The California State Senate votes today on the passage of SB761, introduced by State Senator Alan Lowenthal (D-Long Beach), that would require the state attorney general to adopt regulations allowing users to opt-out of programs that track online information and identifying user behavior on computers, smartphones, tablet computers, and any other device that accesses the Internet. Under SB761, any Internet user can send a message to a website doing business in California requesting that their online activity not be monitored. The bill would allow consumers or the state attorney general to file a civil lawsuit against a company or website that ignores or violates this law. This law would be the first one of its kind nationwide and is based upon a similar federal bill introduced into Congress by Rep. Jackie Speier (D-CA).
Specifically, the proposed law prohibits any software to be copied onto a computer, without the prior approval of the user, and using the software to:
- take control of the computer;
- modify certain settings relating to the computer’s access to or use of the Internet;
- collect, through intentionally deceptive means, personally identifiable information;
- prevent, without authorization, an authorized user’s reasonable efforts to block the installation of or disabling of software;
- intentionally misrepresent that the software will be uninstalled or disabled by an authorized user’s action; or
- through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
Although, at first glance, this proposed bill seems to benefit all Internet users, there lies the risk that this is the first step towards a user-fee-based Internet. The business model of many of today’s websites is based upon advertising sales and the sale of personal data collected from users accessing their sites. Advertisers seek this personal data in order to better understand the behaviors of their target audience resulting in enhanced access to their potential consumer base through a more strategic placement of ads. Without the sale of this collected data as well as reduced advertising sales, websites will begin to see a decline in revenue and will require a new method of generating funds in order to replace these financial losses. Therefore, we anticipate that websites will begin require users to pay a fee for the privilege of accessing websites and information that they were accustomed to access for free and, in exchange, websites would not collect or disseminate any user data. This type of behavior will result in a “digital divide” in which those who have the financial means to pay for access will have better choices for an enhanced ad-free and tracking-free online experience. Those without will have no choice but to give-up personal data in order to access lower quality websites or potentially not be allowed to access these websites at all. By limiting Internet access to those that have the financial means to pay for services, there lies the question of whether Internet access is an inalienable right thereby allowing this type of digital divide without violation of any federal law.
On the flipside, without the passage of SB761, websites will continue to track user behavior and collect highly-invasive psychographic data resulting in an invasion or privacy. As seen by the recent fury directed at Apple for tracking and storing the location of iPhone users, consumers need to have some type of protection against websites or option to restrict data collection from websites that will take advantage of unwitting Internet users without some type of restriction. Therefore the passage of the law is the appropriate first step towards providing online users with appropriate options.
While the public is rightfully concerned about online data collection and the sale of information to advertisers, companies need to be able to protect themselves and continue to generate revenue while still balancing the needs of the online consumer. Companies with an online presence, especially start-up companies, need to determine the types of safeguards needed to be incorporated to protect themselves and their users and still succeed in generating revenue. If companies engage in tracking practices and behavior, it is important to determine how to incorporate such practices and divulge this information in the privacy policies. Disclosure is key but the ramifications of not being tracked needs to be divulged as well.