California is, by far, the king of states when it comes to privacy laws. California’s constitution is one of only 10 state constitutions that contain an explicit “right to privacy,” recognizing each citizen’s “inalienable right” to privacy. Its state laws in many areas have often been precursors to federal legislation or national legislative movements, and that’s certainly true in privacy law as well. For example, California had health privacy laws before HIPAA even existed, and it had the nation’s first data breach notification law, which spawned copycat legislation in almost every state.
Last month, California passed a few more laws aimed at padding its lead, and further protecting the privacy of California residents (or, at least, making them feel like they are more protected). For businesses that collect or store personal data on Californians, however, it is a mixed bag.
One of the new laws is S.B. 178 – colloquially known as CalECPA. This is California’s version of the federal Electronic Communications Privacy Act. ECPA (the federal version) was enacted in 1986, before there was even an Internet, much less smartphones or personal devices with geolocation. Most everyone agrees that ECPA badly needs updating. But Congress and the President can’t seem to agree on much of anything these days, so California has taken matters into its own hands, at least when it comes to matters within its state borders. The updated version of CalECPA requires that law enforcement obtain a judge’s permission – in the form of a search warrant or wiretap order – before it can access private data stored on smartphones and similar devices. Further, because personal data – such as emails and geolocation information – is often stored on servers of companies like Google or Facebook, the law also requires that law enforcement obtain search warrants before accessing private information stored on such servers.
S.B. 178 has the support of more than a dozen technology companies, including Microsoft, Google, Apple, and Facebook. The latter three are all headquartered in California, of course, all within about 20 miles of one another. Microsoft is headquartered in Redmond, Washington, but in terms of server storage, perhaps has as much shelf space in California as the other three tech behemoths have. These companies often have to walk a fine line between assisting law enforcement and protecting their user’s privacy. In California, at least, that line is now a little easier to see. S.B. 178 provides clearer guidance as to when requests by law enforcement should, or should not, be granted. Any business with a large cache of personal data, stored in California, can now find some measure of assurance when insisting that a government request for information should be accompanied by a warrant or other judicial order.
Another privacy law passed last month has clearly given California a position of leadership when it comes to regulating “the Internet of Things.” A.B. 1116 requires that manufacturers of smart-TV’s ensure that these products don’t record peoples’ voices for advertisement purposes. The bill also requires that the voice-recognition features on smart-TV’s only be enabled if the consumer has consented to that feature. The law also mandates that obvious warnings be given to people using televisions connected to the Internet, to inform them that their voices could be recorded and sent to the manufacturer or even to third-parties.
A popular saying is “As California goes, so goes the nation.” It’s certainly not always true, as California has more than 40 separate “privacy laws” on its books, and it’s hard to imagine any other state passing close to this many privacy-related statutes anytime soon. But, it’s not hard to fathom that CalECPA may be a model for the federal government’s revisions to ECPA, if and when Congress ever gets around to it, or that California’s venture into regulating the Internet of Things won’t be the last. Whenever California passes another privacy law, it’s certainly worth some attention.