Hi friends

Eric J. Troutman here, mythical (or is it mystical?) Czar of the TCPAWorld.

It is no secret that I’ve been excited to expand our offerings beyond the TCPA–and the fact that SCOTUS may strike down the TCPA at any minute has a little something to do with it. Ha.

But in truth, the pursuit of this new legal WORLD to explore was driven by YOU, my esteemed and splendid readers and friends.

How many of you have asked at one of my many, many, many speaking engagements over the years a cross-over question regarding CCPA or data privacy? Indeed every company interested in TCPA is–to some degree or another–interested in data security and applicable law. (I even did a webinar on this once–and I hate webinars.)

How many of my dear clients have sought guidance on the FCRA–noting the complete lack of ANY meaningful internet resource on the subject? (For shame internet!)

And of course BIPA–who had ever even heard of that statute before Jay Edelson’s huge interview on my podcast last year? I don’t see many hands out there. And that’s because the phenomenon of BIPA litigation is taking root right before our very eyes.

All three of these areas of law–along with the alphabet soup of enactments like CIPA, SCA, ECPA, and yes even HIPAA (shy wonderful HIPAA)– are fast-paced and developing. They need attention and meaningful analysis by real privacy lawyers steeped in this stuff and from a firm with the resources to devote to tracking case law developments and spotting trends in real time–as they develop.

Why?

Well, because you’ve asked for it, that’s why. And so we delivered.

For those of you familiar with TCPAWorld.com–and you all are, aren’t you?–we take the mission of chronicling and exploring case law and related developments incredibly seriously, but we don’t take ourselves too seriously. Pretense is dull. So are barriers to content. Plus lawyers often hide behind legalese when they don’t really understand what they’re trying to say. (But I’m not telling you anything you don’t already know now, am I?)

None of that here.

We’ll review all the case law and give you exactly what you need to know, and we’ll try to do it in a way that is light-hearted and relatable. At times–dare I say–even entertaining (although some of us are better at that than others. Ha.)

Our formula is simple– if something happens out there in the wide world of consumer privacy law, we want to give it to you straight and as immediately as possible. You need to know this stuff right now–not days or *cough* weeks later. And you don’t want gobbledygook or nonsense. We get it.

More than that, you want to trust that you can rely on what you read and you want a single resource that will comprehensively cover the law that matters most to you–from all angles.

Ta-da!

Squire Patton Boggs has assembled its truly amazing team of privacy lawyers–I mean look at this team– and spared no resource to assure that consumerprivacyworld is exactly what you need it to be– timely, smart, engaging, analysis you can work with and learn from.

So welcome to your new privacy law wonderland! Please do make it YOUR wonderland. If you have questions or thoughts on how we can improve–reach out. Don’t like an article or disagree with some analysis? Let us know. And of course if you actually do like something you see here–tell us. We want to know how to make your experience on consumerprivacyworld.com as useful as possible.

We sincerely hope you’ll enjoy your stay and take your time to appreciate everything the website has to offer over time (we’ll be rolling out new features shortly–don’t worry if it feels a bit Spartan in the short term, bells and whistles and a merry-go-round will be installed shortly.)

It is great to have you here. Enjoy–and tell a few dozen pals.

Thanks friends. Chat soon.

Yahoo!’s data breach class action is finally being put to rest. Last month, the Northern District of California approved the proposed $117.5M settlement to resolve the claims of approximately 194 million class members in In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2020 U.S. Dist. LEXIS 129939 (N.D. Cal. July 22, 2020). This approval did not come easily. During several rounds before the Court to obtain settlement approval, the Court pointed out that while “other data breach cases focus on one data breach, the instant case involves multiple data breaches over a period of five years, each of which Yahoo failed to timely disclose.”

