The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.

If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:

  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes

Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

Ad Law Access Podcast

January 1, 2020 was the effective date for the California Consumer Privacy Act (CCPA).  As we reported and summarized in our Q1 2020 CCPA Litigation Round-Up, private litigants wasted no time in filing consumer-related causes of action under the new law.

Here, we provide an update on material developments in that first wave of claims and report on additional private lawsuits commenced in the first half of the year.  We have further categorized the recently-filed cases based on those stemming from a data breach versus not.  In the latter category, the cases are further split based on the underlying alleged violations – last quarter, non-breach based claims related to the disclosures and opt-out mechanisms required by the CCPA as well as the scope of “personal information” covered by the CCPA.

1. Update on Cases Reported in Q1 2020

Continue Reading CCPA Litigation Round-Up: Q2 2020

On June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA) had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents.  The result is a law that is closer in scope to robust international privacy laws, such as the GDPR. For more information on the CCPA, please see our posts here.

To be eligible for the November 2020 ballot, CPRA needed to obtain over 623,212 verified signatures. If passed by a simple majority of California voters in November, as is looking likely, the CPRA will become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected after January 1, 2022. Additionally, the CPRA would extend the CCPA’s temporary business to business exemption and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforcement during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For more information on the comparison between CCPA and CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements to assess what changes may be necessary should the ballot pass. And a reminder — the CCPA enforcement date is set for July 1, 2020, although it is not yet clear whether the CCPA regulations will be effective by then; the Office of Administrative Law’s review remains pending. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

“Business” Threshold
  • CCPA: $25 million annual revenue; or 50,000+ consumers; or 50% of annual revenue derived from selling consumers’ personal data
  • CPRA: $25 million annual revenue; or buys, sells or shares 100,000+ consumers or households; or 50% of annual revenue derived from selling or sharing consumers’ personal data

Operative date
  • CCPA: January 1, 2020
  • CPRA: January 1, 2023, and applies only to personal information collected on or after January 1, 2022, except with regard to access requests.

Employee and B2B exemptions
  • CCPA: Sunsets January 1, 2021
  • CPRA: Sunsets January 1, 2023

“Sold” and “Shared” Definitions
  • CCPA: “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration.
  • CPRA: The term “sold” is broadened to “sold or shared.” This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a more narrow definition of “third party”).

Service Providers and Contractors
  • CCPA: A Service Provider is an entity “that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business…”
  • CPRA: Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider. Clarifies and provides additional requirements regarding service providers’ use of the data, such as a requirement that service providers silo the data they learn about a consumer from other sources. (This is more restrictive than the AG CCPA regulations.) Requires contractual terms, similar to the GDPR.

Consent
  • CCPA: Consent is not required in the CCPA. However, the definition of sale contains guidance regarding “intentional interactions.”
  • CPRA: Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she… signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Introduces the concept of “dark patterns” defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation. Agreement obtained through use of dark patterns does not constitute consent.

Sensitive information
  • CCPA: Does not contain separate provisions for sensitive information (other than increased verification requirements).
  • CPRA: Contains disclosure, opt-out, and purpose limitation requirements for sensitive information.

Automated Decision-Making
  • CCPA: N/A
  • CPRA: Introduces concept of “profiling.” Calls for regulations requiring businesses’ response to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Correct
  • CCPA: N/A
  • CPRA: Gives consumers the right to correct inaccurate information.

Opt Out of Targeted Advertising
  • CCPA: The CCPA does not restrict targeted advertising if it can be conducted without “selling” data.
  • CPRA: Providing advertising or marketing services is a business purpose but this does not include “Cross-Context Behavioral Advertising,” a newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites or applications. Contains a broader opt-out provision (for both “sale” and “sharing”) and specifically limits service providers from engaging in any “cross-context behavioral advertising.”

Retention
  • CCPA: The CCPA does not contain any requirements that businesses disclose their retention practices to consumers.
  • CPRA: Businesses must disclose, at the time of collection: the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period. A business cannot retain personal information for longer than is reasonably necessary for that disclosed purpose.

