With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy.  Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches.  Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws. Continue Reading Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance

While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018.

The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of areas. These include employment, sensitive personal data such as health data, and the role of data protection officers.

Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States. Continue Reading Survey of the National GDPR Implementation Laws of Key Member States

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD”– a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal America Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged such as for consumer rights request and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub as “consent fatigue.”

Continue Reading Are you Ready for Washington and Nevada’s Consumer Health Data Laws?

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations (with more than 50 employees or simply operating in certain sectors, even if they have fewer employees) to implement a whistleblowing system, has raised some doubts from a data protection perspective.

Continue Reading Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data

On January 16, Governor Murphy signed S332 (Sixth Reprint) into law, making New Jersey the 13th or 14th state (depending on if you count Florida) with a consumer privacy law on the books. We previously covered the now enacted law here. S332 applies to controllers and processors who conduct business in the state or produce products or services that are targeted to residents of the state, and meet certain processing thresholds. Non-profits, government entities and certain other regulated entities and data are exempt, and persons acting in a business-to-business or employment context are not “consumers” and therefore also exempt from the law’s coverage. 

In his statement, Governor Murphy specifically addressed enforcement of the law, stating concerns that the bill created a private right of action under other laws due to an amendment that removed language prohibiting “a private right of action ‘under any other law’’” are unfounded. According to Governor Murphy, “nothing in this bill expressly establishes such a private right of action,” and Section 16 of S332 specifically states that “[n]othing in [this law] shall be construed as providing the basis for, or subject to, a private right of action for violations of [this law].”

Most of New Jersey’s consumer privacy law will take effect one year from today, with the requirement to recognize universal opt-out mechanisms (“UOOM”) taking effect eighteen (18) months from the date of enactment. Enforcement will be handled by the New Jersey Attorney General and there will be a cure period for the first eighteen months following the effective date.

For more information, you may review our prior coverage of S332. If you would like to discuss the impact this law may have on your business, feel free to contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Our lawyers are well known for thought leadership across many platforms, and that tradition continues over the coming weeks. Please join us for the events detailed in this post as they address the latest trends, updates and insights within the global Data Privacy realm. For more information, contact the presenters or your relationship attorney.

Continue Reading Squire Patton Boggs Lawyers to Present on Several Upcoming Webinars and Events

In a decision last week, the Ninth Circuit Court of Appeals affirmed dismissal of a putative class action concerning allegations that Shopify violated various California privacy and unfair competition laws by purportedly concealing its involvement in online consumer transactions.  Briskin v. Shopify, Inc., No. 22-15815, 2023 WL 8225346 (9th Cir. Nov. 28, 2023).  In this ruling of first impression, the Ninth Circuit outlined several “key principles” to govern the assessment of whether personal jurisdiction exists as to online platforms in consumer data collection and retention cases going forward.  Read on to learn more.

Case Background

Plaintiff in Briskin is a California resident who, allegedly while physically present in California, used his iPhone to purchase fitness apparel.  Plaintiff alleged in the Complaint that, unknown to him, the company he purchased clothing from used software and code from Shopify, Inc. to process customer orders and payments.

Shopify is a Canadian corporation with its headquarters in Canada.  It provides participating merchants with a sales platform that enables the processing of online purchases.  As alleged in the Complaint, Shopify obtains, processes, stores, analyzes, and shares the information of consumers who complete transactions on Shopify’s merchant-customers’ websites.  Plaintiff in this case asserted that when he provided his personal information and credit card information for purposes of ordering fitness apparel online, Shopify: (i) “collected this information”; (ii) “installed cookies onto [Plaintiff’s] phone, connected his browser to its network, generated payment forms requiring [Plaintiff] to enter private identifying information, and stored [Plaintiff’s] personal and credit card information for later use and analysis; (iii) “transmitted [Plaintiff’s] payment information to a second payment processor”; and (iv) “used the customer information it received to create consumer profiles, which Shopify also shared with its merchant and other business partners.”

