Business Law

Selected Developments in Business Law — Internet Law and Practice in California

Please share:

Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications.  This month’s feature is from the July 2021 update to Internet Law and Practice in California.  References are to the book’s section numbers.  The most significant legal developments since the last update include developments in such important topic areas as copyright, patent, trademark, independent contractor classification, privacy, cybersecurity, Internet advertising, and First Amendment issues.  

July 2021 Update


Short phrases are not entitled to copyright protection. Corbello v Valli (9th Cir 2020) 974 F3d 965, 977 (phrase “social movement” was not subject to copyright protection); Grosso v Miramax Film Corp. (9th Cir 2004) 383 F3d 965, 967 (poker jargon not subject to copyright protection); Narell v Freeman (9th Cir 1989) 872 F2d 907, 911. In addition, names, titles, and slogans are not copyrightable subject matter. BeyondBlond Prods. v Heldman (CD Cal, Aug. 17, 2020, No. CV 20-5581 DSF (GSJx)) 2020 US Dist Lexis 150556; 37 CFR §202.1(a). But tweets could contain sufficient original expression by the author to be subject to copyright protection. Kaseberg v Conaco, LLC (SD Cal 2017) 260 F Supp 2d 1229. See §1.2.

An interesting issue arises when a person creates an unauthorized recording of a live performance. Examples include bootleg recordings of live concerts and unauthorized recordings of live performances. Under the Copyright Act, such recordings are not entitled to copyright protection because the recordings are not fixed by or under the authority of the author (i.e., the performers). Performers of bootlegged musical performance have a cause of action against bootleggers, despite not having ownership. Kihn v Bill Graham Archives, LLC (CD Cal 2020) 445 F Supp 3d 234, 256. See §1.2.

Literary and graphic characters are subject to copyright protection when they “constitute the story being told in a work.” Daniels v Walt Disney Co. (9th Cir 2020) 958 F3d 767, 773. The Ninth Circuit described this as “a high bar, since few characters so dominate the story such that it becomes essentially a character study”; ancillary characters that are “only the chessman in the game of telling the story” are not entitled to copyright protection. 958 F3d at 773. See §1.4.

The U.S. Supreme Court has created the “government edicts doctrine,” which applies to state and local governments as well as to the federal government (see 17 USC §105). Georgia v Public.Resource.Org, Inc. (2020) ___ US ___, 140 S Ct 1498, 1506. The doctrine applies to works created by judges and legislators in the course of their judicial or legislative capacities (e.g., judicial opinions, statutes, and legislative histories). The doctrine can also apply to works created by private entities through a work made for hire agreement with the legislature and when the work serves a legislative function, such as annotations to statutes. 140 S Ct at 1508. In contrast, the government edicts doctrine does not extend to parts of a court reporter created by a private party and not subject to a work made for hire agreement, like headnotes, summaries, syllabi, and tables of contents. 140 S Ct at 1507. See §1.4D.

It is well settled that the voluntary, unauthorized downloading, copying, and uploading of copyrighted works violates the reproduction right. See Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1050. See §1.9.

A licensee of an exclusive copyright has standing to sue for copyright infringement if the infringement occurred during the term of the license and the infringement implicated the specific right held by the licensee. Tresona Multimedia, LLC v Burbank High Sch. Vocal Music Assoc. (9th Cir 2020) 953 F3d 638, 645. If, however, less than all co-owners of a copyright attempt to independently grant an exclusive license, the licensee does not have standing to sue. This result dovetails with the principle that the holder of a nonexclusive license does not have standing to use. 953 F3d at 646. See §1.16.

To show substantial similarity, the Ninth Circuit employs a two-part test: An objective, extrinsic test and a subjective, intrinsic test. The extrinsic test has three parts: First, the plaintiff must identify similarities between the copyrighted work and the accused work. Second, the court must determine which similarities constitute protectable material and which are unprotectable material or material the use of which has been authorized. Finally, after disregarding the unprotectable and authorized-use material, the court must determine the scope of protection for the work as a whole. Corbello v Valli (9th Cir 2020) 974 F3d 965, 974. See §1.22.

