California Rules The Internet

Posted By on August 11, 2014

How would you like to take a trip to the parched ends of the Earth, or as the locals call it—California, to defend an action brought in a Superior Court because of something you said, did, or sold on your website? If this isn’t your idea of a good time, keep reading. California’s internet privacy laws have changed the way the internet works. Coupled with a long-arm statute that gives California courts the most liberal and extensive reach in the country, California’s online privacy laws make anyone who operates a business or personal website highly susceptible to being summoned into court in there.

California’s Absolute Right

Global computer technology concept

Image Source: Fotolia.com

California took the lead in attempting to protect individual privacy on the internet with the enactment of The California Online Privacy Protection Act (“CalOPPA”).[1] The law, which became effective in July of 2004, subjects website owners to legal actions by California residents claiming their privacy rights have been violated. Residents of California have an absolute right to know how their information is being collected and used in cyber space. If you operate a website and receive a request from a California user asking you to tell them what information you are collecting and how you are using it, you have 30 days to post that information or face a lawsuit for non-compliance.

CalOPPA[2] requires websites that may attract California user post the following information in a conspicuous place on the site.

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

This means that if you allow people to access your site through Facebook, Twitter, Google +, or any other third-party social media provider, you must inform your users not only of the information you are collecting through the use of cookies, web beacons, or other tracking devices, but you must also inform users of the information being collected by those third-parties.

Don’t make the mistake of assuming that just because you or your Web development team aren’t aware of any tracking software on your Site that it doesn’t exist. If you’re using a free hosting service like Blogger or a free content management system (“CMS”) like WordPress, there are built-in processes that collect user information, and even if you are totally unaware that this is happening, you can nonetheless be liable to a California resident for breaching their right to privacy.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

Once you’ve informed potential California users that their information is being collected and used, if you make the mistake of allowing them to change part or all of that personally identifiable information, you must describe in detail how that change can be effected.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

It’s not enough that you occasionally update your site’s privacy policy. California demands that you describe how you will notify users of any changes you made.

(4) Identify its effective date.

(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

Web browsers have add-ons that purport to allow the user to opt out of a site’s tracking processes. Additionally, some services allow users to browse anonymously in order to avoid being tracked by the sites you visit. If your site is collecting information and you receive a request from a browser to opt-out, you must provide a notification about how you will handle the request. You do not have to honor a no-track request, but if you do, you must provide a clear and conspicuous hyperlink in your privacy policy to a page containing a description, including the effects, of any program or protocol to opt-out.

(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.

Even if you’ve done everything right, there’s still a chance that a third-party could collect information about your users. If you’re using “free” images or applications on your site, the chances are pretty good that the creators are tracking the usage statistics of their creations via embedded programs. Free images often contain Web beacons—tiny, transparent images that contain a code that allows the creator to track a user’s activity. Every time you use a free image, you must read the terms of use and include a link to them on your own site.

Right now, you’re probably thinking that California has made operating in cyber space a lot harder than it has been in the past, and you’re right. But if you’re entertaining the notion that you’re not going to bother to comply with California’s law because you’re beyond the reach of a California court, you might want to think again.

The Long Arm of the Law

Jurisdiction is the authority of a court to decide an issue. The authority of a court is bifurcated into subject matter jurisdiction and personal jurisdiction. Subject matter jurisdiction is fairly straightforward. Federal courts only have subject matter jurisdiction over cases arising in diversity or under their federal question jurisdiction expressly set forth in the Constitution or as prescribed by Congress. This means federal courts are limited in the kinds of cases they can hear. Similarly, State courts cannot hear federal question issues that are reserved for the federal courts, such as bankruptcy and patent issues. It’s not all that complicated.

Personal jurisdiction, however, has long been an area of debate. Providing a State has a law that allows its court to assert personal jurisdiction over an out-of-state defendant, there is nothing to stop them from exercising personal jurisdiction. California has just such a statute, and it is both simple and breathtakingly broad:

A court of this state may exercise jurisdiction on any basis not inconsistent with the Constitution of this state or of the United States.[3]

This doesn’t mean that California can reach out and tag an out-of-state defendant arbitrarily. The Fourteenth Amendment to the U.S. Constitution demands that the States recognize the right to both substantive and procedural due process. Substantive Due Process under the Fourteenth Amendment requires that law makers not pass laws that would interfere with the fundamental rights guaranteed by the U.S. Constitution. Procedural Due Process requires that individuals have notice and the right to be heard when legislation threatens to deprive them of a constitutionally guaranteed right.

