In 2019, Ad Law Access published 124 stories on a wide range of topics. However, two topics stood out above the others:

  • California Consumer Privacy Act (CCPA)
    CCPA was far and away the most popular topic of 2019 and, as mentioned in one of our last posts of the year, “businesses and privacy professionals would do well to catch their breath over the holiday season. Next year is going to need focus and investment to reach the [CCPA] finish line (which, yes, will continue to move because this is privacy law, after all).” Here are a few CCPA related posts you may want to read if you haven’t already:

Stay tuned for more installments of the “Section 13 (b)log.”

Other posts that resonated with readers:

Stay tuned to Ad Law Access in 2020 for more updates on these issues and other advertising and privacy law issues. Subscribe to our Ad Law News and Views newsletter and other Kelley Drye publications here to receive email communications tailored to your interests.

AD LAW ACCESS PODCAST

2019 also saw the launch of the Ad Law Access podcast. Top episodes included:

You can find the Ad Law Access podcast and other Kelley Drye podcasts wherever you get your podcasts.

NAD announced that they are making changes to their filing fees, effective January 1, 2020. The new fees will be as follows:

  • Under $250M: $10,000
  • National Partner: $25,000
  • Under $5B: $30,000
  • Over $5B: $35,000
  • NARB: $25,000

The first category (under $250 million) is a new one, designed to encourage participation from small businesses and strengthen industry self-regulation.

NAD also announced that there will be process improvements in 2020, including a new online submission process, as well as new tracks for faster resolution of NAD challenges. Stay tuned for more updates.

This month, AutoZone agreed to pay almost $50 million to settle a class action over changes the company made to its loyalty program.

According to the complaint, AutoZone promised consumers that they would receive a credit for every purchase of over $20, and that once they accumulated five credits, they would receive a $20 reward. A few years after the plaintiffs enrolled in the program, though, AutoZone changed the terms so that credits would expire after 12 months and rewards would expire after three months. The plaintiffs claimed they unknowingly lost credits and rewards as a result of this change.

AutoZone argued that the program terms specifically permitted them to make changes, including changes to the “period of time members have to use credits to earn rewards, and the period of time members have to use rewards.” Moreover, AutoZone argued that it took various steps to inform members before it made changes. The plaintiffs, however, argued that they did not see the notices and that AutoZone did not adequately disclose the program’s limitations in ads, even after the changes were made.

Although AutoZone denied the allegations, the company agreed to settle the case, a little over three years after the complaint was first filed. As part of the settlement, AutoZone will reinstate rewards and pay additional costs for an estimated total of just under $50 million.

Without a full record or a decision in this case, it’s hard to say if AutoZone could have done anything differently to avoid this result. Nevertheless, it’s important to note that companies frequently face complaints when they make changes to loyalty programs that adversely affect members. There are a number of steps that companies can take to reduce the likelihood that those complaints will turn into lawsuits. Among other things, companies should give some thought as to whether their terms are enforceable and ensure that their ads clearly communicate material limitations.

Congratulations. You’re nearly to January 1 with new practices designed to address CCPA obligations. Hydrate, and grab an energy bar – you’re just hitting your stride. Up ahead, we’ll need to incorporate obligations under the final Attorney General CCPA regulations (finalized perhaps mid-summer?), potential new legislation, and perhaps changes from a ballot initiative, which just passed one of its own hurdles.

On December 17, Californians for Consumer Privacy – the organization led by Alastair Mactaggart that brought us the CCPA – announced that the Attorney General had released the title and summary for Initiative 19-0021, a/k/a CCPA 2.0.

The AG summary highlights that CCPA 2.0 would allow consumers to: (1) prevent businesses from sharing personal information; (2) correct inaccurate personal information; and (3) limit the use of certain types of “sensitive personal information.” The initiative would also prohibit retention of personal information for longer than reasonably necessary, triple the maximum penalties for violations of minors’ privacy rights, and establish a new California Privacy Protection Agency, with the ability to impose fines. The summary also notes that the initiative could cost the state over $10MM, and it remains unknown how the initiative would affect state revenue associated with taxes from businesses affected by the initiative.

