The California Consumer Privacy Act (CCPA) right to non-discrimination explained

On June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA) had enough verified signatures to qualify for the November 2020 general election ballot. CPRA is a ballot initiative which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to expand and clarify the privacy rights of California residents. The result would be a law closer in scope to robust international privacy laws such as the GDPR. For more information on the CCPA, please see our posts here.

To qualify for the November 2020 ballot, CPRA needed to obtain more than 623,212 verified signatures. If passed by a simple majority of California voters in November, as currently looks likely, the CPRA would become effective on January 1, 2021, with most compliance obligations taking effect January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected on or after January 1, 2022. Additionally, the CPRA would extend the CCPA's temporary business-to-business and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would retain its authority to issue CCPA regulations and to enforce the law during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For a comparison of the CCPA and the CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements now to assess what changes would be necessary should the ballot measure pass. And a reminder: the CCPA enforcement date is July 1, 2020, although it is not yet clear whether the CCPA regulations will be in effect by then; the Office of Administrative Law's review remains pending. Please contact any of the attorneys in Kelley Drye's Privacy Group if you would like assistance with California privacy compliance.

CCPA vs. CPRA comparison chart

"Business" Threshold
CCPA: $25 million annual revenue; or buys, receives, sells, or shares the personal information of 50,000+ consumers, households, or devices; or 50% or more of annual revenue derived from selling consumers' personal information.
CPRA: $25 million annual revenue; or buys, sells, or shares the personal information of 100,000+ consumers or households; or 50% or more of annual revenue derived from selling or sharing consumers' personal information.

Operative Date
CCPA: January 1, 2020.
CPRA: January 1, 2023; applies only to personal information collected on or after January 1, 2022, except with regard to access requests.

Employee and B2B Exemptions
CCPA: Sunset January 1, 2021.
CPRA: Sunset January 1, 2023.

"Sold" and "Shared" Definitions
CCPA: "Sell," "selling," "sale," or "sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration.
CPRA: The term "sold" is broadened to "sold or shared." This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a narrower definition of "third party").

Service Providers and Contractors
CCPA: A service provider is an entity "that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business …"
CPRA: Introduces new requirements to qualify as a "service provider" and adds a new definition of "contractor" that mirrors the definition of a service provider. Clarifies and adds requirements regarding service providers' use of the data, such as a requirement that service providers keep the data received from the business separate from data they learn about a consumer from other sources (more restrictive than the AG's CCPA regulations). Requires contractual terms similar to those under the GDPR.

Consent
CCPA: Consent is not required under the CCPA. However, the definition of "sale" contains guidance regarding "intentional interactions."
CPRA: Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she … signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Introduces the concept of "dark patterns," defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation. Agreement obtained through use of dark patterns does not constitute consent.

Sensitive Information
CCPA: Does not contain separate provisions for sensitive information (other than increased verification requirements).
CPRA: Contains disclosure, opt-out, and purpose limitation requirements for sensitive personal information.

Automated Decision-Making
CCPA: N/A.
CPRA: Introduces the concept of "profiling." Calls for regulations requiring businesses' responses to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Correct
CCPA: N/A.
CPRA: Gives consumers the right to correct inaccurate personal information.

Opt Out of Targeted Advertising
CCPA: Does not restrict targeted advertising if it can be conducted without "selling" data.
CPRA: Providing advertising or marketing services remains a business purpose, but this does not include "cross-context behavioral advertising," a newly defined term for ads targeted to a consumer based on a profile or predictions about the consumer derived from the consumer's activity over time and across multiple businesses or distinctly-branded services, websites, or applications. Contains a broader opt-out provision (for both "sale" and "sharing") and specifically limits service providers from engaging in any cross-context behavioral advertising.

Retention
CCPA: Does not require businesses to disclose their retention practices to consumers.
CPRA: Businesses must disclose, at the time of collection, the length of time the business intends to retain each category of personal information, including sensitive personal information, or, if that is not possible, the criteria used to determine that period. A business cannot retain personal information for longer than is reasonably necessary for the disclosed purpose.

