest.2d Torts, § 652B, com. c [no liability for public observation of plaintiff 'since he is not then in seclusion, and his appearance is public and open to the public eye']; Gill v. Hearst Publishing Co. (1953) 40 Cal.2d 224, 230 [253 P.2d 441] [plaintiffs waived any right to privacy by a 'pose voluntarily assumed in a public market place']; Aisenson v. American Broadcasting Co. (1990) 220 Cal.App.3d 146, 162 [269 Cal. Rptr 379] ['One factor relevant to whether an intrusion is [highly offensive to a reasonable person] is the extent to which the person whose privacy is at issue voluntarily entered into the public sphere.']; Melvin v. Reid (1931) 112 Cal.App. 285, 290 [297 P. 91] [no right to privacy in matters publicized with consent: 'There can be no privacy in that which is already public.']; see also Kapellas v. Kofman (1969) 1 Cal.3d 20, 36-37 [81 Cal.Rptr. 360, 459 P.2d 912].) The maxim of the law 'volenti non fit injuria' (no wrong is done to one who consents) applies as well to the invasion of privacy tort. (Rest.2d Torts, § 892A, com. a; see also Civ. Code, § 3515.)"[12]
"In determining the 'offensiveness' of an invasion of a privacy interest, common law courts consider, among other things: 'the degree of the intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded.' Thus, the common law right of privacy is neither absolute nor globally vague, but is carefully confined to specific sets of interests that must inevitably be weighed in the balance against competing interests before the right is judicially recognized. A plaintiff's expectation of privacy in a specific context must be objectively reasonable under the circumstances, especially in light of the competing social interests involved. As one commentator has summarized: 'Through a careful balancing of interests, the courts developed specific [common law] causes of action which protected somewhat well-defined aspects of personal privacy. Although privacy was clearly identified as an interest worthy of some legal protection, courts generally did not give privacy a privileged place or undue weight in the balancing process.' (Kelso, California's Constitutional Right to Privacy (1992) 19 Pepperdine L.Rev. 327, 376.)"[13]
4. Consumers lack many of the privacy protections and remedies available to corporations.
"[G]roup privacy will not leave corporate entities — which, like individuals, surely have their secrets — unable to control the flow of information about themselves. Even if such data cannot be controlled under the rubric of privacy, they can be managed through alternate legal categories, such as contract, tort, and intellectual property. Indeed, a potent array of unfair competition, trade secret, patent, trademark, and copyright law, in addition to confidentiality agreements, support an institution’s ability to control various types of information identifiable to itself. In addition, collective entities often have the wherewithal to employ self-help security measures so that information in their control flows only in ways they choose."[14]
In the absence of the legal safeguards available to corporations, the likelihood of a violation of an individual's privacy right is greater.
5. The Privacy Principles of the Information Infrastructure Task Force's National Information Infrastructure[15] recommend notice and "individual empowerment" policies.
a. Notice:
"Information users who collect personal information directly from the individual should provide adequate, relevant information about:
b. Empowerment:
"Individuals should be able to safeguard their own privacy by having:
[1] United States DOJ v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 763-764 (U.S. 1989)
[2] Id. at 766.
[3] Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 37-38 (Cal. 1994).
[4] Id. at 37-38.
[5] Pettus v. Cole, 49 Cal. App. 4th 439-440 (Cal. App. 1st Dist. 1996).
[6] Goodman v. HTC Am., Inc., 2012 U.S. Dist. LEXIS 88496 39-40 (W.D. Wash. June 26, 2012).
[7] 15 USCS § 1681.
[8] Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936l.
[9] Financial Services Modernization Act of 1999, Pub.L. 106–102, 113 Stat. 1338; 15 USCS § 6801.
[10] Hill v. National Collegiate Athletic Assn., 865 P.2d 633 25-26 (Cal. 1994).
[11] Id. at 26.
[12] Id. at 26.
[13] Id. at 25-27.