In reaching its decision, the Court compared Yahoo!’s proposed settlement to a few other class action settlements, including in particular In re Anthem, Inc. Data Breach Litigation, 327 F.R.D. 299, 318 (N.D. Cal. 2018), where the Court approved a $115 million settlement for a class of roughly 79 million members. The Court noted numerous differences between the Yahoo! settlement and the one in Anthem, and ultimately deemed the Yahoo! settlement to be “fair, adequate, and reasonable.” In an 88-page opinion, the Court discussed in detail the criteria it applied in granting final approval, including:

Criteria Favorable to Approval

Data at Issue: The Court acknowledged, and took into consideration, “that the Personal Information impacted by the data breaches” at Yahoo! varied significantly. Beyond email addresses, passwords, telephone numbers, birth dates, and security questions and answers, whether more sensitive personal information, such as social security numbers, financial and bank records, and medical records, was exposed largely depended on the types of accounts users had with Yahoo!. Thus, unlike in the typical data breach case, not every class member was equally impacted by the breaches.

Out-of-Pocket Costs: Yahoo!’s settlement class members’ out-of-pocket costs are capped at $25,000, whereas out-of-pocket costs for settlement class members in Anthem were capped at $10,000. In both Yahoo! and Anthem, recovery for out-of-pocket costs included time spent responding to the data breaches. What this came down to was that Yahoo!’s settlement class members who spent time responding to the data breaches are entitled to reimbursement at a minimum rate of $25 per hour, while Anthem’s settlement class members were entitled to $15 per hour.

Extent of Discovery Completed: Prior to the proposal of the settlement, both parties engaged in extensive discovery, which to the Court signaled that both parties had developed a perspective on the strengths and weaknesses of their respective cases in order to “make an informed decision about settlement.” For the Court, the extent of discovery was indicative of a lack of collusion, as the parties had litigated the case in an adversarial manner.

Number of Class Members Objecting to Proposed Settlement: Out of approximately 194 million settlement class members, only 31 settlement class members submitted objections. Although the Court analyzed and responded to each objection submitted, the Court was very comfortable in concluding that none of the objections warranted rejection of the Settlement.

Criteria Unfavorable to Approval

Delayed Notification of Breach: Yahoo!’s data was breached in 2012, 2013, 2014, 2015, and 2016, but Yahoo! denied any knowledge of unauthorized access to personal data in its 2016 filings with the U.S. Securities and Exchange Commission, and delayed notification to users even when Yahoo! had contemporaneous knowledge of the breaches. By comparison, Anthem’s data breach occurred between December 2014 and January 2015, and Anthem disclosed the data breach to affected users in February and March 2015 (i.e., within weeks of the breach). Anthem also, soon after disclosing the breach and prior to any settlement of litigation, provided two years of free credit monitoring to each affected user. On the other hand, although credit monitoring is part of the final approved class action settlement, Yahoo!’s affected users did not receive it until nearly eight years after the first data breach. The Court also identified Yahoo!’s delayed disclosure, and its denial of the breach despite having “contemporaneous knowledge,” as facts making Yahoo!’s breach far more serious than Anthem’s.

Size of Class: Yahoo!’s total class size was far larger than in any other data breach case this Court had previously handled. “Indeed, the 79 million class in Anthem was roughly 40% the size of the 194 million.” The large size of the settlement class is significant because it means the settlement fund yields a lower per-capita recovery for settlement class members than in cases involving similar funds for smaller classes. The Court was, in fact, recognizing the difference between $1.46, the per-member share of the fund in Anthem, and $0.60, the per-member share in Yahoo!.

Severity of Data Breach: The Court stated that “Yahoo’s history of nondisclosure and lack of transparency related to the data breaches [is] egregious.” As a result of Yahoo!’s lack of disclosure, settlement class members were unaware of the need to take any steps to protect themselves for several months. Whereas with Anthem, not only were users notified within weeks of the data breach, they were also provided with free credit monitoring immediately following the breach.


All in all, despite the number of data breaches at issue, the large settlement class size, Yahoo!’s delayed disclosure to impacted individuals and the public, and the sale of the breached Yahoo! data on the web, the Court, after taking into consideration the overall relief offered by the proposed settlement and the distinguishing factors of the data breaches, deemed the $117.5 million settlement fair, adequate, and reasonable.

Notably, approximately 1,779 settlement class members opted out of the approved settlement and therefore did not release their claims against Yahoo!. Thus, with those class members’ claims still lingering, this may not be the last we hear of Yahoo!’s extensive litigation related to the data breaches.


