House Democrats Primed to Introduce 13(b) Legislative Fix

On Thursday afternoon, the future of the Federal Trade Commission’s enforcement authority took center stage during a House Energy and Commerce Committee hearing entitled, “Safeguarding American Consumers: Fighting Fraud and Scams During the Pandemic.” While the Consumer Protection and Commerce Subcommittee hearing was ostensibly focused on pandemic-related fraud, calls to clarify the agency’s ability to use Section 13(b) of the FTC Act to provide restitution dominated the discussion. For their part, House Democrats appear ready to move forward with a legislative fix – perhaps even before the Supreme Court issues its ruling on the scope of 13(b) in AMG Capital Management, LLC v. Federal Trade Commission later this year.

During Thursday’s hearing, Representative Tony Cárdenas (D-CA) announced plans to introduce legislation to clarify the FTC’s ability to use Section 13(b) to provide refunds to consumers victimized by fraud and deception. In highlighting the need for the legislation, Representative Cárdenas cited an October 2020 letter from all five FTC Commissioners urging Congress to “act quickly so that the FTC can continue to effectively protect American consumers.” Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) expressed strong support for the legislation, as did full committee Chair Frank Pallone (D-NJ), who noted that “the FTC’s ability to make consumers whole is under threat in the Supreme Court.”

Witnesses at the hearing – including former FTC Chairman William Kovacic and former director of the agency’s Bureau of Consumer Protection Jessica Rich – expressed concern that an adverse ruling by the Supreme Court in AMG would severely weaken the agency’s enforcement power. A top legislative priority, in Kovacic’s words, should be “repairing what is likely to be a hole in 13(b) authority.”

Notably, the witnesses were divided on the issue of whether Congress should act before the Supreme Court rules. In response to a question from Subcommittee Chair Schakowsky, Kovacic expressed concern that acting before the Court’s decision would “lead to the conclusion that the authority was never intended” by Congress. Rich and TINA.org Executive Director Bonnie Patten, however, noted that the agency’s ability to pursue restitution under 13(b) has already been severely curtailed by the courts and that Congress should move quickly.

While Representative Cárdenas urged committee Republicans to work with him on the legislation, none lined up in support of the yet-to-be introduced bill on Thursday. Energy and Commerce Committee Ranking Member Cathy McMorris Rodgers (R-WA) spoke about the importance of 13(b), but expressed concern that the agency might abuse the authority and use it “primarily to leverage defendants into settlements.” On the other side of the Capitol, the Senate Commerce Committee’s top Republican Roger Wicker (R-MS) included a 13(b) fix in a comprehensive privacy bill introduced last year – a point not lost on Representative Cárdenas.

Although the timing for legislative action remains uncertain, Thursday’s hearing strongly suggests that the new Democratic Congress is intent on revising the statute to provide the FTC with the express authority to obtain monetary penalties.

_______________________________

Sign up for our Ad Law News and Views newsletter to get more on 13(b) and to stay current on advertising law and privacy law matters.

As 2020 drew to a close and Congress scrambled to reach a deal to continue funding the federal government, a new power for the FTC was tucked in amidst the 2124 pages of the 2021 Appropriations Bill: civil penalty authority for deceptive COVID-related acts and practices. Titled the COVID-19 Consumer Protection Act (see page 2094 here), the law states as follows:

(b) For the duration of a public health emergency declared pursuant to section 319 of the Public Health Service Act (42 U.S.C. 247d) as a result of confirmed cases of the 2019 novel coronavirus (COVID–19), including any renewal thereof, it shall be unlawful for any person, partnership, or corporation to engage in a deceptive act or practice in or affecting commerce in violation of section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)) that is associated with—

(1) the treatment, cure, prevention, mitigation, or diagnosis of COVID–19; or

(2) a government benefit related to COVID–19.

(c) ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.—

(1) VIOLATION.—A violation of subsection (b) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

The civil penalty authority is granted through the duration of the current public health emergency.  The current maximum civil penalty amount per violation is $43,280.