[14] Kang, supra, at 1211.
[15] National Information Infrastructure: Agenda for Action; U.S. Department of Commerce, Washington, DC. Information Infrastructure Task Force, September 15, 1993 (PDF).
[16] Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information; Privacy Working Group, Information Policy Committee, Information Infrastructure Task Force, Final Version, June 6, 1995.
[17] Id.
C. Legal implications of personal-information collection
"[B]oth the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person. In an organized society, there are few facts that are not at one time or another divulged to another. Thus the extent of the protection accorded a privacy right at common law rested in part on the degree of dissemination of the allegedly private fact and the extent to which the passage of time rendered it private.15 According to Webster's initial definition, information may be classified as 'private' if it is 'intended for or restricted to the use of a particular person or group or class of persons: not freely available to the public.'
"Footnote 15: See Warren & Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 198 (1890-1891) ('The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others.... [E]ven if he has chosen to give them expression, he generally retains the power to fix the limits of the publicity which shall be given them.') The common law recognized that one did not necessarily forfeit a privacy interest in matters made part of the public record, albeit the privacy interest was diminished and another who obtained the facts from the public record might be privileged to publish it. See Cox Broadcasting Corp. v. Cohn, 420 U.S., at 494-495 ('[T]he interests in privacy fade when the information involved already appears on the public record.').... W. Keeton, D. Dobbs, R. Keeton, & D. Owens, Prosser & Keeton on Law of Torts § 117, p. 859 (5th ed. 1984) ('[M]erely because [a fact] can be found in a public recor[d] does not mean that it should receive widespread publicity if it does not involve a matter of public concern')."[1]
"Also supporting our conclusion that a strong privacy interest inheres in the nondisclosure of compiled computerized information is the Privacy Act of 1974, codified at 5 U. S. C. § 552a (1982 ed. and Supp. V). The Privacy Act was passed largely out of concern over 'the impact of computer data banks on individual privacy.' H. R. Rep. No. 93-1416, p. 7 (1974). The Privacy Act provides generally that '[n]o agency shall disclose any record which is contained in a system of records... except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.' 5 U. S. C. § 552a(b) (1982 ed., Supp. V)."[2]
2. A "balancing test" is applied to determine whether disclosure of private information violates the California State Constitution: the disclosure may be justified by a "competing interest," which includes "legally authorized and socially beneficial activities of government and private entities."[3]
"The constitutional provision in the Privacy Initiative is self-executing; hence, it confers a judicial right of action on all Californians. Privacy is protected not merely against state action; it is considered an inalienable right which may not be violated by anyone. The privacy tort seeks to vindicate multiple and different interests that range from freedom to act without observation in a home, hospital room, or other private place to the ability to control the commercial exploitation of a name or picture."[4]
At what point does the value of private information and the incumbent risk to consumers of loss or misuse exceed the right of government and private entities to make "legally authorized and socially beneficial" use of the data?
"In general, where the privacy violation is alleged against a private entity, the defendant is not required to establish a 'compelling interest' but, rather, one that is 'legitimate' or 'important.' [Hill at p. 57.] Legally recognized privacy interests are generally of two classes: interests in precluding the dissemination or misuse of sensitive and confidential information (informational privacy) and interests in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference (autonomy privacy). Informational privacy is the core value furthered by the privacy initiative that amended Cal. Const., art. I, § 1.... The right to control circulation of personal information is fundamental. This right reaches beyond the interests protected by the common law right of privacy, and may be protected from infringement either by the state or by any individual.... A reasonable expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms. Various factors such as advance notice, customs, practices, justification, physical settings, and the presence of an opportunity to consent may inhibit or diminish reasonable expectations of privacy.... An actionable invasion of privacy must be sufficiently serious in its nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right. Thus, the extent and gravity of the invasion is an indispensable consideration in assessing an alleged invasion of privacy. The impact on the claimant's privacy rights must be more than slight or trivial."[5]
However, the unauthorized collection of a person's location data has been found to be a privacy violation under the California Constitution:
"Legally protected privacy interests include 'conducting personal activities without observation, intrusion, or interference' as determined by 'established social norms.' Hill, 7 Cal. 4th at 36-37. The California Supreme Court has explained that '[i]nformational privacy is the core value furthered by the Privacy Initiative.' White v. Davis, 13 Cal. 3d 757, 774, 120 Cal. Rptr. 94, 533 P.2d 222 (1975). In fact, the Ballot Argument in support of the California privacy initiative stated that the right would 'prevent[] government and business interests from [1] collecting and stockpiling unnecessary information about us and from [2] misusing information gathered for one purpose in order to serve other purposes or to embarrass us.' Ballot Pamp., Proposed Stats. and Amends. to Cal. Const. with arguments to voters, Gen. Elec. (Nov. 7, 1972), p. 27.