Californians for Consumer Privacy will have 180 days to gather at least 623,212 signatures (based on 5% of the total votes cast in the last gubernatorial election) to get the initiative on the November ballot. For reference, the group had obtained 629,000 signatures by June 2018 for CCPA 1.0.

Businesses and privacy professionals would do well to catch their breath over the holiday season. Next year is going to need focus and investment to reach the finish line (which, yes, will continue to move because this is privacy law, after all).

When it takes effect next month, the CCPA is almost certain to become an immediate spark for litigation.  While requests for access/deletion and individual or threatened claims start to fill in-house legal departments’ inboxes and the practical realities of compliance seize resources, a more fundamental question will need to be answered:  Is the CCPA constitutional?

Whether in the form of a declaratory judgment action filed in early January or as part of the normal-course litigation that the CCPA will create, certain aspects of the CCPA are ripe for constitutional challenge and could stall, if not derail, the CCPA before it even gets started.

In this post, we look at two of the constitutional vulnerabilities of the CCPA:  whether its cross-border implications violate the dormant commerce clause, and whether the vague definition of “personal information” is unconstitutionally void.

Dormant Commerce Clause

The Constitution’s Commerce Clause restricts States from regulating commerce or imposing regulations that impact conduct wholly in another state and/or that create an inconsistent framework across state lines.  While States have the power to regulate conduct outside their borders in certain circumstances, the CCPA creates a unique challenge that includes areas that arguably over-reach.

The Commerce Clause protects against inconsistent legislation arising from the projection of one state’s regulatory regime into the jurisdiction of another State.  The critical inquiry is whether the practical effect of the regulation is to control conduct beyond the State’s borders.  While state-specific data privacy laws are not new, the breadth and scope of the CCPA creates an issue of first impression.

While California has the right and power to protect California consumers, the practical effect of the CCPA is to control business practices outside the state.  Significantly, the CCPA over-reaches in its applicability to corporate affiliates, subsidiaries, and commonly-owned companies of California businesses, regardless of those entities’ own contacts with the state.

Given how uniquely the CCPA defines and regulates “personal information,” “service providers,” “third parties,” and “sale,” the CCPA comprehensively restricts companies’ collection of personal information on their websites that is not readily limited to California data.  If a company wants to avoid triggering a “sale,” the CCPA requires companies to make material changes to what information they collect or which other entities collect on their websites, as well as how business relationships are structured and memorialized, which cannot be readily limited to California resident personal information.

The practical effect of the CCPA on these issues is likely to affect entire industries and cost hundreds of millions, if not billions, of dollars, including affecting business practices and industries not limited to conduct occurring within California.

State Regulation of the Internet

While courts have taken different approaches to the permissible breadth and scope of a state’s internet regulations, the recent trend in the Ninth Circuit has put the onus on companies to either comply with CA’s laws or develop technology that allows them to block access to their websites in CA.

For example, in Greater Los Angeles Agency on Deafness, Inc. v. Cable News Network, Inc., the Ninth Circuit found CNN needed to find a way to provide closed captioning to CA visitors to its website, as mandated by a CA statute. Similarly, in Nat’l Fed’n of the Blind v. Target Corp., the District Court found a retailer needed to make its website accessible to blind visitors to comply with CA law.  The Court offered that Target could make a CA-specific website or block CA visitors; thus, if it chose to alter its entire website to comply with CA law that did not mean California was regulating out-of-state conduct.  One can expect the relevant courts will likely argue companies must comply across the board or find technological solutions.

