by Paul Alan Levy
In a blog post today about the California Reader Privacy Act, Eric Goldman raises an alarm about the law’s possible application to bloggers. The statute provides that a “book service” — a “service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books” — may not provide personal information about its users to a “government entity” without observing certain heightened process, and may not be compelled to provide personal information about its users to “any person, private entity, or government entity.” Professor Goldman argues that the definition of the word “book” could be extended to blogs because it applies to “paginated or similarly organized content,” and blogs typically have a series of pages, with the most recent posts on the first page. He acknowledges that the law extends only to commercial entities, in that the law defines "provider" as "any commercial entity offering a book service to the public." But he expresses concern that any blogger who carries ads could be argued to be a “commercial entity.”
His post suggests that the drafters of the statute may not have intended this result, but the words could be construed to apply to bloggers and the danger is heightened because “the statute has a private cause of action that will be enforced by a rapacious privacy plaintiffs’ bar.” He concludes by offering the possible unintended consequences of the statute as an illustration of his general view that “states categorically should not try to regulate the Internet.”
Generally speaking, I tend to agree with most of what Eric Goldman posts on his Technology & Marketing Blog, but I disagree with this post.
First of all, as noted above the statute only regulates what a “commercial entity” may disclose, and Professor Goldman ignores the limiting impact of the word “entity.” An individual is not an entity; rather, an entity is defined by Black’s Law Dictionary as an organization whose identity is separate from its members. The statute itself confirms this construction, in that it limits any disclosure (voluntary or compelled) to a “government entity,” but limits compelled disclosure to “any person, private entity, or government entity.” A similar understanding that an individual is not an entity is shown by the fact that “government entity” is defined to include any “state or local agency” or “any individual acting or purporting to act for or on behalf of a state or local agency.” If “government entity” included individuals, this last clause would not be needed So the individual blogger is plainly off the hook as a “commercial entity.” A corporation that blogs, yes. A partnership blogs, yes. But not an individual.
Second, the statute limits all disclosures to government entities, but with respect to disclosure to individuals the statute is limited to “compelled” disclosure — in other words, disclosure pursuant to subpoena. In this blog, we have covered time and again the problem of ISP’s that turn over information about their users in response to subpoenas without giving notice so that the user has an opportunity to oppose disclosure. The most important requirements that the statute imposes on compelled disclosures are notice to the user so that the user can seek to quash the subpoena, and an explanation by the court of the need for the disclosure before enforcing the subpoena. So even if Professor Goldman were correct that individual bloggers could be subject to liability for giving up such user information pursuant to subpoena if they don;t try to give notice, I would not have a problem with a general rule that bloggers need to give notice and make sure that appropriate process is available to anonymous users who are the subject of subpoenas seeking their identity. For roughly ten years, Virginia has required notice by ISP’s before they disclose identifying information in response to civil subpoenas, and I have heard of no serious problems caused by that law.
Two more points. I am disappointed to see Professor Goldman complaining about “rapacious plaintiffs’ lawyers” who try to protect individual rights. Sure, it is easy for those of us in the public interest bar, such as at Public Citizen, or EFF and the ACLU which co-sponsored the California statute, to take impact cases pro bono to protect rights online, but we all have very limited resources for that work. As a practical matter, individual members of the public can’t expect effective protection for their rights unless and until lawyers in private practice have a financial incentive to represent them despite their inability to pay up-front for legal services. That is one of the most important reasons why Public Citizen supports the enactment of anti-SLAPP statutes, as recently happened in DC and Texas, and as the Public Participation Project seeks to have enacted at the federal level. A strong anti-SLAPP statute with an attorney fee provision creates a financial incentive for private practitioners to defend free speech rights in SLAPP suits despite the fact that many SLAPP defendants cannot afford to pay. Indeed, Professor Goldman has been counted among the strong supporters of a federal anti-SLAPP law. But I have never seen him rant about rapacious defense lawyers – and I have seen many of them in my 35 years of practice.
And unlike Professor Goldman, I do not hold to any general opposition to state-law "regulation of the Internet.” Yes, like him, I support a vibrant immunity under section 230, not because of any special affinity for Internet Service Providers (altough I represent them sometimes) but because it plays a crucial role in protecting the free speech of ISP users. But ISP’s sometimes abuse their users, including abuses of their privacy rights, and just as we need the First Amendment to protect against government action that violates Internet users’ rights, I would not shy away from appropriate statutes when needed to prevent private parties from infringing privacy.