GDPR Concepts
CCPA: N/A.
CPRA: Contains language promoting the following GDPR principles:
  • Data minimization
  • Purpose limitation
  • Duty to avoid secondary use

Enforcement
CCPA: Enforced by the Attorney General. Allows a 30-day period to cure violations.
CPRA: Establishes the California Privacy Protection Agency, with a broad scope of responsibilities and enforcement powers. Expands the private right of action for security breaches to cover breaches of an email address in combination with a password or security question and answer. Modifies the 30-day cure period so that it applies to the private right of action for security breach violations rather than to general privacy violations of the law. Fines for violations involving children's personal information are tripled.


The Supreme Court issued an 8 to 1 decision today in the highly-anticipated case of Liu v. SEC. The opinion, authored by Justice Sotomayor (with Justice Thomas dissenting), holds that “[a] disgorgement award that does not exceed a wrongdoer’s net profits and is awarded for victims is equitable relief,” and allows the SEC to seek such relief under the Securities Act. Importantly, the decision indicates support for the argument that such relief, whether referred to as restitution, disgorgement, or an accounting, also qualifies as equitable relief under other statutes – including potentially under Section 13(b) of the FTC Act.

As we explained in January, the case involved two petitioners who had solicited contributions for the construction of a cancer-treatment center in California, but used $20 million of the almost $27 million collected for marketing expenses and salaries – contrary to representations in the private offering memorandum. The SEC brought an action, and the District Court found for the SEC, granting an injunction, imposing a civil penalty, and ordering disgorgement equal to the full amount the petitioners had raised from investors. The District Court concluded that the disgorgement award was a “reasonable approximation of the profits causally connected to [their] violation,” and the Ninth Circuit affirmed.

The Supreme Court concluded that disgorgement is relief that is “typically available in equity” provided that it (1) is not deposited into Treasury funds, (2) does not impose joint-and-several liability, and (3) deducts legitimate expenses. It vacated the previous decisions and remanded the case to the District Court to ensure the remedy satisfies these requirements. Notably, the Court cited the following text from Porter v. Warner Holding Co.:

Decisions from this Court confirm that a remedy tethered to a wrongdoer’s net unlawful profits, whatever the name, has been a mainstay of equity courts.

The FTC has cited this case in its petition for writ of certiorari following the Seventh Circuit decision in FTC v. Credit Bureau Center, over whether the authority to grant a permanent injunction under Section 13(b) includes the authority to require wrongdoers to return money that they illegally obtained.

The decision is limited to the relief available under the Securities Act, but indicates that the Court could agree with the FTC that restitution to consumers (i.e., monetary relief) qualifies as equitable relief under Section 13(b). However, the differences in statutory language could distinguish the two cases. Section 13(b) authorizes injunctive relief, while the Securities Act provides more broadly for “equitable relief” in civil actions, and the Supreme Court decision focuses on the definition of this term. The Court has not yet ruled on the cert petition, and the Solicitor General had previously requested an extension until after the Liu decision.

Earlier this year, Align Technology filed an NAD challenge against SmileDirectClub over claims that company made about its teeth aligners. After that, SmileDirectClub filed its own challenge against Align over claims that Align made about its own teeth aligners. After the dust settled on these cases, neither company was left smiling. Although the cases cover a lot of ground, we’re just going to focus on one issue in the second case that frequently comes up – identifying the object of a comparison.

Align advertised that its Invisalign clear aligners are "more comfortable and better-fitting," as well as "easier to put on and take off." Comparative claims like these raise the same question: "more comfortable," "better fitting," and "easier to put on and take off" . . . than what? SmileDirectClub argued that consumers would understand these as superiority claims against competing aligners, such as the ones it sells. Align argued that a footnote tied to the claims made clear that wasn't the case.

A disclosure at the bottom of the web page explained that the comparison was against “aligners made from single layer .030 inch (Ex30) material.” And to support its claims, Align presented various types of evidence comparing how consumers felt about “Invisalign brand aligners made out of the older EX30 material” versus “Invisalign brand aligners made out of new ST30 material.” Thus, Align argued that the comparison was against its previous product and that the claim was substantiated.