Contributory infringement has a threshold requirement of direct infringement by third parties. Vicarious infringement also has a threshold requirement of direct infringement by third parties. Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1050. See §1.25.

The 3-year statute of limitations starts running when the plaintiff has constructive knowledge of the claim, not actual knowledge. Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1047. Constructive knowledge is defined as enough information to warrant an investigation which, if reasonably diligent, would lead to the discovery of the claim. 971 F3d at 1047. Whether the plaintiff conducted an investigation is irrelevant. See §1.30.

The Copyright Act grants courts discretion to award costs and “reasonable attorney’s fee[s]” to the prevailing party. 17 USC §505. Not all claims involving copyrights are subject to §505; rather, only claims involving the validity of a copyright and copyright infringement (including declaratory relief actions) are subject to that section. Doc’s Dream, LLC v Dolores Press, Inc. (9th Cir 2020) 959 F3d 357, 359. Claims and defenses that do not require making legal determinations under the Copyright Act, such as an accounting or failure to pay royalties under a license, are not subject to §505. 959 F3d at 361. See §1.35.

On December 27, 2020, the Copyright Alternative in Small-Claims Enforcement Act of 2020 (the CASE Act) (17 USC §§1501–1511) was enacted as part of the Consolidated Appropriations Act, 2021 (116 Pub L 260, 134 Stat 1182). The CASE Act establishes a Copyright Claims Board (CCB) in the Copyright Office to hear copyright infringement matters. The CASE Act (1) caps damages at $30,000 total (including statutory damages of $15,000 per work, and $7500 per work for which an application was not filed in accordance with 17 USC §412 timelines); (2) provides an opt-out alternative for the respondent; (3) includes streamlined procedures that limit discovery and rely mostly on written materials; (4) allows claims by both copyright owners and users for infringement and exceptions and limitations, respectively; and (5) includes additional fees for bad faith claimants and bars those who repeatedly abuse the system. See §1.35A.

Whether a specific use constitutes a “fair use” or an infringement is not subject to a bright-line analysis, and requires a case-by-case approach. Dr. Seuss Enters., L.P. v ComicMix LLC (9th Cir 2020) 983 F3d 443, 451. See §1.39.

In Google LLC v Oracle Am., Inc. (2021) 593 US ___, 141 S Ct 1183, Google had copied a limited part of the so-called declaring code portion of the Sun Java SE program—that portion of the program called an Application Programming Interface (API). The Supreme Court held, as a matter of law, that Google’s copying of part of the Sun Java API was a fair use. Google’s copying involved only those lines of code necessary to allow software developers to put their skills to work creating a brand new and transformative program (the so-called implementing code) for Google’s new Android smartphone platform. See §§1.40, 1.41, 1.49A, 1.50, 1.54, 1.55.

Automated takedown notices (also known as robo-notices) are particularly problematic under the subjective good faith belief requirement, because automated processes cannot make determinations on fair use or whether the party had a license. A key takeaway is that although automated processes can identify potential infringement, it is good practice to have an individual review the use and make a fair use/license determination prior to issuing the notice. See Enttech Media Grp. LLC v Okularity, Inc. (CD Cal. Oct. 2, 2020, No. 2:20-cv-06298 RGK (Ex)) 2020 US Dist Lexis 222489. See §1.83.


The venue where a corporate defendant can be sued is becoming more limited. Under the patent venue statute, 28 USC §1400(b), a patent infringement suit can be brought against a defendant “in the judicial district where the defendant resides, or where the defendant has committed acts of infringement and has a regular and established place of business.” With respect to the residency requirement, the Supreme Court has held “a domestic corporation ‘resides’ only in its State of incorporation for purposes of the patent venue statute.” TC Heartland v Kraft Foods Group Brands (2017) ___ US ___, 137 S Ct 1514, 1517. With respect to the requirement of a regular and established place of business, the Federal Circuit has held “(1) there must be aphysical place in the district; (2) it must be a regular and established place of business; and (3) it must be the place of the defendant.” In re Cray, Inc. (Fed Cir 2017) 871 F3d 1355, 1360. See §2.16A.

