Data privacy litigators are well aware of the critical importance of a motion to dismiss to have meritless data incident claims kicked at the pleadings stage.  A recent decision underscores the importance of choice of law arguments as part of a comprehensive litigation strategy.  Why?  Well, in some cases, differences between the laws of two states regarding frequently litigated data incident claims can be dispositive for purposes of a motion to dismiss.  Read on to learn more.

First, some background.  It is well-established that federal courts sitting in diversity apply the forum state’s conflict of laws rules.  For instance, in Greenstate Credit Union v. Hy-Vee, Inc., a data incident litigation recently pending in federal district court in Minnesota, the court noted that:

Under Minnesota law, the first inquiry is whether an actual conflict of laws exists.  Next, the court must determine ‘whether the law of both states can be constitutionally applied.’  If there is an outcome determinative conflict and the law of both states can be constitutionally applied, then the court applies Minnesota’s multifactor test . . .to determine which states’ law should apply.

2021 U.S. Dist. LEXIS 133894 (D. Minn. July 19, 2021).

Many data incident litigations involve common law tort claims (e.g., negligence) that have some similarities across the jurisdictions.  As such, the reaction of some data privacy newbies may be to reject choice of law considerations in a litigation.  After all, everyone knows a negligence claim always involves application of the same four elements (duty, breach, causation, damage) anyway, right?

Wrong answer.  Choice of law arguments can be dispositive regarding which party prevails in a litigation.  Therefore, making an informed assessment of which forum’s laws can and should apply in a data breach litigation is a mission critical inquiry at the onset of a case.

As an example, Greenstate Credit Union concerned a class action dispute arising out of Hy-Vee’s handling of a data breach that exposed consumers’ credit card data.  Plaintiff GreenState Federal Credit Union is a federally chartered credit union with its principal place of business in Iowa.  Defendant Hy-Vee is incorporated in Iowa and has its principal place of business in Iowa.  However, Hy-Vee operates supermarkets, convenience stores, and gas stations, with 240 retail stores in eight states, including Minnesota.

Why does this matter?  Plaintiff asserted claims under the Minnesota Plastic Card Security Act (PCSA), common law negligence, negligence per se, and for declaratory and injunctive relief.  Defendant argued, however, that instead of Minnesota law, the law of Iowa should govern Plaintiff’s claims.  This was motivated by the fact that unlike Minnesota, Iowa has adopted the economic loss doctrine.  As articulated by the Iowa Supreme Court, this doctrine “bars recovery in negligence when the plaintiff has suffered only economic loss.”

Here, the court found that:

GreenState’s negligence claim would be barred by Iowa’s economic loss doctrine.  GreenState’s alleged injuries – cancelling compromised cards, reissuing new cards, reimbursing members for fraudulent charges, and losing interest and transaction fees because of reduced card use — are all indirect economic losses . . .Because GreenState alleges nothing more than economic losses, Iowa law bars its negligence claims.

(emphasis supplied).

Additionally, based on Minnesota’s choice of law rules, the court found that “[a]ll of Hy-Vee’s relevant information security employees and decision-making are located in Iowa.  It is predictable that Iowa law would apply.”  For these reasons, among others, the court held that Iowa law should apply.  It then promptly dismissed Plaintiff’s claims pursuant to a straightforward application of Iowa’s damages law.

While the economic loss rule is one of the more well-known variations in state law, there are other areas involving even more nuance.  This in turn makes choice of law considerations (and an assessment of whether a defendant should strategically advocate for applying the law of a forum other than the one in which the litigation was filed) absolutely essential.

For more on this developing area of the law, stay tuned.  CPW will be there to keep you in the loop.

In Ducharme v. Madewell Concrete, LLC, No. 6:20-1620-HMH, 2020 U.S. Dist. LEXIS 127615 (D.S.C. July 17, 2020), Defendants Madewell Concrete, LLC and Kevin Johnston’s (“Johnston”) (collectively, “Defendants”) motion to dismiss Plaintiff Robert Ducharme’s (“Plaintiff”) South Carolina Homeland Security Act (“SCHSA”) claim pursuant to Federal Rule of Civil Procedure 12(b)(6) was denied.