Here’s why this is significant: The FTC generally does not have authority to seek civil penalties for a first violation of the FTC Act. However, the FTC can seek civil penalties if a company or individual is subject to an order and then violates that order, or where the FTC has obtained a final cease and desist order via litigation and subsequently put a non-party on notice of a violation. With the authority granted in the COVID-19 Consumer Protection Act, though, the FTC can identify practices relating to COVID-19 treatment, cure, prevention, mitigation, diagnosis, or a government benefit that the agency considers deceptive per Section 5 of the FTC Act and seek civil penalties for that violation.

The law does not specify how each violation will be calculated. However, the Rose Sheet reports that, at a recent webinar, Richard Cleland, FTC Assistant Director for Advertising Practices, indicated that “Every ad is a separate violation and every day that that ad runs or is disseminated to the public is a separate violation.”

As we chronicled, the FTC issued hundreds of warning letters relating to deceptive COVID claims during 2020. And yet, the agency faced criticism from members of Congress who questioned why the FTC did not pursue financial remedies on consumers’ behalf. With the rollout of the vaccines, potentially more financial assistance in the works, and the virus raging on, the FTC has a larger hammer than it did just a year ago, and advertisers of COVID-related products should expect the agency to use it.

________________________

For additional information on cannabis matters, visit our Cannabis Law Update blog. For more information on FTC and other regulatory matters, visit the Advertising and Privacy Law Resource Center and subscribe to the Ad Law Access podcast and blog.

In the absence of comprehensive federal privacy law, states are following California’s lead and proposing their own privacy bills. This blog post provides an overview of three state bills that we are tracking closely in this year’s legislative session: the Washington Privacy Act (“WAPA”), the New York Privacy Act (“NYPA”), and the Virginia Consumer Data Protection Act (“VCDPA”). Though the proposed bills are distinct, there are similarities that largely track existing CCPA and/or GDPR requirements:

  • Distinguishing between controllers and processors. Similar to the EU’s GDPR, all three bills distinguish between “controllers,” which generally determine the purposes and means for processing personal data, and “processors,” which process data on behalf of the controller.
  • Imposing contractual requirements between controllers and processors. Similar to the CCPA, the three measures require establishing contractual obligations between controllers and processors that provide specific instructions for processing, among other requirements, depending on the bill.
  • Defining targeted advertising. In contrast to the CCPA and GDPR, each of these state bills provides an explicit definition of targeted advertising. Generally, this definition includes advertising targeted to consumers based on the personal data that a controller has collected about those consumers from across a number of websites. This definition generally does not include advertising solely based on a consumer’s current visit to the website.
  • Providing rights for consumers. Consistent with the GDPR and CCPA, all three bills provide consumers with various privacy rights, including the right to confirm processing, access, delete, correct, and opt-out of their data processing for specific purposes. Notably, the NYPA goes one step further and requires opt-in consent for all data processing.
  • Providing transparency about data practices. All three measures require those subject to the law to provide transparent privacy notices with information about their data processing practices.
  • Conducting risk assessments. Each measure references risk assessments, or similar measures, that applicable entities must conduct with respect to data processing, including, in the instance of the WAPA, targeted advertising, data sales, and some specific instances of profiling. Though the NYPA references risk assessments, it does not provide explicit requirements.

While the bills include many similarities, some of the measures’ differences are worth noting, specifically as they apply to thresholds for which entities are subject to the law, consent requirements, enforcement mechanisms, and penalties. The following chart identifies some of these key distinctions.

