The following text is copyright 2004 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Knitting legal patchwork quilts


By Scott Bradner


One of the most difficult features to deal with on the Internet is the lack of any understandable localization of authority.  Once upon a time when a country or state within a country enacted a law regulating some aspect of human or corporate behavior it was generally easy to figure out if the law applied to you.  A Boston law against spitting on sidewalks or regulating the size of billboards could be safely ignored in Chicago.  Chicago could have its own laws dealing with spitting or billboard size and those laws would apply to people or businesses in Chicago.  It's not so easy to similarly localize a law's area of application when the law applies to activity or content on the Internet.  With the Internet, a German law restricting the publication of Nazi propaganda or an Australian libel law can have impacts in the US, as has been proven in the last few years.  Within the US we have been getting a spate of state laws that may or may not impact out-of-state companies providing services over the Internet or out-of-state Internet users.  California has been particularly good at passing such laws but I wonder if, in the end, California's aggressiveness will be rewarded by federal preemption.


I've already written about what has been referred to as the California Database Breach Disclosure Act, which was passed two years ago and requires anyone who gets a computer containing certain kinds of unencrypted data about California residents hacked to notify those residents of the break-in.  Until next January 1 the only pain that the computer owner suffers is embarrassment.


After January 1 the recipient of such a letter may be able to forward the disclosure letter to their lawyer who could start getting a lawsuit together.  California has just added teeth to the break-in disclosure act with a new law, approved by the Governor at the end of September, that requires companies with unencrypted data described in the law to "implement and maintain reasonable security procedures and practices" to protect the data.  The new law does not block private lawsuits so you can expect that many disclosures will result in lawsuits -- maybe you better figure out how to encrypt the data.


Another California law that went into effect on July 1st this year requires that websites that deal with individual consumers residing in California publish and abide by privacy statements.  The law includes specific requirements about what the privacy statements have to include and how they have to be advertised on the web site.  This law also does not block private lawsuits.


Finally, another new law due to take effect on January 1st requires any California company employing more than 20 people that collects a wide range of personal information about individuals to disclose, upon request, what information they share with which direct marketers.  Depending on the definition of a "California company" this last bill may or may not impact companies outside of California but since the law specifically permits awarding a penalty I expect some lawyers to test the boundaries.


California is not alone.  Other states are also passing these types of laws.  The last time we had a lot of state level laws being passed it was over spam.  Bowing to business complaints of having to deal with a legal patchwork quilt, the U.S. Congress passed the permission-to-spam act.  I expect the same thing to happen with each new hot issue -- Congress will pass legislation to preempt and gut the much stronger state initiatives.


disclaimer: Harvard is not of one mind on legislation, the B School likes legislation that guts rules, the School of Government likes any legislation, and the Law School likes conflicting legislation but I consulted none of them for this column.