NAD didn't agree, for a number of reasons. First, the disclosures were ineffective because they appeared far removed from the claims they modified and were too small for consumers to easily notice, read, and understand. Second, NAD found the disclosures too technical, such that consumers would not realize the comparison was against the company's own previous product. In the absence of any clarification, consumers are likely to read the claims as a comparison against competing products.

There are at least two important lessons to take away from this decision. First, it’s important to clearly identify the basis of your comparison. That should be identified in the claim itself or in a clear disclosure that appears close to the claim – a footnote may not work. And second, ST30 really does seem to be better than EX30.


Following a data breach, companies generally launch an investigation to determine the source and scope of the breach. These efforts are often led by in-house privacy, compliance, and/or litigation counsel with an eye firmly planted on the legal claims that might be asserted, or need to be defended, as a result of that breach. Often key to any data breach investigation is an incident response consultant that helps determine the scope and analyzes the causes of a potential breach. Many companies expect that any reports by, or communications with, the consultant would be protected by the attorney-client privilege and/or work product doctrine, which would shield relevant materials from production during any governmental investigations or third-party litigation that arise from the event. Recently, however, a federal court compelled production of just such a breach report and related documents, calling into question the scope of that protection for data breaches and possibly other corporate investigations.

This post discusses the background and rationale that led to the Court's finding and offers our advice concerning steps that should be taken to maximize the potential scope of protection for consultant reports in data breach investigations and other corporate investigations. Read the full post: Lessons Learned for Maintaining Attorney-Client Privileged Data Breach Investigation (and other Consultant) Reports.

We’ve posted about how the FTC, FDA, and EPA have each targeted companies for making unsubstantiated claims about how their products can treat or cure the coronavirus. Now, we’ll add another acronym to the list – NAD.

NAD recently issued a decision involving a video by the owners of Your Superfoods promoting the company's Immunity Bundle. But the claims in this video are a little different from the ones recently targeted by the federal agencies. Here's the relevant part of the video:

With all that's going on, with the coronavirus there is [sic] a lot of things you cannot control. However, there is a piece that we can control, and that is our own health and building our immune system because it depends on what we eat…. It's super important to have a lot of micronutrients now, so Superfoods can help. We have this amazing immunity bundle – Super Greens to up your green, Mellow Yellow which really reduces your stress because stress actually reduces your immunity, and then we also have immunity boosting mushrooms in our Magic Mushroom mix.

Notice that the owners don't actually say their products can treat or cure the coronavirus. (Not even their magical mushrooms.) Instead, the only reference to the coronavirus is the true statement in the first sentence. Here, NAD was likely concerned that following that sentence with other sentences about how the products help consumers build their immune systems could lead viewers to believe that the immunity extended to the coronavirus itself.

Whether you are talking about health or something more mundane, this case should serve as a reminder that ads can be deemed misleading, even if the individual claims in the ads are literally true. What matters is how reasonable consumers will interpret the claims in context. Make sure you view your ads through their eyes and that you can substantiate all likely interpretations.

In April, Draper James – the clothing line of Hollywood star Reese Witherspoon – conducted a promotion for teachers, but ran into some communication issues along the way and is now the subject of a class action lawsuit. In an Instagram post, the brand thanked teachers for their work during the COVID-19 pandemic, and explained that, to show their gratitude, Draper James “would like to give teachers a free dress.” Media outlets including The Today Show and Good Morning America helped publicize the promotion, reporting that the brand was “giving free dresses to teachers.”

Teachers were instructed to apply by the stated deadline, and the application process required that entrants provide their personal contact information, as well as copies of their employee badges and work email addresses. Many thought that they would receive, or at least have a good chance to receive, a free dress. Unfortunately, that was not the case. Although the Instagram post contained caveats that the “offer [was] valid while supplies last[ed]” and that the “winners” would be notified, it did not disclose that only 250 teachers would receive a free dress.

