Privacy Law
PRIVACY LAW REVIEW – WHAT YOU NEED TO KNOW (AUGUST 2021)
CLA’s Privacy Law Section summarizes important developments in California privacy and beyond.
Acting Chair’s Message
By Sheri Porath Rockwell, Acting Chair, Privacy attorney, Sidley Austin
July was a big month in California privacy thanks to the Office of the Attorney General’s publication of new information about its CCPA enforcement efforts, its support for an evolving global privacy control standard, and the introduction of a consumer tool to flag possible CCPA violations. We summarize these developments for you. We also highlight another case that rejects attempts to maintain the privileged status of forensic reports created in the wake of cybersecurity attacks.
The Privacy Law Section is also busy developing robust programming for the fall. We are kicking it off with our event, COVID-19 Return to Work and Privacy Considerations for California Employers and Employees, on August 31 at noon (register here), and our September 15 section-wide membership meeting featuring Twitter’s Chetan Gupta, who will be interviewed by Orrick’s Melanie Phillips on his paper entitled The Market’s Law of Privacy: Case Studies in Privacy/Security Adoption. 0.5 CLE credits will be offered for attending the section-wide meeting; keep an eye on your email for details. Visit our website or our social sites (LinkedIn, Twitter, Facebook) for more information and to register for the events.
OAG Introduces Tool to Allow Consumers to Draft CCPA Noncompliance Notices
By Andrew Scott and Sheri Porath Rockwell
Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.
In honor of the anniversary of its enforcement of CCPA, the OAG also announced a new Consumer Privacy Interactive Tool that allows consumers to draft notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website.
The OAG states it “takes no position on the truthfulness of the information submitted” or on whether submission of a complaint means the business has violated the CCPA. However, the OAG’s site also states that a notice “may satisfy” the 30-day notice to cure required by the CCPA.
The supporting documentation for the tool provides helpful insight into what the OAG may look at when deciding whether a company is selling personal information within the meaning of the CCPA. For example, the site advises consumers to look for language in a privacy policy indicating that the business may share personal information for commercial purposes, such as “Our advertising partners may collect information about you” and “We provide information to other companies, sites, or platforms to develop services to offer you.”
OAG Addresses GPC Opt Outs and Business Groups Respond
By Andrew Scott and Sheri Porath Rockwell
Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.
Section 999.315, subsection (a), of the CCPA regulations provides that businesses are required to provide consumers with two or more methods for submitting opt-out requests (for example, a Do Not Sell My Personal Information link; a toll-free phone number; a designated email address; an in-person form; a mail-in form; or a user-enabled global privacy control, such as a browser plug-in or privacy setting, a device setting, or another mechanism that communicates or signals the consumer’s opt-out choice). The section also provides that a request submitted through a user-enabled global privacy control shall be considered a request directly from the consumer, not through an authorized agent. The OAG stated in the Final Statement of Reasons that the idea of this control was “forward looking,” and was “intended to encourage innovation and the development of technological solutions to facilitate and govern the submission of requests to opt-out.”
The OAG has taken note and appears to be endorsing one group’s efforts to develop such a control, a non-profit organization aptly named “globalprivacycontrol.com.” The OAG recently updated its FAQs to include information about that organization’s control (GPC). The OAG also included in its summary of enforcement actions one that mentioned a business’s failure to observe a global privacy control (although it was not clear if the business had represented it would observe the control). Additionally, it has been reported that the OAG sent letters to 10 to 20 companies stating they are required to observe the GPC.
The current version of the GPC allows a consumer to opt out of sales of their personal information on sites that observe the control, provided the consumer is using a browser that has the control enabled. Currently, the control is available only on some of the smaller browsers (e.g., DuckDuckGo, Brave) and is observed by a relatively small number of websites. The developer’s website indicates the control is still in development.
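The mechanics described above, as an added example that is not the newsletter’s or the GPC project’s own code: a browser with the control enabled attaches a signal to every request, and a site that observes the control must treat that signal as an opt-out of sale submitted directly by the consumer. The example assumes, from the GPC draft specification rather than from this article, that the signal is the request header Sec-GPC with the value 1 and that an observing site publishes /.well-known/gpc.json. OptOutRegistry, the consumer identifiers and the sample requests are constructed for illustration.

```python
"""Server-side handling of a user-enabled global privacy control signal.

Added example (not the newsletter's or the GPC project's own code). It assumes,
from the GPC draft specification rather than from this article, that a browser
with the control enabled sends the request header ``Sec-GPC: 1`` and that a site
honouring the signal publishes ``/.well-known/gpc.json``. ``OptOutRegistry``,
the consumer identifiers and the sample requests below are constructed.
"""
import json
from dataclasses import dataclass, field

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


def gpc_signaled(headers: dict) -> bool:
    """Return True only when Sec-GPC is present with the spec-defined value "1".

    The specification defines no other value, so anything else (or a missing
    header) is treated conservatively as "no signal", never as consent to sell.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class OptOutRegistry:
    """Hypothetical store of each consumer's do-not-sell status."""
    opted_out: dict = field(default_factory=dict)

    def apply_request(self, consumer_id: str, headers: dict) -> bool:
        """Record an opt-out if this request carries the signal; return the status.

        The regulation treats a user-enabled control as a request made directly
        by the consumer (not via an authorized agent), so no identity
        verification or account creation is demanded before honouring it.
        An opt-out, once recorded, is not undone by a later request that
        happens to lack the header: that is not a request to opt back in.
        """
        if gpc_signaled(headers):
            self.opted_out[consumer_id] = {"source": "user-enabled global privacy control"}
        return consumer_id in self.opted_out

    def sale_permitted(self, consumer_id: str) -> bool:
        """Gate any 'sale' of personal information on the recorded status."""
        return consumer_id not in self.opted_out


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json announcing that the site honours GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests: one consumer seen with and without the signal,
# and a second consumer whose browser sends a value the spec does not define.
SAMPLE_REQUESTS = [
    ("consumer-42", {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}),
    ("consumer-42", {"Host": "shop.example", "Sec-GPC": "1"}),
    ("consumer-43", {"Host": "shop.example", "Sec-GPC": "0"}),
]


def run_samples() -> dict:
    """Replay the sample requests and report whether a sale is still permitted."""
    registry = OptOutRegistry()
    for consumer_id, headers in SAMPLE_REQUESTS:
        registry.apply_request(consumer_id, headers)
    return {cid: registry.sale_permitted(cid) for cid, _ in SAMPLE_REQUESTS}


if __name__ == "__main__":
    print(run_samples())  # {'consumer-42': False, 'consumer-43': True}
    print(well_known_gpc("2021-08-01"))
```

Two design points follow from the article. Because the regulation counts the signal as a request from the consumer directly, the registry does not insert a verification or account-creation step before honouring it (compare the verification and account-creation examples in the enforcement summary later in this issue). And because an opt-out is a request, not a per-request flag, the registry keeps it once recorded; whether a later unsignalled request should instead prompt the consumer is a policy choice the page does not settle.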
Business groups are expressing concern about the OAG’s recent actions regarding the GPC. On July 28, 2021, a coalition of trade associations and industry groups sent the OAG a letter critical of the new FAQs and related enforcement letters, requesting that the OAG reconsider its approach to user-enabled controls. The letter maintains that any attempt to make the GPC mandatory conflicts with the text of the California Privacy Rights Act (CPRA), which requires regulations to be issued about the control and provides that such a control be optional. Additionally, the letter states that any OAG guidance on the topic should be developed through a deliberative process that considers stakeholder input.
Growing Number of Federal Courts Order Production of Forensic Reports in Data Breach Cases
By Jennifer Oliver and Oliver Kiefer
A growing number of federal courts have held that the attorney-client privilege and work-product doctrine do not apply to forensic reports and related communications created in data breach litigation.
Many privacy professionals are already familiar with some cases holding that privilege did not apply to those reports. On July 22, yet another federal court ordered production of materials prepared in the wake of a data incident. In In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021), plaintiffs filed suit regarding a payment card breach involving the defendant’s point-of-sale (POS) devices.
According to plaintiffs, Rutter’s received two alerts detailing the execution of suspicious scripts and indications of the use of potentially compromised credentials. Rutter’s then hired outside counsel to advise Rutter’s on any potential notification obligations. In turn, outside counsel hired a third-party security firm to conduct forensic analyses on Rutter’s card environment and determine the scope of the incident.
Upon learning of the third-party investigation during a deposition, plaintiffs sought production of the third-party security firm’s written report and related communications. Rutter’s objected, citing the work product doctrine and attorney-client privilege.
Rule 26(b)(3) of the Federal Rules of Civil Procedure specifies that “for the work product doctrine to apply, the document must be prepared ‘in anticipation of litigation.’” Additionally, the Third Circuit Court of Appeals has specified that aiding in “identifiable” or “impending” litigation must have been the “primary motivating purpose behind the creation of the document.” This involves a two-step inquiry: whether (1) the party which ordered or prepared the document had a “unilateral belief” that litigation would result, and (2) the anticipation of litigation was objectively reasonable.
Applying this test in Rutter’s, the Court held that “[t]he purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred,” and therefore Rutter’s cannot be said to have unilaterally believed that litigation would ensue.
Supporting this finding, Rutter’s corporate designee testified that: (1) he was not considering the possibility of forthcoming lawsuits at the time the security firm was performing its work, and (2) the security firm “would have . . . done this work and prepared its incident response investigation regardless of whether or not lawsuits were filed.”
The court also held that attorney-client privilege would not apply. In the Third Circuit, attorney-client privilege attaches to: (1) a communication (2) made between privileged persons (3) in confidence (4) for the purpose of obtaining or providing legal assistance for the client. A communication is privileged only if its “primary purpose” is to gain or provide legal assistance, and it does not protect the communication of facts.
Here, the court rejected Rutter’s assertion of attorney-client privilege because the defendant did not meet its burden of establishing that the report and related communications had a primary purpose of providing or obtaining legal assistance. Rather, the evidence showed that the security firm was engaged to collect data, monitor IT equipment, and determine whether the IT equipment had been compromised.
This decision adds to a growing body of cases rejecting the claim that forensic reports created in the wake of data breaches should routinely be shielded from discovery on work-product or attorney-client privilege grounds. Privacy practitioners will undoubtedly continue to pay special attention to this important development.
OAG Releases Summary of Sample Enforcement Actions
By Andrew Scott
Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.
This July, the California Office of the Attorney General (OAG) rolled out three major updates to its CCPA webpage to mark the one-year anniversary of the California Consumer Privacy Act (CCPA)’s July 1, 2020 statutory date of enforcement. First, the OAG released a summary of sample enforcement actions to date, which provides helpful guidance about how the office is interpreting the statute. Second, the OAG updated the FAQs on its CCPA website and took related actions that indicate support for a new global privacy control tool. And, finally, the OAG unveiled a new privacy tool that helps consumers send letters to businesses if consumers believe they are not complying with the CCPA’s Do Not Sell requirements.
We address the first update below. The other two developments are covered in separate posts in this month’s CLA Privacy Section update.
In mid-2020, the OAG began sending notices of alleged noncompliance to CCPA businesses. Under the CCPA, the notices are required to give businesses thirty days to cure the OAG’s allegations of noncompliance. If a business does not cure the alleged noncompliance within that period, the OAG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation.
On July 19, 2021, the OAG published twenty-seven “illustrative examples of situations in which it sent a notice of alleged noncompliance and steps taken by each company in response.” The examples provide insight into the industries and issues that the OAG has focused on. Provided below is an overview of the issues the OAG appears to have focused on, which also offers insight into the office’s priorities heading into the CCPA’s second year.
Issues:
- Non-Compliant Privacy Policy (14): With fourteen of the twenty-seven examples including a non-compliant privacy policy, the OAG has signaled it is seriously looking for CCPA privacy policy compliance from companies. In one example, a company received a second notice that its updated privacy policy still did not comply with the CCPA regulations. The OAG found non-compliant notices in a variety of industries, including online dating, online event sales (2x), online advertising, automotive, grocery retail (2x), education technology, online clothing retail, video game distribution, and others. Clearly, a compliant privacy notice is of paramount importance for any company subject to the CCPA. In its examples, the OAG found the following issues of non-compliance in the privacy policies:
  - Claiming a fee may be charged for processing a consumer’s request to know;
  - Containing unnecessary legal jargon, making the notice not easy to read or understandable to the average consumer;
  - Failing to disclose information about the collection, the use, and the selling of consumer personal information;
  - Failing to inform consumers of how to submit requests to know, delete, and opt-out of the sale of personal information;
  - Failing to include a notice of financial incentive;
  - Inadequately disclosing CCPA consumer rights, including the right to know, to delete, and to not be discriminated against;
  - Inadequately disclosing what personal information is sold;
  - Inadequately identifying the categories of personal information transferred to others for a business purpose;
  - Inadequately listing the categories of personal information disclosed;
  - Inadequately stating whether or not the company had sold personal information in the past 12 months;
  - Providing incorrect instructions for how consumers could exercise their CCPA rights to request to know and delete; and
  - Lacking the required information about how consumers or their agents could exercise their opt-out rights.
- Lack of Request Methods (6): With six examples, it is clear that the OAG is focused on consumers being provided with methods to exercise their CCPA rights (e.g., to know and to delete). Defective online methods for submitting CCPA requests are not compliant.
- No “Do Not Sell My Personal Information” Link (4): In one example, the Do Not Sell My Personal Information link (DNSMPI) did not function properly. In another example, a business that sold personal information neither had the link on its homepage nor had adequate disclosures about what personal information it sold in its privacy policy. If a company determines that it sells personal information within the meaning of the CCPA, it is important to have the DNSMPI link on any of the business’s digital properties and functioning properly.
- Notice to Consumers (5): In addition to the online businesses that collect consumer data, brick and mortar businesses that collect information offline may also be subject to the CCPA. Accordingly, such brick and mortar businesses must have methods in place to ensure that when a consumer’s data is collected, notice of that collection is provided.
- Sales of Personal Information (4): Non-compliance included one business’s disclosures regarding its sale of data being “confusing,” while another business did not provide consumers with methods to opt out of the sale of personal information.
- Non-Compliant Opt-Out Process (3): The OAG took the position that a conglomerate requiring consumers to submit multiple, separate requests to opt-out of the sale of their personal information is not a CCPA-compliant practice.
- Non-Compliant Service Provider Contracts (2): Businesses that enter into contracts with service providers (known in the GDPR as processors) must ensure that language exists in those contracts to restrict how these entities retain, use, or disclose the personal information they receive. Moreover, one example highlighted that a business failed to impose a service provider contractual relationship on advertisers with which the company shared data from its retail site. Finally, the OAG determined that a service provider was also classified as a business in some contexts; the service provider’s privacy notice was subsequently found non-compliant. This highlights why companies need to understand their own data practices (e.g., use, disclosure, and retention practices): if they do not recognize whether they are service providers and/or businesses, they could end up misrepresenting their status to consumers or other business partners.
- Authorized Agent: Authorized agents need to be provided with instructions on how they can submit requests on behalf of consumers; however, requiring an authorized agent to submit a notarized verification when invoking CCPA rights was found by the OAG to be a non-compliant practice.
- Untimely Responses to CCPA Requests: A business was found not to be timely in responding to CCPA requests to know and delete personal information.
- Sales of Minors’ Personal Information: A business did not provide an opt-out mechanism to adults or obtain an opt-in for minors.
- Verification: A business no longer requires that a consumer be verified to opt-out of the sale of personal information.
- Account Creation for Verification: A business no longer requires a customer to create an account in order to make a CCPA request.
It is important to note that OAG stated that each business that received a notice has cured the alleged violation(s); the OAG did not assess penalties. In January 2023, the right to cure will sunset when the California Privacy Rights Act takes effect.