| | NYPA | WAPA | VCDPA |
|---|---|---|---|
| Thresholds to Applicability | None | Conduct business in WA and (a) annually control or process personal data of 100,000+ consumers; or (b) derive over 25% of gross revenue from the sale of personal data and process or control personal data of 25,000+ consumers* | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers* |
| Data Brokers | Separately defines and provides obligations for data brokers | N/A | Separately defines data brokers |
| Consent | Required for all processing | Generally not required, except for sensitive data | Only required where a consumer has restricted processing, or a risk assessment indicates that risks of processing outweigh consumer benefits |
| Opt-Out | Permitted for all processing | Permitted for processing for targeted advertising, sale, or profiling for decisions that have legal effects | Permitted where processing requires consent |
| Fiduciary Duty? | Yes, for controllers and data brokers | No | No |
| Private Cause of Action | Yes | No | Yes |
| Cure Period? | No | Yes, 30 days after receipt of a warning letter from the Attorney General | Yes, 30 days after receipt of notice of alleged noncompliance |
| Damages/Penalties | Injunction, damages, and a civil penalty based on number of and type of violations, and the size of the entity | Up to $7,500 per violation | Private plaintiffs can seek the greater of actual damages or $500, or, for willful actions, the greater of treble damages or $1,000**; Attorney General can seek up to $2,500 per willful violation |

*Consumers are defined as residents of the respective state acting in an individual or household context, and explicitly exclude individuals acting in a commercial or employment context.

**The VCDPA permits a private cause of action under the state Consumer Protection Act, which includes a cap on damages as identified in the chart.

Notably, two of the three bills include a private cause of action, a point of contention at the federal level. The absence of such a provision in the WAPA helped kill two prior attempts to enact a state privacy law. Critics of the WAPA point to the lack of a private right of action as the biggest reason to reject the bill, and we could see changes to these provisions as the bill moves through the legislative process.

The three bills are still pending, with the NYPA and WAPA referred to committees in their respective legislatures. The VCDPA is the closest to enactment, with companion bills having passed in both the state House and Senate. The legislature must now reconcile the companion bills before the General Assembly adjourns on February 11, 2021. The bill would then require the governor’s signature to become law, which could be by the end of the month. If enacted, the VCDPA would become effective on January 1, 2023. Stay tuned to this blog for updates on these and other proposed measures, and what their enactment means for future privacy compliance.

_____________________________

For additional information on privacy matters, visit our Advertising and Privacy Law Resource Center and subscribe to the Ad Law Access podcast and blog.

The California Office of Environmental Health Hazard Assessment (OEHHA) yesterday released its explanation for withdrawing proposed “clarifications” to the Proposition 65 regulations governing internet sales.  Last January, OEHHA proposed what it considered to be modest clarifications to the safe harbor warning regulations, including provisions that would:

•  Specify that “internet sales” include purchases through mobile device applications;

•  Clarify that the option to provide a warning “by electronic device or process” is intended to apply to in-store product purchases at a physical retail location, and that this provision is unrelated to the requirements for warnings provided online for internet purchases;

•  Make clear that the tailored warnings provided in the regulations for specific products (such as for food, alcoholic beverages, and furniture) apply to internet and catalog sales; and

•  Expressly state that the requirement to provide warnings in alternate/foreign languages applies to the tailored product-specific warnings.

In September 2020, after reviewing feedback on the rulemaking, OEHHA announced that it intended to withdraw the proposed clarifications.  Now, the agency has released its final determination and response to comments document in which it explains that the withdrawal was precipitated by stakeholder comments that the supposed “clarifications” in fact represented a “wholesale change” to “the existing safe harbor warning for almost every consumer product.”  OEHHA objected to commenters’ characterization of the proposed revisions, particularly the contention that the “current safe harbor regulations do not require businesses selling online to provide both a website warning and a warning on or with the same product.”  In OEHHA’s view:

Websites and smart phones can be a part of a safe harbor warning method, but neither are a standalone safe harbor warning method.

While disagreeing with the comments, the agency opted to withdraw the proposed changes and said it will consider proposing similar amendments in the future.

With regard to alcohol sales, OEHHA finalized a series of changes intended to codify the terms of a settlement stemming from the California Attorney General’s enforcement action against online sellers of alcoholic beverages. The new provisions include a requirement that Prop 65 warnings provided on-line or in catalogs also must be “provided to the purchaser or delivery recipient prior to or contemporaneously with the delivery of the product.” Such warnings “must be readable and conspicuous to the recipient prior to consumption of the alcoholic beverages,” and must be provided (1) on or in the shipping container or delivery package, or (2) delivered by email or text message as part of the electronic receipt or confirmation of the purchase. These regulations go into effect April 1, 2021.