That said, even with technology that can block or filter by California IP address, the CCPA may still regulate the conduct of non-California residents given its overall comprehensive structure regulating a company’s operational practices and business relationships that are not readily limited to California residents.  Unless and until a federal privacy law with preemptive effect is passed, the CCPA will push the Courts to consider the limits of one state’s ability to regulate conduct on the internet.

What is Personal Information? 

Given the rushed nature of the process that led to the CCPA’s passage, it is not surprising that it includes half-formed and vague definitions or directives.  Unfortunately, one of the most troubling terms is the core concept of “personal information.”  The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Significantly, that definition includes “household” information, which (counter-intuitively) means that information about other people falls into the definition of “personal information.”

Other than government-provided information, seemingly anything could qualify as “personal information” under the CCPA because, if combined with other data, it is capable of being linked to an individual consumer.  For example, studies have confirmed that knowing only a person’s birthdate, zip code, and gender gives you an 87% chance of making an accurate identification.

Void for Vagueness

A statute is void for vagueness if it fails to give a person of ordinary intelligence fair notice that his or her contemplated conduct is forbidden by the statute.  Papachristou v. City of Jacksonville, 405 U.S. 156, 162 (1972).  The failure to define terms has proven a fatal flaw in other regulatory schemes.  For example, in Entm’t Software Ass’n v. Blagojevich, a trade association successfully challenged an Illinois statute that regulated violent video games, including because the definition of “sexually explicit” was found to be unconstitutionally overbroad.

The definition of “personal information” certainly seems ripe for challenge on these grounds.  Other CCPA definitions that may be similarly infirm include:  “business,” “third party,” “sale,” and “aggregate consumer information,” particularly given the materially different obligations, restrictions, and liability exposure if a company misinterprets these vague terms.

These two issues are likely to be significant obstacles to the implementation and application of the CCPA.  Unfortunately, it may be some time before the Courts offer clarity on these questions.  While any declaratory judgment action may involve a request to stay implementation of the statute, it is not guaranteed that additional time will be available.  In the meantime, companies need to ensure their practices, procedures, and policies comply with the CCPA or open themselves up to increased risk and penalties.

Last week, Grammy Award-winning singer-songwriter Jason Mraz filed a lawsuit against MillerCoors, arguing that the company used his song “I’m Yours” in an Instagram post promoting Coors Light without his consent. The post featured 13 seconds of Mraz performing the song with Coors Light branding visible in the video. The caption read: “Kicking off summer with the World’s Most Refreshing Beer at the Beach Life Festival.”

Mraz alleges that MillerCoors did not seek his permission, and that he wouldn’t have given it anyway. “Due to the family friendly nature of the song, Mraz has never licensed the composition for use by alcohol companies or other adult-oriented products and would never do so.” According to the complaint, the unauthorized use violates Mraz’s copyrights and right of publicity, among other things.

MillerCoors removed the ad from Instagram, but a spokesperson insists the company didn’t do anything wrong. “MillerCoors contracted the rights to the BeachLife Festival and video assets through the event’s promoter, so if they truly feel there has been a violation here, we are not the party they should be suing.”

It’s too early to tell how this will turn out, and the case is likely to settle, so we may never have a clear answer. But it does illustrate an issue that commonly comes up with sponsorship agreements. Just because you’ve paid to sponsor a festival or other event doesn’t necessarily mean you have the rights to use footage captured at that event. You may need to secure those rights separately (and sometimes from another party). If you get those rights from the event organizer, make sure you have provisions in the agreement to help protect you against suits like this.

As the 45-day period for public comments on proposed regulations to implement the California Consumer Privacy Act (“CCPA”) draws to a close (comments must be submitted by 5:00 pm Pacific time on December 6), we share this report from the second of four public hearings that the Attorney General’s Office is holding this week.  Deputy Attorney General Nick Akers, joined by three colleagues from the AG’s Office, presided over the hearing, which was held on December 3 in Los Angeles.  Mr. Akers made it clear from the outset that the AG’s Office was in listening mode and would not engage in dialogue or answer substantive questions during the hearing.