Clearly, California’s long-arm statute doesn’t interfere with an individual’s right to Substantive Due Process, but there have been some real questions about California’s ability to reach the operator of a Web site without violating their right to Procedural Due Process. Traditionally, a court would have general personal jurisdiction over an out-of-state defendant when that person had a systematic and continuous presence in the forum state. Simple enough. If you live in the forum state, do business in the forum state, or own property in the forum state, it’s likely you have notice that you could be taken to court in that state. But what if you only have occasional or sporadic contacts with the forum state? Is that enough to satisfy the requirement of notice?

A court can exercise specific jurisdiction over an out-of-state defendant if that person has “sufficient minimum contacts” with the forum state such that they have purposely availed themselves of the services and protections of the state and know that they could be sued in that state. This type of jurisdiction is a little trickier, and the internet complicated the discussion considerably. When does an out-of-state Web site operator have sufficient notice that they might be subject to suit in California under the Due Process Clause of the Fourteenth Amendment? It’s a rapidly evolving area, but courts in the U.S. have identified three tests to determine if activity conducted through a website amounts to sufficient minimum contacts, thereby satisfying the Due Process Clause of the Fourteenth Amendment.

(1) The Zippo Sliding Scale Test

In 1997, a Pennsylvania court found that it had jurisdiction over a California defendant, even though the defendant had never set foot in Pennsylvania. Zippo Manufacturing Co. produced lighters. They brought suit against Zippo Dot Com, Inc, an online news gathering service based in California, alleging a trademark violation.[4]

The California-based company claimed that Due Process precluded the Pennsylvania court from exercising jurisdiction. The court in Pennsylvania disagreed, finding that jurisdiction was proper because Zippo Dot Com’s site was sufficiently interactive enough to constitute purposeful availment. In the decision, the court developed a tri-level sliding scale that determined whether sufficient minimum contact existed. Id. Websites that actively solicit and advertise products or services nationwide and collect user information will provide a court with jurisdiction over the operator. Online businesses like Amazon.com fall squarely into this category.

At the other end of the spectrum are the static websites that merely contain information about a person or business, and doesn’t advertise nationally or within the forum state. These are considered passive websites. The out-of-state owners of these websites have almost no chance of being dragged into court under the Zippo test. This was a critical hole in the court’s logic, and later cases would deal with the consequences.

It’s the middle level of the Zippo test that demands the most attention, and that’s the area where the vast majority of small business websites are. The Pennsylvania court held that an extensive review of the facts would determine whether the operator had sufficient minimum contacts that amounted to purposeful availment. California courts, however, don’t want to have to deal with the middle, because California cases have completely ignored the three-part Zippo test, preferring both the “effects” and “targeting” tests.

If you operate a personal or business Website and you don’t have a California Compliant Privacy Policy, keep on reading, because if a California user wants to sue you in a Superior Court in California, they have two ways to argue that you are subject to jurisdiction there—either the effect of conduct on your website was felt in California or your website targeted residents California in some way. Either way, if you aren’t providing the required warnings on your site, you could be headed for a trip to sunny California.

(2) The Effects Test

The effects test predates modern internet usage. It was adopted by the U.S. Supreme Court in Calder v. Jones in 1984.[5] In that case, the National Enquirer, a Florida-based publisher, printed defamatory statements about a California entertainer. When the entertainer tried to sue in California, the National Enquirer moved to quash service of process on jurisdictional grounds. A Superior Court in California granted the motion, but the U.S. Supreme Court reversed, holding that because the actions of the National Enquirer were intentional, and the effects of their conduct had consequences in California, a court in California did have jurisdiction. This principal was more recently tested in the internet case of Zidon v. Pickrell, decided in 2004.[6]

Patrick Zidon, a North Dakota resident, began an online romance with Linda Pickrell, a resident of Colorado in September of 2000. Four years later, after a particularly ugly online breakup, Pickrell began operating a website with a URL that used Zidon’s name, www.patrickzidon.com. The website was entitled “Monster of Love: Surviving Love/Sex Addicts and Spiritual Predators.”

Following their breakup, Pickrell posted allegedly defamatory statements and e-mailed a hyper link to the Web site to others in the Bismarck, North Dakota, area as well as the public at large. Zidon brought claims for defamation and intentional infliction of emotional distress. The Federal District Court was asked to decide the question of jurisdiction. Could a court in North Dakota assert personal jurisdiction over a Colorado resident based on the operation of a passive website? An analysis under the Zippo sliding scale test would arguably not result in North Dakota having jurisdiction, because the site was clearly static and non-interactive.

However, the court answered in the affirmative and pointed squarely to Calder as the basis for their decision. “An application of the “effects test” derived from Calder v. Jones[7] in the context of Internet activity, is appropriate and warranted.” Id. It’s clear from the Zidon decision that moving forward, when courts apply the effects test, the focus will not be on the characteristics of the website. Rather, the court will focus on the harm in the forum state and whether the defendant could have foreseen the harm. The decision in Calder gave California the green light to exercise jurisdiction based on the foreseeable effects in the forum state. Zidon opened the door for the rest of the states to follow.