It is important to keep in mind that the two-step patent eligibility test is applied to the claims. Therefore, when relying on a feature of the invention to demonstrate patent-eligible subject matter, that feature should be expressly recited in the claims and not left as an inference based on the written description. In Ericsson v TCL Communication Technol. Holdings (Fed Cir 2020) 955 F3d 1317, Ericsson argued that the inventive concept that transforms the claims into patent-eligible subject matter was in a particular layered software architecture, which was described in the written description. 955 F3d at 1328. The Federal Circuit rejected Ericsson’s arguments because the features relied on were not expressly claimed: “Ericsson misstates the role of the specification, which ‘cannot be used to import details from the specification if those details are not claimed.'” 955 F3d at 1328 (citation omitted). See §2.18A.

In Simio, LLC v Flexsim Software Products, Inc. (Fed Cir 2020) 983 F3d 1353, however, the Federal Circuit continued to carve out a distinction between improving a computer’s functionality (which could be patent-eligible subject matter) versus improving a user’s experience (which is considered an abstract idea) with a new program or software. The court held that a computer-based system that utilizes graphics instead of writing programming code to create object-oriented simulations was directed to an abstract idea because it did not improve computer functionality, but rather, the user experience. Similarly, in Customedia Technol., LLC v Dish Network Corp. (Fed Cir 2020) 951 F3d 1359, the Federal Circuit found a data delivery system for providing automatic delivery of multimedia data products from one or more multimedia data product providers, although possibly improving the abstract concept of targeted advertising, did not improve the actual functioning of the computer itself because the computer was merely being used as a tool in a system for advertising. 951 F3d at 1365. See §2.19.


A generic second-level domain (SLD) combined with a top-level domain suffix such as “.com” or “.biz” (TLD) can create a descriptive mark that is eligible for protection on proof that it has acquired distinctiveness or secondary meaning. See United States Patent and Trademark Office v BV (2020) ___ US ___, 140 S Ct 2298. In, the U.S. Supreme Court rejected the USPTO’s sweeping rule that a trademark consisting of a generic word plus “.com” is generic as a matter of law. The Court found that “[a] compound of generic elements is generic if the combination yields no additional meaning to consumers capable of distinguishing the goods or services.” 140 S Ct at 2306 (emphasis in original). Finally, the Court held that “[w]hether any given ‘’ term is generic … depends on whether consumers in fact perceive that term as the name of a class or, instead, as a term capable of distinguishing among members of the class.” 140 S Ct at 2307. See §3.45.

“[A] famous mark is one that has become a ‘household name.'” Blumenthal Distrib., Inc. v Herman Miller, Inc. (9th Cir 2020) 963 F3d 859, 870 (quoting Thane Int’l, Inc. v Trek Bicycle Corp. (9th Cir 2002) 305 F3d 894, 908). Other examples of trademarks that have been found to be famous include NIKE (Nike, Inc. v Nikepal Int’l, Inc. (ED Cal Sep. 7, 2007, No. 2:05-cv-1468- GEB-JFM) 2007 US Dist Lexis 66686); STARBUCKS (Starbucks Corp. v Wolfe’s Borough Coffee, Inc. (2d Cir 2009) 588 F3d 97, 105); and the trade dress of Apple’s iPhone (Apple, Inc. v Samsung Electronics Co., Ltd. (ND Cal 2013) 920 F Supp 2d 1079, 1097). See §3.66.

Independent Contractors

In Vazquez v Jan-Pro Franchising Int’l, Inc. (2021) 10 C5th 944, the California Supreme Court held that Dynamex Operations W., Inc. v Superior Court (2018) 4 C5th 903 applies retroactively to all nonfinal cases that predate the effective date of the Dynamex decision. See §4.13.