Two dozen speakers took advantage of the AG Office’s attention to present a broad array of concerns about – and request changes to – the proposed regulations.  The overwhelming majority of speakers discussed operational and practical challenges that they would face if required to implement the regulations as proposed; there were few speakers representing consumer or advocacy groups.  Below are some of the main themes that emerged from the hearing.

  • Modify the Notice Requirements for Onward Sale of Data.  Speakers representing data brokers, online directories, people search services, and similar services urged the AG to rethink proposed subdivision 999.305(d).  This provision would excuse a business that “does not collect information directly from consumers” from the obligation to provide notice at the time of collection, but it would require such businesses to take one of two actions prior to selling personal information obtained indirectly: (1) provide direct notice to consumers of their right to opt out of sale; or (2) confirm that the source provided such notice, and obtain the source’s signed attestation to that effect.

Speakers asserted that these requirements are unworkable and potentially unconstitutional.  A better route, they argued, is to rely on general privacy policies, the right to opt out of sale, and the data broker registry mandated under AB 1202 to provide consumers with transparency and control.

  • Limit Do Not Sell Requirements.  Speakers presented three main objections to the AG’s proposed implementation of the right to opt out of sale.  First, these speakers objected to the “downstream notice” requirement (subdivision 999.315(f)) – which would require businesses to send opt-out requests to third parties to which they sold information within 90 days before receiving an opt-out request – arguing that the CCPA does not authorize such a requirement, and that it will require companies to breach lawful, existing contracts.  A second objection to the downstream notice requirement is that it will, in effect, impose the opt-out requirement on entities that are not subject to the CCPA and require all entities involved in a given request to respond on an unrealistically short timeline.  Finally, at least one speaker argued that the regulations should permit businesses to respond to opt-out requests received from the “Do Not Sell My Personal Information” link or browser-based opt-out signals but should not require the ability to respond to both.
  • Provide Additional Guidance About Verification and Data Security.  Speakers representing a broad array of interests argued that the proposed regulations create the potential for abuse by fraudsters, identity thieves, and other bad actors.  For instance, the direct notice requirement would likely create a flood of notices, providing perpetrators of imposter schemes with an opportunity to send fraud-related requests for consumers’ personal information with legitimate notices.  Others criticized the AG’s proposal (subdivision 999.313(d)(1)) to require businesses to treat unverifiable deletion requests as requests to opt out of sale, on the ground that it will invite bot attacks that have the effect of opting many consumers out of the sale of personal information.
  • Ease Burdens on Small Businesses.  Small business owners and representatives asked the AG to consider ways to reduce regulatory burdens on small businesses.  For instance, one suggestion was to exempt businesses from CCPA obligations if they meet the definition of a business only because they collect IP addresses – and no other personal information – from 50,000 or more consumers annually.
  • Clarify Exemptions for Nonprofits, Financial Institutions, and Employers.  Representatives of credit unions sought clarity about whether, and to what extent, the CCPA applies to them.  One speaker noted that many credit unions are organized as nonprofits but, as mutual benefit corporations, operate for the benefit of their members and therefore could qualify as “businesses” under the CCPA.  Others asked the AG to clarify the scope of the CCPA’s exemption for personal information collected under the Gramm-Leach-Bliley Act and California Financial Information Privacy Act, arguing that the AG should take a broad view of the exemption to prevent consumers from receiving additional – and potentially confusing – notices from financial institutions.  Finally, representatives of employee benefits administrators recommended that the AG provide guidance that broadly defines benefits that fall within AB 25’s exemption.

We will closely monitor subsequent stages of the AG’s CCPA rulemaking process.  Please contact any member of Kelley Drye’s Privacy team if you have any questions.

On the latest episode of the Ad Law Access Podcast, partner Kristi Wolff discusses FDA’s recent CBD warning letters, Commissioner nominee Dr. Stephen Hahn’s confirmation hearings, and a preview of this week’s Cannabis Law Update webinar.

