Privacy Law Review – What You Need to Know (May 2021)
CLA’s Privacy Law Section summarizes important developments in the privacy world and invites you to join and get involved with our new section!
Apple and Google Roll Out Initiatives to Curb User Tracking and Protect Privacy
By Andrew Scott
CIPP/E, CIPP/US, CIPM
On March 3, 2021, Google announced it is on pace to phase out its use of third-party cookies (with no alternative) for cross-site tracking. Google started down this path in 2020, announcing that Chrome, Google’s web browser, would remove support for third-party cookies by 2022, making them obsolete. Google’s plan is to substitute the one-to-one cookie-centric targeting with a privacy-first and interest-based technology that is being referred to as cohort targeting—Federated Learning of Cohorts (FLoCs).
The cookie ban does not apply to Google’s products, for example, Search and YouTube. Google will still collect data from a user’s interactions with its products (first-party data) and will still target ads to users based upon that interaction. The ban also does not apply to the company’s Software Development Kits (SDKs) in mobile apps that collect data and target ads.
Apple’s upcoming iOS 14 update will, however, stop cross-app tracking, reshaping the mobile app ecosystem. The update includes the much-discussed anti-tracking features, which have received significant support from the privacy community. Some of the new features include not only a user-required opt-in to app tracking but also a prominent notification on launch of new apps that explains what will be tracked.
While both initiatives are different, they seem to share common objectives: promote web transparency, protect privacy, and enhance platform control. Rather than rely on cookies, ad companies will have to find another way to target users (e.g., digital fingerprinting).
So, who will enforce the initiatives? Google and Apple will be taking a self-regulatory approach to enforcement. Apple has indicated it will enforce its new requirements for all third-party data sources, including data sharing agreements. With respect to its apps in the Apple App Store, Google stated it would comply with Apple’s new framework.
California OAG Announces CCPA Regulations and CPPA Board Member
On March 17, the OAG announced the board appointments for the California Privacy Protection Agency (CPPA). The CPPA is a “new administrative agency charged with protecting the fundamental privacy rights of consumers over their personal information.” This agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA.
The CPPA’s board is comprised of experts in privacy, technology, and consumer rights. The appointees are as follows:
- Jennifer M. Urban (Chair): Ms. Urban has been appointed by Governor Newsom. Ms. Urban has been a Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law since 2009. This position does not require Senate confirmation and the compensation is $100 per diem. Urban is registered without party preference.
- John Christopher Thompson: Mr. Thompson has been appointed by Governor Newsom. Mr. Thompson has been Senior Vice President of Government Relations at LA 2028 since 2020. This position does not require Senate confirmation and the compensation is $100 per diem. Thompson is a Democrat.
- Angela Sierra: Designated by Attorney General Xavier Becerra. Ms. Sierra recently served as Chief Assistant Attorney General of the Public Rights Division.
- Lydia de la Torre: Ms. de la Torre is the President Pro Tem’s nominee. Since 2017, de la Torre has been a professor at Santa Clara University Law School, teaching privacy law and co-directing the Santa Clara Law Privacy Certificate Program. Additionally, she has been serving as of-counsel to Squire Patton Boggs, specializing in privacy, data protection, and cybersecurity.
- Vinhcent Le: Mr. Le is the designee of Speaker Anthony Rendon. Mr. Le currently serves as a Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias.
Moving forward, expect the board to hire an executive director and to appoint a chief privacy auditor to conduct audits of businesses to ensure compliance with the CPRA. Within the next two years, the agency is expected to undertake the update of the existing CCPA rules and issue new ones.
CPPA enforcement will not start until July 1, 2023, which is six months after the CPRA goes into effect. The AG will continue to have power to enforce the CPRA through civil penalties while also being required to coordinate its efforts with the CPPA.
CCPA’s New Regulations
On March 15, the California Attorney General’s office (AG) announced that the Office of Administrative Law (OAL) has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. Below,
- Offline Opt-Out Methods. § 999.306(b)(3). There is a requirement for businesses that sell personal information that is collected offline to inform consumers not only of their right to opt out but also of the instructions for exercising that right through an offline method. In providing an illustration of an offline opt-out method, the regulations propose that a brick-and-mortar store, for example, may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected. There is another example offered.
- Opt-Out Icon. § 999.306(f)(1). The new regulations include an opt-out icon (not button). It “may be used in addition to, but not in lieu of, posting a notice of the right to opt-out of sales and a ‘Do Not Sell My Personal Information’ link.” The requirement for the icon is that it “shall be approximately the same size as any other icons used by the business on its webpage.” Businesses may download the icon here.
- Ban on Dark Patterns. § 999.315(h). Dark patterns are, essentially, interfaces or system designs that intentionally exploit cognitive and behavioral biases for the purpose of getting people to behave a certain way even if that behavior does not align with their preferences. The new regulations provide five examples of dark patterns that businesses must avoid, including (1) the use of confusing language, (2) the requirement that consumers click through or listen to reasons why they should not opt-out, and (3) the requirement that consumers scroll through privacy policies or similar documents after clicking the “Do Not Sell My Personal Information” link.