GDPR Concepts
  • CCPA: N/A
  • CPRA: Contains language to promote the following GDPR principles: Data Minimization, Purpose Limitation, and Duty to Avoid Secondary Use.

Enforcement
  • CCPA: Enforced by the Attorney General. Allows a 30 day period to cure violations.
  • CPRA: Establishes the California Privacy Protection Agency that would have a broad scope of responsibilities and enforcement powers. Security breaches include email/password/challenge questions. Modifies the 30-day cure period to apply to a private right of action for security breach violations, rather than for general privacy violations of the law. Fines for violations involving children’s personal data are tripled.

Advertising and Privacy Law Resource Center

On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.”

Continue Reading CCPA Update: Final Regulations Submitted but No Changes from Prior Draft

CCPA compliance is a cross-functional exercise that requires active participation and buy-in from business units across the organization to tackle data mapping, work flows and employee training. On the latest episode of the Ad Law Access Podcast, special counsel Tara Marciano and associates Carmen Hinebaugh and Alexander Schneider discuss the ongoing challenges of operationalizing CCPA compliance focusing broadly on two areas: rights requests and vendor agreements.

Listen on Apple, Spotify, Google Podcasts, Soundcloud or wherever you get your podcasts.

For more information on CCPA and other topics, visit:

Advertising and Privacy Law Resource Center - Operationalizing the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information.  However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.

While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader.  For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII.  Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act.  Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.

This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open.  Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale.  With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.

Continue Reading The CCPA Non-Discrimination Right, Explained

Recent putative consumer class action cases filed against Ring and Zoom raise allegations under the California Consumer Privacy Act (“CCPA”) and are likely to be the first battlegrounds over the CCPA’s potential hostility to consumer arbitration clauses.  The continued applicability of arbitration agreements is likely to be a significant (and hard-fought) issue with far-reaching implications for consumer litigation under, and involving, the CCPA.  This post reviews recent precedent concerning prior attempts by California to bar arbitration or otherwise ignore federal preemption in the context of privacy statutes in an effort to predict how the courts will navigate the CCPA’s attempted restriction on arbitration.

CCPA On Arbitration

The CCPA provides consumers with a private right of action when they are affected by a data breach of certain types of personal information.  Cal. Civ. Code § 1798.150.  The law permits recovery of statutory damages between $100 and $750 per consumer, per incident, and explicitly envisions actions proceeding on an individual or class-wide basis.  Id. at (b).  In addition to monetary damages, private consumers may seek injunctive relief under the CCPA.  § 1798.150(a)(1)(B).  These statutory damages and right to collective action make the CCPA a ripe target for consumer class actions.  That is further bolstered by the CCPA’s apparent limitation of parties’ ability to contract around public class actions.  Specifically, the CCPA directs that:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Section 1798.192 (emphasis added).  Thus, the CCPA would not permit a company to force an individual arbitration based on a consumer contract where a class-wide CCPA claim is asserted.  But is that enforceable?

California’s History of Trying to Limit Arbitration

California’s history of seeking to limit parties’ rights to compel arbitration has, for years, been at the center of the dispute over the strength and reach of the Federal Arbitration Act, 9 U.S.C. § 1 et seq. (“FAA”).  The landmark case on this issue is AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011).  In Concepcion, the United States Supreme Court addressed a clash between the FAA and California’s declaration that arbitration waivers were unconscionable and, thus, unenforceable.  The FAA won.  Based on the FAA, the Court found California could not reject arbitration agreements, even if such clauses required consumers to arbitrate individually.

In the ensuing decade, the Court has re-confirmed the Concepcion decision against subsequent challenges, including from California.  Of particular relevance, in 2015, the Court confirmed that class action waiver clauses in consumer agreements are enforceable, even in the face of contrary California state law.  DirecTV, Inc. v. Imburgia, 577 U.S. __, 136 S.Ct. 463, 468, 193 L.Ed.2d 365 (2015).  The Court also confirmed that arbitration agreements with a class action waiver remain valid, even where consumers are presented with the practical hurdle that a plaintiff’s costs of individually arbitrating might far exceed the potential individual recovery available.  American Express Co. v. Italian Colors Restaurant, 570 U.S. 228 (2013).