An individual’s background is often evaluated for important decisions.  When our society was smaller and more close-knit, individuals familiar with the interested person’s life and background filled this need.  As our society became larger, however, the need for objective information became greater, and companies began drafting background reports.  Several laws, including the Fair Credit Reporting Act (“FCRA”), began regulating this process.  This evolution is not complete, however, and anyone involved with background reports, either as a creator or subject of one, should be mindful of a recent lawsuit that may have significant implications.

In United States v. MyLife.com, Inc., No. 20-cv-6692 (C.D. Cal. June 27, 2020), the Department of Justice, on behalf of the FTC, filed a lawsuit against MyLife.com (“MyLife”) and its CEO, Jeffrey Tinsley, for violations of the FCRA.  The suit suggests that an organization that prepares reports containing information about a person’s background may be considered a consumer reporting agency (“CRA”) under the FCRA.  The FCRA defines a CRA as:

[A]ny person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

In relevant part, the FCRA defines a “consumer report” as:

[A]ny written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under Section 604.

Having to operate as a CRA under the FCRA would impose additional requirements, restrictions and liabilities on a business.  Under the FCRA, a CRA may only provide consumer reports to those who it believes have an enumerated “permissible purpose” to obtain that report.  CRAs must maintain and follow reasonable procedures to limit the furnishing of consumer reports and ensure that the information provided in the reports is as accurate as possible.  CRAs must also provide a Notice to Users to anyone who receives a consumer report.  These notices must advise recipients of their responsibilities when reviewing a consumer report and require a certification that the recipient will not use the report for any improper purposes.

In MyLife, the United States argues that MyLife is a CRA that provides “consumer reports” and should be held liable for evading its obligations under the FCRA.  According to the complaint, MyLife markets background reports for certain FCRA-regulated activities that contain information regarding an individual’s background, such as criminal convictions.  Notably, the complaint does not allege that MyLife’s reports include information related to an individual’s credit score.  Instead, the complaint alleges that MyLife touted its services with the slogan that “[r]eputation is more important than credit.”  The complaint also alleges that MyLife promoted its reports as a resource to consult when evaluating an individual’s eligibility for employment, loans, and housing.  The complaint also alleges that MyLife did not restrict who could access its reports, so long as a subscription fee was paid.

The takeaway from this complaint and other cases involving similar facts[1] is that a company that prepares and sells reports that include personal information of individuals must:  (a) be mindful of how it markets such reports and describes the potential uses for them—scrutinize your marketing materials very carefully, making clear what such reports may and may not be used for; and (b) implement a customer credentialing process by which they learn (and confirm) how the reports will be used.

Failing to do these things creates real and significant risk that either a regulator or plaintiffs’ counsel will characterize your business as a CRA subject to the FCRA.  Violation of the FCRA carries potential statutory penalties of up to $1,000 per violation, punitive damages and attorneys’ fees.  Adopting strict controls over how reports are used will help you avoid this liability.


[1] E.g., Spokeo v. Robins, 136 S.Ct. 1540 (2016).

On July 21, 2020, the FTC hosted its fifth annual PrivacyCon. This event is designed to inform on important and pressing topics in privacy and security, such as bias in AI and the use of cameras and voice technology. While focused on regulatory content, many of these topics directly relate to possible litigation risks. We’ve highlighted some of the main issues that were discussed and welcome you reaching out to discuss these issues.

You can find this overview here.

In Ducharme v. Madewell Concrete, LLC, No. 6:20-1620-HMH, 2020 U.S. Dist. LEXIS 127615 (D.S.C. July 17, 2020), the court denied the motion of Defendants Madewell Concrete, LLC and Kevin Johnston (“Johnston”) (collectively, “Defendants”) to dismiss Plaintiff Robert Ducharme’s (“Plaintiff”) South Carolina Homeland Security Act (“SCHSA”) claim under Federal Rule of Civil Procedure 12(b)(6).