Plaintiff alleges that Defendants deliberately misclassified him as a salaried employee, which exempted him from the overtime requirements of the Fair Labor Standards Act (“FLSA”). Accordingly, Plaintiff contends that he was not compensated for his overtime work. Plaintiff also alleges that Defendant Johnston illegally and without authorization accessed Plaintiff’s personal email account.

Plaintiff’s lawsuit alleges three claims: violations of (1) the Stored Communications Act, (2) the SCHSA, and (3) the FLSA.

Defendants argue that Plaintiff’s SCHSA claim is preempted by the Electronic Communications Privacy Act (“ECPA”) because in 18 U.S.C. § 2518(10)(c), “Congress expressed clear intent that any alleged interception of any ‘electronic communications’ falls under the exclusive remedy of the [ECPA].” Accordingly, the Court describes the dispute as whether “the interception of electronic communications provisions of the ECPA preempt a claim based on the interception of electronic communications provisions of the SCHSA.”

In holding that § 2518(10)(c) does not expressly preempt state law claims, the Court noted that “Congress could have easily and explicitly stated that the remedies in the ECPA are the exclusive remedies for all interceptions of electronic communications or that the ECPA preempts state law claims, but it did not do so.” The Court went on to find that the legislative history of § 2518(10)(c) indicates that “the interceptions of electronic communications were not subject to the exclusionary rule absent a Fourth Amendment violation.” Thus, state law remedies are permissible for certain intercepts of electronic communications (such as personal emails) and “the ECPA does not preempt Plaintiff’s claim under the SCHSA.” This case is a good reminder that employers should be mindful to ensure compliance with applicable state privacy laws, in addition to the well-known federal ones.

CPW’s Kristin Bryan and Glenn Brown recently joined James Lee, Chief Operating Officer of the Identity Theft Resource Center (“ITRC”) and Eva Velasquez, Chief Executive Officer of the ITRC to discuss recent developments in privacy laws and privacy litigation.  Their podcast, which addresses recently enacted privacy laws, litigation trends, and what may be on the horizon in this space, is available here.  Be sure to check it out.  And for more on data privacy, security and innovation, stay tuned.  CPW will be there to keep you in the loop.

On Friday, three of the four leaders of the Congressional committees with principal jurisdiction over privacy provided for review draft privacy legislation (the American Data Privacy and Protection Act) that if adopted would preempt certain recently-passed state privacy laws.  The bill, sponsored by House Energy and Commerce Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.), ranking member of the Senate Commerce Committee, shares features of California’s privacy legislation, as well as the GDPR.  However, the legislation departs from these existing laws in important ways.  In this post, we analyze some of the most important features of the legislation from both a compliance and litigation risk perspective, as well as what is on the horizon going forward.

Background

There were a number of privacy bills introduced in the House and Senate in 2021-2022.  As one recent example, in February the Algorithmic Accountability Act of 2022 was introduced in the U.S. Senate by Sen. Ron Wyden to direct the Federal Trade Commission (“FTC”) to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes.  The bill would have required the promulgation of regulations on automated decision-making processes that implicate an “augmented critical decision process” – essentially, that result in any legal or other material effects – on a consumer.

Data privacy has also been a top-of-mind issue at the state level, with comprehensive privacy laws recently enacted in California, Colorado, Connecticut, Virginia and Utah.  Over 100 privacy bills were introduced in state legislatures in 2022 alone.  This wave of activity included other states seeking to adopt broad privacy regimes (such as Florida’s twice-failed efforts) while others focused on privacy bills that were narrowly tailored to specific areas such as biometric privacy, AI and facial recognition.  This proliferation of state laws and their diverging regulatory requirements has led to increasing calls for passage of a federal privacy law.  A uniform federal law, if enacted, would provide business interests much needed clarity while also ideally stemming the tide of putative class actions and other data privacy claims brought under various state laws.