"Taking their factual allegations as true and drawing all inferences in Plaintiffs' favor, the conduct that Plaintiffs allege constitutes the violation of a legally protected privacy interest. Plaintiffs allege that Defendants not only tracked their locations, but also compiled this information to analyze their behavior and build profiles about them. (Dkt. No. 38 at 10.) Plaintiffs allege that Defendants 'obtained sensitive personal information... including, inter alia, a continually updated log of precisely where they live, work, park, dine, pick up children from school, worship, vote, and assemble, and what time they are ordinarily at these locations.' (Dkt. No. 50 at 18.)"[6]
To date, the social cost to consumers of the collection and use of their private information by government and business entities has not been measured. In many instances the detailed consumer profiles created and sold by data brokers include more private information than is collected and sold by credit-reporting agencies that are subject to the safeguards of the Fair Credit Reporting Act.[7] These include their family, friends, social habits, likes and dislikes, location history, and spending history. This information is clearly private yet it lacks the legal protections afforded consumers' medical and financial records in the Health Information Privacy Protection Act[8], the Gramm-Leach-Bliley Act[9], and other state and federal legislation.
3. If use of a Web service constitutes a waiver of an expectation of privacy, the collection and reuse of personal information by the service may not violate the California Constitution's privacy provision.
"The various branches of the privacy tort refer generally to conduct that is 'highly offensive to a reasonable person,' thereby emphasizing the importance of the objective context of the alleged invasion, including: (1) the likelihood of serious harm, particularly to the emotional sensibilities of the victim; and (2) the presence or absence of countervailing interests based on competing social norms which may render defendant's conduct inoffensive, e.g., a legitimate public interest in exposing and prosecuting serious crime that might justify publication of otherwise private information or behavior."[10]
"The plaintiff in an invasion of privacy case must conduct himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant. If voluntary consent is present, a defendant's conduct will rarely be deemed 'highly offensive to a reasonable person' so as to justify tort liability."[11]
"(Rest.2d Torts, § 652B, com. c [no liability for public observation of plaintiff 'since he is not then in seclusion, and his appearance is public and open to the public eye']; Gill v. Hearst Publishing Co. (1953) 40 Cal.2d 224, 230 [253 P.2d 441] [plaintiffs waived any right to privacy by a 'pose voluntarily assumed in a public market place']; Aisenson v. American Broadcasting Co. (1990) 220 Cal.App.3d 146, 162 [269 Cal. Rptr 379] ['One factor relevant to whether an intrusion is [highly offensive to a reasonable person] is the extent to which the person whose privacy is at issue voluntarily entered into the public sphere.']; Melvin v. Reid (1931) 112 Cal.App. 285, 290 [297 P. 91] [no right to privacy in matters publicized with consent: 'There can be no privacy in that which is already public.']; see also Kapellas v. Kofman (1969) 1 Cal.3d 20, 36-37 [81 Cal.Rptr. 360, 459 P.2d 912].) The maxim of the law 'volenti non fit injuria' (no wrong is done to one who consents) applies as well to the invasion of privacy tort. (Rest.2d Torts, § 892A, com. a; see also Civ. Code, § 3515.)"[12]
"In determining the 'offensiveness' of an invasion of a privacy interest, common law courts consider, among other things: 'the degree of the intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded.' Thus, the common law right of privacy is neither absolute nor globally vague, but is carefully confined to specific sets of interests that must inevitably be weighed in the balance against competing interests before the right is judicially recognized. A plaintiff's expectation of privacy in a specific context must be objectively reasonable under the circumstances, especially in light of the competing social interests involved. As one commentator has summarized: 'Through a careful balancing of interests, the courts developed specific [common law] causes of action which protected somewhat well-defined aspects of personal privacy. Although privacy was clearly identified as an interest worthy of some legal protection, courts generally did not give privacy a privileged place or undue weight in the balancing process.' (Kelso, California's Constitutional Right to Privacy (1992) 19 Pepperdine L.Rev. 327, 376.)"[13]