The ABC test in the Dynamex decision was first codified by the California state legislature in 2019 with the enactment of AB 5 (Stats 2019, ch 296). Assembly Bill 5 specifically codified the presumption of employee status in Dynamex but added a number of exceptions. The legislature amended the provisions of AB 5 in 2020, by enacting AB 2257 (Stats 2020, ch 38) and AB 323 (Stats 2020, ch 31). The California statutes now applicable to independent contractor classification are Lab C §§2775–2787 and the statutes enacted by Proposition 22 (Bus & P C §§7448–7467 and Rev & T C §17037). See §4.13.

Labor Code §§2775–2787 apply generally for purposes of the Labor Code and the Unemployment Insurance Code, and for purposes of wage orders issued by the Industrial Welfare Commission. See Lab C §2775(b)(1). They do not distinguish between exempt and nonexempt employees, except those listed in Lab C §§2776–2784, subject to specified conditions. See §4.14.

Labor Code §§2776–2784 contain an extensive list of occupations and relationships that are excepted from the ABC test, subject to certain conditions specified in the statutes. The exceptions include, without limitation, professional service providers including graphic designers, fine artists, photographers, photojournalists, freelance writers, editors, and content contributors; recording artists, songwriters, and musicians; construction industry contractors and subcontractors; certain licensed professionals including insurance brokers, real estate brokers, physicians, dentists, other health care professionals, lawyers, architects, engineers, accountants, private investigators, securities brokers, and investment advisers; direct sales salespersons; and commercial fishermen. The conditions specified for each exception are detailed and must be reviewed carefully. Workers who do not satisfy the conditions of the ABC test and are not expressly excepted in the statutes are evaluated in accordance with the California Supreme Court’s prior decision in Borello. See Lab C §§2775(b)(3), 2785(d). See §4.14A.

In November 2020, California voters approved Proposition 22 (Bus & P C §§7448–7467 and Rev & T C §17037), a measure sponsored by Uber, Lyft, and DoorDash, which allows app-based ride-hailing and delivery companies (called “network companies” under the measure, see Bus & P C §7463) to continue treating their workers as independent contractors provided that the companies offer certain benefits to those workers. In effect, Proposition 22 creates an additional exception to Lab C §2775(b)(1). See §4.14A.

Cloud Computing: Ethical Issues

In 2020, the State Bar’s Standing Committee on Professional Responsibility and Conduct issued California State Bar Formal Opinion No. 2020–203, available at, to address lawyers’ obligations in the face of data breaches, i.e., situations where unauthorized third parties have obtained access to electronically stored confidential client information in a lawyer’s possession. The opinion provides that lawyers who use electronic devices containing confidential client information must assess the risks of keeping such data on electronic devices and computers, and take reasonable steps to secure their electronic systems to minimize risk of unauthorized access. In event of a breach, lawyers have an obligation to conduct a reasonable inquiry to determine the extent and consequences of the breach and to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach. See §6.57.

Electronic Contracting

As evidenced by the court’s remarks in Wilson v HUUUGE, Inc. (9th Cir 2019) 944 F3d 1212, courts are becoming weary of parties seeking to enforce arbitration agreements buried in such a way that meaningful notice is not provided. HUUUGE provides a casino gaming app and, after downloading the app and playing it for over a year, the plaintiff sued HUUUGE on behalf of a putative class for alleged violations of Washington State gambling and consumer protection laws. 944 F3d at 1214. HUUUGE moved to compel arbitration based on the app’s terms of use. Users could review the terms before downloading the app, but only after scrolling through multiple screens of text and copying and pasting a URL, or during game play, but then only by clicking through screens in the app’s settings menu. The court stated that “the user would need Sherlock Holmes’s instincts” to discover the app’s terms, and concluded that the app did not give reasonably prudent users constructive notice of the arbitration provision. 944 F3d at 1214. The court rejected HUUUGE’s argument that repeated use of the app put the user on constructive notice, observing that “[o]nly curiosity or dumb luck might bring a user to discover the Terms” since “there is no reason to assume users will click on the settings menu simply because it exists.” 944 F3d at 1221. See also Stover v Experian Holdings, Inc. (9th Cir 2020) 978 F3d 1082, 1086. See §7.4.