In 2017, the California Supreme Court held that arbitration clauses that left individual consumers without the ability to obtain public injunctive relief were unenforceable.  McGill v. Citibank, N.A., 2 Cal. 5th 945 (2017).  Currently pending before the United States Supreme Court is a petition for a writ of certiorari on the question of “whether California’s public-policy rule conditioning the enforceability of arbitration agreements on acquiescence to public-injunction proceedings is preempted by the FAA.”  AT&T Mobility LLC v. McArdle, No. 19-1078.

Privacy Laws Cannot Overcome Federal Preemption

Given the unique nature of the privacy protections of the CCPA and lack of parallel federal privacy protections, it is instructive to see how courts have approached preemption of prior California privacy statutes.  In 2012, California’s Attorney General brought suit against Delta Airlines alleging that the lack of a clearly-disclosed privacy policy in the “Fly Delta” app violated the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579.  Delta challenged the state’s ability to bring consumer protection claims against commercial airlines given the federal Airline Deregulation Act of 1978, Pub. L. 95-504, 49 U.S.C. § 1371, et seq.  The court dismissed, finding that the federal statute preempted the statutory requirements of CalOPPA.  State of California v. Delta Air Lines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct. May 9, 2013).  The decision was affirmed by the California Court of Appeals.  Case No. A139238, 2016 WL 3001805 (Cal. Ct. App. May 25, 2016).

Conclusion

Recent precedent supports the continuing viability of arbitration clauses, including as part of consumer contracts that waive class actions.  It further confirms that California’s attempts to circumvent federal law, including in the privacy space, are likely to be struck down based on preemption.  Thus, all signs point towards the continued ability of companies to compel arbitration, including individual arbitration, over CCPA claims.

That said, it remains to be seen how far the California courts (federal or state) might permit or force litigants to proceed before that likely outcome is reached.  Thus, despite potential contract terms that include an otherwise valid arbitration clause and class action waiver, CCPA defendants such as Ring and Zoom may need to engage in multiple rounds of motion practice and appeals before getting clarity on the forum in which their cases will even be heard.

Another consideration:  until there is a decision that the CCPA is preempted by the FAA, the CCPA litigation occurring now may be the only cases to provide clarification as to some of the vague provisions of the CCPA (evident by the inconsistent interpretations and compliance applications in the marketplace).  Once CCPA claims are addressed mainly through arbitration, guidance will be left to the California Attorney General’s Office and the more limited number of cases initiated by that Office.

If you have privacy, cyber, or related litigation questions, our team of compliance and litigation specialists would be happy to speak with you.  More information about Kelley Drye’s Privacy and Information Security Litigation team can be found here.


The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020.  Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.

Even if enforcement begins July 1st, companies must contend with another glaring obstacle: the AG has not yet issued final regulations.  The AG has a narrow window to complete its final regulations, leaving companies with less than three months advance notice to implement highly technical final regulations.  If the AG fails to meet its statutory deadlines, the AG’s enforcement of the CCPA would begin before final regulations are issued.

In March, the AG released a third draft of CCPA regulations, with comments due on March 27th.  Now, the AG can either issue another round of proposed regulations or finalize the regulations.  The third draft had far fewer changes than previous drafts, indicating the AG may be ready to finalize the regulations, although the AG has remained largely silent in explaining the reasoning behind any changes to its various drafts.

Once the AG is ready to issue final regulations, the AG will send the regulations to the Office of Administrative Law, which generally has up to 30 working days to review regulations, although an executive order linked to the COVID-19 crisis extends the Office’s deadline by 60 calendar days.

Once reviewed, the Office transmits the final rule to the Secretary of State for adoption.  The effective date of the final CCPA regulations depends on the date that the Office files the regulations with the Secretary of State.  For example:

  • If filed March 1 – May 31: the effective date is July 1.
  • If filed June 1 – August 31: the effective date is October 1.
  • Another effective date may be possible if the AG demonstrates good cause.

