Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications. This month’s feature is from the September 2022 update to Privacy Compliance and Litigation in California. References are to the book’s section numbers. The most significant legal developments since the last update fall in such important topic areas as information security and security breaches, financial and health information privacy, identity theft, internet and electronic privacy, and the California Consumer Privacy Act.
September 2022 Update
Challenges of Privacy Compliance and Litigation
New or amended state privacy laws were recently enacted in Nevada, Colorado, and Utah. In addition, New York City recently adopted its own regulations on biometric identifying information, prohibiting all selling, leasing, trading, and sharing of such information for anything of value or profit, including allowing for a private right of action for violations of the regulation. See §1.3.
Common Law and Constitutional Privacy Protection
The court in People v Roberts (2021) 68 CA5th 64, 97, held that the use of a DNA sample taken from the defendant, who was validly arrested for a felony based on probable cause but never formally charged, did not violate his federal or state constitutional rights against unreasonable search and seizure or his state constitutional right to privacy. See §2.4A.
Information Security and Security Breach
Civil Code §§1798.81.5 and 1798.82 were amended effective January 1, 2022, to include as protected information an individual’s genetic data. See §§3.8, 3.46, 4.2.
The FTC issued a statement in September 2021 signaling its commitment to enforce the FTC Health Breach Notification Rule and clarifying that the rule applies to most health apps and similar technologies, e.g., apps and other technologies that help consumers track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, and diet. In addition, the FTC has issued two publications to help explain the FTC rule and the steps that covered businesses need to take in the event of a breach. See §§3.35, 3.35D.
Internet and Electronic Privacy
The U.S. Supreme Court held that a person “exceeds authorized access” only when they access a computer with authorization but then obtain information located in particular areas of the computer (such as files, folders, or databases) that are off-limits to them. See Van Buren v U.S. (2021) ___ US ___, 141 S Ct 1648, 1662, in §4.21.
Civil Code §1724, which became effective January 1, 2022, makes it unlawful for a person to sell data, or sell access to it, that the person obtained or accessed as the result of a criminal act. It also prohibits an unauthorized person from purchasing or using data from a source that the person knows or reasonably should know has obtained or accessed the data as a result of the commission of a crime. See §§4.21A, 4.58.
In Lee v Amazon.com, Inc. (2022) 76 CA5th 200, 250, the court held that the Communications Decency Act did not shield Amazon from its own, independent obligation under Proposition 65 to warn consumers about harmful products listed for sale on its website. See §4.49.
Marketing and Sales Regulation
In Greenberg v Digital Media Solutions, LLC (2021) 65 CA5th 909, 919, the court held that a recipient of a commercial email advertisement sent by a third party is not precluded as a matter of law from stating a claim under Bus & P C §17529.5 against the advertiser based on the third party’s failure to provide sufficient information disclosing or making traceable the third party’s own identity, even if the email sufficiently identifies the advertiser. See §5.52.
Financial Data Privacy
In 2021, the FTC, together with the Department of Justice, reached a $20 million settlement—the largest then to date—with a defendant for its FCRA violations, including illegally obtaining consumer credit reports without the consumers’ knowledge or consent and using them to establish credit profiles for uncreditworthy customers. See U.S. v Vivint Smart Home, Inc. (D Utah, Apr. 29, 2021, No. 2:21-cv-00267-TS) FTC File No. 192 3060, in §6.43.
Health Information Privacy
In County of Los Angeles v Superior Court (2021) 65 CA5th 621, 641, the court held that the trial court’s discovery order violated state constitutional privacy rights when it granted the defendant’s motion to compel detailed data on over 1 million dispensed medications, along with pharmacy and prescriber identifiers and other clinical, patient-level information. See §7.2.
On July 1, 2021, the California Department of Public Health issued a final rulemaking implementing the breach reporting requirements of Health & S C §1280.15(b). See 22 Cal Code Regs §§79900–79905 in §7.16.
Assembly Bill 133, which added Health & S C §130290, effective July 27, 2021, requires the California Health and Human Services Agency to establish, on or before July 1, 2022, the California Health and Human Services Data Exchange Framework. See discussion in §7.41B.
In 2021, §123114(e) was added to the Health and Safety Code to clarify that “a health care provider may honor a request to disclose a patient record … that contains the written or electronic signature of the patient or the patient’s personal representative.” See §7.86.
The Genetic Information Privacy Act (CC §§56.18–56.186), effective January 1, 2022, seeks to ensure the “privacy, confidentiality, and integrity of a consumer’s genetic data” when that data is handled by direct-to-consumer genetic testing companies. See §7.92A.
In Lozano v City of Los Angeles (2022) 73 CA5th 711, 727, the court held that the use in police officers’ termination proceedings of a digital in-car video system (DICVS) recording did not violate Pen C §632 because the city did not intend for the DICVS to record the officers’ confidential communication that demonstrated their misconduct, but rather the DICVS merely happened to record it. See §8.65.
Civil Code §1724, effective January 1, 2022, provides that it is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime. Similarly, it is unlawful for an unauthorized person to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime. See §10.81A.
The California Consumer Privacy Act of 2018
The federal district court in Karter v Epiq Sys., Inc. (CD Cal, July 16, 2021, No. SACV 20-01385-CJC (KESx)) 2021 US Dist Lexis 189258, *5, found that the defendant was not a service provider because it collects consumers’ personal information from consumers rather than from another business and also determines the purposes and means of processing that personal information. See §10A.4.
The California Attorney General has opined that a consumer is entitled to “inferences,” regardless of whether those inferences were internally generated or obtained from another source. See 2022 Ops Cal Atty Gen No. 20–303, in §10A.31A.
The CCPA is not retroactive and the private right of action does not apply to breaches that occurred before January 1, 2022. See Gardiner v Walmart, Inc. (ND Cal, July 28, 2021, No. 20-cv-04618-JSW) 2021 US Dist Lexis 211251, *3, in §10A.68.
The continued access and disclosure of a consumer’s personal information after termination of a relationship does not equate to a defendant’s failure “to implement and maintain reasonable security measures,” and thus such a claim “falls entirely outside of the reach of the CCPA.” Danfer-Klaben v JPMorgan Chase Bank, N.A. (CD Cal, Jan. 24, 2022, No. SACV 21-262 PSG (JDEx)) 2022 US Dist Lexis 25553, *17. See §10A.68.
On October 6, 2021, Governor Newsom signed AB 1391 into law, adding CC §1724 to make it unlawful for anyone to sell or sell access to data that were obtained pursuant to the commission of a crime. It also makes it unlawful for anyone to buy or use data that they know, or should know, were obtained through the commission of a crime. See §10A.69.
Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial
In Ramirez v TransUnion LLC (2021) ___ US ___, 141 S Ct 2190, 2208, the U.S. Supreme Court held that only a portion of the class for which TransUnion provided misleading credit reports to third-party businesses had demonstrated concrete reputational harm and had the art III standing needed for damages relief; the other portion of the class, which had only experienced unrealized risk due to an alleged statutory violation, did not have the art III standing needed for damages relief. See §12.6A.
In In re Google Inc. Streetview Electronic Communications Litig. (9th Cir 2021) 21 F4th 1102, the Ninth Circuit affirmed the district court’s approval of a cy pres settlement when the district court found that it was not feasible to distribute settlement funds to class members and the settlement provided for injunctive relief, payments to nine internet privacy advocacy groups, attorney fees, and service awards to class representatives. See §12.10.
Even when the information is continuously available to the public online after initial publication, only one cause of action exists under the Federal Privacy Act of 1974. See Doe v Garland (9th Cir 2021) 17 F4th 941, 945, in §12.113.