Cookie technology has become very complex since cookies were first introduced. Businesses incorporate first party cookies (i.e., cookies created and stored by the website the user is visiting) and third party cookies (i.e., cookies created and placed by third parties on another website) within their websites, advertisements, and e-mails for a variety of purposes, including to match individuals across browsers and devices, and create complex profiles. Cookies are often used to sync information with pixels and other tracking technologies. These practices have led to significant privacy concerns around the use of cookies, especially when consumers do not have adequate notice or choice with respect to that usage. See §9.4.

Companies that use facial recognition technologies or that process biometric information likely need to obtain affirmative express consent from consumers prior to data collection or processing, but should always process data consistent with their privacy policies and other affirmative consumer-facing representations. See In re Everalbum, Inc. (January 11, 2021) FTC File No. 1923172 (see In its administrative complaint, the FTC alleged that a California company, Everalbum, Inc., misrepresented the manner in which it applied facial recognition technology to photos and videos that consumers uploaded through the “Ever” mobile application, browser application, and social media accounts for storage on Everalbum’s cloud-based storage service. See §9.9.

In, Inc. v Becerra (9th Cir 2020) 962 F3d 1111, the court ruled that CC §1798.83.5 was unconstitutional for violating a website’s First Amendment speech rights. Civil Code §1798.83.5 was passed with the intention of prohibiting commercial online entertainment employment service providers from publishing or sharing a subscriber’s date of birth or age information in online profiles; however, it was subsequently found to restrict noncommercial speech in violation of the First Amendment and invalidated. See §9.18.

In November 2020, California voters approved Proposition 24, called the California Privacy Rights Act of 2020 (CPRA). See As described in §9.18B, when it becomes effective, the CPRA will make significant changes to the California Consumer Privacy Act of 2018 (CCPA) (CC §§1798.100–1798.199.100). The CPRA amends the original CCPA in several significant ways, including the establishment of a new law enforcement agency, a new definition of “sensitive data” with further limits on use and sharing, and expanded liability for data breaches. The CPRA grants consumers the right to opt out of a business’s sharing of personal information and requires that business implement certain methods to allow consumers to exercise that right. A business engaged in sharing must provide a link on the homepage of the business’s website titled “Do Not Sell or Share My Personal Information.” CC §1798.135(a). The CPRA broadens the scope of the original CCPA’s small business exemption by raising the threshold for applicability to businesses that process for commercial purposes personal information of from 50,000 to 100,000 consumers or households. See CC §1798.140(d)(1)(A). In general, the CPRA takes effect on January 1, 2023. Many of the obligations found in the original CCPA remain in effect in the CPRA, but the CPRA includes additional obligations. Businesses should start preparing now for the CPRA because it has a “look back” provision to January 1, 2022. See §§9.18A–9.18B.

In 2020, mobile app developer Hyperbeard settled FTC charges that it violated the Children’s Online Privacy Protection Act of 1998 (COPPA) (15 USC §§6501–6506) by allowing third-party ad networks to collect personal information from children playing the company’s child-directed games, without notifying parents or obtaining verifiable parental consent as required by COPPA. The settlement highlights an operator’s strict liability under COPPA for data collected by third parties through its service. Here, Hyperbeard had not notified the third-party ad networks embedded within its apps that the apps were directed to children. In the settlement, Hyperbeard agreed to pay a $4 million civil penalty, suspended on payment of $150,000. See See §9.33.

From 2016 to 2020, many U.S. data importers relied on the Privacy Shield Framework agreed to by the EU Commission and the U.S. for data transfers and enforced by the U.S. Department of Commerce and the FTC through cooperation with EU data protection authorities. However, in July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield as a transfer mechanism in the Schrems II case. See Data Protection Commissioner v Facebook Ireland Ltd & Maximillian Schrems, Case C-311/18 (July 16, 2020). Data transfers reliant on Privacy Shield are no longer lawful, and U.S. data importers that relied on Privacy Shield must update their policies and practices, as well as turn to an alternative transfer mechanism. See §9.38.

