Like most things these days the online book market is rapidly growing and eclipsing the non-digital market. With that in mind Senator Leland Yee from California recently introduced legislation to put stronger privacy protections in place to restrict disclosure of records about consumer activity on e-book sites. While the legislation would provide more protection for information about consumer reading habits, it would also bring new obligations and risks for providers of such services.
Senate Bill 602, introduced on February 17th and recently amended, would require the government and other third parties to have a warrant or court order to access sensitive reading records. Groups like California ACLU and EFF see this as a step in the right direction by making e-book policies aligned with other California privacy laws and are supporting the legislation. A hearing and possible vote is set to occur in the Senate Judiciary Committee on April 12th.
SB 602 would prohibit providers from disclosing records about a user’s reading history absent a statutory exception allowing the disclosure. Like the federal Stored Communications Act, 18 U.S.C. § 2701 et seq., these exceptions include government agencies with appropriate legal process, user consent, and emergencies. However, there are many differences. First, the bill requires that law enforcement use a warrant obtained based on probable cause, but also requires that notice be provided both to the provider before the warrant is issued and to the user contemporaneously with the execution of the warrant, so that either party may object. Second, the bill creates a new process for a civil court order that private litigants would be required to use to obtain the information. Third, the bill would require user consent to be “informed” and “affirmative,” while no such standard is required for consent under the SCA. The differences don’t stop there.
Providers may be interested to note that SB 602 requires providers to give users notice of civil orders for their information. It also creates new reporting requirements for providers that would require detailed tracking and reporting on legal process issued under the legislation. Such information would need to be posted online by the provider and linked to from their privacy policy. In addition, the bill introduces new civil penalties for disclosures that violate the law and limits the liability protection for providers to only those situations where it is “objectively reasonable” to rely on the process received to make the disclosure (the SCA immunities are not so restricted).
Perhaps the issue of most interest to providers in the e-book space will be the impact SB 602 could have on their ability to share information about book browsing and renting history for commercial purposes. Given the breadth of the definition of “personal information” (which includes IP addresses), it may be worth further examination.