It is important to remember that the “safe harbor” warning regulations are not mandatory, but, rather, prescribe warning text and methods that are considered de facto compliant.  Businesses can use other means of communicating a warning, or different text, but, if so, they run the risk of a plaintiff challenging the sufficiency of the warning as “clear and reasonable.”

Further information is available at OEHHA’s website.

Find out more on Prop 65 on our Kelley Green blog.

On Friday, January 22, 2021, the Federal Trade Commission settled charges with three ticket brokers for violating the Better Online Ticket Sales (BOTS) Act, which was passed in 2015. These are the first cases brought under the Act. In them, the Commission alleged that three brokers “used automated software to illegally buy up tens of thousands of tickets for popular concerts and sporting events, then subsequently made millions of dollars reselling the tickets to fans at higher prices.” According to the Commission, the brokers acquired 150,000 tickets “using automated ticket-buying software to search for and reserve tickets automatically, software to conceal their IP addresses, and hundreds of fictitious Ticketmaster accounts and credit cards to get around posted event ticket limits.” Judgments against the three amounted to about $31 million, of which the defendants will pay $3.7 million. The Commission sued both the companies and the individuals who ran the companies.

These cases are notable not only because they are the first under the Act, but also because it took the Commission over 5 years to bring them, leaving the Act completely unenforced for years. While the release suggests the investigation was complex, detection was likely easy. Brokers are usually fairly visible to the public. The Commission likely found them online, subpoenaed their records and software, and hired a forensic specialist to peel apart the code. These cases raise serious issues for brokers who use automated purchasing software to purchase tickets for resale, although it remains to be seen whether these enforcement actions will be a one-off signal to brokers that the Commission is watching or something more common. Acting Chair Slaughter’s concurring statement would seem to suggest that there will be more during her tenure.

 

For more information on the FTC, advertising, marketing, and privacy law, subscribe to Kelley Drye’s Ad Law Access blog and podcast and visit the Advertising and Privacy Law Resource Center. Additional Kelley Drye resources can be found here.

Private consumer litigation in 2020 was significantly impacted by the California Consumer Privacy Act (CCPA) which took effect on January 1, 2020.  Whether asserted as a standalone CCPA violation claim or as a predicate act for other causes of action, including under California’s Unfair Competition Law (“UCL”), the volume of CCPA litigation has not abated.  While some claims have already been resolved (by motion or agreement), others are just hitting their litigious stride and with a full year of experience, certain trends have started to develop.

Over the course of the year, we have reported and summarized filed cases in our CCPA Round-Ups (Q1, Q2, Q3/4).  Now, with the first year of CCPA litigation behind us, this post (1) highlights emerging trends across the docket of cases; and (2) introduces Kelley Drye’s new CCPA Litigation Tracker, which is designed to provide an ongoing reference guide for updates on key cases involving consumers asserting CCPA-related claims.

It has been a full year since the California Consumer Privacy Act (“CCPA”) took effect at the top of 2020. In the cases filed in the second half of the year, the complaints more frequently assert a violation of the CCPA as a standalone cause of action, though it remains common for a CCPA violation to be asserted as a predicate to support a separate cause of action, such as a violation of California’s Unfair Competition Law (“UCL”).

In this post, we include our round-up of representative cases filed in the third and fourth quarters of the year. Our prior summaries of CCPA-related litigation filed last year can be found in our Q1 2020 CCPA Litigation Round-Up and CCPA Litigation Round-Up: Q2 2020. We have separately analyzed trends emerging from the 2020 CCPA litigation landscape. Going forward into 2021, we will continue to report on relevant developments in CCPA consumer litigation, and also provide updates in our CCPA Litigation Tracker chart.

  1. Cases Filed in Q3/Q4 2020 Alleging Direct Violation of CCPA

Shadi Hayden v. The Retail Equation, Inc. et al., No. 8:20-cv-01203 (C.D. Cal.)