Most U.S. data importers rely on Standard Contractual Clauses (SCCs), which are agreements executed by data exporters and data importers to ensure appropriate safeguards for the transfer of personal data. SCCs are not without risk, however, because the CJEU indicated in its July 2020 ruling that data transfers to the U.S. may be inherently problematic due to government surveillance issues and may require supplemental measures by data exporters and data importers to protect personal data. In addition, in November 2020, the EU Commission published revised draft SCCs that, if approved, would replace the current SCCs. Businesses that export or receive personal data from the EU should pay close attention to developments around the SCCs. See §9.38.

California’s enactment of the California Consumer Privacy Act (CCPA) (CC §§1798.100–1798.199.100) fundamentally changed the requirements of a privacy policy for any business operating within the state (whether based in California or not). The CCPA expanded both the requirements for a privacy policy under the California Online Privacy Protection Act of 2003 (OPPA) (Bus & P C §§22575–22579) and the applicability of OPPA, requiring more specific disclosures and information regarding consumer rights and how to exercise them. The form of privacy policy in §9.44 has been revised to conform with the CCPA and OPPA. See §§9.43 –9.44.

Advertising on the Internet

An attorney is not responsible for the content of an attorney’s profile on a professional online directory and rating website created and maintained by a third party. However, if the attorney chooses to exercise control over the profile’s content by “adopting” the profile on the directory itself or otherwise using the profile to market the attorney’s practice, the attorney becomes responsible for its content. State Bar Formal Opinion No. 2019 –199. See §17.10D.


As part of the Notification and Federal Employee Anti-discrimination and Retaliation Act of 2002 (No FEAR Act) (Pub L 107–174, 116 Stat 566), the federal government creates and disseminates resources for individuals to protect themselves and recover from cyberattacks. These resources are available at this website, which is continually updated: See §18.3.

In United States v Peterson (9th Cir 2019) 776 Fed Appx 533, 534 n.3, the court identified “refrigerators with Internet connectivity, Fitbit™ watches, etc.” as likely falling within the definition of “computer” in the Computer Fraud and Abuse Act (CFAA) (18 USC §1030). See §18.17.

On November 30, 2020, the Supreme Court heard oral argument in Van Buren v United States (11th Cir 2019) 940 F3d 1192, cert. granted (2020) ___ US ___, 140 S Ct 2667. The certified question presented was whether a person who is authorized to access information on a computer for certain purposes violates 47 USC §1030(a)(2) if that person accesses the same information for an unauthorized purpose. In other words, can a defendant be criminally liable for exceeding authorized access? The case should resolve a Circuit split between the First, Fifth, Seventh, and Eleventh Circuits (which have answered “yes”) and the Second, Fourth, Sixth, and Ninth Circuits (which have answered “no”). See §18.19.

The Ninth Circuit, in In re Facebook Inc. Internet Tracking Litig. (9th Cir 2020) 956 F3d 589, addressed whether Facebook’s placement of a persistent cookie on a Facebook user’s computer, and the transmission of URL and other information by that cookie, violated the prohibition in the Electronic Communications Privacy Act of 1986 (ECPA) (Pub L 99–508, 100 Stat 1848) on the interception of electronic communications. Based on the technical nature of the transmission of information to Facebook, the court concluded that Facebook was not a party to the intercepted communication. As a result, the party exception to the ECPA and Facebook could, in theory, be subject to liability under the ECPA. The Ninth Circuit reversed the dismissal of that claim, and remanded to the district court. See §18.28.

The Federal Bureau of Investigation (FBI) provides a mechanism for filing complaints regarding ransomware attacks: and has issued a Public Service Announcement, available at, warning that ransomware attacks are becoming more targeted, sophisticated, and costly. Ransomware attacks constituted 81 percent of financial-based cyberattacks in 2020. See §18.38.

In In re Facebook, Inc. Internet Tracking Litig. (9th Cir 2020) 956 F3d 589, the district court had dismissed a trespass to chattels claim based on its conclusion that the plaintiffs had failed to demonstrate that an actual injury occurred through the transmission of plaintiffs’ browsing history to Facebook. See generally Intel Corp. v Hamidi (2003) 30 C4th 1342, 1351. The Ninth Circuit reversed, finding that plaintiffs’ allegation that Facebook was unjustly enriched was sufficient to confer standing in federal court. 956 F3d at 599. See §18.41.