Compliance Requirements

If passed, the American Data Privacy and Protection Act (the “Act”) would codify several privacy best practices into federal law.  Under the draft, businesses would be required to limit the collection, processing, and transfer of “covered data” to that which is “reasonably necessary, proportionate, and limited to” provide products or services to the individual, communicate with the individual, or perform another purpose permitted by the legislation.  Sec. 101(a).

Prohibited Practices

The Act would place an outright prohibition on certain data processing activities if very limited exceptions—like the consent of the individual, exigent circumstances, or a search warrant—are not satisfied.  Under the Act, the following activities would be prohibited:

  • Processing of Social Security numbers, except where necessary for the extension of credit, authentication of the individual, or payment and collection of taxes.
  • Transferring precise geolocation information to a third party, except to another device or service of the individual, with the individual’s affirmative express consent, “through a conspicuous notice explaining the manner in which the precise geolocation information will be transferred with such a notice provided for in each instance in which such transfer is to occur absent a search warrant or exigent circumstances.”
  • Collecting, processing, or transferring biometric information, “except for data security, authentication, to comply with a legal obligation, to exercise or defend a legal claim, for law-enforcement purposes, or with the affirmative express consent of the individual through a standalone conspicuous notice explaining the manner in which the biometric information will be collected, processed, or transferred with such a notice provided for each instance in which such collection, processing, or transferring is to occur.”
  • Transferring passwords, except to a password manager or a covered entity whose job it is to identify passwords being re-used across sites or accounts, without a search warrant or exigent circumstances.
  • Collecting, processing, or transferring “known nonconsensual intimate images,” (what is sometimes referred to as “revenge porn”), “except for law enforcement purposes.”
  • Transferring “an individual’s aggregate internet search or browsing history, except with the affirmative express consent of the individual through a standalone conspicuous notice,” like that described above for biometric or precise geolocation information.
  • Transferring an individual’s physical activity information from a smart phone or wearable device, other than to another device or service of that individual with the affirmative express consent of the individual, as described above.

Sec. 102(a).

Individual Rights

Like existing privacy laws, the Act would provide individuals rights like the right to access (in human and machine-readable, portable formats), correction (including for completeness), and deletion. Sec. 203(a). The Act also includes the right to opt out of targeted advertising (Sec. 204(d)), and also requires covered entities to obtain consent before processing “sensitive covered data.” Sec. 204(a). Notably, the Act construes “sensitive” broadly, including the following categories not previously included in other privacy laws:

  1. Clickstream data.
  2. “Calendar and address book information, phone or text logs, photos, audio recordings, or videos maintained for private use on an individual’s device.”
  3. Photos and videos showing “the naked or undergarment-clad private area of an individual.”
  4. Television, cable, or streaming content viewing information.
  5. Information regarding individuals under 17.
  6. “Any other covered data collected, processed, or transferred for the purpose of identifying the” sensitive data types.

In a more novel turn, the Act also includes the right to opt out of data transfers to third parties. Sec. 204(c).

Privacy by Design

If passed, the Act would mandate that covered entities develop and implement a privacy program that accounts for applicable Federal, State, or local laws, rules or regulations, mitigation of privacy risks to children, reduction of privacy risks arising from the products or services of the covered entity, and training for employees and staff.  Sec. 103(a).

Privacy Notices

Many of the Act’s requirements for privacy policies under the draft legislation mirror other laws. Departing from existing privacy laws, the Act also requires the privacy policy to include “the name of each third-party collecting entity to which the covered entity transfers covered data, and the purposes for which such data is transferred to such categories of service providers and third parties or third-party collecting entities[.]”  Sec. 202(b)(4).  Additionally, “large data holders” would be obligated to provide a short form notice that is, “concise, clear, and conspicuous,” “readily accessible, based on the way an individual interacts with the large data holder,” and include an overview of the individual rights provided under the legislation.  Sec. 202(e).

Preemption

In a welcome move for many businesses, the Act would preempt most state privacy laws.  It provides that “[n]o State or political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.”