Plaintiff filed a putative class action in California federal court, asserting that Shopify violated various California privacy and unfair competition laws because it deliberately concealed its involvement in the consumer transactions.  Plaintiff sought to represent a putative class defined as “[a]ll natural persons who, between August 13, 2017 and the present, submitted payment information via Shopify’s software while located in California.”  Shopify and two of its wholly owned subsidiaries (neither of which were headquartered or had their principal place of business in California) were named as defendants.  Defendants moved to dismiss Plaintiff’s claims for lack of personal jurisdiction.

Overview of General vs. Specific Jurisdiction

Federal courts have limited jurisdiction, and generally may not exercise judicial power over defendants that do not reside in the forum.  In any case, the plaintiff bears the burden of establishing personal jurisdiction over a defendant.

Consistent with Supreme Court precedent, a court’s power to exercise personal jurisdiction manifests in two basic ways: general or all-purpose jurisdiction, and specific or case-linked jurisdiction. For a corporation, the paradigm forum for the exercise of general jurisdiction is one in which the corporation is fairly regarded as at home—which encompasses the corporation’s place of incorporation and its principal place of business.  By contrast, specific jurisdiction is narrower.  It covers defendants less intimately connected with a State, but only as to a narrower class of claims.  There are three requirements for a court to exercise specific jurisdiction over a defendant in a litigation.  First, the defendant must have “purposefully availed” itself of “the benefits and protections of the forum’s laws.” Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475-76 & 482 (1985) (citation omitted).  Generally, this requires “some act by which the defendant purposefully avails itself of the privilege of conducting activities within the forum State.”  Hanson v. Denckla, 357 U.S. 235, 253 (1958).  Second, the plaintiff’s claims “must arise out of or relate to the defendant’s contacts” with the forum.  Ford Motor Co., 141 S. Ct. at 1025.  Third, the court must assess the reasonableness and substantial justice of exercising jurisdiction over the defendant in the particular case.

The Ninth Circuit’s Ruling on Personal Jurisdiction

Plaintiff in this case did not argue that there was general jurisdiction over Shopify or its subsidiaries named as Defendants.  Instead, the issue before the Ninth Circuit was whether the District Court had correctly dismissed the case for lack of specific jurisdiction, i.e., whether Shopify “expressly aimed” its activities at the forum state so as to satisfy the second prong required for the exercise of specific jurisdiction in the litigation.

In addressing this issue, the Court noted that “[f]or specific jurisdiction to exist over Shopify, [Plaintiff’s] claim ‘must be one which arises out of or relates to the defendant’s forum-related activities.’” (citation omitted).  As such, “[t]his is a claim-tailored inquiry that requires [the Court] to examine the plaintiff’s specific injury and its connection to the forum-related activities in question.”  On this basis, the Court held that the central jurisdictional inquiry boiled down to the question of causation, finding that Plaintiff’s claims do not “arise out of” Shopify’s broader forum-related activities in the state (its contracts with California merchants, physical Shopify offices, and so on).  Rather, an injury arising “out of a defendant’s forum contacts require[s] ‘but for’ causation, in which ‘a direct nexus exists between a defendant’s contacts with the forum state and the cause of action.’”

As such, the Court determined that “[t]here is no such causal relationship between Shopify’s broader California business contacts and [Plaintiff’s] claims because these contacts did not cause [Plaintiff’s] harm.”  Nor, the Court held, did Plaintiff’s claims “relate to” Shopify’s “broader business activities in California outside of its extraction and retention of [Plaintiff’s] data.”  The Ninth Circuit reasoned that:

[Plaintiff] would have suffered the same injury regardless of whether he purchased items from a California merchant or was physically present in California when he did so.  To the extent [Plaintiff] suggests that Shopify’s broader business actions in California set the wheels in motion for Shopify to eventually inflict privacy-related harm on him in California, such a butterfly effect theory of specific jurisdiction would be far too expansive to satisfy due process.
(emphasis supplied).

