Laying Down the (Communication) Law
In the United States, federal laws govern everyone in the country as well as state laws that augment what the feds already have in place. (If you’re not in the United States, we can’t go over summarize all the laws in every country for you, because you’d have a very thick book that you’d be intimidated to pick up, let alone read.)
Instead, we take the trite 30,000-foot view of the laws so that you understand how they affect you. We also include links to websites spelling out the full laws, in case you want to get into the weeds.
Looking at federal laws
The Communications Decency Act (CDA), passed in 1996, has a section numbered 230 that protects freedom of expression on the Internet. More specifically, the section provides immunity from liability for website platforms when it comes to third-party content, such as people posting on a social media platform.
What’s more, Section 230 includes a Good Samaritan section, which protects operators of interactive computing services from civil liability if a service removes or moderates that third-party material, even if the speech is constitutionally protected.
Where did this section come from? Let’s start with one of the earliest Internet service providers (ISPs): The World, launched way back in 1989.
The World is still online, all these decades later; you can visit the website at
https://theworld.com
.
As ISPs began to grow toward widespread use in the early 1990s, a pair of lawsuits were brought against two national ISPs — CompuServe and Prodigy — by users who felt their speech was being suppressed illegally. The question at the heart of the lawsuit? Were ISPs publishers or distributors of user content?
The CDA and Section 230 were designed to answer that question, stating categorically that ISPs were mere distributors of content and therefore had no editorial control over the content being distributed. The CDA soon found itself being challenged in the courts, however, and eventually found itself in the Supreme Court. In 1997, the Supreme Court unanimously struck down the anti-indecency provisions of the CDA but left Section 230 alone. (For more on the story, check out www.eff.org/issues/cda230/legislative-history
.)
The end result is that Section 230 is widely hailed as the legislation that enabled the Internet and the web to grow into the indispensable communication medium we have today. And, despite recent court challenges to Section 230 (especially around technology companies’ control over political discussions), several court decisions have found that the section is constitutional.
If you want to look into the various court cases in detail, the Legal Information Institute at Cornell University has both the US Code and notes on its website (www.law.cornell.edu/uscode/text/47/230#
; see Figure 2.1).
FIGURE 2-1: Title 47, Section 230 of the US Code on the Legal Information Institute website.
Parsing the state laws
As of this writing, five states — California, Colorado, Nevada, Vermont, and Virginia — have enacted their own data privacy laws. These laws have similar language in several areas, including
The right to access and delete personal information
The right to opt out of the sale of personal information
Requirements that commercial websites or online services post a privacy policy (which we talk about later in this chapter)
These state laws didn’t just come into being by themselves. Legislators received help from the Uniform Law Commission (
www.uniformlaws.org/home
), a nonprofit organization, founded way back in 1892, to help states produce nonpartisan, uniform laws so that if you move from, say, Virginia to Vermont, you’re not gobsmacked by completely different laws.
We don’t want to smack your head, goblike or otherwise, so we tell you what you need to know about your rights as a consumer in these five states, starting with our home state of California.
California
In California, you need to know about an existing law as well as a proposition that was approved in 2020 and will take effect in 2023.
California Consumer Privacy Act of 2018: The CCPA gives consumers a lot of power to dictate their privacy preferences to a business. The provisions include the right toRequest that a business disclose categories and specific pieces of personal information collected about customersRequest the source of the information as well as the business purpose for that customer informationRequest that the business delete any personal information the business may have collectedRequest to opt out of the sale of their personal information by a business (which is not allowed to discriminate against consumers for opting out)
California Consumer Privacy Rights Act: Voters approved Proposition 24, the Consumer Privacy Rights Act (CPRA), in the November 2020 general election. The CPRA will go (or, depending on when you buy this book, has gone) into effect on January 1, 2023.The CPRA expands consumer data privacy laws in three ways:Consumers can stop businesses from sharing their personal information.Consumers have the power to correct inaccurate personal information collected by a business.Consumers can also limit the use of sensitive personal information by businesses. That information includes race, ethnicity, religion, sexual orientation, specific health information, genetic data, and the consumer’s precise geolocation.What’s more, the CPRA authorizes the formation of the California Privacy Protection Agency to implement consumer privacy laws, enforce those laws, and levy fines. This new agency will also have to figure out how to interpret the portion of the CPRA that says businesses can’t keep personal information for longer than “reasonably necessary.”
Data Broker Registration: California law defines a data broker as a business that deliberately collects and sells consumers’ personal information to third parties. If you’re a data broker in California, you have to register with the state attorney general’s office every year.What this means for you as a private citizen is that if you want a list of data brokers in the state, you can access the website at https://oag.ca.gov/data-brokers
. The website has links to the broker submission information, the contact email address, the broker website address, as well as a link to a list of incomplete registrations.
Colorado
On July 1, 2023, the state of Colorado added the Colorado Privacy Act (CPA) to the existing Colorado Consumer Protection Act. The CPA defines terms for covered businesses, consumers, and data, notably the term controller, as the person or group that determines how they use customer data.
As you would expect, the CPA also includes information about consumer rights and business responsibilities about using customer data. Under the law, the state attorney general and district attorneys throughout the state have the authority to prosecute violators. (For more on the specific language of the legislation, see