However, the Act would not preempt various targeted state statutes, including “consumer protection laws of general applicability such as laws regulating deceptive, unfair, or unconscionable practices”, laws regarding the privacy rights of employees or students, data breach notification laws, the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act (except its provisions concerning security breaches) and the California Privacy Rights Act, and laws governing facial recognition, unsolicited email, telephone solicitations, and caller ID, among other matters.  In practice, this means that the Act, if enacted, would explicitly preempt the new comprehensive privacy legislation enacted by Connecticut, Virginia, Utah and Colorado.

Private Right of Action

The Act also contains a complex private right of action that allows “any person or class of persons who suffers an injury” due to a violation of the bill that could be addressed by its civil remedies to file suit in federal court.  The Act’s civil remedies, however, are limited to compensatory damages, injunctive and/or declaratory relief and reasonable attorney’s fees and litigation costs.  Additionally, presumably in an effort to give the business community time to adjust to any new regulatory requirements, the Act includes a four-year delay on the availability of the private right of action.  The Act also prohibits mandatory arbitration clauses, albeit for minors only.

Path Forward

On June 7, it was announced that a hearing on the Act has been scheduled for Tuesday, June 14, at 10:30 a.m. (EDT).  However, it remains to be seen whether Senator Cantwell, the Chair of the Senate Commerce Committee, will lend her support to the Act (and what the Act’s path forward will look like if Senator Cantwell’s endorsement is not forthcoming).  Senator Cantwell had previously supported other privacy bills (including one in 2019 that included a private right of action and would have established a “duty of loyalty” for companies that handle consumer data).  For more on this, stay tuned.  CPW will be there to keep you in the loop.

Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal laws (ARLs). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that automatically renews at the end of the term for a subsequent term, until the subscribing consumer cancels. Many US states and the US Federal Trade Commission (FTC) require businesses offering subscription plans to obtain from the consumer affirmative consent to subscription plan terms, send confirmation emails with the subscription terms, send renewal notices within a set number of days prior to the plan automatically renewing, and allow consumers to easily cancel their subscriptions, among other requirements. The FTC’s enforcement power for automatic renewals rests in several laws and rules, such as Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Telemarketing Sales Rule. Although most state ARLs target business-to-consumer contracts, some states have ARLs that regulate business-to-business contracts (e.g., New York and Wisconsin). We take a look at the varying requirements of the more stringent state ARLs regulating business-to-consumer contracts below. New or updated ARLs have taken effect in Colorado, Delaware, New York, and Illinois. Notably, California’s new, more stringent requirements for businesses that offer consumers automatic renewals take effect July 1, 2022.

In Europe, the EU has had several Directives relating to consumer contracts, including the Unfair Contract Terms Directive, Consumer Rights Directive, and most recently, the Digital Content Directive and Sale of Goods Directive. However, in addition to these Directives, Germany passed the Fair Consumer Contracts Act, which will place stricter regulations on automatic renewals in e-commerce. An important new practical requirement is the cancellation button, the design of which is subject to detailed requirements. Non-compliant businesses will be subject to injunctive relief from both competitors and from consumer protection associations. Further, consumers can cancel contracts at any time if the business is non-compliant. Some of the provisions of the Fair Consumer Contracts Act entered into force on October 1, 2021; however, the implementation of the cancellation button is mandatory as of July 1, 2022, the same effective date as California’s updated ARL.

Updates to Laws

United States

Last year, New York strengthened its business-to-consumer ARL to include additional consent, disclosure, and cancellation requirements. In addition to this updated business-to-consumer ARL, New York’s original ARL covers business-to-business contracts “for service, maintenance or repair to or for any real or personal property” where the renewal period is longer than a month. New York’s enhanced ARL, which went into effect in 2021, has some notable new requirements for businesses that we have seen in other state consumer protection laws, including omnibus privacy laws:

  1. Obtain “affirmative consent” to the terms, including the cancellation policy, (which are clearly and conspicuously disclosed in “visual” or “temporal” proximity to the consent mechanism) prior to charging a consumer for an automatic renewal. Failure to obtain this consent will deem the “goods, wares, merchandise, or products” as “unconditional gifts to the consumer, who may dispose of the [gift] in any manner he or she sees fit without any obligation whatsoever on the consumer’s part to the business.” §527-a(6).
  2. “Clear[ly] and conspicuous[ly]” disclose the “terms, cancellation policy, and information regarding how to cancel in a manner that is capable of being retained by the consumer.” §527-a(1)(c). Think of this as a requirement to send a confirmation email or letter to the subscribing consumer. If the subscription includes a free gift, the business should provide the ability and include instructions in the confirmation for the consumer to cancel before being charged for the good or service.
  3. Allow cancellation online of subscriptions purchased online, as well as a “cost-effective, timely, and easy-to-use mechanism for cancellation” for subscriptions not purchased online. §527-a(2)-(3).

Indicating that automatic renewals are an enforcement priority, New York Attorney General Letitia James issued a consumer alert in November 2021, reminding consumers and businesses that New York has updated its ARL for business-to-consumer contracts.

In October 2021, the FTC issued an enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.” The enforcement policy states that sellers should obtain a consumer’s unambiguous affirmative consent for the automatic renewal. You can read our other coverage of dark patterns here.

Also in October 2021, California enacted its enhanced ARL that has an operative date of July 1, 2022. In the enhanced ARL, California has imposed additional consent, disclosure, and cancellation requirements on businesses that offer automatic renewals. Notably, California’s ARL will soon require:

  1. Businesses must provide a notice (i.e., an email or letter to the consumer stating that the subscription will automatically renew) that clearly and conspicuously discloses (a) the renewal will occur “unless the consumer cancels,” (b) the length of the additional term, (c) how the consumer may cancel, (d) if sent electronically, a link that directs the consumer to the cancellation process or another electronic method to cancel, and (e) the contact information for the business. §17602(a)(4).
  2. Notice timing.
    1. Notice must be provided 3 to 21 days before the expiration of a free gift or trial period lasting more than 31 days. §17602(b)(1).
    2. Notice must be provided 15 to 45 days prior to the renewal for automatic renewals with subscriptions one year or longer, under certain conditions. §17602(b)(2).
  3. Easy-to-use cancellation. Consumers subscribing online must be allowed to cancel online, “at will, and without engaging in any further steps that obstruct or delay the consumer’s ability to terminate” the subscription immediately. Businesses shall provide (a) “a prominently located direct link or button” located in the account profile, or device or user settings; (b) a preformatted termination email that the “consumer can send to the business without additional information.” §17602(d)(1). Businesses can require account authentication prior to cancelling the account online, but consumers can still cancel through the other methods outlined elsewhere in California’s ARL.

Many other states and Washington, D.C. have similar consent, disclosure, and cancellation requirements in their existing or recently updated automatic renewal laws. For instance, Colorado’s ARL became effective January 1, 2022, and requires notices be sent to consumers 25 to 45 days prior to the “first automatic renewal that would extend the contract beyond a continuous twelve-month period,” as well as any subsequent renewal that would extend the contract past the additional twelve-month period. Delaware also enacted an ARL which has specific notice and disclosure requirements. Illinois’ enhanced ARL, which became effective January 1, 2022, now includes a requirement for cancellation instructions and mechanisms in the renewal notice, and requires an online cancellation option for consumers that subscribe online.

Germany

With the passage of the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), the German Civil Code (Bürgerliches Gesetzbuch – “BGB”) was amended to include stricter rules on tacit contract renewals (automatic renewals) for certain businesses. Sect. 309 No. 9 lit. b BGB. Notably, as of July 1, 2022, businesses offering subscriptions must provide a cancellation button on their websites. There are specific requirements including:

  • The button must be legibly labeled with a phrase like “Cancel contract here.”
  • The button must lead the consumer to a confirmation page that meets specific requirements, such as allowing the consumer to provide identifying information, cancellation reason, and subscription end date.
  • The button and confirmation page must be permanently available, and immediately and easily accessible (i.e., clear and conspicuous).
  • The business must allow the consumer to document the request for termination (e.g., by means of a downloadable summary of the date and time the cancellation button was pressed) and provide the consumer with an electronic receipt of the request, including the date of the cancellation request and the date on which the subscription is to be cancelled.
  • If the consumer does not specify a time for cancellation, the termination date must be the earliest date possible.