Plaintiff alleges that Defendants deliberately misclassified him as a salaried employee, which exempted him from the overtime requirements of the Fair Labor Standards Act (“FLSA”). Accordingly, Plaintiff contends that he was not compensated for his overtime work. Plaintiff also alleges that Defendant Johnston illegally and without authorization accessed Plaintiff’s personal email account.

Plaintiff’s lawsuit alleges three claims: violations of (1) the Stored Communications Act, (2) the SCHSA, and (3) the FLSA.

Defendants argue that Plaintiff’s SCHSA claim is preempted by the Electronic Communications Privacy Act (“ECPA”) because in 18 U.S.C. § 2518(10)(c), “Congress expressed clear intent that any alleged interception of any ‘electronic communications’ falls under the exclusive remedy of the [ECPA].” Accordingly, the Court describes the dispute as whether “the interception of electronic communications provisions of the ECPA preempt a claim based on the interception of electronic communications provisions of the SCHSA.”

In holding that § 2518(10)(c) does not expressly preempt state law claims, the Court noted that “Congress could have easily and explicitly stated that the remedies in the ECPA are the exclusive remedies for all interceptions of electronic communications or that the ECPA preempts state law claims, but it did not do so.” The Court went on to find that the legislative history of § 2518(10)(c) indicates that “the interceptions of electronic communications were not subject to the exclusionary rule absent a Fourth Amendment violation.” Thus, state law remedies are permissible for certain intercepts of electronic communications (such as personal emails), and “the ECPA does not preempt Plaintiff’s claim under the SCHSA.” This case is a good reminder that employers should be mindful to ensure compliance with applicable state privacy laws, in addition to the well-known federal ones.

The European Union’s highest court has ruled that the EU-US Privacy Shield data transfer mechanism is invalid, and many businesses are struggling with what to do now.

Please join us on July 30, 2020 for a roundtable discussion featuring our top EU and US data protection experts who will outline what the viable options are going forward.

Details and registration

The Credit Reporting Resource Guide (“CRRG”) is a resource guide prepared by the Consumer Data Industry Association that provides codes that facilitate compliance with the Fair Credit Reporting Act (FCRA). (Learn more here.) Courts in the Sixth Circuit have previously established that the CRRG is not dispositive on FCRA compliance. Thus, when Plaintiff tried to use the CRRG requirements to assert that Defendant acted negligently in not changing a closed tradeline to show a “zero” balance, the court was not impressed. In Calvin v. Mich. First Credit Union, No. 19-cv-11519, 2020 U.S. Dist. LEXIS 123322, at *10 (E.D. Mich. July 14, 2020), Plaintiff alleged that Michigan First violated §623 of the FCRA because it did not change Plaintiff’s tradeline, on a closed account, to show a payment balance of zero. Ruling in favor of Defendant, the Court determined that Plaintiff failed to show that the tradeline in question was inaccurate, failed to show Defendant’s alleged actions created an injury-in-fact, and failed to show negligence in Defendant’s conduct.

This case was not much different from cases routinely filed against Michigan First for inaccurate credit reporting (see the most recent one we covered here). It was thus not surprising to review the Court’s decision determining that Michigan First’s reporting was not inaccurate. Indeed, a non-zero balance on a closed account is not, in and of itself, inaccurate reporting. The accuracy of credit information is assessed under the “materially misleading” standard. “The fact that a layperson could be misled or that the consumer was misled is insufficient.” Plaintiff here was unable to show that “any creditor was misled….Since Plaintiff did not show that a creditor was misled by the non-zero scheduled monthly payment tradeline or that a creditor’s decision was based on the non-zero scheduled monthly payment balance rather than other issues with her credit, Plaintiff failed to show Defendant’s tradeline resulted in a creditor being misled.”

Plaintiff tried using the CRRG to establish Michigan First’s negligence. The CRRG requires the monthly payment amount on closed or charged-off accounts to be changed to zero, which is what Plaintiff demanded from Michigan First. However, federal laws of commerce and trade, including the FCRA, do not mandate compliance with the CRRG, which is, after all, only the publication of an industry trade association. Courts in the Eastern District of Michigan have concluded that the CRRG is not the industry standard AND that “compliance or non-compliance with its provisions was [not] conclusive evidence of accuracy or inaccuracy.” In fact, they have gone so far as to say that “CRRG requirements are inadmissible hearsay because CRRG’s guidelines are out-of-court statements by an industry group.” Thus, Defendant’s noncompliance with the CRRG did not establish negligent or willful noncompliance with the FCRA.

