California Book Legislation Doesn't Understand How Retailers Work

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

If you're selling books in California, you may soon have to handle all customer data very differently. If a piece of legislation now winding its way through the California legislature becomes a law, new restrictions on your record-keeping and file maintenance will extend far beyond the sales of actual books.

The legislation, which has more holes than a chunk of Swiss cheese, would place these burdens on retailers while ignoring a lengthy list of other people in the retail environment who have access to the identical data. The key problem: The writers of the legislation didn't think much about how retailers do their magic.

For example, the statute would make it illegal for a book retailer—and presumably any employee of that retailer—to disclose information about book (and, for that matter, all types of) purchases to police. But it places no restrictions on the volumes of other people who have access to the identical data, including card processors, card brands and possibly POS vendors. What about the employees of the security firm that handles the security cameras and other customers? Both are groups who might see or overhear the information. What if a third-party firm handles the loyalty/CRM system? If the transaction is handled by the customer's mobile device, that brings in an entirely different set of people who might know about a purchase.

If a receipt for a book is E-mailed to the consumer (or sent by SMS or other means), the ISP and E-mail provider could be forced to give the cops that information (which confirms the name of the book). If books are read online or through, say, the Kindle app for a computer or iPhone, although Amazon might not have to turn over the records (as a provider), Apple, AT&T, Verizon or another ISP would enjoy no such legal restriction/protection.

It would be like saying that Barnes and Noble couldn't turn over records of what customers bought, but the chain's security company could be forced to turn over the high-def security tapes of customers—book in hand—at the cash register. Although the videotape would be "personal information" under the statute, because it would include "information that relates to, or is capable of being associated with, a particular user's access to or use of a book service or a book, in whole or in partial form," the security company would not be a provider of a book service and, therefore, would not be covered by this law.

If the government really wants to know what someone is reading without a court order, it could subpoena family members, other customers or even members of a book club—indeed anyone who is not a provider—to try and find out.

Many years ago, I helped represent a local Washington, D.C., bookstore that received a subpoena from a special prosecutor demanding the production of cash-register receipts for book purchases by a particular former White House intern named Monica Lewinsky. After reaching a deal with prosecutors, Lewinsky herself agreed to provide these records. But the case raised both First Amendment and general privacy concerns that have recently been addressed by the State of California in its proposed "Reader's Privacy Act," for which public hearings are scheduled for August 17.

If enacted and signed, the bill would prohibit anyone who provides a book service with the primary purpose of selling or lending books from disclosing customer personal information (including IP address) without a valid court order supported by probable cause unless there is some imminent danger of death or serious injury.

Another problem with the legislation is that, for a retailer to be covered, the chain doesn't have to primarily sell books. The chain merely has to offer a book service to the public. So an entity like Giant Foods or Safeway, which (in aisle 9, next to the magazines) offers a book service selling trashy paperbacks might become a provider under the law—not simply with respect to the paperbacks but with respect to everything it does.

As a provider the grocer would be prohibited from disclosing not only information relating to its customers' use of the book service (what books they bought and read, and what IP address they used to buy or read them) but also other personal information, including "any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."

The way the bill is drafted, if a commercial entity offers a book service, then it is a provider and, therefore, cannot release any personal information to the police without a court order unless there is an exception in the law.

The statute's definitional problems go on. Besides the convoluted definitions of "provider" and "book service," not to mention "primary purpose," it also has a bizarre definition of "book." The proposed statute defines a book as "paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes."

If it is not paginated or similarly organized, is it no longer a book? Is Plato's Republic on a Web site not a book because it is not paginated? The Harry Potter novels are protected as books or CDs, but the movie versions are not?

The problem with the statute's definitions of book and book service is that it fails to take into account what it is about what we read that makes it private, personal and protected. What we read—whether it is a traditional book, a magazine article, a tweet, a Facebook posting, a Web site or even an ad—reveals something about ourselves, our thoughts and our knowledge. That can be something intimate or frivolous. But by limiting privacy to "books," the statute imposes a civil and administrative burden on retailers without protecting that which is truly private. The proposed law at once is too broad and too narrow.

Such a statute would have helped that D.C. bookstore in its challenge to the Independent Counsel, but that was more than 14 years ago. There are now so many different ways to get information, and retailers do so much more than sell books, that we should consider new laws protecting the privacy of individuals, not just the privacy of books themselves.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.