The defendant in WhatsApp Inc. v NSO Grp. Techs. Ltd. (ND Cal. 2020) 472 F Supp 3d 649, was alleged to be an agent of the Israeli government that manufactured, distributed, and operated surveillance technology designed to intercept and extract information and communications from mobile phones, in particular through the WhatsApp app. Among other claims, WhatsApp Inc. asserted trespass to chattels. The plaintiff did not assert that the actions of the defendant, sending “approximately 1,400 messages out of the 1.5 billion people in 180 countries who use the WhatsApp service … impaired the physical functioning of WhatsApp’s servers.” 472 F Supp 3d at 684. Instead, WhatsApp asserted it had suffered “consequential economic damages, such as the expenditure of resources responding to the breach, and the loss of goodwill in WhatsApp’s business due to a perceived weakness in WhatsApp’s encryption or its services.” 472 F Supp 3d at 685. The court found that WhatsApp had not sufficiently alleged any actual harm arising from the defendant’s actions, and dismissed the complaint with leave to amend. See §18.41A.


In AMA Multimedia, LLC v Wanat (9th Cir 2020) 970 F3d 1201, the court held that the defendant was not subject to personal jurisdiction because he did not purposefully direct his activities at the United States, the U.S. was not the focal point of the website or the harm suffered by the plaintiff; the website lacked a forum-specific focus and the volume of U.S.-generated content did not show that the site was expressly aimed at the U.S. market. See §19.8.

Making a substantial number of sales of goods or services to California residents via one’s own website is sufficient to establish personal jurisdiction. However, sales must be substantial, not random, isolated, or fortuitous. Thurston v Fairfield Collectibles of Georgia, LLC (2020) 53 CA5th 1231, 1240 (company made 8 to 10 percent of its sales to California residents, totaling $320,000 to $375,000 a year; court found that this was “the equivalent of having a brick-and-mortar store in California—a ‘virtual store'”). See §19.9.

First Amendment and Other Speech-Related Liability

The First and Fourteenth Amendments prohibit content-based restrictions on speech. Reed v Town of Gilbert (2015) 576 US 155, 135 S Ct 2218. A content-based restriction is one that “by its very terms, singles out particular content for differential treatment.” Inc. v Becerra (9th Cir 2020) 962 F3d 1111, 1120. Content-based restrictions are “presumptively invalid.” 962 F3d at 1120, quoting R.A.V. v City of St. Paul (1992) 505 US 377, 382, 112 S Ct 2538, 2542. Content-based restrictions are subject to strict scrutiny (i.e., the government must show a compelling state interest for the action and that it was narrowly tailored to achieve that interest). Reed, 576 US at 164, 135 S Ct at 2227. See §20.19B.

If an anti-SLAPP motion is granted, the plaintiff cannot seek leave to amend the dismissed causes of action, even when those actions are based on completely different conduct. See Medical Marijuana, Inc. v (2020) 46 CA5th 869, 900; Simmons v Allstate Ins. Co. (2001) 92 CA4th 1068, 1073. The policy consideration is that allowing leave to amend would effectively circumvent the purpose of the anti-SLAPP statute by allowing protracted and costly litigation. See §20.77.

If federal claims are brought in state court, they may be subject of an anti-SLAPP statute. Patel v Chavez (2020) 48 CA5th 484, 487; Vergos v McNeal (2007) 146 CA4th 1387, 1402. The anti-SLAPP statute will apply to federal claims in state court unless (1) the federal statute provides otherwise, or (2) the anti-SLAPP statute affects plaintiffs’ substantive federal rights and is, therefore, preempted. To date, the federal claims brought in state court that have involved the anti-SLAPP statute have been civil rights claims under 42 USC §1983. Those cases have uniformly held that the anti-SLAPP statute applies to those claims. See Patel, 48 CA5th at 488; Vergos, 146 CA4th at 1392 n4; Bradbury v Supreme Ct. (1996) 49 CA4th 1108, 1118. However, if a federal claim is brought in federal court, the claim is not subject to an anti-SLAPP motion. See §20.77.