Other Principles Set Forth by the Ninth Circuit to Guide Other Cases

The Ninth Circuit framed the core issue presented in this case as a novel one, concerning “whether Shopify, which provides web-based payment processing services to online merchants throughout the nation (and the world), thereby expressly aimed its conduct toward California.”

Because Shopify operates a web-based platform, the Court found (and the parties agreed) that Ninth Circuit personal jurisdiction cases involving interactive websites should govern the jurisdictional inquiry as to Shopify and other litigations involving a broadly accessible back-end web platform.  The Court stated that the core principles governing the personal jurisdiction inquiry were the following:

  • “First, the fact that a broadly accessible web platform knowingly profits from consumers in the forum state is not sufficient to show that the defendant is expressly aiming its intentional conduct there.” (emphasis supplied).
  • “Second, to establish the ‘something more’ needed to demonstrate express aiming in suits against internet platforms, the plaintiff must allege that the defendant platform has a forum-specific focus.”  In the alternative, “the plaintiff must allege that the defendant is specifically ‘appeal[ing] to … an audience in a particular state’ or ‘actively target[ing]’” the forum state (citations omitted).  The Court explained that what is needed in either instance, however, is “differentiation of the forum state from other locations . . . which permits the conclusion that the defendant’s suit-related conduct ‘create[s] a substantial connection” with the forum.’” (citations omitted).
  • “Third, the specific nature and structure of the defendant’s business matters.”  The Court explained that “how the defendant operates and organizes its web-based platform” and how the defendant interacts with relevant third parties all affect the “something more” analysis.

Conclusion

In ruling that Shopify was not subject to specific jurisdiction for Plaintiff’s claims, the Court cautioned that it was not suggesting “that the extraction and retention of consumer data can never qualify as express aiming” for purposes of establishing specific jurisdiction over a defendant.  The Court noted that because “the nature and structure of a defendant’s business can affect the personal jurisdiction analysis,” personal jurisdiction in all instances depends on a “fact-intensive” assessment.  Therefore, the Court’s ruling in this case was based on an application of those principles to the facts as alleged in Plaintiff’s Complaint.  However, the principles set forth in the decision will undoubtedly guide consumer privacy litigations in the Ninth Circuit going forward, and will be persuasive authority for defendants in other cases.  For more, stay tuned.  Privacy World will be there to keep you in the loop.

Earlier this fall, the Fourth Circuit vacated the district court’s class certification order in the Marriott data breach MDL because of the potential applicability of a class action waiver defense. See In re Marriott Int’l Consumer Data Security Breach Litig., 78 F.4th 677 (4th Cir. 2023). Our post on this decision can be found here. On remand, the district court took little time to conclude that Marriott had waived the class action waiver in the Choice of Law and Venue provision of the putative class members’ contracts and that regardless “the adhesive provision, buried on the last page of the Terms cannot direct this Court to ignore the provisions of Rule 23 of the Federal Rules of Civil Procedure.”  In re Marriott Int’l Consumer Data Security Breach Litig., 2023 WL 8247865 (D. Md. Nov. 29, 2023). The district court thus reinstated the classes as earlier certified.

Continue Reading District Court Quickly Reinstates Class Certification in Marriott Data Breach Litigation

We originally published an article on this topic in July 2022, and have refreshed the article to include new information below.

There is increasing public pressure on internet companies to intervene with content moderation, particularly to tackle disinformation, harmful speech, copyright infringement, sexual abuse, automation and bias, terrorism and violent extremism. The new Online Safety Act is the British response to such public demand.

The Online Safety Act received Royal Assent on 26 October 2023, giving Ofcom powers as online safety regulator in the UK. Online platforms around the world will get the first detail of requirements for complying with the Online Safety Act on 9 November, when Ofcom says it will publish its first draft codes of practice and enforcement guidance for consultation. Ofcom has published a timeline with a comprehensive implementation schedule extending over three years.

Continue Reading UPDATED BLOGPOST: Online Safety in Digital Markets Needs a Joined-Up Approach with Competition Law in the UK