State Attorneys General

It’s no secret that the Justice Department and state Attorneys General don’t like coupon settlements in class actions.  Since 2007, groups of state AGs have been objecting regularly to coupon settlements that would force class members to pay more money to defendants accused of consumer fraud.  On February 4, the Justice Department filed an amicus

Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the

In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
Continue Reading

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was in the beginning of its rulemaking process and noting that she anticipated the formal review process not to start until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

Main Themes


Continue Reading

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth

Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices.  Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly more narrow.  As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.
Continue Reading

Florida attorney general Pam Bondi filed a complaint last week against Icebox Cafe, L.C. alleging that the restaurant violated Florida’s Deceptive and Unfair Trade Practices Act by making misleading claims that its food products were “locally-sourced” and “sustainable.”  The defendant operates a self-proclaimed “farm-to-table” restaurant in Miami Beach, along with select locations at airports.

According

When class actions have a low settlement value relative to the size of the class, it is normal for defendants to pay out money to non-profit groups that advocate for issues relevant to the case rather than directly to class members. Last July, in “Give the Money to One Percenters, Not to Non-Profits,” I reported that 11 state Attorneys General had decided to buck this ongoing trend, asking the Third Circuit to reject a class action settlement in which Google would have paid $3 million to non-profit groups advocating for privacy rights.  The Third Circuit has not ruled on that appeal, but with a new brief to the U.S. Supreme Court, the number of state AGs advocating for this change now has grown to a bipartisan group of 20.

Courts approve these “cy pres” distributions to non-profits where they find it “infeasible” to distribute money directly to class members.  The Circuits are slightly split on what it means to be “feasible,” however, and in the new brief, the AGs chastise the Ninth Circuit for approving cy pres “whenever there is a large class.”  The AGs prefer “feasible” to be synonymous with “possible,” and whenever possible, they want money to be distributed, somehow, at least to a subset of affected class members.

In the new case, In re Google Referrer Header Privacy Litigation (captioned at the Supreme Court as Frank v. Gaos, with “Frank” being Ted Frank, head of the Competitive Enterprise Institute’s Center for Class Action Fairness), Google would pay out $8.5 million to settle claims that it inappropriately shared user searches with third party marketers.  The Ninth Circuit “quickly disposed of the argument that the district court erred by approving a cy pres-only settlement.”  Because “[o]bjectors do not contest the value of the settlement” or plead that they suffered any out-of-pocket injury from Google’s conduct, the only question was whether it was “feasible” to distribute $8.5 million to a class with 129 million estimated members who performed searches through Google.
Continue Reading