- Authorized Agent Verification. § 999.326. A business may now require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.
Of note, the Attorney General’s press release made two comments with respect to enforcement. First, the press release stated the following: “Since CCPA enforcement began on July 1, 2020, the Department has seen widespread compliance by companies doing business in California, especially in response to notices to cure.”
Second, the AG’s press release stated “[s]ome of the Attorney General’s responsibilities under the CCPA will transition over to the California Privacy Protection Agency created under the CPRA,” but the Attorney General will still “retain the authority to go to court to enforce CPRA.”
District Court Denies Motion to Dismiss COPPA Claim
By Aaron Lawson
A motion to dismiss filed by Google, LLC in an enforcement action by the Mississippi Attorney General under the Children’s Online Privacy Protection Act (“COPPA”) was recently denied by the U.S. District Court for the Northern District of Mississippi.
Mississippi’s lawsuit generally alleges that Google, through its G Suite for Education (or “GSFE”), tracks the online behavior of students, and uses that data to build profiles of individual students that Google uses for commercial purposes. The lawsuit began in state court in 2017, and was limited at the time to a state-law unfair-practices claim, under the Mississippi Consumer Protection Act, in which the State alleged that Google misrepresented its data-collection practices through its GSFE privacy policies and by signing the Student Privacy Pledge, a set of industry-backed measures meant to assuage concerns surrounding data privacy and educational technology. In state court, Google moved to dismiss on venue grounds, and the venue question went up to the state supreme court before it was resolved in the State’s favor.
After some discovery, Mississippi amended its complaint. It alleges that Google assigns GSFE users a unique ID that allows Google to track that individual’s behavior across devices. The State further alleges that Google retains all of this information and builds profiles on individual students, which it uses for commercial purposes. The State acknowledged that Google does not use data collected within certain “core” GSFE services to serve advertisements, but nevertheless alleges that Google uses this data to improve its advertising product overall. By virtue of these new allegations, the State expanded its unfair-practices theory to assert that Google misrepresented GSFE as COPPA-compliant.
 Aaron Lawson is an associate at the law firm Edelson PC, and is a member of the firm’s Issues & Appeals Group. He is also a member of the Executive Committee of the CLA’s Privacy Section.
 Google changed the name of this product to “Google Workspace for Education” after the lawsuit was filed.
 Google also argued that the second amendment to the complaint was improper because the State had not sought leave. The State urged that it had one amendment as of right post-removal. The district court sidestepped that dispute by determining that granting leave to amend was in the interests of justice.
 The author’s firm represents the Attorney General of the State of New Mexico in this litigation against Google. The author has appeared on behalf of the New Mexico Attorney General in the appeal in that case.
May Litigation Update: Two Google Cases Allowed to Proceed, TCPA Suffers a Blow, No Consent Wiretapping Still Illegal in CA
By Jennifer Oliver
Two Cases Accusing Google of Privacy Violations are Allowed to Proceed
On March 12, 2021, a Northern District of California court ruled that Google must face a lawsuit accusing it of collecting data from users who are browsing the internet in “incognito mode,” violating California privacy laws.
Brown v. Google LLC, 20-3664 was filed in June 2020 and alleges that even when consumers turn off data collection in Chrome, their personal data is gathered by other Google tools, claiming “Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy. … Indeed, even when Google users launch a web browser with ‘private browsing mode’ activated (as Google recommends to users wishing to browse the web privately), Google nevertheless tracks the users’ browsing data and other identifying information.”
Similarly, on March 18 Judge Koh held that a proposed class action accusing Google of collecting personal data from Chrome browser users without permission may move forward, but only certain claims may proceed. Judge Koh found that the plaintiffs hadn’t adequately pled “unlawful interception” claims, but rejected Google’s argument that the remaining allegations should also be tossed because users consented to the collection of their data.
Judge Koh allowed the remaining claims for violation of the California Invasion of Privacy Act, intrusion upon seclusion, breach of contract, breach of the implied covenant of good faith and fair dealing, statutory larceny, and violation of the California Unfair Competition Law to move forward. In finding that the plaintiffs had adequately alleged a reasonable expectation of privacy, Judge Koh described the intrusion as “highly offensive,” in terms of “the amount of data collected, the sensitivity of the data collected, and the nature of the data collection” as well as the “reasonable” assumption users could have drawn from Google’s representations it would not collect their data while the users weren’t synced with their Google accounts. The case is Calhoun v. Google, LLC, 20-cv-051460-LHK.
TCPA Plaintiffs Dealt a Blow by SCOTUS
Meanwhile on April 1, the Supreme Court issued a decision that will greatly impact Telephone Consumer Protection Act (TCPA) class action litigation. The court has ruled that to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator,” reversing and remanding the Ninth Circuit’s decision on this point. The case is captioned Facebook Inc. v. Duguid et al.
Many hope that this decision will help resolve the circuit split on the definition of “Automatic Telephone Dialing Systems” and provide greater clarity for parties seeking to comply with the TCPA and avoid class litigation.
