Alysa Z. Hutnik


Last year’s voter guide to California Proposition 24, the California Privacy Rights Act (CPRA), included a stark argument against enacting the privacy ballot initiative because it did not go far enough to protect employee privacy.  “Currently, employers can obtain all kinds of personal information about their workers and even job applicants,” the argument against Proposition

The FTC yesterday took two actions that on their face seemed part of the regular course, but that could signal notable changes for financial institutions and multi-level marketing companies.  First, the FTC filed an amended complaint against RCG Advances, a merchant cash advance provider, alleging that the company violated the Gramm-Leach-Bliley Act and seeking civil

Update: Governor Polis signed SB 21-190 into law on July 7, 2021; see our updated blog post here.

The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Assuming Colorado Governor Jared Polis signs the bill (SB 21-190) into law, ColoPA will

Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency (“CalPPA”), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data.  So what is a “contractor?”  And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising.  Contractors are nearly identical to service providers, with just two differences:  contractors are not data processors; and contractors must make a contractual certification in CCPA contracts.  Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party:  First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure).  The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the “sale” of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.”  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
Continue Reading CPRA Update: What is a “Contractor?”

The Florida legislature recently passed CS/SB 1120 updating and significantly expanding the state’s existing telemarketing laws, the Florida Telemarketing Act and the Florida Do Not Call Act. Many of the new provisions are similar to the TCPA, including, most importantly, adding a private cause of action for any violations of the Florida Do Not Call Act and requiring prior express written consent for automated or prerecorded calls or texts. If the bill becomes law, it will go into effect on July 1, 2021.

Under the existing Florida Do Not Call Act, callers are prohibited from making telephonic sales calls using “an automated system for the selection or dialing of telephone numbers” unless (i) the call is in response to a consumer-initiated call, (ii) the numbers are unlisted or have been scrubbed against the state Do Not Call list, or (iii) the calls relate to goods or services previously ordered or purchased. This Act does not include exemptions from the definition of “telephonic sales calls.” The Florida Telemarketing Act determines licensure, call timing, identification, and recordkeeping requirements, among others, and includes a number of exemptions.
Continue Reading Florida Takes Page Out of TCPA’s Book with New Legislation

Smart (CA) TVs Are Listening: California Assembly Passes Voice Recognition Device Bill Headed to Senate

The California Assembly recently passed AB-1262 updating an existing law to further limit the use of personal information collected through connected TVs and smart speaker devices. Specifically, the bill prohibits:

  • Operating a voice recognition feature of a connected TV or

Over the last few months, a wave of consumers have filed putative class action complaints against a long list of consumer-facing website owners/operators and their software providers alleging invasion of privacy rights under statutes focused on wiretapping and eavesdropping.

Our team has represented both website and software defendants in these cases.  However, this post is not intended to reflect on any specific claim, website, or software.  Rather, our goal is to provide an introduction to the general nature of the consumer claims and current landscape of these litigations.

This post summarizes (1) the “session replay” technology at issue in these claims; (2) arguments presented by the Complaints; (3) an overview of common defenses; and (4) where things stand.  With that context, we then provide our list of practical considerations for the use of session replay software.      

What is “Session Replay” Software? 

A significant branch of the Software-as-a-Service (SaaS) industry has arisen to support website owners/operators in effectively maintaining and leveraging their consumer-facing websites.  These software products are generally scripts placed in the JavaScript of a given website to capture specific information related to a consumer’s interactions with a given page.  The software can capture a consumer’s keystrokes and mouse movements to provide information on everything from broken links or error messages to support IT teams, create heat maps showing website usage, and/or capture consumer information for validating consent to be contacted or agreement to receive products and services.

Despite how these products are often described, the software does not actually record the consumer’s session in the way that a security camera in a brick-and-mortar store would capture a consumer’s movements. Rather, it captures the consumer’s interactions with the website at regular intervals and allows those movements and data points to be laid over an existing image of the website so that owners/operators can review a recreation (or dramatization) of an individual consumer’s experience.
Continue Reading Privacy Litigation Trend: The Latest on Session Replay Lawsuits, and Practical Considerations for Risk Mitigation

The Senate Commerce Committee today voted overwhelmingly to move forward with Lina Khan’s nomination as FTC Commissioner, signaling that Khan is likely to ultimately be confirmed as the youngest Commissioner ever at 32.  As we previously discussed here, Khan is primarily known as an antitrust scholar advocating for more exacting scrutiny of big tech

Key Developments in CCPA Litigation for Q1 2021

As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings.  In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021.  These cases raise significant issues