After receiving close to 1 million entries, Draper James announced that the offer was a sweepstakes and provided all entrants with a coupon for 20 to 30% off. The inevitable followed: complaints, angry comments on social media, and a class action lawsuit alleging, among other things, breach of contract and violation of the California Consumer Legal Remedies Act and Unfair Competition Law. The complaint, initially filed in Los Angeles County Superior Court but removed last week to the U.S. District Court for the Central District of California, alleges that Draper James made an offer, promising new dresses in exchange for entrants providing their personal contact and employment information, and then breached that promise. That entrants, even if they did not receive a free dress, were added to the brand's email marketing database only added fuel to the fire. The plaintiffs seek restitution and disgorgement, as well as injunctive relief.

This promotion and its issues highlight the fact that, even if a business is trying to do good, things can go wrong. It is important that businesses communicate the material terms – including any restrictions or limitations – of any promotion. When that promotion is a sweepstakes, official rules are a must, as they lay out the specifics (e.g., winner selection, prize quantity) and provide protections for the business. For more information on structuring and advertising sweepstakes and contests, please check out our podcast or reach out to us directly.

The FTC’s most recent COPPA enforcement action, announced on June 4 with app developer HyperBeard, provides evidence of an ongoing debate within the Commission about privacy harm and the role of monetary relief in the agency’s privacy enforcement program.  Specifically, Commissioner Noah Phillips voted against the settlement with app developer HyperBeard and two corporate officers, and argues in a dissent that the $4 million civil penalty (to be suspended after payment of $150,000) imposed on HyperBeard is too great for the consumer harm caused by the company’s alleged COPPA violation.  In a separate statement, Chairman Simons defended the fine and rejected Commissioner Phillips’s argument that consumer harm should guide the FTC’s civil penalty calculations.

The action against HyperBeard also underscores that developers of child-directed services must not allow third-party interest-based advertising unless they meet COPPA’s parental notice and consent requirements, and that COPPA enforcement remains an FTC priority while the COPPA Rule is under review.

HyperBeard’s Alleged COPPA Violation

The central allegation in the FTC’s complaint is that HyperBeard allowed third-party ad networks to serve interest-based advertising in several child-directed apps without providing notice to parents or obtaining verifiable parental consent.  To support its conclusion that HyperBeard’s apps were child-directed, the complaint cites the apps’ content (e.g., cartoon characters and kid-friendly prizes) as well as a cross-promotion with children’s books that were categorized as such and declared as intended for child audiences on Amazon.

The complaint cites specific alleged failures in how HyperBeard handled third-party advertisers.  According to the complaint, HyperBeard did not “inform [the] third-party advertising networks that any of the [company’s apps were] directed to children and did not instruct or contractually require the advertising networks to refrain from behavioral advertising.”

Commissioner Phillips Dissents; Chairman Simons Responds

Although Chairman Simons and Commissioner Phillips apparently agreed on the merits of charging HyperBeard with a COPPA violation, they differed sharply on the magnitude of, and justification for, the fine. Chairman Simons argues that "deterrence should come first" when it comes to calculating civil penalties. Specifically, penalties should "make compliance more attractive than violation." In his view, the correct starting point for that calculation in this case was HyperBeard's gain from allowing interest-based advertising in its apps. Consumer harm, according to Chairman Simons, is "inapposite" to the objective of deterrence.

Commissioner Phillips, however, argues that consumer harm should be “a more central consideration in the calculation of privacy penalties.”  He also raises concerns that the FTC has been “relentless, without clear direction other than to maximize the amount in every case” and invites Congress to “pay attention to how the FTC is approaching monetary relief, including civil penalties, especially in privacy cases.”  In Commissioner Phillips’s view, the only harm that HyperBeard caused was to collect data that allowed “users presumed to be children” to be served with interest-based ads without the parental notice and consent that COPPA requires.  Such data collection is “endemic to the economy” and does not warrant a penalty that approaches the $5.7 million fine recently issued against Musical.ly – a case that involved a range of more serious alleged harms.