4. Consumers lack many of the privacy protections and remedies available to corporations.
"[G]roup privacy will not leave corporate entities — which, like individuals, surely have their secrets — unable to control the flow of information about themselves. Even if such data cannot be controlled under the rubric of privacy, they can be managed through alternate legal categories, such as contract, tort, and intellectual property. Indeed, a potent array of unfair competition, trade secret, patent, trademark, and copyright law, in addition to confidentiality agreements, support an institution’s ability to control various types of information identifiable to itself. In addition, collective entities often have the wherewithal to employ self-help security measures so that information in their control flows only in ways they choose."[14]
In the absence of the legal safeguards available to corporations, the likelihood of a violation of an individual's privacy right is greater.
5. The Privacy Principles of the Information Infrastructure Task Force's National Information Infrastructure[15] recommend notice and "individual empowerment" policies.
a. Notice:
"Information users who collect personal information directly from the individual should provide adequate, relevant information about:
- Why they are collecting the information;
- What the information is expected to be used for;
- What steps will be taken to protect its confidentiality, integrity, and quality;
- The consequences of providing or withholding information; and
- Any rights of redress."[16]
b. Empowerment:
"Individuals should be able to safeguard their own privacy by having:
- A means to obtain their personal information;
- A means to correct their personal information that lacks sufficient quality to ensure fairness in its use;
- The opportunity to use appropriate technical controls, such as encryption, to protect the confidentiality and integrity of communications and transactions; and
- The opportunity to remain anonymous when appropriate."[17]
[1] United States DOJ v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 763-764 (U.S. 1989)
[2] Id. at 766.
[3] Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 37-38 (Cal. 1994).
[4] Id. at 37-38.
[5] Pettus v. Cole, 49 Cal. App. 4th 439-440 (Cal. App. 1st Dist. 1996).
[6] Goodman v. HTC Am., Inc., 2012 U.S. Dist. LEXIS 88496 39-40 (W.D. Wash. June 26, 2012).
[7] 15 USCS § 1681.
[8] Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936l.
[9] Financial Services Modernization Act of 1999, Pub.L. 106–102, 113 Stat. 1338; 15 USCS § 6801.
[10] Hill v. National Collegiate Athletic Assn., 865 P.2d 633 25-26 (Cal. 1994).
[11] Id. at 26.
[12] Id. at 26.
[13] Id. at 25-27.
[14] Kang, supra, at 1211.
[15] National Information Infrastructure: Agenda for Action; U.S. Department of Commerce, Washington, DC. Information Infrastructure Task Force, September 15, 1993 (PDF).
[16] Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information; Privacy Working Group, Information Policy Committee, Information Infrastructure Task Force, Final Version, June 6, 1995.
[17] Id.
C. Legal implications of personal-information collection
Copyright 2014-2015 by Dennis O'Reilly/Rag Hall -- All rights reserved.