Data privacy litigators are well aware of the critical importance of a motion to dismiss to have meritless data incident claims kicked at the pleadings stage.  A recent decision underscores the importance of choice of law arguments as part of a comprehensive litigation strategy.  Why?  Well in some cases, differences between the laws of two states regarding frequently litigated data incident claims can be dispositive for purposes of a motion to dismiss.  Read on to learn more.

First, some background.  It is well-established that federal courts sitting in diversity apply the forum state’s conflict of laws rules.  For instance, in Greenstate Credit Union v. Hy-Vee, Inc., a data incident litigation recently pending in federal district court in Minnesota, the court noted that:

Under Minnesota law, the first inquiry is whether an actual conflict of laws exists.  Next, the court must determine ‘whether the law of both states can be constitutionally applied.’  If there is an outcome determinative conflict and the law of both states can be constitutionally applied, then the court applies Minnesota’s multifactor test . . .to determine which states’ law should apply.

2021 U.S. Dist. LEXIS 133894 (D. Minn. July 19, 2021).

Many data incident litigations involve common law tort claims (eg, negligence) that have some similarities across the jurisdictions.  As such, the reaction of some data privacy newbies may be reject choice of law considerations in a litigation.  After all, everyone knows a negligence claim always involves application of the same four elements (duty, breach, causation, damage) anyways, right?

Wrong answer.  Choice of law arguments can be dispositive regarding which party prevails in a litigation.  Therefore, making an informed assessment of which forum’s laws can and should apply in a data breach litigation is a mission critical inquiry at the onset of a case.

As an example, Greenstate Credit Union concerned a class action dispute arises out of Hy-Vee’s handling of a data breach that exposed consumers’ credit card data.  Plaintiff GreenState Federal Credit Union is a federally chartered credit union with its principal place of business in Iowa.  Defendant Hy-Vee is incorporated in Iowa and has its principal place of business in Iowa.  However, Hy-Vee operates supermarkets, convenience stores, and gas stations, with 240 retail stores in eight states, including Minnesota.

Why does this matter?  Plaintiff asserted claims under the Minnesota Plastic Card Security Act (PCSA), common law negligence, negligence per se, and for declaratory and injunctive relief.  Defendant argued, however, that instead of Minnesota law, the law of Iowa should govern Plaintiff’s claims.  This was motivated by the fact that unlike Minnesota, Iowa has adopted the economic loss doctrine.  As articulated by the Iowa Supreme Court, this doctrine “bars recovery in negligence when the plaintiff has suffered only economic loss.”

Here, the court found that:

GreenState’s negligence claim would be barred by Iowa’s economic loss doctrine.  GreenState’s alleged injuries – cancelling compromised cards, reissuing new cards, reimbursing members for fraudulent charges, and losing interest and transaction fees because of reduced card use — are all indirect economic losses . . .Because GreenState alleges nothing more than economic losses, Iowa law bars its negligence claims.

(emphasis supplied).

Additionally, based on Minnesota’s choice of law rules, the court found that “[a]ll of Hy-Vee’s relevant information security employees and decision-making are located in Iowa.  It is predictable that Iowa law would apply.”  For these reasons, among others, the court held that Iowa law should apply.  It then promptly dismissed Plaintiff’s claims pursuant to a straightforward application of Iowa’s damages law.

While the economic loss rule is one of the more well-known variations in state law, there are other areas involving even more nuance.  Which in turn makes choice of law considerations (and assessment of if a defendant should strategically advocate for the law of a different forum in which a litigation was filed to apply) absolutely essential.

For more on this developing area of the law, stay tuned.  CPW will be there to keep you in the loop.



In Ducharme v. Madewell Concrete, LLC, No. 6:20-1620-HMH, 2020 U.S. Dist. LEXIS 127615 (D.S.C. July 17, 2020), Defendants Madewell Concrete, LLC and Kevin Johnston’s (“Johnston”) (collectively, “Defendants”) motion to dismiss Plaintiff Robert Ducharme’s (“Plaintiff”) South Carolina Homeland Security Act (“SCHSA”) claim pursuant to Federal Rule of Civil Procedure 12(b)(6) was denied.

Plaintiff alleges that Defendants deliberately misclassified him as a salaried employee, which exempted him from the overtime requirements of the Fair Labor Standards Act (“FLSA”). Accordingly, Plaintiff contends that he was not compensated for his overtime work. Plaintiff also alleges that Defendant Johnston illegally and without authorization accessed Plaintiff’s personal email account.

Plaintiff’s lawsuit alleges three claims: violations of (1) the Stored Communications Act, (2) the SCHSA, and (3) the FLSA.

Defendants argue that Plaintiff’s SCHSA claim is preempted by the Electronic Communications Privacy Act (“ECPA”) because in 18 U.S.C. § 2518(10)(c), “Congress expressed clear intent that any alleged interception of any ‘electronic communications’ falls under the exclusive remedy of the [ECPA].” Accordingly, the Court describes the dispute as whether “the interception of electronic communications provisions of the ECPA preempt a claim based on the interception of electronic communications provisions of the SCHSA.”

