Location:
LIABILITY, LEGAL; PRIVACY;
Scope:
Other States laws/regulations; Federal laws/regulations; Court Cases;

OLR Research Report


July 14, 2011

 

2011-R-0254

OUT-OF STATE BREACHES OF MASSACHUSETTS' AND CALIFORNIA'S ELECTRONIC DATA BASE PRIVACY LAWS

By: Susan Price, Senior Attorney

You asked if a Connecticut resident who unlawfully disclosed personal, electronically stored information about a Massachusetts or California resident can be sued under those states' data privacy laws.

The Office of Legislative Research is not authorized to give legal opinions and this should not be considered as such.

SUMMARY

Whether violation of a law in one state can be enforced against a non- resident often turns on whether the non-resident has sufficient contacts with the forum state. We found no cases addressing whether Massachusetts' or California's data privacy laws could be used in this manner to sue a Connecticut resident over an unauthorized disclosure of private, electronically stored information that occurred in Connecticut. However, it is likely that such a claim would be dismissed under the Massachusetts law, because the statute appears to allow only the state's attorney general to bring suit (MGLA ch. 93H 3, 6).

In the case of a California resident who wants to sue the Connecticut resident in a California court, the feasibility of successfully bringing suit depends on the facts of the case and whether the Connecticut defendant has sufficient contacts with the forum state (in this case, California) to satisfy constitutional Due Process standards (U.S. Constitution, Amendments 5 and 14).

Litigation in a California federal district court is also a possibility, but that analysis is beyond the scope of this report.

CALIFORNIA ONLINE PRIVACY PROTECTION ACT

The California Online Privacy Protection Act of 2003, effective July 1, 2004, requires operators of commercial websites that collect personally identifying information from California residents to conspicuously post and comply with a privacy policy that meets certain requirements (codified at Cal. Business and Professions Code 22575-22579, copy enclosed). It applies to individuals and businesses that own a commercial web page or an online service that collects and records confidential personal information from individual users living in California who visit the web page or use the online service. Individual users are those seeking to or acquiring goods or services, money, or credit for themselves or their families or households. The law does not apply to internet service providers or similar entities that record or store data for third parties.

Under the law, confidential personal and identifiable information is individually identifiable information about a consumer collected online by a website operator and maintained in an accessible form. It includes:

1. a first and last name,

2. a home or other physical address,

3. an email address,

4. a telephone or social security number, and any other identifier that permits the physical or online contacting of a specific individual.

According to the statute the operator of a website must post a distinctive and easily-found link to the website's privacy policy. The privacy policy must detail the kinds of information the site gathers, how it may share information with other parties, and a description of the process the user can use to review and make changes to his or her stored information. It also must include the policy's effective date and a description of any changes put into place since then.

The owner of a website can be subject to legal action under the act within 30 days of being notified that he or she is not meeting the act's criteria. The website's owner could be faulted for actions or inactions undertaken both (1) knowingly and willfully or (2) negligently and materially.

As the act does not contain its own enforcement provisions, California practitioners suggest it will be enforced through California's Unfair Competition Law, which prohibits unlawful, unfair or fraudulent business acts or practices (Cal. Business and Professions Code 17200-17210). Government officials seeking civil penalties or equitable relief and injured private parties seeking damages may sue under that law.

The act's scope is well beyond the state's borders. Neither the web server nor the company that created the web site has to be in California to be within the law's reach. The web site only has to be accessible by California residents. However, the breadth of the act has never been tested in the courts.

LITIGATION: PERSONAL JURISDICTION

When a resident of California brings suit in that state against a non-resident, a judge must decide whether the forum selected has personal (long-arm) jurisdiction over the out-of-state defendant. California has one of the broadest long-arm statutes in the nation, specifying that its courts may exercise jurisdiction on any basis not inconsistent with the state or federal constitutions (Cal. Code Civ. Proc 410.10).

A California state court deciding questions of personal jurisdiction would likely look at whether:

1. the nonresident defendant purposefully directs activities or consummates some transaction with California or a state resident;

2. he or she performs some act by which he or she purposefully avails himself or herself of the privilege of conducting activities within California, thereby invoking the benefits and protections of the state's laws;

3. the claim arises out of or relates to the defendant's forum-related activities; and

4. the exercise of jurisdiction comports with fair play and substantial justice. Core-Vent Corp v. Nobel, 11 F.3d 1482, 1485 (9th Cir. 1993).

In the Core-Vent case, the court identified criteria for analyzing whether the exercise of jurisdiction is fair and just:

1. the extent of the defendant's purposeful interjection into California's affairs;

2. the burden of defending in California;

3. the extent of conflict with the sovereignty of Connecticut, the defendant's home state;

4. California's interest in adjudicating the dispute;

5. the importance of a California forum to the plaintiff's interest in convenient and effective relief;

6. the existence of an alternative forum; and

7. the most efficient judicial resolution of the controversy (Id., at 1487).

Personal Jurisdiction Established by Use of the Internet

In another case pre-dating the California Online Privacy Protection Act, a California appeals court found personal jurisdiction over a student residing in Indiana who developed and posted computer programs on the Internet, including a program that misappropriated trade secrets from a California corporation. After a civil action was brought in a California state court, the defendant moved for dismissal, claiming that he had no contacts with the forum state sufficient to warrant the exercise of personal jurisdiction.

The court rejected his argument, holding that California's long-arm jurisdiction may extend the state's jurisdiction to reach a defendant that lacked both physical and personal presence in the state. The court explained:

Instant access provided by the Internet is the functional equivalent of personal presence of the person posting the material on the Web at the place from which the posted material is accessed and appropriated. It is as if the poster is instantaneously present in different places at the same time, and simultaneously delivering his material at those different places (Pavlovich v. Superior Court, 2001 Cal. App. LEXIS 623 (Cal. Ct. App. 2001)).

The court went on to point out that long-arm statutes function in a similar fashion. They allow a state to extend its jurisdiction beyond its borders to protect the state's laws from violations perpetrated from remote locations: “[t]he Internet, as a mode of communication and a system of information delivery is new, but the rules governing the protection of property rights, and how that protection may be enforced under the new technology, need not be” (id.).

SP:ts