Privacy Law Review – What You Need to Know (December 2020 – January 2021)

By Jeewon Kim Serrato

Happy new year! 

After launching the new Privacy Law Section last fall, we are off to an exciting start in the new year!

Below are some of the ways you can stay active with our Section, receive the latest news and alerts and network with global privacy leaders.

1. Have you joined the Privacy Law Section yet?

You can join by going to the new Privacy Law Section Homepage.  If you recently renewed the state bar license fees, you may not have seen us on the renewal statement.  We will be there this fall!  In the meantime, please join the Privacy Law Section by going to the CLA website.

Privacy Law Section Homepage: https://calawyers.org/section/privacy-law/

2. Are you interested in joining a committee?

We have three standing committees (described below) with several more about to be rolled out in the month ahead.  Join us to connect with fellow privacy lawyers and seize the opportunity to expand your privacy knowledge and footprint in the practice.  If you are interested in volunteering for a committee or learning more, contact us at privacy@calawyers.org. 

Education – Mary Ross and Alisa Hall
https://calawyers.org/section/privacy-law/events/
See the latest list of events we have planned to date.  If you are new to California privacy, be sure to check out our 12-part CCPA Intensive series, which we kicked off last month.

Publications – Sheri Porath Rockwell
https://calawyers.org/tag/privacy-news/
We curate and share the latest news and trends that are relevant to privacy practitioners.  Also, check out our latest “Profiles in California Privacy Law” where we interview Aaron Lawson (Edelson) and read all about his dynamic plaintiff’s side privacy litigation practice.

Treatise – Aaron Lawson, Brett Cook, and Jeewon Serrato
https://calawyers.org/section/privacy-law/publications/
We are in the final stages of preparing the CCPA Handbook for publication.  As soon as that manuscript is finalized, we will begin working on the California Privacy Treatise, to be completed in fall 2021.

3. CLA Privacy Law Section Monthly Meetings

We hold monthly meetings for Section members who are active in our committees every First Tuesday of the month, 11-11:30am PST.  If you would like to hear the latest programming and section news, please message us at privacy@calawyers.org to be added to our mailing list. 

4. Are you interested in applying for an Ex Com position?

We will provide updates in the next month on our governance processes, including application dates for Ex Com positions.  Our current Ex Com members list is found on our webpage.  If you are interested in serving as a leader within the CLA Privacy Law Section, please feel free to reach out to one of us.

Privacy Law Section Executive Committee Members: https://calawyers.org/section/privacy-law/committees/

5. Do you know someone else that would like to be active in CLA Privacy?

Please help us spread the word about the new Privacy Law Section.  Encourage them to join the section and send me a note so we can invite them to our monthly meetings.  Our formal way of communicating with our members will be through our monthly newsletters.  For those of you that are active in committees, the monthly meetings are used to provide more details and to allow members to actively engage with us. 

We are also looking for sponsors.  If your organization is interested in becoming a sponsor, please send me a note and we would be happy to send you our sponsorship packages.

Thanks and look forward to an exciting new year!

By Andrew Scott, CIPP/US & CIPP/E

On Thursday December 10, 2020, the California Attorney General (AG) provided Notice of a Fourth Set of Proposed Modifications (Fourth Set) made to the regulations regarding the California Consumer Privacy Act (CCPA).  This period for public comment ended on December 28, 2020, at 5:00pm (PST).

The AG must review the comments, draft a response, and either further modify the proposed modifications or submit them in their current form to the California Office of Administrative Law (OAL) for approval. Below, I provide a small summary of both the proposed modifications and the public comment responses to the modifications.    

The AG stated that this Fourth Set of proposed modifications came in response to receiving “around 20 comments” from the Third Set of Proposed Modifications (Third Set) released on October 12, 2020.  In its drafting this Fourth Set, the AG relied of New Materials which may be viewed here. 