On August 3, a class action amended complaint was filed by thirteen named plaintiffs against The Retail Equation, Inc. (“TRE”) and a variety of retailers: Sephora USA, Inc., Advance Auto Body Parts, Inc., Bed Bath & Beyond, Inc., Best Buy Co., Inc., Buy Buy Baby, Inc., Caleres, Inc., CVS Health Corporation, Dick’s Sporting Goods, Inc., L Brands, Inc., Stein Mart, Inc., The Gap, Inc., The Home Depot, Inc., and The TJX Companies, Inc. (the “Defendant Retailers”) in the District Court for the Central District of California.  Plaintiffs’ CCPA claim alleges that the Defendant Retailers, without their customers’ knowledge or consent, collect large amounts of data about their retail customers, including: (1) “Consumer Commercial Activity Data,” which includes “the unique purchase, return, and/or exchange histories of individuals consumers”; and (2) “Consumer ID Data,” which includes “the unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, and/or passport” such as “the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code.” Plaintiffs allege that this data is shared with TRE as non-anonymized, individual data sets, which TRE processes to create consumer reports and a risk score for each customer. The risk score is allegedly used to advise the retailer about whether a customer’s attempted return or exchange is fraudulent or abusive.  The amended complaint alleges that “Defendants’ policies and practices failed to hold plaintiffs’ and Class members’ personal information secure by, for example, [the Retailer Defendants’ sharing of] the personal information . . . in an unsecured, unrestricted manner with TRE to create consumer reports and generate a ‘risk score’ that TRE then shared with other Defendant Retailers alongside other personal information.”

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.)

On August 5, 2020, plaintiff Robert McCoy filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without obtaining consent. This personal data includes the duration of time spent on non-Google apps and how frequently those apps are opened.  Plaintiff’s CCPA cause of action alleges that defendants failed to disclose that they collect the class members’ personal data and the true purpose for collecting the data, which plaintiff alleges is to gain a competitive edge over rival companies. Plaintiff’s proposed class definition includes “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Google filed a Motion to Dismiss, including arguments that the CCPA claim fails because (1) plaintiff fails to allege his information was subject to a data breach; and (2) relief is only available to a consumer, which is defined as a “California resident,” and plaintiff is a New York resident.

Guzman v. RLI Corp. et al., No. 2:20-cv-08318 (C.D. Cal.)

On September 10, 2020, plaintiff Jose Guzman filed a class action complaint against defendants RLI Corp. and RLI Insurance Company alleging that defendants, through the Pacer filing service, disclosed the login credentials to computer systems containing personal and confidential information of class members. Plaintiff alleges that as a surety, defendants requested access to the records of Libre by Nexus, which secures bonds for detained undocumented immigrants. Plaintiff alleges that, in a separate suit, defendants disclosed Libre’s login credentials by filing them publicly, giving anyone with a Pacer login access to class members’ personal and confidential information including dates of birth, names of minor children, home address, Social Security Numbers, and taxpayer identification numbers and financial account information.

On October 22, 2020, defendants filed a Motion to Dismiss, including arguments that the CCPA claim fails because: (1) defendants’ access was court-authorized and therefore not unauthorized; (2) plaintiff failed to establish that there was a “violation of the duty to implement and maintain reasonable security procedures and practices”; and (3) plaintiff did not comply with the mandatory 30-day notice and cure provision. On November 6, 2020, the action was voluntarily dismissed without prejudice.

Gardiner v. Walmart Inc. et al., 4:20-cv-04618 (N.D. Cal.)

On July 10, 2020, plaintiff Lavarious Gardiner filed a class action complaint against retailer Walmart alleging that vulnerabilities on Walmart’s website led to breaches of Walmart’s systems, allowing hackers to steal customers’ personally identifiable information (including full names, addresses, financial account information, and credit card information), and allowed hackers to attack Walmart’s customers’ computers directly as well. The CCPA cause of action alleges that Walmart violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information. On October 29, 2020, the Parties stipulated to a briefing schedule on defendant’s Motion to Dismiss which is scheduled to be completed by February 3, 2021.

Flores-Mendez et al v. Zoosk, Inc. et al., 3:20-cv-04929 (N.D. Cal.)

