Antitrust and Unfair Competition Law
Competition: 2016, Vol 25, No. 2
CALIFORNIA ONLINE PRIVACY LAWS: THE BATTLE FOR PERSONAL DATA
By Jonathan Levine and Heather Haggarty1
I. INTRODUCTION
In 2011, the World Economic Forum published a report describing personal data as the new asset class—the "new oil of the Internet and the new currency of the digital world."2 This is truer now than ever. With technology eliminating barriers to privacy and the demand for data creating opportunities for both economic growth and exploitation, legislatures and courts are scrambling to address privacy concerns in this ever-shifting technological landscape. While most online privacy laws and protections have been enacted only in the last decade, California is leading the way with key statutes to safeguard the privacy rights of individuals and businesses. This article focuses on a handful of these laws. Part II provides an overview of the Comprehensive Computer Data Access & Fraud Act (CDAFA), which prohibits unauthorized access to computer data and systems. Part III focuses on the Customer Records Act (CRA), also referred to as the Database Breach Act or the Breach Act, which protects personal information. Part IV discusses the Consumer Protection Against Computer Spyware Act, which prohibits unauthorized installation of spyware on an individual's computer. Last, the article concludes with a discussion of the California Online Privacy Protection Act (OPPA), which addresses the collection of personal information by operators of commercial websites.
II. COMPREHENSIVE COMPUTER DATA ACCESS & FRAUD ACT3
With the intent of protecting individuals, businesses, and government agencies against unauthorized access to and interference with computer data and systems, the CDAFA, codified at section 502 of the Penal Code, imposes criminal penalties for knowingly accessing and using a computer, or data from a computer, without permission.4 A violation of section 502 is punishable as a felony or a misdemeanor.5 The statute also provides for a private right of action.6
Specifically, a person is guilty if he or she knowingly and without permission:
- Accesses and alters, damages, deletes, destroys or otherwise uses any data, computer, computer system, or computer network in order to either (a) devise or execute any scheme or artifice to defraud, deceive, or extort, or (b) wrongfully control or obtain money, property, or data;
- Accesses and takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;
- Uses or causes to be used computer services;
- Accesses and adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network;
- Disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network;
- Provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section;
- Accesses or causes to be accessed any computer, computer system, or computer network;
- Introduces any computer contaminant (i.e. a virus or worm) into any computer, computer system, or computer network;
- Uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network;
- Disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network;
- Accesses and adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network;
- Disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network;
- Provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network in violation of this section; or
- Introduces any computer virus or worm into any public safety infrastructure computer system computer, computer system, or computer network. 7
A. Application of "Access"
As discussed below, the California courts' evolving interpretation of "access," which the CDAFA defines as "to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network,"8 has broadened the scope and reach of the CDAFA beyond malicious hacking to include the unauthorized taking or use of data.
In People v. Hawkins, one of the earlier cases to interpret the CDAFA, an employee was charged with violating section 502(c)(2) of the CDAFA9 after he left his employer to start a competing business and downloaded his entire computer directory from his employer’s computer system, which happened to include his employer’s proprietary source code.10 The employee argued that the statute lacked a mens rea requirement because "knowingly" only modifies "accesses," and that only knowing access triggers strict liability under the statute.11 He reasoned that he, therefore, could not be convicted of a felony.12 The court rejected the employee’s argument that the statute creates strict criminal liability, noting that evidence of accidental copying would have negated the mental element of section 502(c)(2).13
In People v. Childs, an employee was charged under section 502(c)(5)14 after refusing to provide his employer with the user name and password for his employer's computer network.15 The employee argued that the charged offense did not apply because the legislative intent of the statute was to address unauthorized access to computers and data, and he had authorized access to his employer's computer network.16 The court rejected his interpretation, reasoning that unauthorized access was not an implied element of section 502(c)(5) and that his reliance on the use of "unauthorized access" in subdivision (a) was "too narrow."17 The court found that "[d]isrupting or denying computer services to an authorized user could reasonably be read to fall within 'interference' with computers, even without a showing of unauthorized access."18 The court further underscored this point, noting that only some of the offenses under section 502(c) mention access and that the difference was intentional.19
In United States v. Christensen, the Ninth Circuit held that "access" includes logging into a database with a valid password and subsequently taking, copying, or using information in the database improperly.20 The court distinguished the CDAFA from the federal Computer Fraud and Abuse Act (CFAA),21 noting that the CDAFA does not require unauthorized access, but only knowing access.22 Citing United States v. Nosal, the court made clear that the CFAA is limited to criminalizing access that is not authorized, rather than use that is unauthorized, and noted that the CFAA was not intended to expand beyond an anti-hacking statute into a misappropriation statute.23 In contrast, the court held that, under the CDAFA, what is illegal is the taking, copying, or use without permission, regardless of whether the individual was authorized to access the information itself.24
With United States v. Christensen holding that a showing of "unauthorized access" is not required for liability under section 502(c), the CDAFA has effectively become a powerful tool for prosecutors and plaintiffs seeking to impose civil and criminal liability on authorized users who take or copy data without authorization.
B. Application of "Without Permission"
In addition to interpreting what constitutes knowing access, the courts have also weighed in on what it means to act "without permission" under section 502(c). Having extended "unauthorized" under the CDAFA to reach use that is not permitted, the courts, as the cases below show, have had to grapple with whether violating a website's terms of use is enough to impose liability, or whether a higher threshold, such as overcoming technical or code-based barriers, must be met before a defendant is liable under the CDAFA.
In Facebook, Inc. v. ConnectU, ConnectU obtained login information and passwords that were voluntarily submitted by Facebook users. The information allowed ConnectU to access Facebook to gather millions of e-mail addresses for solicitation.25 ConnectU argued that because the Facebook users voluntarily provided the access information, it did not constitute "unauthorized access." However, because using the email addresses for solicitation was prohibited by a standard clause in Facebook’s terms of use, the court denied ConnectU’s motion to dismiss, holding that such activity constituted knowing access and use "without permission" under the CDAFA.26 The court stated that notwithstanding the statutory title "unauthorized access," the violation turns on unauthorized (i.e., "without permission") taking, copying, or use of data.27 Moreover, the court found that ConnectU was subject to Facebook’s terms of use, and disputing ConnectU’s contention that this finding would allow private parties to determine what is criminal, the court held that "[t]he fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is not."28
It is on this last point in Facebook v. ConnectU that the court in Facebook, Inc. v. Power Ventures, Inc. disagreed.29 In Power Ventures, defendant Power moved for summary judgment on the basis that Facebook lacked standing to bring a claim under section 502 because it had not adequately shown that it had suffered damage or loss within the meaning of the statute.30 The court rejected this argument, finding that defendant admitted that Facebook took steps to block Power's access to the Facebook website.31 Holding that Facebook had standing to sue under section 502, the court also rejected Power's argument that any steps taken were minimal, no more than a few mouse clicks and keystrokes, stating that "[s]ection 502 sets no threshold level of damage or loss that must be reached to impart standing to bring suit. Under the plain language of the statute, any amount of damage or loss may be sufficient."32 Power also argued that it could not be liable under section 502 because there was "no evidence that Power ever accessed the Facebook website without the express permission of the user and rightful owner of the accessed data."33
In considering Power’s liability under section 502, the court found that the permission given by Facebook users to access Facebook was not a defense since Power’s use of "automated devices" (in this case, bots) violated an express term of Facebook’s terms of use.34 The court then looked at the question of whether such a violation of the terms of use constituted "without permission," noting that this is a challenging question because millions of internet users access websites every day without having read or understood the terms of use.35 The court disagreed with the holding in Facebook v. ConnectU, finding that allowing private parties to set the conditions upon which they will grant permission raises constitutional concerns because it essentially places "in private hands unbridled discretion to determine the scope of criminal liability recognized under the statute."36 The court went on to find that if private parties’ terms of use were used to determine whether "without permission" was established under section 502, internet users would not have adequate notice as to what actions could subject them to criminal liability as the terms of use could be changed at any time.37 "Thus, in order to avoid rendering the statute constitutionally infirm, the [c]ourt finds that a user of internet services does not access or use a computer, computer network, or website without permission simply because that user violated a contractual term of use."38 However, the court found that accessing or using a computer, network, or website "in a manner that overcomes technical or code-based barriers" constitutes "without permission," and may subject a user to liability under section 502.39
Though many courts have followed the Power Ventures court's technical-barrier approach, the split of authority over whether California law imposes a "technical or code-based barrier" requirement on CDAFA claims has not been resolved definitively, particularly as to the "without permission" language of the CDAFA.40 In NovelPoster v. Javitch Canfield Group, the court noted the competing interpretations. In holding that plaintiff had alleged sufficient facts to support its claims under section 502(c) of the CDAFA, the court stated that "the holding in Power Ventures is best understood as applying only to those CDAFA provisions which, like the provisions specifically at issue in that case, require a showing of unpermitted access or use, not to section 502(c)(5)."41 The court also found that allegations that defendants changed the passwords to NovelPoster's accounts, thereby cutting off plaintiff's own access, were sufficient at the pleading stage to show that defendants overcame a technical barrier.42
C. Criminal Penalties
Depending on the subdivision under which a defendant is convicted, the defendant may be subject to imprisonment for up to three years and a fine of up to $10,000.43
D. Private Right of Action and Damages
In addition to criminal penalties, the statute provides a private right of action for compensatory damages and injunctive or other equitable relief to the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss as a result of the violations described above.44 The action must be brought within three years of the date of the act complained of or the date of its discovery, whichever is later.45
Compensatory damages include any expenditure reasonably and necessarily incurred to verify that computer, computer system, computer network, computer program or data was or was not altered, deleted, or damaged by the access.46 Unlike the statute’s federal counterpart, there is no minimum level of monetary loss.47 A showing that the plaintiff expended resources to curtail the defendant’s access suffices for standing, even where the costs of investigating and responding to unwanted access are nominal.48
In addition, the court may award punitive or exemplary damages where it is proved by clear and convincing evidence that a defendant has been guilty of oppression, fraud, or malice, as defined in section 3294(c) of the Civil Code, in willful violation of the CDAFA.49 The court may also award reasonable attorneys' fees.50
III. CALIFORNIA CUSTOMER RECORDS ACT (CRA)51
A. Sections 1798.81 and 1798.81.5—Obligation to Protect Personal Information
The CRA requires businesses that own, license, or maintain personal information about Californians, except those subject to certain other information and/or privacy laws,52 to take reasonable steps to dispose of customer records containing personal information within their control by shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable through any means.53 In addition, such a business must implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information it owns, licenses, or maintains from unauthorized access, destruction, use, modification, or disclosure.54 For these purposes, "personal information" means a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, or an individual's first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted:55
- Social security number, driver’s license number or California Identification Card number;
- Account number, credit or debit card number along with any required security code, access code, or password giving access to an individual’s financial account;
- Medical or health insurance information; or
- Information collected by an automated license plate recognition system.
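The definition above is the trigger an incident responder actually has to evaluate against a breached dataset, and its conjunctive structure (a name and a listed element, with the encryption status of each mattering) is easy to get wrong when a team records only which columns were exposed. The following Python is an added worked example, not code from the article, a statute, or any regulator: it encodes the definition as summarized above, with two labelled assumptions (that a login identifier and credential pair counts when the credential is in the clear, and that an account or card number counts only together with the access code needed to use it), applies it to a constructed sample of exposed rows, and separates California residents, to whom the notice duty runs, from others. Column names and the sample data are assumptions.

```python
from dataclasses import dataclass, field

# Columns that, combined with a first name/initial and last name, make a row
# "personal information" in the article's summary of the CRA definition.
NAME_COLUMNS = ("first_name", "last_name")
LISTED_ELEMENTS = {
    "ssn", "drivers_license", "ca_id_card",
    "medical_info", "health_insurance_info", "alpr_data",
}
FINANCIAL_NUMBER = "account_number"   # account, credit or debit card number
FINANCIAL_CODE = "access_code"        # security/access code or password needed to use it
LOGIN_ID_COLUMNS = ("username", "email")
LOGIN_SECRET = "password"             # password or security question and answer


@dataclass
class Record:
    """One exposed row from a breached dataset (constructed for this example).

    `fields` maps column name -> value; `encrypted` names the columns that were
    exposed only in encrypted form; `state` is the data subject's residence.
    """
    fields: dict
    state: str
    encrypted: set = field(default_factory=set)

    def has(self, column):
        return self.fields.get(column) not in (None, "")

    def in_clear(self, column):
        return self.has(column) and column not in self.encrypted


def notice_reason(rec):
    """Return why the row is unencrypted personal information, or None."""
    # Prong 1: login identifier plus a credential that would permit account access.
    # Assumption: the pair counts only when the credential itself is in the clear.
    if any(rec.has(c) for c in LOGIN_ID_COLUMNS) and rec.in_clear(LOGIN_SECRET):
        return "online credentials"

    # Prong 2: name plus a listed element, where either the name or the element
    # is not encrypted.  Without a full name nothing in this prong applies.
    if not all(rec.has(c) for c in NAME_COLUMNS):
        return None
    name_clear = any(rec.in_clear(c) for c in NAME_COLUMNS)
    for column in sorted(LISTED_ELEMENTS):
        if rec.has(column) and (name_clear or rec.in_clear(column)):
            return f"name + {column}"

    # Assumption: the financial account needs a code to be used, so the number
    # counts only together with that code.  A number that alone permits access
    # would have to be treated as a listed element in its own right.
    if rec.has(FINANCIAL_NUMBER) and rec.has(FINANCIAL_CODE):
        if name_clear or rec.in_clear(FINANCIAL_NUMBER) or rec.in_clear(FINANCIAL_CODE):
            return "name + financial account number and access code"
    return None


def triage(records):
    """Split rows into California residents owed notice, personal information
    belonging to non-residents, and rows outside the definition."""
    result = {"notify": [], "out_of_state": [], "not_pi": []}
    for rec in records:
        reason = notice_reason(rec)
        if reason is None:
            result["not_pi"].append(rec)
        elif rec.state == "CA":
            result["notify"].append((rec, reason))
        else:
            result["out_of_state"].append((rec, reason))
    return result


def summary(records):
    """Counts per bucket, the figure an incident report would carry."""
    return {bucket: len(rows) for bucket, rows in triage(records).items()}


# Constructed sample of exposed rows; values are placeholders.
SAMPLE_BREACH = [
    # Name and SSN both in the clear: notify.
    Record({"first_name": "A", "last_name": "Lee", "ssn": "000-00-0001"}, "CA"),
    # Name in the clear, SSN encrypted: the name side of "either" is unencrypted.
    Record({"first_name": "B", "last_name": "Kim", "ssn": "enc:..."}, "CA", {"ssn"}),
    # Name and SSN all encrypted: outside the unencrypted-information trigger.
    Record({"first_name": "C", "last_name": "Ng", "ssn": "enc:..."}, "CA",
           {"first_name", "last_name", "ssn"}),
    # E-mail plus clear-text password: notify even with no name at all.
    Record({"email": "d@example.com", "password": "hunter2"}, "CA"),
    # E-mail plus encrypted password: not triggered under this example's assumption.
    Record({"email": "e@example.com", "password": "enc:..."}, "CA", {"password"}),
    # Name plus card number but no access code: not triggered as modelled here.
    Record({"first_name": "F", "last_name": "Ito", "account_number": "4111..."}, "CA"),
    # Name, card number and code: personal information, but a Nevada resident.
    Record({"first_name": "G", "last_name": "Cruz", "account_number": "4111...",
            "access_code": "123"}, "NV"),
    # Name plus phone and address only: not personal information under the CRA.
    Record({"first_name": "H", "last_name": "Ali", "phone": "555", "address": "x"}, "CA"),
]

if __name__ == "__main__":
    for rec, reason in triage(SAMPLE_BREACH)["notify"]:
        print(rec.state, reason)
    print(summary(SAMPLE_BREACH))
```

The per-column `encrypted` set is the detail worth copying into real breach-scoping spreadsheets: whether a row is notifiable depends on which of the name and the data element was protected, not on whether "the database was encrypted." The example also makes the residency split explicit, since the statute's notice duty and its private right of action both run to California residents.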
To sue, a plaintiff must be a "customer," which is defined as "an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business."56 The CRA does not require that notification be given to individuals residing outside of California, and such individuals do not have standing to sue under it.57
In In re Adobe Systems Privacy Litigation, customers whose personal information had been compromised alleged that computer hackers had accessed defendant's servers with the intent to steal customer data, including names, usernames, passwords, e-mail addresses, telephone numbers, mailing addresses, and credit card numbers; that some of the personal information had been successfully decrypted; and that some of the information stolen in the data breach had already surfaced on websites used by the hackers.58 Defendant asserted that plaintiffs lacked standing to bring a claim based on its alleged violation of section 1798.82 because plaintiffs did not allege that they suffered any particular injury stemming from defendant's failure to reasonably notify them of the 2013 data breach.59 The court found that plaintiffs sufficiently alleged a concrete and imminent threat of future harm to establish Article III injury-in-fact at the pleadings stage, as necessary to seek class action injunctive relief against defendant under the CRA provision governing failure to implement reasonable security measures.60 In so holding, the court noted that some of the stolen data had already appeared on the Internet and that "to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be 'literally certain' in order to constitute injury-in-fact."61
B. Section 1798.82—Breach of Security Obligations
If a person or business that conducts business in California and owns or licenses computerized data that includes personal information experiences a security breach of that information, it is required to notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, in the most expedient time possible and without unreasonable delay.62 If the person or business that maintains the computerized data does not own it, it must notify the owner or licensee immediately upon discovery of the breach.63
A notification of a security breach must be written in plain language and follow the format outlined by the statute.64 Notice may be provided by written notification, electronic notice, or, under certain conditions, substitute notice, which consists of e-mail notice, conspicuous posting on the business's website, and notification to major statewide media.65 If the person or business providing the notification was the source of the breach, and the breach exposed or may have exposed a Social Security, driver's license, or California identification card number, it must also offer appropriate identity theft prevention and mitigation services at no cost to the affected person for not less than 12 months.66
In In re Sony Gaming Networks and Customer Data Security Breach Litigation, plaintiffs alleged that Sony violated section 1798.82 of the CRA by failing to notify plaintiffs of the breach in the most expedient time possible and without unreasonable delay.67 Plaintiffs sought injunctive relief, attorneys' fees, and economic damages as a result of the violation.68 Sony moved to dismiss the claim, arguing that plaintiffs failed to allege why notice of the breach within the 90-day safe harbor provision set forth in section 1798.84(d) was unreasonable and how plaintiffs' economic damages flowed from the purported unreasonable delay.69 The court rejected Sony's safe harbor argument, noting that section 1798.84(d) was inapplicable because it applies only to the sale of information to marketers without disclosure.70 The court, however, granted Sony's motion to dismiss the claims seeking economic damages because plaintiffs failed to allege how they were damaged by the ten-day delay.71
C. Damages
To recover actual damages, a plaintiff must allege actual damages caused by the unreasonable delay in notifying of the breach, and not merely by the intrusion itself.72
D. Section 1798.83—Sharing Personal Information with Third Parties
Section 1798.83 of the CRA, coined the "Shine the Light" law ("STL"), regulates the business practice of sharing customers' personal information with third parties for the purpose of direct marketing.73 STL does not bar sharing consumer marketing information with third parties.74 "Rather, it was designed to 'shine the light' on information-sharing practices by requiring businesses to establish a procedure by which the consumer can obtain information about such practices."75 STL applies to a "covered business," which includes any business with 20 or more full- or part-time employees76 that has an established business relationship with at least one California resident77 and has, within the immediately preceding calendar year, disclosed personal information as defined above to third parties for the purpose of direct marketing.78, 79
As described by the court in Miller v. Hearst Communications, Inc:
The STL law allows consumers to make requests to covered businesses for information relating to how they have shared consumer information with third parties during the immediately preceding calendar year. These businesses may respond to consumer requests in two ways. First, they can simply disclose how they have shared consumer information with third parties. Alternatively, they can respond by providing the consumer the "right to prevent disclosure of personal information" in which case the businesses are not required to disclose their actual information sharing practices. To give consumers a central location to send STL inquiries, the law requires that a business "designate [and publicize] a mailing address, electronic mail address, or, if the business chooses to receive requests by telephone or facsimile, a toll-free telephone or facsimile number, to which customers may deliver requests." Finally, the law includes a remedy provision, which provides that any consumer who is "injured by a violation" may institute a civil action to recover damages.80
Thus, in order to comply with section 1798.83, a business has two options. Under the first, the business designates a mailing address, electronic mail address, or toll-free telephone or facsimile number to which customers may deliver a request for information concerning the personal information collected and the third parties that received it for their direct marketing purposes during the preceding calendar year, and also does one of the following:
1) Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business’s privacy practices or the business’s compliance with Section 1798.83 are to be informed of the designated addresses or numbers or the means to obtain the addresses or numbers;81
2) Add a link on the business's homepage to a webpage titled "Your Privacy Rights" or add the words "Your Privacy Rights" to the homepage's link to its privacy policy. "Your Privacy Rights" must be in the same style and font size as the link to the business's privacy policy. If the business does not display a link to its privacy policy on its homepage, or does not have a privacy policy, the words "Your Privacy Rights" must be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link must describe customers' rights pursuant to Section 1798.83 and provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate. If the business elects to add the words "Your California Privacy Rights" to the homepage's link to the business's privacy policy in a manner that complies with this subdivision, and the first page of the link describes a customer's rights pursuant to this section and provides the designated mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as appropriate, the business need not respond to requests that are not received at one of the designated addresses or numbers; or82
3) Make the designated addresses or numbers or means to obtain the designated addresses or numbers readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.83
Once the business receives the customer's request, it must provide all of the following in writing or by electronic mail, free of charge, within 30 days of receipt of the request if it was sent to an address designated by the business, or within 150 days if the request was sent to an address not designated by the business:84
1) a list of the categories of personal information disclosed by the business to third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year; and85
2) the names and addresses of third parties that received personal information from the business for the third parties’ direct marketing purposes during the preceding calendar year and, if the nature of the third parties’ business cannot reasonably be determined from the third parties’ name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties’ business.86
A business is not obligated to respond to an information request under STL from the same customer more than once during any calendar year.87 Some disclosures are also exempt, including "the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions, (B) to religious organizations to solicit charitable contributions, (C) by a third party when the third party receives personal information solely as a consequence of having obtained for consideration permanent ownership of accounts that might contain personal information, or (D) by a third party when the third party receives personal information solely as a consequence of a single transaction where, as a result of the transaction, personal information has to be disclosed in order to effectuate the transaction."88
Alternatively, if a business does not want to share such information in the manner required in section 1798.83(b), it can comply with section 1798.83 by including in its published privacy policy that it will not disclose a customer’s personal information to third parties for the third parties’ use in direct marketing without the customer’s consent (opt-in or opt-out) and then by (1) notifying the customer of his or her right to prevent disclosure of personal information, and (2) providing the customer with a cost-free means to exercise that right.89
Finally, the statute provides a "safe harbor" where a business is alleged to have failed to provide all of the information required by section 1798.83(a), to have provided inaccurate information, or to have failed to provide the information in a timely manner, and the violation is not willful, intentional, or reckless.90 In such a case, the business may assert as a complete defense in any action at law or in equity that it thereafter provided the required information to all customers who had been given incomplete or inaccurate information, within 90 days of the date the business knew that it had failed to provide the information as required.91
E. Application of STL
In Boorstein v. Men's Journal, LLC, the plaintiff alleged that defendant violated STL by failing to properly designate its contact information or provide a description of California consumers' rights under the STL, and that, as a result, defendant's sale of his personal information to third parties decreased the market value of the information, causing him injury.92 The court rejected his "diminished-value-of-information theory," finding that defendant's failure to comply did not reduce the value of plaintiff's personal information.93 The court reasoned that, unlike the plaintiffs in established "informational injury" precedent who had requested information and been denied, the plaintiff here erroneously argued that it was not necessary for him to make an STL request in order to establish injury.94 The court also stated that defendant's failure to provide the contact information needed to make an STL request is a procedural injury, not an "informational injury."95 Finally, the court held that plaintiff did not establish economic harm by arguing that the value of his magazine subscription was reduced by defendant's failure to comply, and therefore did not establish statutory injury.96
In Miller v. Hearst Communications, Inc., the court applied the same analysis in finding that plaintiff lacked standing to sue.97 Because plaintiff's claim of statutory injury rested solely on the assertion that defendant had violated the STL law by failing to properly designate and publicize on its website a location to send STL inquiries, the court found that she did not allege injury sufficient to meet the statutory requirement.98 The court concluded that "the STL law's remedy provision requires an 'injury' in conjunction with a violation. Because Plaintiff fails to allege a cognizable injury, she lacks statutory standing for her STL claim, regardless of whether her allegations are sufficient to state a violation of the STL law."99
In Boorstein v. CBS Interactive, Inc., the plaintiff alleged that he provided personally identifiable information when he subscribed to one of defendant’s websites; that defendant had shared that personal information with third parties for direct marketing purposes; and that defendant was therefore required to meet the notice requirements under STL, which it failed to do.100 As in Boorstein v. Men’s Journal, LLC and Miller v. Hearst Communications, Inc., the court found that the plaintiff lacked standing to pursue a claim under section 1798.83 because he failed to plead a statutory injury.101 The court reasoned that section 1798.84(b) requires that a plaintiff be a "customer" who has been "injured by a violation of this title" in order to pursue an action for a violation of section 1798.83, and only then may a plaintiff seek any of the remedies provided by section 1798.84.102 Simply put, alleging a violation of the statute is not enough.
Further, the court opined that the statute’s authorization of penalties per violation suggests that a statutory "violation" is a discrete event which can be quantified.103 "A failure to timely, accurately, or completely respond to a disclosure request is a discrete event; a court can calculate a civil penalty for each failure by counting the number of disclosure requests to which the defendant did not appropriately respond."104 The court concluded that a failure to post information on a website is a continuing event which cannot easily be quantified, and that "a continuing violation of this kind, without more, is not an actionable ‘violation of this title.’"105 Finally, the court stated that to construe a violation as anything less than a company’s failure to provide a timely, complete, and accurate response to disclosure requests would eviscerate the safe harbor intended by section 1798.84(d) and invite a "liability trap" which the legislature sought to avoid.106 "If we interpret the statute as plaintiff suggests, customers could bring suit whether or not they ever tried to contact a business about its privacy policy. Indeed, if the law is interpreted as plaintiff suggests, a customer who made a request for information and received a timely, complete, and accurate response could still sue for an STL violation by challenging the manner in which the company disclosed its contact information on its Web site."107
F. Safe Harbor for Record Custodians
Finding that records containing personal information abandoned by a business often end up in the possession of a storage company or commercial landlord, the legislature created a safe harbor for such a record custodian who properly disposes of the records as required by section 1798.84(f)(1).108 Accordingly, under section 1798.84(f), a cause of action will not lie against a storage company or commercial landlord that has come into possession of records containing personal information abandoned by a business, provided the custodian disposes of those records by shredding, erasing, or otherwise modifying the personal information in them so as to render it unreadable or indecipherable by any means.109
G. Civil Penalties
If a business fails to comply with the statute, it may be subject to fines from $500 up to $3,000 per violation if the violation is deemed willful.110 The remedies are cumulative to each other and to any other rights and remedies available, and the court may award attorney’s fees.111
IV. CALIFORNIA CONSUMER PROTECTION AGAINST COMPUTER SPYWARE ACT112
The law prohibits any person that is not the authorized user of a computer from knowingly installing software on a user’s computer in California without providing that user with a detailed notice of what the software is, how it functions, if and how it collects and uses personal information, and a variety of other information about the software. Though "spyware" is not defined in the statute, a person or entity that is not an authorized user113 is prohibited from (whether with actual knowledge, intentional avoidance of actual knowledge, or willfully) causing computer software to be copied onto the computer of a consumer in this state and using the software to do any of the following through intentionally deceptive means:114
- Modify settings related to the computer’s access to, or use of, the internet, including the page that appears when an authorized user launches an internet browser or similar software program used to access and navigate the internet; the default provider or web proxy the authorized user uses to access or search the Internet; and the authorized user’s list of bookmarks used to access web pages.115
- Collect personally identifiable information through any of the following: the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person; tracking all or substantially all of the websites visited by an authorized user if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed; or extracting a data element116 from the consumer’s computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user.117
- Prevent, without the authorization of an authorized user, the authorized user’s reasonable efforts to disable or block the installation of software, by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer.118
- Intentionally misrepresent that software will be uninstalled or disabled by an authorized user’s action, with knowledge that the software will not be so uninstalled or disabled.119
- Remove, disable, or render inoperative security, antispyware, or antivirus software installed on the authorized user’s computer.
In addition, an unauthorized user120 shall not (whether with actual knowledge, intentional avoidance of actual knowledge, or willfully) cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following without the authorized user’s permission:121
- Take control of the consumer’s computer by transmitting or relaying commercial electronic mail or a computer virus from the consumer’s computer for the purpose of causing damage to the consumer’s computer;122 accessing or using the consumer’s modem or internet service for the purpose of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user;123 using the consumer’s computer for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack;124 or opening multiple, sequential, stand-alone advertisements in the consumer’s Internet browser without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer’s Internet browser;125
- Modify any of the following settings related to the computer’s access to, or use of, the Internet: an authorized user’s security or other settings that protect information about the authorized user for the purpose of stealing personal information of an authorized user; the security settings of the computer for the purpose of causing damage to one or more computers; or126
- Prevent an authorized user’s reasonable efforts to block the installation of, or to disable, software, by presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds, or by falsely representing that software has been disabled.127
Finally, a person or entity,128 who is not an authorized user shall not do any of the following with regard to the computer of a consumer in this state:
- Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.129
- Deceptively cause the copying and execution on the computer of a computer software component with the intent of causing an authorized user to use the component in a way that violates any other provision of this section.
One of the few cases to be found interpreting or applying this statute is the marital dissolution case Vertkin v. Vertkin130 in which the court upheld plaintiff’s cause of action alleging that defendant installed "keystroke" software on her home and office computers and in doing so, obtained plaintiff’s personal financial information.131
V. CALIFORNIA ONLINE PRIVACY PROTECTION ACT (OPPA)132
OPPA requires any operator133 of a commercial website or online service that collects personally identifiable information about California residents to conspicuously post its privacy policy and comply with its policy’s terms.134 The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form including: a first and last name, a home or other physical address, including street name and name of a city or town, an e-mail address, a telephone number, a social security number, any other identifier that permits the physical or online contacting of a specific individual, or information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.135
In addition to mandating conspicuous posting of the operator’s privacy policy, the statute also requires that the following be included in a privacy policy:136
- the categories of personally identifiable information that the operator collects through the website or online service about its users and/or visitors;137
- any third parties with whom the operator may share the personally identifiable information;138
- a description of the process for a user or visitor to review and request changes to his or her personally identifiable information collected through the site or service, if the operator maintains such a process;139
- a description of the process for notifying users and visitors of material changes to the privacy policy;140
- an effective date of the privacy policy;141
- a disclosure as to how the operator responds to web browser "do not track" signals or other mechanisms that allow consumers to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services if the operator engages in that type of collection;142 and
- a disclosure as to whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.143
Under CalOPPA, any of the following would suffice to meet the requirement that the operator’s privacy policy be "conspicuously posted":
- displayed on the website’s homepage or first significant page after entering the website;144
- an icon that hyperlinks to a web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable;145
- a text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following: includes the word "privacy"; is written in capital letters equal to or greater in size than the surrounding text; or is written in larger type than the surrounding text, in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;146
- any other functional hyperlink that is displayed such that a reasonable person would notice it;147 or
- any other reasonably accessible means of making the privacy policy available for consumers of online service.
A. Failure to Comply
If an operator receives notice of non-compliance for failure to post its privacy policy, or for failure to post it conspicuously, the operator has a 30-day grace period to comply. An operator is in violation of this section if it fails to comply with the provisions of section 22575 or with the provisions of its own posted privacy policy in either of the following ways: knowingly and willfully, or negligently and materially.148 Hence, an operator that is negligently in material noncompliance with OPPA or with the terms of its privacy policy has violated OPPA. Likewise, because a knowing and willful violation need not be material, a non-material (i.e., trivial) but deliberate breach can be a basis for liability, as can minor technical defects in the posting or the contents of a privacy policy.
B. Application
There is almost no California case law applying this statute.149 One court, in holding that the preemption provision of the federal Airline Deregulation Act of 1978 barred state enforcement of OPPA, provided a detailed analysis of the legislative intent of OPPA and noted that OPPA does not provide for a private right of action or public prosecution for violation of any of its provisions.150
VI. CONCLUSION
California digital privacy laws have begun to expand the protections afforded to individuals and businesses by establishing a legal framework that sets important standards for the gathering of and use of personal information and by imposing civil and criminal penalties for violations of these laws. As demand for data continues to grow in our post-industrial society, the courts and legislature will no doubt continue to have to navigate the murky waters of privacy, technology and economic demands.
——–
Notes:
1. Jonathan Levine is a founding partner of Pritzker Levine LLP and a member of the Privacy Law Subcommittee of the Antitrust, UCL and Privacy Section of the State Bar of California. Heather Haggarty is an associate with Pritzker Levine LLP.
2. World Economic Forum, Personal Data: The Emergence of a New Asset Class (Feb. 17, 2011), http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf.
3. Cal. Penal Code § 502.
4. Facebook v. Grunin, 77 F. Supp. 3d 965, 971-72 (N.D. Cal. 2015).
5. People v. Hawkins, 98 Cal. App. 4th 1428, 1437-38 (2002).
6. Cal. Penal Code § 502(e)(1).
7. Id. §§ 502(c)(1)—502(c)(14).
8. Id. § 502(b)(1).
9. Cal. Penal Code § 502(c)(2) ("Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.").
10. People v. Hawkins, 98 Cal. App. 4th 1433, 1437 (2002).
11. Id. at 1439.
12. Id.
13. Id.
14. Cal. Penal Code § 502(c)(5) ("Disrupting or causing the disruption of computer services or denying or causes the denial of computer services to an authorized user of a computer, computer system, or computer network for refusing to provide passwords and access codes to a city computer network.").
15. People v. Childs, 220 Cal. App. 4th 1079 (2013).
16. Id. at 1098-99.
17. Id. at 1101.
18. Id. at 1101-02.
19. Id. at 1102. See also NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 966 (N.D. Cal. 2014).
20. United States v. Christensen, 801 F.3d 970, 994 (9th Cir. 2015) (opinion amended and superseded on denial of rehearing United States v. Christensen, 828 F.3d 763 (9th Cir. 2015)).
21. Id.
22. Id.
23. Id. at 992.
24. Id. at 994.
25. Facebook v. ConnectU LLC, 489 F. Supp. 2d 1087,1091 (N.D. Cal. 2007).
26. Id.
27. Id.
28. Id.
29. Facebook v. Power Ventures, No. C 08-05780, 2010 WL 3291750 (N.D. Cal. July 20, 2010).
30. Id. at *3.
31. Id. at *4.
32. Id.
33. Id. at *5.
34. Id. at *7.
35. Id.
36. Id. at *8.
37. Id. at
38. Id.
39. Id.
40. See NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 966 (N.D. Cal. 2014); Loop AI Labs v. Gatti, 2015 WL 5158639, at *4 (N.D. Cal. Sept. 2, 2015); Synopsys v. A Top Tech, No. C13-cv-02965SC, 2013 WL 5770542, at *11 (N.D. Cal. Oct. 24, 2013).
41. NovelPoster, 140 F. Supp. 3d at 967.
42. Id.
43. Cal. Penal Code § 502(d).
44. Id. § 502(e); see also Mintz v. Mark Bartelstein and Assocs., 906 F. Supp. 2d 1017, 1032 (C.D. Cal. 2012).
45. Cal. Penal Code § 502(e)(5).
46. Id. § 502(e).
47. See Facebook v. Power Ventures, No. C 08-05780 JW, 2010 WL 3291750, at *4 (N.D. Cal. July 20, 2010).
48. Id.
49. Cal. Penal Code § 502(e)(4).
50. Id. § 502(e)(2).
51. Cal. Civ. Code § 1798 et seq. This statute is also referred to as the Database Breach Act or the Breach Act. See In re Adobe Sys. Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1208 n.3 (N.D. Cal. 2014).
52. See Cal. Civ. Code § 1798.81 and §1798.81.5(a) and (b).
53. Id. § 1798.81.
54. Id. § 1798.81.5(b) and (c).
55. Id. § 1798.82(i) (defining "encrypted" as "rendered unusable, unreadable, or indecipherable to an unauthorized person through security technology or methodology generally accepted in the field of information security").
56. Id. § 1798.80(c).
57. See In Re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012).
58. In re Adobe Sys. Privacy Litig., 66 F. Supp. 3d 1197, 1207 (N.D. Cal. 2014).
59. Id. at 1211.
60. Id. at 1216.
61. Id. at 1215.
62. Cal. Civ. Code §1798.29(a).
63. Id. § 1798.82(b).
64. Id. § 1798.82(d)(1).
65. Id. § 1798.82(j).
66. Id. § 1798.82(d)(2)(G).
67. In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 955 (S.D. Cal. 2014).
68. Id. at 1009.
69. Id.
70. Id.
71. Id.
72. Id.
73. Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456, 460 (2013) (internal citations omitted).
74. Cal. Civ. Code § 1798.83(e)(8) ("’Third party’ is defined as any business that is a separate legal entity from the business that has an established business relationship with a customer; that has access to a database that is shared among businesses, if the business is authorized to use the database for direct marketing purposes, unless the use of the database is exempt from being considered a disclosure for direct marketing purposes pursuant to subdivision (d).").
75. Boorstein v. Men’s Journal, LLC, No. CV 12-771 DSF, 2012 WL 2152815, at *1 (C.D. Cal. June 14, 2012).
76. Cal. Civ. Code §1798.83(c)(1).
77. Id. § 1798.83(a).
78. Id. § 1798.83(e)(2) ("Direct marketing purposes" is defined as "the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes. The sale, rental, exchange, or lease of personal information for consideration to businesses is a direct marketing purpose of the business that sells, rents, exchanges, or obtains consideration for the personal information.").
79. Id. § 1798.83(a) ("If the business knows or reasonably should know that the third parties used a customer’s personal information for the third parties’ direct marketing purposes, that business shall, after the receipt of a written or electronic mail request, or, if the business chooses to receive requests by toll-free telephone or facsimile numbers, a telephone or facsimile request from the customer" provide certain information free of charge. For detailed notice requirements, see Cal. Civ. Code § 1798.83(a) and (b).)
80. Miller v. Hearst Comm’ns, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241, at *4 (C.D. Cal. Aug. 3, 2013) (internal citations omitted).
81. Cal. Civ. Code §1798.83(b)(1)(A).
82. Id. § 1798.83(b)(1)(B).
83. Id. § 1798.83(b)(1)(C).
84. Id. § 1798.83(b)(1)(C).
85. Id. § 1798.83(a)(1).
86. Id. § 1798.83(a)(2).
87. Id. § 1798.83(c)(1).
88. Id. § 1798.83(e)(2).
89. Id. § 1798.83(c)(2) ("If a business that is required to comply with this section adopts and discloses to the public, in its privacy policy, a policy of not disclosing personal information of customers to third parties for the third parties’ direct marketing purposes unless the customer first affirmatively agrees to that disclosure, or of not disclosing the personal information of customers to third parties for the third parties’ direct marketing purposes if the customer has exercised an option that prevents that information from being disclosed to third parties for those purposes, as long as the business maintains and discloses the policies, the business may comply with subdivision (a) by notifying the customer of his or her right to prevent disclosure of personal information, and providing the customer with a cost-free means to exercise that right.").
90. Id. § 1798.84(d).
91. Id. § 1798.84(d).
92. Boorstein v. Men’s Journal, LLC, No. CV 12-771 DSF, 2012 WL 2152815, at *2 (C.D. Cal. June 14, 2012).
93. Id. at *3.
94. Id.
95. Id. at *4.
96. Id.
97. Miller v. Hearst Comm’ns, Inc., No. CV 12-0733-GHK (PLAx), 2012 WL 3205241, at *5 (C.D. Cal. Aug. 3, 2013).
98. Id. at *6.
99. Id. at *7.
100. Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456, 461 (2013).
101. Id. at 467.
102. Id.
103. Id. at 469.
104. Id.
105. Id. at 470.
106. Id. at 471.
107. Id.
108. Cal. Civ. Code § 1798.84(f)(2).
109. Id. § 1798.84(f)(1).
110. Id. § 1798.84(c).
111. Id. § 1798.84(c)-(h).
112. Cal. Bus. & Prof. Code § 22947.
113. Id. § 22947.1.
114. Id. § 22947.2.
115. Id. § 22947.2(a)(1-3).
116. "Data element" is defined in Cal. Civ. Code § 22947.1(k)(2), (3), (4) or (5)(A) or (B).
117. Cal. Civ. Code § 22947.2(b)(1-3).
118. Id. § 22947.2(c).
119. Id. § 22947.2(d).
120. Exempt from the following prohibitions are "any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software . . . " Cal. Civ. Code § 22947.3(d).
121. Id. § 22947.3.
122. Id. § 22947.3(a)(1).
123. Id. § 22947.3(a)(2).
124. Id. § 22947.3(a)(3).
125. Id. § 22947.3(a)(4).
126. Id. § 22947.3(b)(1-2).
127. Id. § 22947.3(c)(1-2).
128. Exempt from the following prohibitions are "any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software . . . " Cal. Civ. Code § 22947.4(b).
129. Cal. Civ. Code § 22947.4(a)(1).
130. Vertkin v. Vertkin, No. 07-4471 SC, 2007 WL 4287512 (N.D. Cal. Dec. 6, 2007).
131. Id.
132. Cal. Bus. & Prof. Code § 22575 (2003).
133. "Operator" is defined as "any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner." Cal. Civ. Code § 22577(c).
134. Id. § 22947.4(a)(1).
135. Id. § 22577(a).
136. Id. § 22575(b).
137. Id. § 22575(b)(1).
138. Id.
139. Id. § 22575(b)(3).
140. Id.
141. Id. § 22575(b)(4).
142. Id. § 22575(b)(5); an operator may satisfy this requirement by providing " a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice." Id. 22575(b)(7).
143. Cal. Civ. Code § 22575(b)(6).
144. Id. § 22576(b)(1).
145. Id. § 22576(b)(2).
146. Id. § 22576(b)(3)(A-C).
147. Id. § 22576(b)(4).
148. Id. § 22576.
149. Two cases mention OPPA. See In re Adobe Sys. Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014); Svenson v. Google Inc., No. 13-cv-04080-BLF, 2015 WL 1503429 (N.D. Cal. April 1, 2015).
150. People ex rel. Harris v. Delta Air Lines, Inc., 247 Cal. App. 4th 884, 888-90 (2016).