Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications. This month’s feature is from the September 2019 update to Privacy Compliance and Litigation in California. References are to the book’s section numbers. See CEB’s BLS Landing Page for special discounts for Business Law Section members. The most significant legal developments since the last update include developments in such important topic areas as the California Consumer Privacy Act, the Internet of Things, data breaches, and health information privacy.
PRIVACY COMPLIANCE AND LITIGATION IN CALIFORNIA – September 2019 Update
In addition, the California Legislature enacted new “Internet of Things” legislation, which defines “connected devices” and requires manufacturers of such devices to equip them with reasonable security features. See §§1.3, 3.10B, 4.21A.
The California Legislature amended CC §47(c), which establishes the common interest privilege, to add language extending the privilege to communications about sexual harassment between a former employer and a prospective employer with regard to an applicant for employment. Stats 2018, ch 82. See §§2.21, 4.21A, 8.92.
The U.S. Supreme Court held that it is reasonable to require a person arrested for drunk driving to submit to a breath test, but not to a blood test, which is more intrusive and would violate a driver’s expectation of privacy (Birchfield v North Dakota (2016) __ US __, 136 S Ct 2160), unless the defendant voluntarily consented to a blood test (People v Gutierrez (2018) 27 CA5th 1155). See §2.4A.
The California Legislature amended CC §1939.23 to permit rental car companies to use authorized electronic surveillance technology in circumstances when the rental vehicle has not been returned within 72 hours after the contract return date. Stats 2018, ch 344. See §4.11.
In an exception to the normal rule that personnel records of peace officers are confidential, new California legislation provides that such records must be made public in certain cases including those when a gun was fired, when death or great bodily harm occurred, or when a peace officer assaulted a member of the public. Pen C §832.7. See §4.21.
The FTC has released a resource designed to help small businesses and nonprofits with cybersecurity issues, containing tips on 12 different topics, such as phishing, ransomware, vendor security, cyber insurance, physical security, and tech support scams. See https://www.us-cert.gov/ncas/current-activity/2018/10/25/FTC-Releases-Cyber-Resources-Small-Businesses. See also §4.56.
In one of the largest settlements to date, the FTC imposed civil penalties of $5.7 million on a music app producer for violating the Children’s Online Privacy Protection Act of 1998 (COPPA) by collecting personal information from children without parental consent. U.S. v Musical.ly (CD Cal, Feb. 27, 2019, No. 2:19-cv-01439) FTC File No. 172 3004. See §5.28.
After seeking public comment on possible technical updates to the existing rule under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), the FTC announced that it was retaining the rule without modification. See §5.39.
In June 2019, the FCC issued a declaratory ruling dramatically expanding previous policy and allowing phone carriers to start automatically blocking both illegal robocalls and robocalls that carriers believe customers do not want. FCC Declaratory Ruling and Third Further Notice of Rulemaking (June 6, 2019) CG Docket No. 17–59. See §5.53A.
In reviewing the issue of whether a business engaging a vendor is liable for the vendor’s violation of the Telephone Consumer Protection Act (TCPA), the Ninth Circuit held that calls placed by an agent of an advertiser are treated as if the advertiser itself had placed the call. Kristensen v Credit Payment Servs. (9th Cir 2018) 879 F3d 1010. The court reached a similar conclusion in Jones v Royal Admins. Servs. (9th Cir 2018) 887 F3d 443. See §5.56A.
In 2019, California enacted the Parent’s Accountability and Child Protection Act, operative January 1, 2020, requiring businesses to take “reasonable steps” (as defined) to verify a purchaser’s age when selling products that are illegal to sell to minors, and permitting businesses to retain or use any information collected to verify age only when necessary to comply with the statute. CC §1798.99.1. A section has been added in chap 5 discussing this new law. See §5.68B.
When the California medical board sought to subpoena records of a pain management physician suspected of over-prescribing controlled substances, it was required to show good cause to overcome the patients’ constitutional rights to privacy. It failed the test by showing merely that the physician occasionally prescribed more than the usual dose, because that did not suggest that the physician was negligent in treating patients or prescribed controlled substances without meeting the relevant standard of care. Grafilo v Cohanshohet (2019) 32 CA5th 428; see Grafilo v Wolfsohn (2019) 33 CA5th 1024. See also §§7.2, 7.66.
On October 19, 2018, the California Department of Public Health issued proposed regulations to implement Health & S C §1280.15, which requires clinics, health facilities, and hospices to prevent unauthorized access to or disclosure of patients’ medical information. See https://www.cdph.ca.gov/Programs/OLS/Pages/DPH-11-009.aspx. See also §7.16.
Canada’s new security breach disclosure regulations require organizations to notify the Canadian Privacy Commissioner and affected individuals of any breach of security involving personal information in the control of the organization if it is reasonable to believe that a breach poses a risk of significant harm. Breach of Security Safeguards Regulations (SOR/2018-64). See §9.144A.
In a data breach case involving the question of US Const art III standing to bring a class action, the Ninth Circuit found that the data breach victims sufficiently alleged injury in fact to confer standing based on the substantial risk that the hackers would commit identity theft. Ree v Zappos.com (In re Zappos.com) (9th Cir 2018) 888 F3d 1020. See §§12.6A–12.6B.
In a case in which the parties negotiated a cy pres settlement, the U.S. Supreme Court found that, despite the settlement, substantial questions remained about whether any of the named plaintiffs had suffered sufficiently concrete injury to give them standing to sue, so the Court vacated and remanded the Ninth Circuit decision so that the lower court could determine standing. Frank v Gaos (2019) ___ US ___, 139 S Ct 1041. See §12.10.
The U.S. Supreme Court found that the exemption in the Freedom of Information Act (FOIA) (5 USC §522) for “confidential” commercial or financial information applies to all information treated as private by the owner. Food Mktg. Inst. v Argus Leader Media (Jan. 11, 2019, No. 18–481) 2019 US Lexis 577. See §12.34.
The Legislature has amended the Government Code to provide that certain video or audio recordings related to a critical incident cannot be withheld more than 45 days, even if they were otherwise confidential under the California Public Records Act. Stats 2018, ch 960. See §12.38.