As a result of this timeline, the AG is likely aiming to complete the final regulations in April, to provide the Office with sufficient time to complete the rulemaking process by May 31st and implement the regulations by July 1st.  Any delay could push the effective date of new rules to October 1st, well past the statutory enforcement date of July 1.

Given this timeframe, companies seeking to comply with the new CCPA regulations should not wait for final regulations to stand up compliance processes.  With enforcement slated to arrive either at the same time as or before the effective date of new regulations, covered businesses should work with privacy counsel to prepare for CCPA as soon as possible.

We will continue to follow new developments that may impact the timeframes for implementation of the CCPA regulations.  If you have questions on how the regulations may impact your business, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

 


The California Consumer Privacy Act (CCPA) took effect January 1, 2020.  While the California Attorney General’s enforcement authority is delayed until July 1, private litigants have already started to file direct claims under the CCPA as well as other consumer-related causes of action predicated on alleged CCPA violations.  Notably, the California Attorney General takes the position that enforcement actions can cover violations that predate July 1, 2020.

As detailed in our prior posts (see, e.g., here and here), the CCPA expressly provides for only a limited private right of action related to data security breaches.  Cal. Civ. Code § 1798.150.  Private plaintiffs can recover actual damages or statutory damages of $100 to $750 per statutory violation.  While a broader potential private right of action was considered, which would have permitted individuals to sue for additional CCPA violations, that amendment (SB 561) failed.

Nevertheless, private litigants have thus far filed CCPA-related claims in cases where breaches have occurred, but also in cases where no breach is alleged.  A quarter of the year in, we consider here how the CCPA has already impacted consumer class action claims.

Barnes v. Hanna Andersson LLC and Salesforce.com Inc., Case No. 4:20-cv-00812 (N.D. Cal.)

On February 3, 2020, California consumer Bernadette Barnes filed a putative class action Complaint against retailer Hanna Andersson arising from a data breach.  The breach (which occurred in September-November 2019), allegedly resulted in the loss of personally identifiable information (“PII”), including unencrypted credit card and consumer information.  Plaintiff also sued the cloud vendor Salesforce.com that allegedly stored the PII at issue.

Plaintiff seeks to represent a nationwide class including: “All individuals whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020,” as well as a California sub-class.  Plaintiff does not include a cause of action under the CCPA, but relies upon the CCPA as a predicate for her claim under California’s Unfair Competition Law, Cal. Bus. & Prof. Code §17200 (“UCL”), along with causes of action for negligence and a declaratory judgment.

Sheth v. Ring LLC, Case No. 2:20-cv-01538 (C.D. Cal.)

On February 18, 2020, Seattle, Washington consumer Abhi Sheth filed a putative class action Complaint against California-based video doorbell and security camera manufacturer Ring.  Plaintiff alleges inadequate security measures for handling PII as well as unauthorized disclosure to third parties.

Plaintiff seeks to represent a class of consumers defined as: “All persons residing in the United States who purchased a Ring Security Device within the applicable statute of limitations period.”  Plaintiff’s CCPA claim alleges improper collection and use of personal information without notice, and failing to provide the required notice of a right to opt out of the sale of personal information to third parties.  Plaintiff does not allege that Ring had any specific data breach or security event that triggered the claim.  Plaintiff asserts seven other causes of action arising from the same facts:  invasion of privacy; negligence; breach of implied warranty of merchantability; breach of implied contract; unjust enrichment; and violations of the UCL and California Legal Remedies Act, Cal. Civ. Code § 1750, et seq. (“CLRA”).

Significantly, the arbitration clause in Ring’s consumer agreement may create the first opportunity to balance the CCPA’s perceived hostility to arbitration, on the one hand, and the parties’ contract and policy underlying the Federal Arbitration Act, on the other.  That issue is expected to be a heavy battleground in CCPA consumer class actions, making this a potentially important first test on that issue.