In Balla v Hall (2021) 59 CA5th 652, the court of appeal held that anti-SLAPP motions do not have to be denied entirely if the claims are actionable in part because an anti-SLAPP motion can reach separate claims within a single pleaded cause of action. See §20.78.

Reviews posted to an Internet website are protected activity under CCP §425.16(e)(3). Abir Cohen Treyzon Salo, LLP v Lahiji (2019) 40 CA5th 882, 887 (negative Yelp! review for law firm); Wilbanks v Wolk (2004) 121 CA4th 883, 895 (negative review posted on defendant’s own website). The website constitutes a public forum and the consumer protection information is a matter of public interest. Chaker v Mateo (2012) 209 CA4th 1138, 1144. See §20.88.

Speech that might ordinarily be lawful under ordinary circumstances can constitute a breach of contract if a confidentiality agreement is in place. In Monster Energy Co. v Schechter (2019) 7 C5th 781, the California Supreme Court held that, when a settlement agreement contains terms binding the attorney and the attorney signs, the attorney is bound to the agreement, even when the signature block states “approved as to form and content.” 7 C5th at 791. When the agreement does not contain provisions demonstrating the attorney is to be bound, an attorney’s signature under a signature block with the phrase “approved as to form and content” merely signifies that counsel has read the document, the document embodies the parties’ agreement, and counsel sees no issue with the client signing the document. 7 C5th at 792. See §20.93A.

In Murphy v Twitter, Inc. (2021) 60 CA5th 12, 25, the court held that Twitter exercised traditional publisher functions in removing a user’s tweets and suspending his account, thus the lawsuit was barred by 47 USC 230. See §20.125

In Bolger v, LLC (2020) 53 CA5th 431, 465, the court held that 47 USC §230 did not apply because the plaintiff’s products liability claim was based on the role of in the chain of production and distribution of a defective product, not the contents of the product listing. See §20.126.


On January 21, 2019, the French Data Protection Authority (CNIL) imposed a financial penalty of €50 million against Google, LLC under the GDPR, for lack of transparency, inadequate information, and lack of valid consent to process data for targeted advertising purposes. Google appealed, and on June 19, 2020, the French Administrative Supreme Court (Conseil d’Etat) dismissed Google LLC’s appeal and upheld the fines. This decision represents a landmark in GDPR enforcement, levying the highest fine issued to date under the GDPR in the European Union. See See §21.11A.

On July 16, 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II) (Case C-311/18) invalidated the EU-U.S. Privacy Shield as an adequate safeguard when transferring personal data from the EU to the United States. This decision was made primarily due to potential unrestricted U.S. government access. The court stated: “Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” For a summary of the ruling, see: See §21.11C.

The Schrems II case did uphold the use of EU Commission standard contractual clauses (SCCs) for data transfers outside the EU. Note that additional supplementary contractual provisions may be required to be imposed by the data controller to ensure compliance beyond the SCCs depending on the circumstances, in accordance with the European Data Protection Board’s guidance. See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data at Therefore, all data transfers from the EU to other countries now must be assessed on a case-by-case basis to determine whether additional clauses, in addition to those afforded under the SCCs are required. See §21.11C.

Before the Schrems II decision, organizations had been able to self-certify with the International Trade Administration (ITA), which was administering the so-called EU-U.S. Privacy Shield Framework within the U.S. Department of Commerce, through this link: As a result of Schrems II (and a parallel decision of a Swiss commission), the ITA’s website now states that the Privacy Shield Framework is no longer a valid mechanism to comply with EU or Swiss data protection requirements when transferring personal data from the European Union or Switzerland to the United States. However, the ITA also states that participants are not relieved of their obligations under the EU-U.S. Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Framework and maintaining the Privacy Shield list. See §21.12.

Forgot Password

Enter the email associated with you account. You will then receive a link in your inbox to reset your password.

Personal Information

Select Section(s)

CLA Membership is $99 and includes one section. Additional sections are $99 each.