In holding that § 2518(10)(c) does not expressly preempt state law claims, the Court noted that  “Congress could have easily and explicitly stated that the remedies in the ECPA are the exclusive remedies for all interceptions of electronic communications or that the ECPA preempts state law claims, but it did not do so.” The Court went on to find that the legislative history of § 2518(10)(c) indicates that “the interceptions of electronic communications were not subject to the exclusionary rule absent a Fourth Amendment violation.” Thus, state law remedies are permissible for certain intercepts of electronic communications (such as personal emails) and “the ECPA does not preempt Plaintiff’s claim under the SCHSA. This case is a good reminder that employers should be mindful to ensure compliance with applicable state privacy laws, in addition to the well-known federal ones.

Beginning on May 7, 2022, employers in New York State who engage in electronic monitoring of employee communications will be required to notify their workers of such monitoring.

S2628, signed into law on November 8, 2021, requires all employers in the state of New York to provide prior written notice to newly hired employees if they intend to monitor or otherwise intercept telephone conversations or transmissions, email, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems.  This likely includes videoconferencing platforms such as Zoom or Teams.  Notice must be:

  • Provided in writing;
  • In an electronic record, or in another electronic form; and
  • Acknowledged by each employee either in writing or electronically.

Electronic monitoring “solely for the purpose of computer system maintenance and/or protection” does not trigger S2628’s notice requirements.

Employers must also post a notice of electronic monitoring in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.

S2628 does not contain a private right of action.  However, as has been seen with other data privacy statutes, the absence of such a provision will not necessarily preclude plaintiffs from filing suits against defendants for purported violations of their obligations under S2628.  A common practice in data privacy litigations is for plaintiffs to seek to use violations of a statutory right to privacy as a predicate for imposing liability under other theories of recovery, such as negligence per se.  This is frequently done by plaintiffs in data event and cybersecurity class actions and the same approach could be used here.

Further, S2628 is enforceable by the New York state office of the attorney general, which is authorized to seek penalties of up to $500 for the first offense, $1,000 for a second offense, and $3,000 for third and subsequent offenses.

More broadly, S2628 fits within a recent trend of increased focus on measures to protect the privacy of individuals in the employment context.  The California Consumer Privacy Act (“CCPA”) which took effect in 2020 provides consumers—including employees (subject to several significant exemptions)—certain rights regarding the personal information that businesses collect about them. Although the California Privacy Rights Act (“CPRA”) extended the CCPA’s employee-related exemptions until January 1, 2023, employers are still required to provide employees with a notice at collection.  There are laws similar to S2628 in Connecticut and Delaware.

This proliferation of state laws has been accompanied by a rise in data privacy lawsuits brought by employees concerning their employers’ privacy practices.  Cases have been frequently brought this year in the wake of cyberattacks directed against employers that results in the purported disclosure of employees’ personal information.  There have also been increased privacy litigations filed regarding employers’ collection of the biometric data and sensitive financial information of employees (with suits filed under the Illinois Biometric Information Privacy Act (“BIPA”) and the Fair Credit Reporting Act (“FCRA”), among others).

For more on this, stay tuned.  CPW will be there to keep you in the loop.


Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal

New: Live and Virtual Privacy Law CLE Event | September 22, 2021

We’re hosting the Southwest Ohio Chapter of the ACC virtually and live in our Cincinnati office.

Join Scott Kane, Alan Friel, Kyle Fath and Kristin Bryan for an up-to-the-minute review of US consumer privacy laws, an in-depth discussion of a proposed new Ohio law, best practices for managing an information governance program, and the latest data security and breach litigation trends and developments.

Click here for complete details.

Date: September 22, 2021

Time: 4:00 PM – 6:00 PM ET; beverages and hors d’oeuvres will be served.

Place: Squire Patton Boggs, 201 E. Fourth Street, Suite 1900, Cincinnati, OH 45202

Privacy at the state level can get messy and confusing—particularly in the current moment with the record number of proposed bills under consideration.  So let’s face it: it is great to read about all those proposed bills but what US privacy professionals really want to know is which bills will pass and which bills will fail.  Law firms are internally creating “2021 State Comprehensive Privacy Bill Brackets” but none are publishing them since predictions are hard and, candidly, we attorneys do like to be proven wrong.

That ends today.

The new deputy chair of SPB’s Privacy, Cybersecurity practice Alan Friel is not only a veteran of the many privacy legislation battles of the past but also a fearless leader who believes publishing our predictions will add real value to our readers (and clients).

As a reminder, SPB privacy blogs were granted the 2020 Go to Thought Leadership Award by National Review.  This year we were the first major law firm to predict the Virginia Consumer Data Protection Act (VCDPA) would pass.  Incidentally, our talented colleague Glenn Brown has posted great content explaining VCDPA’s requirements and even analysis comparing the right to delete under VCDPA and CCPA/CPRA  (including a handy chart that you should definitely bookmark).