The Proposed Modifications
The Fourth Set proposes modifications to Section 999.306 of the CCPA Regulations (Regulations).  Generally, these modifications relate to the consumer’s right to opt-out from the “sale” of personal information.  Some modifications aim to clarify ambiguities and correct errors remaining from the Third Set with respect to offline opt-out methods while a new section is added that seemingly revives the Opt-Out Button, which had previously been tabled when drafting the initial Regulations.  Brief summaries of the proposed modifications are listed below:  

• Offline Opt-Out Methods. The Fourth Set proposes modifications to the requirement for businesses that sell personal information that is collected offline to inform consumers not only of their right to opt out but also of the instructions for exercising that right through an offline method. § 999.306(b)(3).  In providing an illustration of an offline opt-out method, the Fourth Set proposes that a brick-and-mortar store, for example, may inform consumers of their right to opt-out on the paper forms that collect the personal information.  There are other examples offered, which can be viewed here.
  
  
• Opt-Out Button. The Fourth Set proposes an additional subsection:  Opt-Out Button. § 999.306(f). The goal of the Opt-Out Button is to offer a uniform button to promote consumer awareness of the opportunity to opt-out of the sale of personal information.  Summaries of key aspects of the section, including the official button presented in the modifications, are listed below:
  • It is optional,
  • It may be used in addition to, but not in lieu of, posting a notice of the right to opt-out of sales and a “Do Not Sell My Personal Information” link,  
  • It shall be approximately the same size as any other button used on the web page,
  • It must be placed to the left of the text where the business posts a “Do Not Sell My Personal Information” link (as seen above), and
  • It shall link to the location to which the consumer is directed after clicking “Do Not Sell my Personal Information” link.

The Process for Public Comment
As with prior proposed modifications, the AG will accept written comments to this Fourth Set of proposed modifications.  The AG requested that all comments be limited to the following: 1) the additions indicated in bold green double underline, 2) the deletions indicated in red double strike out, and 3) the New Materials relied upon added to the rule making file.  Notably, the Fourth Set leaves unmodified the proposed revisions made to Sections 999.315 and 999.326 in the Third Set.  

As previously mentioned, all written comments had to be submitted to the AG’s office no later than December 28, 2020, at 5:00pm (PST).   Comments could have been emailed (PrivacyRegulations@doj.ca.gov) or mailed to the AG’s office at the addresses provided in its Notice.  Now, the AG must review the comments, draft a response, and either further modify the proposed regulations or submit them in their current form to the California Office of Administrative Law (OAL) for approval.  

Summary of the Public Comments
The AG received over fifteen comments in response to the fourth set of proposed modifications. Comments came from various sources, including corporations, advertising alliance groups, consumer watch groups, and non-profits.  In general, the comments focused heavily on Sections 999.306(b) and 999.306(f).

In response to Section 999.306(b)(3), several comments applaud the revision, appreciating the “clarification” and finding it “useful.” One comment states the examples used in the proposed revision as aligning much more closely with the requirements of the statute which would “avoid significant potential consumer confusion.”  On the other hand, one comment suggests that the revision is “more restrictive and prescriptive than the current plain text of the CCPA regulations,” requesting the AG remove the proposed brick-and-mortar store example.

In response to Section 999.306(f), the public comments generally found confusion and wanted clarification.  One comment, however, indicated that the proposed icon is an improvement.  Other comments, however, did not welcome the button, finding, for example, the graphic “ugly and unhelpful” and the presence of both a checkmark and an ‘x’ potentially misleading.  One comment suggested the adaption of the Nutrition Label-Style framework, which would provide more consumer awareness than the button. 

Additionally, many comments heavily focus on the need for clarification from the AG as to whether or not the opt-out button is considered mandatory or voluntary.  These comments point to the confusion arising from the use of “may” in Section 999.306 (f)(1) being in conflict with the use of “shall” in (f)(2) and (f)(3).  While most of the comments seem to agree there is an ambiguity and need for clarification, they are not in agreement as to whether the button should be voluntary or mandatory.