CA Prohibition On Secretly Recording Phone Calls Applies To Parties, Not Just Eavesdroppers
And finally, on April 1 the California Supreme Court ruled that California’s penal code Section 632.7, which makes it a crime to record or intercept a phone call “without the consent of all parties,” applies not only to nonparties but also to those on the call, prohibiting them from recording each other without consent.
The 2016 lawsuit that spurred this decision was filed by Jeremiah Smith, who claimed the loan provider LoanMe Inc. recorded him without his consent during an 18-second call in violation of Section 632.7. The case is Smith v. LoanMe Inc., California Supreme Court (No. S260391).
Writing for the unanimous court, Chief Justice Cantil-Sakauye found that the statute should be read to mean that it prohibits both parties and nonparties from making non-consensual recordings, though it “conceivably could support the Court of Appeal’s interpretation as well.”
Jennifer Oliver is the Secretary of the CLA’s Privacy section and a partner at MoginRubin LLP where she specializes in antitrust and privacy matters.
California Lawyers Association Legislative Day – Privacy Law Breakout Session
By Michael Dore
From “scooter bills” to the Suspense File [1], the Privacy Law breakout session during last week’s CLA Legislative Day covered topics showing the full breadth of policy and procedural issues confronting the California Legislature as it wades through a number of new proposed laws related to data privacy.
Key insiders Nichole Rocha (Chief Consultant for the California Assembly’s Committee on Privacy and Consumer Protection chaired by Assembly Member Ed Chau), Melissa Immel (Deputy Legislative Secretary & Chief of Legislative Operations in the Office of Governor Gavin Newsom), and Ariel Fox Johnson (Senior Counsel, Global Policy at Common Sense Media) each offered insights about the status of current bills and potential changes to California’s data privacy law on the horizon. They addressed heavily scrutinized legal developments like the staffing of and rulemaking by the new California Privacy Protection Agency, as well as attention-getting bills related to genetic privacy and constitutional speech protections. Ironically, though, one of the things that stood out the most was the discussion of a proposed law about boats.
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer the right to direct a business not to sell personal information about the consumer to third parties. The California Privacy Rights Act (CPRA) also gives consumers an “opt-out” right with respect to sharing of the consumer’s personal information. Assembly Bill (AB) 335 would exempt from the right to opt out “vessel” information or ownership information retained or shared between a vessel dealer and its manufacturer, if the information is shared to effectuate or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall.
In 2019, the Legislature passed, and the Governor signed into law, AB 1146, which established a virtually identical exemption from the CCPA for vehicle information. AB 335 merely applies this same exemption to watercraft. But between the passage of AB 1146 (exempting vehicle information from a consumer’s opt-out right) in 2019, and the introduction of AB 335 (exempting vessel information from a consumer’s opt-out right) in 2021, California voters passed Proposition 24, which expanded and clarified privacy rights and obligations under State law and renamed the CCPA as the CPRA.
The California Constitution prohibits the Legislature from amending a statute created by a ballot proposition unless the initiative (here, Proposition 24) permits amendment or repeal without the electors’ approval. (Cal. Const. art. II Sec. 10(c)). Proposition 24 permits legislative amendment, provided that “such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3 [of Proposition 24], including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are intended to enhance privacy and are consistent with and further the purposes and intent of this Act ….” Prop. 24 at Sec. 25(a). Section 3(c) of the proposition states that, “[t]he law should be amended, if necessary, to improve its operation, provided that the amendments do not compromise or weaken consumer privacy, while giving attention to the impact on business and innovation.” (Emphasis added.)
As noted during the Privacy Law breakout session, and in the thorough bill analysis by the Assembly Committee on Privacy and Consumer Protection, the exemption for vessels arguably already exists as a matter of federal law. So any California bill expressly exempting vessel information, just like the 2019 bill expressly exempting vehicle information, could be construed as merely a specific statement of an already existing general exemption. These laws would not “weaken” consumer privacy through a new exemption, and thus run afoul of Section 3(c) of Proposition 24; they would merely give assurance to vehicle and vessel dealers and manufacturers that they are shielded from CPRA liability where they are complying with federal recall laws.
Nevertheless, the seemingly mundane AB 335 raises what likely will be an ongoing issue as legislators navigate the restrictions of Proposition 24. The proposition does not inherently bar every new exemption from the opt-out right. And what it means to say that an amendment to the CPRA compromises or weakens customer privacy itself may become a subject of debate. Either way, as discussed during the Legislative Day breakout sessions, legislators’ willingness to expand the opt-out-right exemptions and their rationale for doing so bear watching, including with respect to personal information that a business collects in the context of an employment relationship.
Michael Dore is a partner at the law firm Gibson, Dunn & Crutcher LLP and a member of the firm’s Media, Entertainment & Technology Practice Group and its White Collar Defense and Investigations Practice Group. He is a member of the CLA Privacy Section Legislative Committee.
[1] The Assembly Appropriations Committee sends any bill with an annual cost of more than $150,000 to a Suspense File, after which those bills are considered at a Suspense File hearing to determine if the bill should be released for further consideration. In the Senate, the criteria for referral to the Suspense File are a cost of $50,000 or more to the General Fund or $150,000 or more to a special fund.