Another win for Michigan First, despite Plaintiff’s creativity in attempting to use the CRRG guidelines.

On July 21, 2020 the FTC hosted its Fifth PrivacyCon, an event where researchers convene with FTC officials to discuss cutting-edge issues related to consumer privacy and security.  Because PrivacyCon can be a harbinger of FTC activity, CPW attended PrivacyCon and reported on various developments of interest.  Much of the focus this year was on healthcare data privacy—a particularly pertinent topic in light of the COVID outbreak.

Andrew Smith, the Director of the FTC Bureau of Consumer Protection, opened PrivacyCon with remarks on the FTC’s enforcement activity this past year.  He also touched upon what might lie ahead in the future, with particular emphasis on FTC action in the healthcare arena.  [As you all at CPW probably know already, while the Department of Health and Human Services (“HHS”) Office for Civil Rights is responsible for enforcing the Health Insurance Portability and Accountability Act, the FTC has general oversight over deceptive and unfair practices.]  This past year, Smith observed, the FTC has taken various enforcement actions directed at protecting consumer privacy.  This included what Smith described as “record-shattering” settlements with companies over privacy and security protections under various regulatory regimes, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the FTC Act.  Smith noted that many of these settlements included structural changes to how consumers’ and children’s data was treated.

Looking forward, Smith said the FTC would be paying increased attention to mobile health apps as consumers increasingly rely on these tools in a variety of contexts (health trackers, sleep monitors, smoking cessation apps, diet guides, etc.).  Contact tracing brought on by the COVID outbreak has added additional complexity to this area.  Smith noted that HHS had issued rules that made it easier for consumers to access their medical records on various apps, but cautioned that “whenever data flow increases the opportunities for data compromise increase.”  Smith reiterated that the FTC would not hesitate to take action against entities that misrepresent what they are doing with consumers’ health data or put consumers’ health data at undue risk.

Smith said that the FTC’s call for papers to present at PrivacyCon this year included matters related to mobile health, interconnected devices, online ad delivery assistance, technological developments that could be a boon to consumers but also pose risks to privacy, security and equal opportunity.  Consistent with this approach, the first panel, consisting of researchers from Harvard Medical School, the University of Toronto and Elektra Labs, discussed various technology related concerns pertaining to the development of healthcare apps.  Based on the panelists’ comments, it is possible that areas of focus regarding healthcare apps could include evaluating and securing the connected sensor technologies that power health apps, as well as broader concerns related to cybersecurity, data aggregation, de-identification and informed consent.

This is a fast-growing area that, in light of Director Smith’s comments, is anticipated to evolve in the near future.  CPW is here every step of the way and will report on these developments to keep you informed.


Those of you familiar with the area of data privacy already know that the International Association of Privacy Professionals’ (“IAPP”) CIPP/US certification is the global gold standard for privacy professionals and a key industry benchmark.  The CIPP/US designation demonstrates familiarity with U.S. privacy laws and regulations.  Well, CPW is proud to announce that one of our extremely talented litigators Kristin Bryan has joined the group of CIPP/US certified attorneys, which already included CPW’s privacy pros Elliot Golding and Lauren Kitces.  As you may know, here at CPW we have assembled one of the most experienced and dedicated consumer privacy teams on the planet—powerful class action litigators working together with privacy compliance professionals who have real-world experience operationalizing cutting-edge guidance.  Adding this important certification to our deep bench of litigators further enhances our team’s capabilities.

Do you know Kristin?  Kristin is a world class litigator who graduated with honors from Columbia Law School.  She has a multi-faceted data privacy practice, which includes experience defending clients in federal class action and multidistrict litigation concerning allegations that their online privacy and marketing practices violated federal and state privacy laws.  But that’s not all folks.  As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing practical, business-oriented privacy advice to a wide range of clients and has represented them in government investigations regarding their privacy practices.  Kristin is a regular contributor to CPW and routinely publishes and speaks on cutting edge developments in data privacy.  She is also the co-chair of the IAPP Knowledge Net Chapter of Cleveland and admitted to practice in New York and Ohio.