So, without further delay, here are the 2021 SPB’s State Comprehensive Privacy Bill predictions.

Our 2021 Final Four: Connecticut, Florida, Oklahoma and Washington

No.1: Connecticut’s Act Concerning Consumer Privacy (SB 893)

Arguably it is too early to predict the outcome of SB 893.  After all, the bill is still stuck in Committee, and there were several comments filed in opposition during the February 25 public hearing.  Why are we bullish on Connecticut then?  The bill has the support of the Connecticut ACLU (although it is worth noting that the private right of action was removed after the ACLU expressed its support).  More importantly, the Connecticut’s Attorney General Office and the Connecticut’s Senate Majority Leader strongly support the bill and Connecticut (like Virginia) is a democratic trifecta where the DNC has full control of the governorship, the state senate, and the state house.  As currently drafted, Connecticut’s Act Concerning Consumer Privacy is very similar to the Virginia VCDPA (see our posting on the requirements under the VCDPA here.) The Connecticut legislature has time to reach consensus (it does not adjourn until June 9th) and we plan on keeping a close eye on developments in the state.

No 2: Florida’s Consumer Privacy Acts (SB 1734 and HB 969)

It has been reported that an unknown activist is behind the progress of these two Florida bills.  Not surprising-this is consistent with a trend seen these past couple of years of other privacy activists similarly reshaping states’ legislative agendas.  These bills are inching closer and closer to California’s CPRA in an indisputably red state, which is a remarkable development in and of itself.  Florida is also the third most populous state in the nation, which means any privacy legislation enacted in the state will likely have significant sway in any future talks about federal privacy legislation.  Although the Florida legislature is adjourning on April 30th, the fact that very closely aligned bills are progressing in tandem through the Senate and the House fairs well for a potential opportunity to compromise leading to enactment.  We will find out soon the outcome in Florida but, in the meanwhile, here is our most recent posting on the Florida developments.

No. 3: The Oklahoma Computer Data Privacy Act (HB 1602)

Nobody seems to be paying attention to this bill but it is well-positioned to become the 2021 Cinderella Story. HB 1602 significantly differs from already enacted comprehensive privacy bills with the current version including no private right of action but featuring an opt-in consent requirement across the board before collecting, using or selling any personal information. The bill sailed through the Oklahoma house with overwhelming bi-partisan support (Ayes: 85 Nays: 11.)  Oklahoma was our number one until we heard last week the chair of the Oklahoma Senate Judiciary Committee (through which the bill must pass before being brought to the floor of the Senate) may not be willing to take it up.  That said, there is enough time left in the legislative calendar to build consensus and get it to the finish line (the Oklahoma legislature will not adjourn until May 28th).  Oklahoma is currently a Republican trifecta, which should help avoid a governor veto.  If enacted, it will be the first comprehensive privacy bill to become the law of the land in a republican controlled state and could become a viable model for other republican controlled state legislatures.  For more details read our post here.

No 4: Washington Privacy Bills (HB 1433 and (SB 5062)

Washington certainly deserves “an A for effort.”  The state legislature has been trying to enact the Washington Privacy Act (SB 5062) for 2 years and counting.  Last year it actually enacted regulations affecting the public sector handling of personal information but consensus on enforcement effectively brought legislative progress for the private sector to a halt.  In 2021 the ACLU decided to back a new bill (the People’s Privacy Act – HB 1433) and has published a chart comparing its bill to the WPA here.  Why are we still optimistic on Washington?  In a surprise move, on March 26 SB 5062 was amended to add a private right of action allowing state residents to sue over alleged violations. Significantly, however, the private right of action does not include a provision for monetary damages—leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the attorney general’s office).  Will this suffice to swing enough votes to get WPA through the finish line?  On April 1st it passed the Civil Rights & Judiciary Committee and is now heading for the floor of the house.  We will find the ultimate outcome soon (the Washington legislature is set to adjourn April 25th). Just like last year this promises to be a real nail-biter.  For more information see our posting here.

How about the rest of the States?

If your favorite state privacy bill did not make it to our final four, not to worry.  There are many close calls that we had to make to come up with our final four bracket and we predict many last minute twists and turns.  And never forget the still possible comprehensive federal privacy law.  With those developments, we will continue to keep you informed of what you need to know in this rapidly developing area.  Stay tuned!

Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each.  In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.

Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined. Continue Reading Consumers’ “Right to Delete” under US State Privacy Laws

This article originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit   

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

Computer securityIn the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.

Continue Reading Virginia Set to Become Second State to Enact Holistic Data Privacy Law

With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy.  Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches.  Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws. Continue Reading Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance

While the GDUnited Nations newsPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018.

The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of. This includes the areas of employment, sensitive personal data such as health data and in relation to the role of data protection officers.

Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States. Continue Reading Survey of the National GDPR Implementation Laws of Key Member States