We do not expect a resolution of the questions about privacy harm and civil penalty calculations anytime soon.  In the meantime, developers should take note of the FTC’s continuing attention to COPPA enforcement and closely examine how they manage any data that flows from child-directed apps to third parties.

Amid the flurry of products making coronavirus-related claims, some without legal approval or scientific support, one class of products raises unique questions:  so-called “pesticide devices,” like ozone generators and ultraviolet (UV) lights, which are instruments that claim to control pests — including viruses and other germs — through physical or mechanical means.  Unlike chemical pesticides, such devices are not required to be registered by EPA and, therefore, are not scrutinized by the agency to ensure they are safe to use or work as intended.

Accordingly, EPA recently issued an advisory that cautions:

Please note that ozone generators, UV lights and other pesticide devices may not be able to make claims against coronavirus where devices have not been tested for efficacy or safety for use against the virus causing COVID-19 or harder-to-kill viruses.

Pesticide devices, unlike some existing surface disinfectant products that have data on file with EPA showing effectiveness against similar viruses, are not eligible under the agency’s Emerging Pathogens Policy to make claims related to the coronavirus/SARS-CoV-2 or for inclusion on EPA’s “List N” of products deemed to be effective against the virus.

Pesticide devices, though not subject to registration, are subject to other EPA requirements. For example, while devices will not have an "EPA Registration Number," they are required to be labeled with an "EPA Establishment Number" identifying the facility at which the device was produced. In addition, any claims made for devices may not be false or misleading, and, therefore, manufacturers should have data on file to substantiate any claims. It is possible, therefore, that a device could be effective against coronavirus and could legally make such claims, though companies should be prepared to defend the statements. To do so, companies should look carefully at the criteria for claim approval in EPA's Emerging Pathogens Policy.

EPA is actively pursuing enforcement in regard to illegal coronavirus claims, further information on which can be found at https://www.epa.gov/enforcement/covid-19-enforcement-and-compliance-resources.

EPA issued another in a series of recent advisories aiming to clarify for consumers and companies what they need to know about disinfectant products claiming to kill the coronavirus. EPA is actively investigating the numerous tips and complaints it continues to receive concerning products marketed with possibly false and misleading coronavirus/COVID-19 related claims.

For some of these products, those claims have not been reviewed or accepted by EPA and, therefore, may present a risk to consumers, and healthcare providers in particular.

Products that claim to disinfect and kill or otherwise inhibit viruses, bacteria and other germs must be registered with EPA before they can be sold.  A disinfectant cannot make legal claims of effectiveness against a particular pathogen, such as SARS-CoV-2, unless EPA has specifically approved the claim as part of the registration process. Registration requires that any claim be supported by valid test data and an EPA determination that the product works as intended and is safe to use.

Earlier this year, EPA issued a list of disinfectants (“List N”) that meet the agency’s criteria for use against the coronavirus (SARS-CoV-2, the strain of coronavirus that causes COVID-19).  While the surface disinfectant products on List N have not been tested specifically against SARS-CoV-2, they are expected to work against the virus because they demonstrate efficacy against other viruses that are deemed harder-to-kill or another similar strain of coronavirus.

Please note that just because the product label states that it kills “99.5% of viruses,” this does not necessarily mean that it will kill coronavirus.

Consumers are reminded to follow the label directions for approved disinfectants — particularly regarding the amount of time the product must remain wet on the surface — to ensure effectiveness in killing the virus.  Use of a disinfectant in a manner inconsistent with label directions can pose safety risks, both from contact with the pesticide and from a false belief that the surface has been cleaned of the pathogen.

See my prior post on EPA enforcement activity in this area, as well as a more detailed description of EPA’s approval policy for products deemed effective against SARS-CoV-2.

EPA’s advisory is available here.  List N can be found at:  www.epa.gov/ListN.

On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office "has made every effort to limit the burden of the regulations while implementing the CCPA" and does not believe the regulations are "overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation." Read the full post: CCPA Update: Final Regulations Submitted but No Changes from Prior Draft.