If a business fails to follow these cancellation requirements, a German consumer may terminate a contract at any time and without observing a notice period.

Enforcement and Class Action Threat

Violations of automatic renewal laws are typically addressed by government enforcement actions. However, there have been a number of large class action settlements over the past few years that alleged illegal automatic renewal programs in newspaper and magazine subscription programs. Recently, a lawsuit alleging violations of state consumer protection laws, as well as California’s ARL, based on a wellness company’s deceptive trial periods and consumers’ difficulty in cancelling and getting a refund, settled for over $50m.  Although this class action alleged a violation of California’s ARL, several courts have found there is no independent private right of action in the California ARL. See Johnson v. Pluralsight, LLC, 728 F. App’x 674, 676 (9th Cir. 2018); Lopez v. YP Holdings, LLC, 2019 WL 7905748, *4 (C.D. Cal. Jan. 23, 2019); Mayron v. Google LLC, No. H044592, 2020 WL 5494245 (Cal. Ct. App. Sept. 11, 2020). Private litigants may attempt to bring automatic renewal lawsuits under different consumer protection statutes, such as California’s Unfair Competition Law. See Morrell v. WW Int’l, Inc., 551 F. Supp. 3d 173, 182 (2nd Cir. 2021).

As to state government enforcement, the state attorney general usually enforces the ARL. In California, the state Attorney General, District Attorneys, County Attorneys, City Prosecutors, and City Attorneys can enforce the state’s ARL. But as noted above, private litigants may still try to bring an ARL claim under another consumer protection statute, such as a law prohibiting unfair or deceptive trade practices. Some states explicitly allow private rights of action in their ARL (e.g., Virginia).

The ramification for failing to comply with the state ARL varies by state. States, such as New York and Connecticut, have clauses in their ARLs providing that failure to comply with certain requirements means that the good or service is an unconditional gift, which would prevent the non-complying business from collecting from the consumer for non-payment. Florida, for example, states that a violation of the ARL “renders the automatic renewal provision void and unenforceable.”

In addition to state enforcement, it is likely that the FTC will be looking more closely at automatic renewal programs in 2022 based on the October 2021 enforcement statement. For example, on March 8, 2022, the FTC announced a settlement with an online investment site for more than $2.4m based on allegations of bogus stock earnings claims and hard-to-cancel subscription plans, in violation of Section 5(a) of the FTC Act and Section 4 of ROSCA. The FTC’s press release notes that the settlement “continues the FTC’s crackdown on false earnings claims, returning millions to consumers and requiring click-to-cancel online subscriptions,” signaling that more enforcement actions may be on the horizon and that online cancellation is an FTC requirement for online subscriptions.

Recommendations

The consent, disclosure, and cancellation requirements vary by state, and businesses should be vigilant in complying with the state-specific requirements. Businesses that offer subscription plans should ensure that customers are notified of the automatic renewal provision prior to beginning the transaction. Businesses should obtain a subscribing customer’s affirmative consent to the automatic renewal provision and send the subscriber a descriptive confirmation email after the initial purchase. Consumers should also receive a renewal notice prior to the subscription automatically renewing. Finally, businesses must be cautious of the difference between clever marketing and dark patterns in the subscription process.

These enhanced ARL requirements are already the law in certain states, and will soon be required of businesses selling automatic renewals to Californians. Businesses should implement the best practices outlined above as soon as possible, and prior to July 1, 2022, if subject to California’s law.

In Germany, we recommend that businesses review their subscription terms and conditions to ensure that no stipulations can be construed to bar consumers from using the cancellation button, and ensure that the cancellation flow complies with Germany’s specific requirements, prior to July 1, 2022.