On Thursday, December 5, from Noon – 1:00 Eastern we will be holding a webinar on the emerging cannabis regulatory and litigation landscape. This program will cover several areas, including the following:

  • Litigation trends
  • Prop 65 applicability
  • Trade and customs issues
  • What cannabis legalization means for government contractors

Register here: https://kelleydrye.zoom.us/webinar/register/WN_KnY4hTq-RVSpoLS7a7O4Xw

For additional information see the Cannabis Law Update blog.

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and wherever you get your podcasts.

On November 26, 2019, Senator Maria Cantwell (D-WA) along with other Democratic senators across four key Senate committees introduced the Consumer Online Privacy Rights Act (“COPRA”).  Per Senator Klobuchar’s description, COPRA “establishes digital rules of the road for companies, ensures that consumers have the right to access and control how their personal data is being used, and gives the Federal Trade Commission and state attorneys general the tools they need to hold big tech companies accountable.”

The bill would empower consumers with control over their personal information, including access, deletion, correction, and portability rights. The bill also would provide the FTC with broader powers to combat privacy harms.  Notably, the bill would establish a private right of action for consumers and would not preempt more stringent state privacy laws.  The following chart highlights key aspects of the Scope, Rules, Exceptions, and Enforcement of the COPRA bill.

Scope & Jurisdiction

COPRA covers all businesses with an average annual revenue over $25 MM (among other requirements), who are subject to the FTC Act and process or transfer information that identifies, or is “reasonably linkable” to an individual or consumer device.

COPRA excludes small businesses, non-profit organizations, political campaigns, banks, or other entities not already subject to the FTC’s jurisdiction.

Privacy & Data Security Rights

Duty of Loyalty & Right to Data Security: Codifies the FTC’s interpretation of reasonable privacy and data security standards. Requires businesses to designate privacy and data security officers in charge of ensuring compliance with COPRA.

Right to Access & Transparency: Incorporates provisions similar to the CCPA right to access data and privacy policy disclosure requirements.

Right to Delete: Broader than the CCPA in that there are no business purpose exceptions to retain consumer data.  If a consumer requests that a business delete covered data, the business must delete the data and inform service providers and third parties of the deletion request.

Right to Correct Inaccuracies: Businesses must provide a consumer a mechanism to correct inaccurate or incomplete data and must notify service providers and third parties of the correction.

Right to Controls: Incorporates provisions similar to the CCPA right to opt-out of the sale or transfer of consumer information.  The FTC would be responsible for promulgating rules for compliance with this right.

Right to Data Minimization: Businesses cannot process or transfer data unless it is “reasonably necessary, proportionate, and limited” to carry out the specific processing and transfer purposes described in the privacy policy; carry out a specific processing purpose or transfer after a covered entity has obtained affirmative express consent; or for a purpose specifically permitted by the Act.

Civil Rights

Businesses cannot discriminate based on data that differentiates people based on their perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful employment, or disability.

Businesses must offer the same housing, employment, credit, educational opportunity, and public accommodation to every person.  Businesses are also required to conduct impact assessments to ensure algorithmic decision-making is not discriminating based on data that may differentiate people using those traits.

Exceptions

Businesses do not need to comply with the Rights above if:

  • It is demonstrably impossible
  • It would prevent the business from carrying out internal audits, performing accounting functions, processing refunds, or fulfilling warranty claims
  • The request is made about publicly available information
  • It would interfere with First Amendment rights
  • It would impair the privacy rights of another consumer
  • The request would prevent the business from processing the data for a specific purpose that a consumer authorized or the authorization fell under an exemption

Third Parties & Service Providers

Service providers are exempt from several provisions in the Act.  However, they must delete, correct, or de-identify data subject to consumers’ requests under the Act.  Service providers must only use data in the way their contract provides and can’t sell data to a third party without affirmative express consent from the business.