On March 5, the Sheth case was consolidated with four other privacy-related cases pending against Ring and on March 31, the separate Sheth case was closed.  The continuing matter, In re: Ring LLC Privacy Litigation, Case No. 2:19-cv-10899 (C.D. Cal.), began with a December 26, 2019 Complaint that does not reference the CCPA; however, the Court’s February 11 Consolidation Order permits the plaintiffs to file a Consolidated Complaint after interim class counsel is appointed.  It is reasonable to expect that the updated pleading and addition of Sheth to the consolidated action could inject the CCPA more directly into the overall claims.

Burke v. ClearviewAI, Inc., Case No. 3:20-cv-00370 (S.D. Cal.)

On February 27, 2020, California consumer Sean Burke and Illinois consumer James Pomerene filed a putative class action Complaint against ClearviewAI (and its two founders) alleging the improper collection and sale of PII and biometric information in violation of, among other laws, the CCPA.  Clearview “scrapes” websites (scanning, extracting, and copying images) to compile a comprehensive database that allegedly includes over three billion images and PII of consumers, which Clearview sells to law enforcement and private entities.  Plaintiffs allege that Clearview collected and used their PII without notice or consent in violation of the CCPA.

Plaintiffs seek to represent three California-related sub-classes:

(a) Sub-Class One (the “CCPA Class”) (Cal. Civ. Code § 1798.100, et seq): All persons who, while residing in California, had their California Biometric Information collected and/or used by Clearview without prior notice by Clearview and without their consent.

(b) Sub-Class Two (the “Commercial Misappropriation Class”) (Cal. Civ. Code § 3344): All persons who, while residing in California, had their Photograph or likeness knowingly used by Clearview for commercial gain without their consent.

(c) Sub-Class Three (the “Unjust Enrichment Class”): All persons who, while residing in California, had their California Biometric Information misappropriated by Clearview from which Clearview was unjustly enriched.

The Complaint also asserts claims under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) as well as specific causes of action for violations of the UCL, commercial misappropriation, and unjust enrichment.

Cullen v. Zoom Video Communications, Inc., Case No. 5:20-cv-02155 (N.D. Cal.)

On March 30, 2020, California consumer Robert Cullen filed a putative class action Complaint against online video-conferencing provider Zoom alleging the failure to properly safeguard user information and improper disclosure of individual and business information to third parties, including Facebook.  The allegations arise from a March 26 Vice Media report that purports to detail unauthorized sharing and data vulnerabilities of Zoom.

Plaintiff seeks to represent a class comprised of: “All persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.”

Plaintiff asserts a claim under the CCPA for Zoom’s alleged collection and use of PII without adequate notice and failing to prevent unauthorized disclosure.  Plaintiff asserts related claims under the UCL and CLRA based on the same conduct and violation of, inter alia, the CCPA.  Plaintiff also alleges negligence, invasion of privacy, and unjust enrichment.

While these initial CCPA-related cases remain at the earliest stages, they demonstrate the ways in which consumer plaintiffs will use the CCPA in class actions.  Notably, however, not all consumer privacy complaints filed since January incorporated the CCPA.  Indeed, two consumer complaints filed in March 2020 in the Northern District of California make allegations arising from a consumer data breach, but do not include any claim under (or even reference to) the CCPA.

I.C., a minor by and through his natural parent, Nasim Chaudhri and Amy Gitre v. Zynga, Inc., Case No. 3:20-cv-01539 (N.D. Cal.); Carol Johnson and Lisa Thomas v. Zynga, Inc., Case No. 3:20-cv-02024 (N.D. Cal.). 

On March 3, 2020, Plaintiffs Amy Gitre and I.C. filed a putative class action Complaint arising from video game manufacturer Zynga’s alleged failure to protect PII of its users, including both adults (Gitre) and minors (I.C.).  Plaintiffs filed a fourteen-count Complaint that includes statutory and common law claims arising from the alleged failure to properly secure account holders’ PII.  In September 2019, a hacker publicly claimed to have breached Zynga’s database and was able to extract information concerning 218 million users.  The breach is alleged to have included users from some of Zynga’s most popular games: Words With Friends; Draw Something; and OMGPOP.  On September 12, 2019, Zynga posted a “Player Security Announcement” that confirmed the breach.

