The storage, protection and use of personal data presents significant regulatory and litigation risks for any business. In our Information Age, the sheer volume and varied uses and abuses of data grows exponentially. Companies must recognize not only the potential upside to their treasure trove of data but corresponding litigation and regulatory risks that accompany various types of information, ranging from customers’ financial and health information to personnel information maintained by a human resources department.
To understand the unique litigation and regulatory liabilities that California companies face, it is important to recognize how the concept of privacy originated and is extended by the California courts and new legislation compared with the federal courts’ recognition of a right to privacy.
While there is no express right to privacy in the United States Constitution, the U.S. Supreme Court recognized the right for the first time in Griswold v. Connecticut 381 U.S. 479 (1965). In contrast, the California Constitution was amended in 1972 to expressly provide for a right to privacy:
All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. California Constitution, Article 1, Section 1 (emphasis added).
In contrast to the right to privacy recognized in the U.S. Constitution which requires state action, the right to privacy under California law is generally understood to encompass actions by private individuals and entities which violate a privacy right.
California courts have built on this concept of privacy. In Valley Bank of Nevada v. Superior Court, 14 Cal. 3d 652 (1975), the Court recognized the right of consumers to financial privacy. Years later, in Hill v. National Collegiate Athletic Assn, 7 Cal. 4th 1 (1994) the Court established three-part test for privacy interests: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.
Over the past few decades, there has been a proliferation of privacy-related statutes passed by the Legislature. Today there are more than 90 separate statutory provisions aimed at protecting privacy rights in a wide variety of contexts.
In 2000, California legislation established an Office of Privacy Protection. That Office’s website maintains a list of the privacy laws and regulations. The website includes a link to a page with all of the privacy-related legislation that is introduced in each legislative session. As you can see, several pieces of legislation relating to privacy are proposed each year and many of those become law adding to the list of privacy protections.
There appears to be no end in sight. It does not take a great deal of imagination for a legislator to come up with a new privacy protection to apply to the ever-evolving technology landscape. As discussed in an earlier post, the most noteworthy privacy laws passed during this last legislative session relates to the protection of social passwords.
While these new privacy statutes certainly offer benefits to consumers and the public, they also provide fuel for enterprising privacy class action lawyers who are eager to keep one step ahead of industry and bring dozens if not hundreds of class action lawsuits before companies implement measures to comply with new regulations.
A WORD TO THE WISE . . .
Print out the privacy web pages linked above and carefully assess which of these regulations might apply to your line of business. You will note that the analysis differs greatly from industry to industry (e.g., financial services, health care, credit card processing).
The one area of privacy that applies to almost every business is employee privacy. A blog post discussing some of the primary privacy concerns that arise in the employment context will be posted in the next several days.