On July 22, 2020, plaintiffs Juan Flores-Mendez and Amber Collins filed a class action complaint against Zoosk, Inc., an online dating site, and its parent company, Spark Networks SE, alleging that cybercriminals hacked and obtained 30 million of Zoosk’s users’ records, containing their name, email, date of birth, and password, due to Zoosk failing to maintain reasonable security controls and systems. Plaintiffs only sought injunctive and equitable relief but alleged that if Zoosk could not cure the breach within 30 days of its July 14 notice letter, they intended to amend to seek actual and statutory damages. On October 30, 2020, plaintiffs filed an Amended Complaint.

Warshawsky et al v. cbdMD, Inc et al., No. 3:20-cv-00562 (W.D.N.C.)

On October 9, 2020, plaintiffs Michael Warshawsky and Michael Steinhauser filed a class action complaint against cbdMD Inc., and CBD Industries, LLC. Plaintiffs allege that due to two data breaches, hackers accessed consumers’ names, credit card numbers, CVV security codes, credit card expiration dates, addresses, email addresses, and bank account numbers. Plaintiffs’ CCPA cause of action alleges that defendants’ computer systems and data security practices were inadequate to safeguard their customers’ personal information.

Diczhazy et al v. Dickeys Barbecue Restaurants Inc. et al., No. 3:20-cv-2189 (C.D. Cal.)

On November 9, 2020, plaintiffs Ross Diczhazy and Wesley Etheridge II filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their alleged failure to secure and safeguard the names, payment card numbers and security codes of proposed class members in a data breach in violation of the CCPA. The complaint proposes two classes: (a) All California residents who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2020, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set; and (b) All persons who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2018, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set.

Marquez v. Dickey’s Barbecue Restaurants, Inc. et al., No. 3:20-cv-2251 (S.D. Cal.)

On November 18, 2020, plaintiff Jose Luis Marquez also filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their failure to secure and safeguard their customers’ personal identifying information. As in Diczhazy (above), there is a nationwide class as well as a California subclass alleged: (a) All persons residing in the United States who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach; and (b) All persons residing in the State of California who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach.

Gitner v. U.S. Bank National Association et al., No. 0:20-cv-02101 (D. Minn.)

On November 20, 2020, plaintiff Barry Gitner filed a first amended class action complaint in the District of Minnesota against U.S. Bank National Association and U.S. Bancorp for their alleged failure to secure and safeguard the confidential, personally identifiable information of thousands of consumers, including names, account numbers, Social Security Numbers, driver’s license numbers, and dates of birth. Specifically, plaintiffs allege that a computer server with consumer information was stolen from defendants’ corporate offices. Under the CCPA cause of action, plaintiffs seek injunctive or other equitable relief but reserve their rights to amend the complaint to seek actual and statutory damages if the breach is not cured within 30 days. On January 13, 2021, the Court stayed the action pending arbitration of Plaintiff’s individual claims, after defendants’ Motion to Compel Arbitration was unopposed.

Schaubach v. Hotels.Com, LP et al., No. 8:20-cv-2370 (C.D. Cal.)

On December 17, 2020, plaintiff Lauren Schaubach filed a class action complaint against defendants Hotels.com, L.P. (“HLP”), Expedia Group, Inc. (“Expedia”) and Amazon Web Services, Inc. (“AWS”) after a Cloud Hospitality server hosted by Defendant AWS and containing information for customers of Defendant HLP and Defendant Expedia was hacked and tens of millions of data records were exposed, including full names, email addresses, ID numbers, phone numbers, credit card numbers, security codes and expiration dates. Plaintiff seeks to represent a class of “all consumers in California whose personally identifiable information was compromised in the Breach.” On December 17, 2020, the action was voluntarily dismissed without prejudice.

  1. Cases Filed in Q3/Q4 2020 Alleging CCPA Violations As a Predicate For UCL Causes of Action

Pygin v. Bombas, LLC et al., No. 4:20-cv-04412 (N.D. Cal.)

