California bill SB568 was signed by Gov. Brown Monday, September 23, giving minors (>18) the right to remove information they post online. There are some important caveats to the law and differences from the COPPA amendments in the Do Not Track Kids bill proposed that failed at the federal level.
First, the California bill only applies:
- to sites and services directed at minors or those with actual knowledge that a minor is using the site or service;
- to minors that have registered with a site (unless the operator prefers to extend the right to non-registered users);
- to non-anonymized posts that do not individually identify the minor.
So registered users under the age of 18 may request the removal of content or information posted on the site or service that they themselves have posted in a way that identifies them.
The right does not extend to:
- content posted by another user;
- posts that have been copied or reposted by a third party;
- anonymous posts;
- content removed from visibility but still stored with the site or service.
The bill does not require an “eraser button,” meaning this is not a technology forcing bill. Rather, it grants the substantive right to remove content that has been disclosed (arguably) to the public and the associated procedural requirements to effectuate that right. Procedurally it is similar to laws that ensure information controllers provide means to correct information in certain settings (included in most policies based on the Fair Information Practices Principles). The bill requires that sites and services must provide notice of the right, clear instructions for exercising the right, and explain that exercising the right does not ensure complete or comprehensive removal of the information.
The substantive right is novel. Only under a few circumstances does the law allow truthful information to be retracted from the public domain once it is released (e.g., copyright). The law only grants this right to minors in California but intends to hold any site that is accessible to those in California responsible for any violations.
A few responses to some of the reactions I’ve heard about the law. The first suggests that users can already delete things they post online. The most popular sites like Google, Facebook, and Twitter already offer this feature to all their users, but there are many that do not – e.g., most forums and comments. Content does the most damage once it’s been copied and distributed (and usually the original source is one of the popular sites), to which the law explicitly does not apply. The second is that the law is not enforceable. Beyond authentication problems (pseudonyms or usernames may identify an individual but not be the name on their legal documents and so hard to verify the user’s identity or age), sites will comply with the law the same way that they comply with various state and international laws. They will include a final section addressing the law in the TOS (possibly saying that if you are under 18 and in California, you are not allowed on the site) and try to determine the validity of deletion requests as they come in. User participation, which is a tenet in most FIPPs-based policies around the world, is just a pain for data controllers. Lastly, to reiterate, this is not a technology forcing law. A site can require a copy of birth certificate, username, and IP address be mailed to them before they remove these posts – there is no eraser button. This is an important departure from the federal Do Not Track Kids bill.
I’m not a fan of takedown systems, which do not include some judicial process to determine the validity of the claims, because of their potential for error and abuse (I’ll be discussing this at TPRC this weekend). It’s much easier for data controllers to simply assess the validity of a court order. For minors however, I’m not opposed to such a system and COPPA requirements have already made sites and services aware of and prepared for the added compliance costs.
An interesting legal question that is relevant to all right to be forgotten laws is whether truthful information can pulled from the public domain based on reputation/dignity/privacy justifications without violating the First Amendment. This may be possible for children and not for adults, but challenges to these types of laws are a route to the answer.