If you operate a website or blog that offers opinion or advice, and someone uses that information and is harmed, you could be looking at liability in a state you’ve never physically been in. The Zippo sliding scale test is likely unavailable as a defense to jurisdiction moving forward. Even more precarious is the specter of liability for harm caused by information about a user from California that is collected via your site. Proper legal notices like privacy policies and terms of use agreements are a vital component to your personal or professional website.

(3) The Targeting Test

As legal scholars and the courts have noted, the effects test applies more to individuals and small professional business than it does to multi-national web-based distributors of goods like Amazon.com.[8] These companies don’t themselves experience an effect in just one location. The courts began looking for an approach to address jurisdiction when a party is a corporate entity that does business over the internet on a national or global scale.

The targeting test began emerging in earnest in the Ninth Circuit Court of Appeals when Justice O’Connor, writing a plurality opinion, cited the need for something more than just foreseeability in order for activity on a website to be sufficient enough to establish minimum contacts. Asahi Metal Industries v. Superior Court of California.[9] The opinion itself is illustrative of how the Court grappled with this issue.

A plurality opinion is one where a majority of the justices are in agreement, but not for the same reasons. The opinion reflects the agreed upon reasoning of a majority of the of justices who are in agreement. So, in Asahi, a majority of the justices agreed that a manufacturer’s mere knowledge that their product might be sold in California was not sufficient to establish jurisdiction, but they couldn’t agree on exactly what more was needed. The opinion that “something more” must be present, reflects the opinion of the majority of the majority. Plurality opinions always invite refinement and definition in the lower courts, and the decision in Asahi was no exception.

The first inklings of the targeting test can be found in dicta in Zidon, where the court noted that the concepts of “effects” and “targeting” were closely linked. California courts have further developed the concept of targeting, and will apply the approach when companies purposefully engage with residents of California. Under the targeting approach, the alleged harmful conduct does not have to occur in the forum state. In California the requirement is, “only that the wrongful conduct individually target a known forum resident.”[10]Purposeful engagement will be found if a website requires a user to read and acknowledge a legal notice before the user can register. A website can also purposefully engage a California user informing them of applicable California tax.

While the internet greatly expands the potential scope of a business’s reach, it also exponentially expands liability. Competent web developers and internet publishers must take into consideration the purpose of a site planning for site development and content implementation. The wrong strategy can have serious legal consequences across a wide geographical area.

The Bottom Line

Like it or not, California has taken the lead in the area of internet jurisdiction, and other states are following closely behind. All 50 states have enacted some form of cyberstalking laws, and several have statutes regarding online defamation. These, coupled with long-arm statutes can result in a state having jurisdiction over an out-of-state defendant who runs a website that interacts with,  effects, or targets resident of the forum state. Prudent website developers and operators will conduct regularly site audits to ensure that their website is California compliant and that users understand what private information is being collected and how it is being used. The days of passive website development are over. Developers must be engaged and aware of developing law and policy in the area of cyber space. Anything less, and you could find yourself high and dry in a California Superior Court.

A PDF of this article is available here: http://1drv.ms/1pLijFz


[1] Privacy Law Developments in California, 2 I/S: J. L. & Pol’y for Info. Soc’y 831.

[2] California Business And Professions Code Section 22575-22579.

[3]Code of Civil Procedure Section 410.10.

[4] Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997).

[5] 465 U.S. 783 (1984).

[6]344 F. Supp. 2d 624 (D.N.D. 2004).

[7] 465 U.S. 783, 104 S.Ct. 1482, 79 L.Ed.2d 804 (1984).

[8] B.D. Boone, Bullseye!: Why A “Targeting” Approach To Personal Jurisdiction In The E-Commerce Context Makes Sense Internationally, Emory Law Review, 40, (Spring 2006).

[9] 480 U.S. 102, 111 (1987).

[10]Sleep Sci. Partners v. Lieberman, C 09-04200 CW, 2009 WL 4251322 (N.D. Cal. 2009).

About the author

Jerri L. Cook is a recognized leader in rural media. She holds a B.S. in Organizational Communications and a Juris Doctor (J.D.) from Concord Law School. Exceptional legal research and writing is essential to providing effective counsel. With her proven record of excellence, Jerri L. Cook provides effective trial support for attorneys who find themselves with only a 24-hour day. Her background in communications, including content creation and internet programming, complement her academic focus on Cyber Law. E-Discovery can be daunting, but with Jerri L. Cook on the team, digital information is readily discovered and retrieved. Contact her at 715.257.4363.


Show Buttons
Hide Buttons