It is difficult to know when and what the AG will do in response to the public comments.  The AG has a lot on its plate at the moment:  rulemaking provisions of the California Privacy Rights Act (“CPRA”) are already in effect, the CCPA implementation process is now in its second year, and California’s outgoing Attorney General, Xavier Becerra, has not been replaced.  More shall be revealed.

By Cody Venzke, Policy Counsel, Center for Democracy & Technology^[1]

Privacy practitioners and app developers should be aware of two changes to the Apple App Store: new data use disclosure requirements for apps on the platform and Apple’s coming opt-in consent regime for apps that track users as they move across the internet.

In December 2020, Apple updated its requirements for use of the App Store to require developers to post a privacy policy and make detailed disclosures about the types of data their apps collect and how the data are used. The disclosures are used to populate labels in the App Store that users now see on each app’s download page, describing categories of data that are collected from, linked to, or used to track users.  

These so-called “nutrition labels” will accompany Apple’s AppTrackingTransparency framework, which was first announced last June at Apple’s annual WWDC developer conference, but was subsequently delayed to “give developers time to make necessary changes.” The Transparency framework is now scheduled to “roll out broadly in the early spring.”

The new requirements, when implemented, will require applications on iOS, MacOS, and other Apple operating systems to receive permission from users before “tracking” them across websites, platforms, and devices. “Tracking” means linking user or device data collected by the developer’s app with user or device data collected by other companies for targeting or measuring advertising. Examples of tracking include displaying targeted ads based on third-party data or sharing device location or email addresses with data brokers. The requirements apply to tracking by software development kits — third-party code provided as a package for developers to include in their applications — and applications must receive user opt-in for tracking by SDKs.

As described at WWDC, there are steps developers can take to prepare. First, developers should catalog and disclose their data collection and tracking practices as now required by the App Store. Second, developers should seek to understand how the SDKs they have incorporated into their applications collect data. Third, developers should set up apps to call the AppTrackingTransparency framework in the iOS 14 SDK, including a specific usage description. Finally, developers should create a plan for honoring when a user does not opt-into tracking, including by eliminating any unnecessary “gates” on functionality and means of identifying users such as device “fingerprints.” The requirements apply to all apps, with a few limited exceptions, such as apps that do not send data off-device. If a developer fails to comply with either the disclosure or opt-in requirements, its app will not be removed from the App Store, but it will not be able to update the app until it comes into compliance.

Legal departments will want to be sure to work cooperatively with the app developers responsible for setting up App Store disclosures to ensure these new public-facing statements accurately reflect related data and privacy practices and are consistent with other public-facing statements about the company’s privacy practices, including online privacy policies and, if applicable, cookie policies.

[1] The views expressed in this article are exclusively those of the author and do not necessarily reflect those of the Center for Democracy & Technology. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

By Jennifer Oliver, Partner, MoginRubin LLP^[1]

To supplement our fall update on CCPA litigation to date, which can be found here, the CLA Privacy Section’s Publications Committee has summarized seven additional CCPA cases initiated in 2020, all of which were class actions filed in California federal courts. 

1. In re Dickey’s Data Security Breach Litigation (SD CA)In this series of cases plaintiffs allege claims for negligence and violation of the CCPA on behalf of classes of consumers affected by payment card data breaches at more than 100 franchise locations of the national restaurant chain Dickey’s Barbecue Pit. There are currently at least five federal cases on file, three in California and two in Texas. In November the Diczhazy plaintiff group petitioned The Judicial Panel on Multidistrict Litigation to consolidate and transfer these cases to California because, among other things, it is the state with the most breached franchises, and novel issues under the CCPA should be decided by a California court.  On February 4, the JPML issued a ruling that the cases pending did not require consolidation or transfer, and therefore six separate cases remain pending in three federal jurisdictions.
   