Plaintiffs seek to represent a nationwide class of: “All individuals in the United States whose PII was obtained or maintained by Zynga and compromised as a result of the Zynga data breach described herein” as well as adult and minor sub-classes.  The causes of action include:  negligence; negligent misrepresentation; negligence per se (under Section 5 of the FTC Act); unjust enrichment; violation of state data breach laws (including failure to safeguard data and failure to provide adequate notice of the breach); intrusion upon seclusion; and declaratory judgment (seeking an injunction compelling proper security of PII).  There are no references to, or causes of action under, the CCPA.

On March 23, a follow-on suit was filed in the same court raising similar allegations.  The Plaintiffs, Carol Johnson and Lisa Thomas, seek an identical nationwide class as well as Missouri and Wisconsin sub-classes, based on the citizenship of the Plaintiffs.  The Complaint asserts a narrower list of causes of action regarding negligence, negligence per se, unjust enrichment, and declaratory judgment.  Again, there are no references to, or causes of action under, the CCPA.

We will continue to monitor the various claims, as well as court decisions in CCPA litigation.  If you have any questions about defending and/or preparing for a potential consumer privacy class action, please reach out to our team.

Advertising and Privacy Law Resource Center

On Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment.  The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft.  The limited number of changes signals that the rulemaking process is reaching an end.

The following is a summary of key modifications the AG is proposing in the latest draft:

  • Service Providers – The AG revised the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services.

First, the AG removed an exemption allowing service providers to perform the services specified in the written contract with the business that provided the personal information.  In its place, the AG added a new exemption: “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.”  This new exemption significantly narrows the ability of a service provider to use personal information to perform services generally, now requiring that the service provider limit the use of personal information “on behalf of the business that provided the personal information.”

Second, the AG edited a clause that allowed a service provider to use personal information for internal purposes to build or improve the quality of its services.  The AG clarified that the exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business, or to correct or augment data acquired from another source.  These clarifications indicate that the AG seeks to limit a service provider from using personal information it obtains through providing a service to develop consumer profiles that it can resell.

  • Removal of Opt Out Button – In the prior draft of the regulations, the AG proposed a standard opt out button and logo for the industry to adopt.  But the opt out button came under scrutiny in comments submitted by Lorrie Cranor of Carnegie Mellon University, which highlighted usability issues presented by the color and appearance of the AG’s proposed button.  Cranor’s team noted that the icon looked deceptively like an actual toggle switch, and when combined with its red color, could be misinterpreted as indicating an off-state.  “[A] consumer may misinterpret the [AG] toggle icon as an indication that they have already opted-out of the sale of their personal information,” Cranor’s team wrote.  In the latest version, the AG removes all reference to the opt out button.
  • Exemption from Notice at Point of Collection – A business that does not collect PI directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.
  • Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.”  The new draft does not include new guidance, however, leaving the prior guidance as the only interpretation issued by the AG on whether IP addresses are “personal information.”
  • Privacy Policy Disclosures – The AG restored language from the first draft of the regulations requiring a business to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling personal information, both in a manner that provides consumers a meaningful understanding of the information disclosed.  The new language does not require these disclosures “for each” category of personal information.
  • Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld.  For example, a business should not provide an actual social security number, but should state that it holds the consumer’s social security number.
  • Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt out of the sale of their personal information.
  • Definition of a Financial Incentive – The AG removed a confusing element of the definition of a financial incentive that had previously indicated that a program, benefit, or other offering, including payments to consumers, would be a “financial incentive” where a company compensated the disclosure, deletion, or sale of personal information.  The AG clarified that a financial incentive relates instead to the collection, retention, or sale of personal information.
  • Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.

The deadline to submit written comments on the proposed modifications is March 27, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik, Aaron Burstein, Katie Townley, Carmen Hinebaugh, or Alex Schneider.

 