Third parties cannot process data inconsistent with the expectations of a reasonable consumer.  In receiving data, third parties can reasonably rely on the representations of the businesses and service providers.

Businesses must conduct reasonable oversight and due diligence on service providers and third party transfers of data.

Private Right of Action

COPRA provides a private right of action for individuals to assert violations.  Any violation of the Act, or of a regulation promulgated under it, will be considered an “injury in fact.”  Damages range from $100 to $1000 per violation per day.  Arbitration agreements and class action waivers are invalid in disputes arising under COPRA.

Federal & State Enforcement

Within two years, the FTC must create a new bureau to assist in exercising their authority under the Act and other Federal laws addressing privacy, data security, and related issues.  A violation of this Act is treated as a violation of the FTC Act.

One year after enactment, a CEO (or equivalent) and data privacy officers must review and certify to the FTC that they maintain adequate internal controls and reporting structures to ensure compliance with this Act.

Businesses will be required to have a privacy and data security officer, who ensures the business has a comprehensive written privacy and data security program, annually conducts risk assessments and facilitates ongoing compliance with this Act.

This Act does not preempt any state laws that afford “a greater level of protection to individuals protected under this Act.”  It only preempts directly conflicting state laws.  The Act does not preempt any other private rights of action but the FTC can intervene in individual enforcement actions under COPRA.

COPRA was introduced in anticipation of the Senate Committee on Commerce, Science, and Transportation December 4th hearings entitled “Examining Legislative Proposals to Protect Consumer Data Privacy.”  While it remains unclear if there will be enough momentum for this bill to advance, the scope and direction of the legislation underscore the change in the privacy law landscape in the US, and that California’s CCPA may only be the start.  If you have further questions about how these developments may apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.

The week after Thanksgiving is always a busy one and this year does not disappoint. We are pleased to be holding the following educational opportunities this week:

California Consumer Privacy Act Workshop Los Angeles Edition
In Los Angeles, on Wednesday, December 4, we will be holding the latest in our series of California Consumer Privacy Act (CCPA) Workshops. This edition will come a day after the California Attorney General’s public hearing on the draft regulations, which we will recap. Like the others, this will be an interactive discussion on CCPA interpretation questions and compliance strategies, and will include a deep dive into understanding and applying core CCPA provisions; industry benchmarking; preventing unintended “sales” of data; updating applicable privacy policy provisions and other disclosures; and considerations for business partner and vendor management. A reception to support networking with your privacy peers will follow the program. To find out more about this invitation-only in-person workshop, please contact workshop@kelleydrye.com.

Politics in the Workplace
Also on December 4, at 12 Eastern, Barbara Hoey, Chair of Kelley Drye’s Labor and Employment Practice; Christie Grymes Thompson, Chair of the firm’s Advertising Law Practice; and David Frulla, Chair of the firm’s Campaign Finance and Political Law, will join for a discussion on best practices for handling all aspects of politics in the workplace. This one-hour webinar will review federal and state rules regarding employees’ political activity and speech in the workplace; how to protect your company’s brand and reputation in the context of political fundraising and advocacy; and how to comply with federal campaign finance laws when your company or its executives engage in political activity. To register for this webinar, please contact marketing@kelleydrye.com.

Cannabis Regulatory Update
On December 5 at 12 Eastern, special counsel Beth Johnson, Bez Stern, Joseph Green, and associate Melissa Brewer will present a comprehensive cannabis regulatory update.  Topics include the impact of cannabis legalization on government contractors, an update on developing cannabis litigation issues, a review of Prop 65 applicability, and a primer on cannabis customs issues.  To register, click here.

If you cannot attend any of these events, stay up to date with our Ad Law Access blog and podcast, the Cannabis Law Update blog and get a preview of the new Advertising and Privacy Law Resource Center.