2. Gardiner v. Walmart Inc. (20-cv-04618) (ND CA) In this case the plaintiffs allege CCPA and negligence claims against Walmart on the basis that there are over 2 million Walmart accounts available on the dark web.  Plaintiffs do not identify a single data breach as the source of this information, and Walmart has acknowledged no such breach. Rather, plaintiffs allege that a scan of Walmart’s domains using Open Web Application Security Project Zed Attack Proxy revealed a number of vulnerabilities that plaintiffs believe led to the unauthorized exfiltration of Walmart customer data.  It will be interesting to see whether these allegations, which defendant Walmart characterizes as based on a “mere suspicion,” are found sufficient to state a CCPA claim.  Walmart’s motions to dismiss and strike class allegations are pending.
   
3. Sweeney v. Life On Air, et al. Case No. 20- cv-0742 (SD CA) Here, Plaintiffs alleged defendants did not make the requisite privacy disclosure pursuant to the notice provisions of the CCPA, but do not allege unauthorized disclosure of California residents’ unencrypted information.  The CCPA does not provide a private right of action for such failures, and we likely will not see how a court rules on defendants’ motion to dismiss these claims: defendants filed a motion to compel arbitration and plaintiffs did not oppose that motion, so the matter is now proceeding in arbitration.
   
4. Flores-Mendez et al. v. Zoosk Inc., Case No. 3:20-cv-04929 (ND CA) Like the Minted case summarized in our previous summary, this case arises from the Shiny Hunter data breach that targeted more than 10 companies in early 2020.  Plaintiffs allege violation of the CCPA, the CA UCL, negligence, and a claim for declaratory relief.  Defendants have moved to dismiss the amended complaint for lack of personal jurisdiction and failure to state a claim.  Plaintiffs subsequently dismissed their CCPA claim with prejudice, mooting the motion to dismiss with respect to that claim.  On January 30, the court granted defendants’ motion to dismiss in part and denied it in part; dismissing the UCL 17200 claim but allowing the negligence claim to proceed.
   
5. Shadi Hayden v. The Retail Equation, Inc. et al., Case No. 8:20-cv-01203 (CD CA) Here plaintiffs allege that Sephora, The Home Depot, CVS, and numerous other well-known defendants unlawfully shared consumers’ Consumer Commercial Activity Data and Consumer ID Data with consumer risk score vendor The Retail Equation (“TRE”).  Plaintiffs allege defendants violated the CCPA by sharing consumers’ PII with TRE to create consumer reports and generate a “risk score” that TRE then shared with other defendant retailers alongside other personal information without authorization, amounting to a “widespread, unauthorized dissemination” of plaintiffs’ information.  Motions to dismiss and to compel arbitration are pending.
   
6. Guzman v. RLI Corp., et al. Case No. 2:20-cv-08356 (CD CA) In this class action case plaintiffs allege that defendants allowed any person with access to the PACER system to view the unredacted personal information of users of the Nexus Libre system, which is used to track the whereabouts of undocumented immigrants in the US.  Plaintiffs moved for a temporary restraining order and preliminary injunction, and defendants opposed that application based in part on alleged lack of standing.  Plaintiffs’ application was denied and the court requested additional briefing on the standing issue, after which plaintiffs voluntarily dismissed the case without prejudice.
   
7. Brekhus et al. v. Google LLC and Alphabet Inc., Case No. 5:20-cv-5488 (ND CA) The plaintiffs in Brekhus allege that defendants’ Google Home product unlawfully listened to consumers without permission or disclosure in violation of the CCPA, various other statutes, and common law.  This case is unique because it does not allege that consumers’ unencrypted data was disclosed to a third party without authorization, but rather that defendants’ unauthorized collection of consumers’ PII constitutes a cognizable private action under CCPA.  In September this case was consolidated and transferred as part of In Re Google Assistant Privacy Litigation, motions to dismiss the plaintiffs’ third amended complaint in that action are pending.

[1]The views expressed in this article are exclusively those of the author and do not necessarily reflect those of the MoginRubin LLP. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.