Bravo Zulu, Kristin.

Once a lawsuit has been filed, standing is often the first issue that defense counsel will address.  After all, if standing opens the door to the merits of a suit, then counsel is generally tempted to keep that door shut and locked.  A recent case reminds us that standing is always an issue, even when counsel does not argue against it, and a court may not hesitate to lock the door itself.

In Hebert v. Barnes & Noble, No. 19-cv-591-BEN (JLB), 2020 U.S. Dist. LEXIS 123325, at *11 (S.D. Cal. July 13, 2020), the court remanded a case to state court at the summary judgment stage after sua sponte finding against standing on the basis that the plaintiff did not allege any actual harm.  At issue was the sufficiency of a FCRA disclosure provided by Barnes & Noble to job applicants.  If an employer wants to obtain a consumer report to screen a prospective employee, then the FCRA requires that employer to provide applicants with a FCRA disclosure in a document containing nothing other than the disclosure itself.  The plaintiff here claimed that between 2016 and 2018, Barnes & Noble provided defective FCRA disclosures to 27,000 job applicants.  Despite the large number of applicants that received the allegedly defective disclosures, Barnes & Noble did not receive any complaints, including from the plaintiff, who eventually accepted a job offer from it.

Although the defendant never made the argument, the Hebert court found that the plaintiff lacked standing due to her failure to allege actual harm.  To make this point, the court cited a recent case, Sierra Club v. Trump, 2020 WL 3478900, at *6 & n.9 (9th Cir. June 26, 2020), to state that “[a] federal court has an independent obligation to satisfy itself that a plaintiff has standing at all stages of litigation.”

To address the strength of the plaintiff’s allegations, the Hebert court looked to Syed v. M-I, 853 F.3d 492, n.4 (9th Cir. 2017) and contrasted it against this case.  Syed was a case of first impression that interpreted Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550 (2016) to state, “bare technical violations of the FCRA may not result in a concrete injury.”  In Syed, the plaintiff alleged that he was “confused by the inclusion of the liability waiver with the [FCRA] disclosure and would not have signed it had it contained a sufficiently clear disclosure, as required in the statute.”  The court found that this was a sufficient allegation of actual harm and not only a “bare procedural violation,” which would not pass muster under its interpretation of Spokeo.

In contrast, the Hebert court found that its plaintiff did not allege harm.  The court noted that the plaintiff neither alleged confusion nor an unwillingness to consent to a consumer report had she “clearly understood the required FCRA disclosure.”  The court went on to note that the situation was “[q]uite the opposite” – the plaintiff wanted a job, she understood that it required a background screening, she consented to the consumer report, and ultimately went on to obtain a job with Barnes & Noble.

Between its lines, Hebert has two takeaways.  First, Sierra Club has highlighted a court’s ability to examine standing regardless of whether the issue has been briefed or how far the litigation has proceeded.  The Hebert defendant never disputed standing and the court brought it up at the summary judgment stage.  Second, even if a defendant finds itself pleased with the court evaluating standing sua sponte, the elation should be tempered.  Hebert did not dismiss the case, but rather remanded it back to the state trial court where it started for further consideration.

The Court of Justice of the European Union invalidated the EU-US Privacy Shield in a profound decision on July 16. The Court also reminded both companies and the Data Protection Authorities of their respective responsibilities to assess whether transfers made under the commonly used Standard Contractual Clauses (SCCs) can be carried out consistent with the GDPR. The invalidation of Privacy Shield due to aspects of the US Government’s surveillance programs raises new questions as to whether the use of SCCs and other transfer mechanisms when conveying personal data to the US may also be invalid. At a minimum, the Court reminded everyone of the obligations that accompany using SCCs, and the process of doing so just became much more burdensome and uncertain.

Read our Data Privacy and Cybersecurity Team’s assessment of this decision and recommended steps for those transferring personal data here.