Skip to main content

The Great Disappearing Acts: California Considers Two Bills Addressing the Removal of Online Information of Minors

Written by Jake Romero

Do you ever find yourself worrying that, given the types of things minors deem appropriate to post on social networking Web sites like Facebook and Twitter, our country won’t be able to produce an electable candidate for president in 40 years?  If so, you’ll be glad to know that the California state legislature is in the process of considering two bills that could impact the obligations of online services operators to delete certain types of information collected from minors.  The first bill, California Senate Bill 568, would give minors an “eraser button” with respect to the content and information that they provide to Web sites and online services, while the latter, California Senate Bill 501, would require social networking sites to remove identifying information about minors from their pages if those minors or their parents request it.

CALIFORNIA SENATE BILL 568 – THE “ERASER BUTTON”

California Senate Bill 568, which was introduced by Senator Darrell Steinberg and has already been passed unanimously by the Senate, would require that, at the request of a minor, the operator of any Web site, online service, online application, or mobile application remove all content or information submitted to the operator’s site or service by that minor.  If passed, S.B. 568 would also require operators of Web sites, online services, online applications and mobile applications to notify minors that they have the right to request that their information be deleted, while cautioning that such removal does not ensure “complete or comprehensive” removal of that information.  S.B. 568 would also prohibit the operators of online services that are directed to minors (or, if not directed at minors, where the operator has actual knowledge that a minor is using the service) from marketing goods or services to minors if those goods or services cannot legally be purchased by a minor.

If S.B. 568 is passed in its current form, it could require operators of online services to make a number of changes to their data collection and retention policies.  First, operators should note that S.B. 568 expands and deviates from the protections provided by the federal Children’s Online Privacy Protection Act (“COPPA”), as amended.   COPPA permits parents of a child under the age of 13 to contact the operator of an online service to request that any information their child has provided be deleted. Our blogposts about the latest amendments to COPPA (effective July 1, 2013) can be found here.  S.B. 568 not only raises this age to 18, but also puts the power directly in the hands of the minor, rather than the parent or guardian.  The bill does provide for certain exceptions to the removal requirement where the content or information was submitted to the online service by a third party (rather than directly by the minor) or where any provision of state or federal law requires the operator to maintain such information.

As currently drafted, S.B. 568 would create a number of potential pitfalls for online operators by not providing clear guidance on a number of key aspects of the bill.  For example, there is no definition for what constitutes “content or information submitted to or posted on the operator’s website.”  Depending on how broadly this is interpreted, an operator may have a difficult time removing all such information in response to requests.  S.B. 568 also does not provide guidance with respect to what actions are sufficient to constitute “removal” of content or information or what online services would be deemed to be directed toward minors.

If passed, S.B. 568 will become effective as of January 1, 2015.

CALIFORNIA SENATE BILL 501 – THE SOCIAL MEDIA PRIVACY ACT

Like S.B. 568, Senate Bill 501, which was introduced by Senator Ellen Corbett and has been passed by a majority in the California Senate, expands the obligations of certain online service operators with respect to the removal of information related to minors.  In its current form, S.B. 501 would require social networking sites to remove personal identifying information of any registered user under the age of 18 within 96 hours of the receipt of any request from that minor or his or her parent or guardian and imposes a civil penalty of $10,000 for each failure to do so.

S.B. 501 does include limitations on the obligations of social media operators.  Social networking sites are permitted under S.B. 501 to require that any request submitted to remove information include the following statement:

“I attest that the information in this request is accurate, that I am the registered user or the parent or legal guardian of the registered user to whom the personal identifying information in this request pertains, and that I am authorized to make this request under the laws of the State of California.”  

Also, (similar to the restriction contained in S.B. 568) social networking sites are not required to remove information where state or federal law requires that it be maintained.

To the surprise of no one, social networking sites have taken issue with S.B. 501’s requirements.  As reported in the L.A. Times, a coalition that includes Facebook, Google, Zynga and Tumblr have banded together to opposed S.B. 501.  In a letter to Senator Corbett, the Applications Developers Alliance claims on behalf of its members that the 96 hour deadline for removal of information is unworkable, as it does not permit sufficient time to verify requests before removing data.  In addition, the Applications Developers Alliance also argues in its letter that S.B. 501 infringes the privacy rights of users under the age of 18, because it permits a parent or guardian to unilaterally request that information be deleted.

PREPARING FOR CHANGE – CONSIDERATIONS IN THE MEANTIME

Online service operators will need to begin considering what actions will need to be taken if, as seems likely, one or both of S.B. 501 and 568 are signed into law.  Here are some important questions to ask:

  • • Does your online service collect information from users under the age of 18?  If so, do you have full and complete understanding of what information is collected, and how and where it is stored?
  • • If requested, are you able to separate out a minor’s information and remove it?  How long would this process take?
  • • Do you have a point-of-contact in place for requests to delete information?  Do you have policies in place regarding how to respond to such requests, and have you trained your employees to respond appropriately?
  • • Is there any aspect to your online service that can be considered to be directed toward minors?
  • • Do you sell goods or services that minors cannot legally purchase?  If so, are your marketing practices solely targeted toward adults?
  • • Does your online service constitute “social networking”?  (As defined in Section 62(d) of S.B. 501, a “social networking Internet web site” would mean “an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.”)

Ultimately, if either or both of S.B. 501 and S.B. 568 are signed into law, online service operators may have to reassess the cost-benefit analysis of collecting certain types of data from minors.  The collection of user data can yield substantial monetary benefits for online operators.  However, there is no clear way to know how often requests would be made under either of these statutes, and whether the aggregate cost of responding to such requests would outweigh the benefits of collecting certain types of user data.

If S.B. 501 and/or S.B. 568 are adopted they will bring with them considerable change to the online marketplace.  In the meantime, you can find comfort in two fact:  (1) many more of our children could become president someday, and (2) your Mintz Levin privacy team is always available to help with any questions you may have.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.