On July 1, 2020, plaintiff Alex Pygin filed a class action complaint against defendants Bombas, LLC, Shopify (USA) Inc. and Shopify, Inc., alleging that sock and apparel retailer Bombas uses an ecommerce platform supplied by Shopify to take customers’ personal and payment information (including name, billing, shipping and email addresses, along with credit card numbers, expiration dates, and security codes) and that the customers’ information was compromised during a data breach due to defendants’ negligent and/or careless acts and omissions and failure to protect the data.

While plaintiff brings no claim under the CCPA, he alleges that class members have suffered injury including “deprivation of rights they possess under . . . the California Consumer Privacy Act” by “failing to maintain reasonable security procedures and practices appropriate to the nature of the personally identifiable information.” As part of its causes of action for negligence and violation of the UCL, plaintiff alleges that defendants: (i) had a duty to take reasonable steps and employ reasonable methods of safeguarding the personally identifiable information of class members, as required under the CCPA; (ii) failed to maintain those reasonable security procedures and practices by storing the information in an unsecure electronic environment; and (iii) failed to disclose the data breach to class members in a timely and accurate manner as required by the CCPA.

Currently pending before the Court is Shopify’s Motion to Dismiss for (1) lack of personal jurisdiction, (2) violation of FRCP 8 for failing to distinguish among defendants and adequately allege that Shopify caused harm, and (3) failure to state a claim, based partially on the argument that the CCPA does not “create any private right of action under any other law.”

Calixte et al. v. Dave, Inc., 2:20-cv-07704 (C.D. Cal.)

On August 24, 2020, five plaintiffs filed a class action complaint against defendant Dave Inc. alleging that its users’ names, emails, date of birth, physical address, phone numbers and social security numbers were compromised as a result of a cyberattack against a former third party service provider of Dave Inc. The complaint alleges that the hackers’ ability to pivot from a third-party vendor’s system to the defendant’s systems without detection demonstrates the lack of controls and cybersecurity measures in use at Dave Inc. to prevent such unauthorized use.

Plaintiffs only allege violations of the CCPA as a predicate to their UCL violation cause of action based on Dave Inc.’s alleged failure to implement and maintain reasonable security measures. The proposed nationwide class is defined as “All persons whose PII was compromised as a result of the Data Breach announced by Dave Inc. in July and August of 2020.” The Parties are currently briefing defendant’s Motion to Compel Arbitration. On November 9, 2020, the action was voluntarily dismissed without prejudice.

Wesch v. Yodlee, Inc. et al., No. 3:20-cv-05991 (N.D. Cal.)

On August 25, 2020, plaintiff Deborah Wesch filed a class action complaint against defendants Yodlee, Inc. and Envestnet, Inc. (which acquired Yodlee) alleging that Yodlee sells highly sensitive financial data, such as bank balances and credit card transaction histories, collected from software products that it markets and sells to financial institutions. Plaintiffs allege that when individuals connect their bank accounts to PayPal, they upload their banking credentials using Yodlee’s system. Yodlee then allegedly stores a copy of the credentials on its own system and exploits them, contrary to the disclosed use of the information.

Plaintiff’s UCL cause of action is predicated upon alleged violations of the CCPA’s requirements that defendants: (i) disclose, before or at the point of collection, the category of information to be collected and how it will be used; and (ii) refrain from collecting additional information for additional purposes without providing notice.

Plaintiff filed an Amended Complaint on October 21, 2020, and the parties have stipulated to a briefing schedule on plaintiff’s anticipated Motion to Dismiss.

Conditi v. Instagram, LLC et al., No. 3:20-cv-06534 (N.D. Cal.)

On September 17, 2020, plaintiff Brittany Conditi brought a class action complaint against defendants Instagram LLC and Facebook Inc. alleging that Instagram constantly accesses users’ smartphone camera feature and monitors users without permission when they are not interacting with the camera feature, which goes beyond the services it promises to provide. Plaintiff alleges that Instagram does this to collect valuable personal data to increase their advertising revenue.

Plaintiff’s UCL cause of action is based upon allegations that defendants violated the CCPA by failing to disclose that they monitor users through their smartphone cameras, while not in use, to collect personal information. Plaintiff proposes the following class definition: “All Instagram users whose smartphone cameras were accessed by Instagram without their consent from 2010 through the present (the ‘Class Period’).”

You can follow developments in CCPA-related cases by referring to our new CCPA Litigation Tracker. If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

Last week, in a substantial win for the dietary supplement industry, the Ninth Circuit Court of Appeals upheld the Northern District of California’s grant of summary judgment to Target, ruling that state law false advertising challenges to permissible structure/function claims are preempted by the Federal Food, Drug and Cosmetic Act (“FDCA”).

Plaintiff Todd Greenberg alleged that he bought a bottle of Up & Up Biotin, a private label vitamin sold by Target, as part of his battle with hair loss.  Up & Up Biotin’s label states that biotin “helps support healthy hair and skin.”  The label also states that  “[t]his statement has not been evaluated by the Food and Drug Administration.  This product is not intended to diagnose, treat, cure, or prevent any disease.” Greenberg conceded that biotin is a nutrient that supports healthy hair and skin, but nevertheless claimed the label was misleading because most people obtain all the biotin they need from their diet, rendering the vitamin superfluous to all but a tiny percentage of people who have a biotin deficiency.

Under the FDCA, dietary supplement labels are required to be truthful and not misleading.  The statute also authorizes certain categories of statements, including structure/function claims, provided they are adequately substantiated. As a general matter, structure/function claims “describe the role of a nutrient or dietary ingredient intended to affect the structure or function in humans or that characterizes the documented mechanism by which a nutrient or dietary ingredient acts to maintain such structure or function[.]”  21 C.F.R. § 101.93(f).  Statements suggesting an ingredient’s ability to “strengthen,” “improve,” or “protect” a structure or function in the human body are structure/function claims so long as they do not suggest disease prevention or treatment.  The FDCA was intended to establish a national and uniform labeling standard for dietary supplements, expressly preempting any state law labeling requirement “that is not identical to” the labeling requirements in the FDCA.

The Ninth Circuit affirmed the District Court’s ruling that Up & Up Biotin’s label satisfied all of the statutory requirements for a structure/function claim under the FDCA, namely that: (1) there was substantiation for the claim, (2) the label included the proper disclosures, and (3) the label did not suggest the product could treat diseases. More specifically, and in contrast to a disease claim, the FDCA “only requires substantiation for the ingredient’s function on the human body, not the health impact of the product as a whole.” In other words, “manufacturers may make structure/function claims about a nutrient’s general role on the human body without disclosing whether the product will provide a health benefit to each consumer.”

Accordingly, the Court found that the plaintiff’s state law false advertising claims “essentially s[ought] to impose an additional requirement that dietary supplement labels can make structure/function claims only if consumers are likely to benefit from the product.”  Because this requirement “is not identical to” the labeling requirements in the FDCA, the claims were preempted.

Dietary supplement companies are often targeted by class action plaintiffs asserting various theories about how carefully-drafted label claims are nevertheless deceptive to the proverbial “reasonable consumer.” This decision brings a new level of comfort to the industry that if a structure/function claim complies with the FDCA, it is less likely to be challenged (at least in the Ninth Circuit).

Partner Aaron Burstein edited the Fall 2020 issue of Antitrust magazine with Janis Kestenbaum. If you’re looking to get up to speed on some of the most pressing regulatory issues surrounding personal data, this is the place to start — and the ABA is making it free to access through the end of January.

A roundtable featuring Alexandra Reeve Givens (President and CEO, CDT), Jessica Rich (former Director of the FTC’s Bureau of Consumer Protection), Will DeVries (Google), and William McGeveran (University of Minnesota Law School) surveys the enforcement and policy landscape. The issue also features articles that examine the California Privacy Rights Act, the state (and stakes) of Section 230 reform, privacy issues in contact tracing apps, and applications of economic analysis to privacy. On the international front, authors analyze the first two years of GDPR enforcement as well as privacy and antitrust developments in China.

For additional privacy information and resources, visit Kelley Drye’s Advertising and Privacy Law Resource center.