For more information, please contact the authors or your usual point of contact at Squire Patton Boggs.

As readers of CPW know, although the California Consumer Privacy Act (“CCPA”) and other state statutes provide California residents additional privacy protections, there are limits on the laws’ scope.  This includes, as was the case here and consistent with prior rulings, that a defendant may not rely on the CCPA and other state privacy laws as a shield to avoid its discovery obligations in federal litigation.  RG Abrams Ins. v. Law Offices of C.R. Abrams, 2022 U.S. Dist. LEXIS 25044 (C.D. Cal. Jan. 19, 2022).  Read on to learn more.

Although many data privacy disputes are brought as class actions, this is not always the case.  In this instance, Plaintiff filed suit against Defendants alleging that Defendants appropriated Plaintiff’s client database, marketing software, and computer to start a competing business venture.  Plaintiff brought claims under the federal Computer Fraud and Abuse Act and a number of related state law claims.  The litigation eventually entered discovery, where Plaintiff served a number of requests on Defendants concerning the conduct underlying the claims at issue.

In objecting to Plaintiff’s written discovery, the Defendants creatively relied in part on various California privacy laws that would be violated if they produced the information and documents requested.  Plaintiff, in turn, urged the Court to reject these objections because Defendants failed to establish that Defendants had a “reasonable right of privacy to the information sought to be disclosed.”

Ultimately, the Court agreed with Plaintiff.

As an initial matter, the Court held that the California privacy rights asserted by the Defendants (including in relation to the CCPA, the California Information Privacy Act, the California Privacy Rights Act, and Article 1, Section 1 of the California Constitution) were not applicable here.  This is because, the Court explained, “even to the extent the California constitution and these California statutes create a privilege—which this Court does not decide here—only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.” (citing Kalinoski v. Evans, 377 F. Supp. 2d 136, 140-41 (D.D.C. 2005) (“The Supremacy Clause of the United States Constitution (as well as Federal Rule of Evidence 501) prevent a State from directing a federal court with regard to the evidence it may order produced in the adjudication of a federal claim.”)).

The Court acknowledged that although there “is no federal law counterpart to California’s privacy statutes, federal courts recognize a right of privacy implicit in Rule 26.”  (quotation omitted).  Moreover, courts in the Ninth Circuit have recognized a limited corporate privacy interest—albeit one that is narrowly circumscribed:

To the extent such a privacy interest exists, “corporations have a lesser right to privacy than human beings and are not entitled to claim a right to privacy in terms of a fundamental right, [although] some right to privacy exists.”  Indeed, “[p]rivacy rights accorded artificial entities are not stagnant, but depend on the circumstances.”

(quotations omitted).

As such, to the extent a corporate privacy right exists, it gives way when information requested in discovery “is material, not available from another source, and protected from disclosure by a protective order.”  The Court readily found this standard was satisfied here and ordered production of the requested materials and information.  First, the discovery was relevant to Plaintiff’s claim.  Second, Defendants did not offer or suggest any alternative means by which Plaintiff could obtain the requested information.  And third, the Court found that a protective order would adequately protect Defendants’ privacy interests.

So there you have it.  Although many states have enacted new privacy laws, Courts are consistently interpreting them as not interfering with the scope of discovery in federal court litigation.  For more on this, and other news concerning data privacy more broadly, stay tuned.  CPW is here to keep you in the loop.

Beginning on May 7, 2022, employers in New York State who engage in electronic monitoring of employee communications will be required to notify their workers of such monitoring.

S2628, signed into law on November 8, 2021, requires all employers in the state of New York to provide prior written notice to newly hired employees if they intend to monitor or otherwise intercept telephone conversations or transmissions, email, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems.  This likely includes videoconferencing platforms such as Zoom or Teams.  Notice must be:

  • Provided in writing;
  • In an electronic record, or in another electronic form; and
  • Acknowledged by each employee either in writing or electronically.

Electronic monitoring “solely for the purpose of computer system maintenance and/or protection” does not trigger S2628’s notice requirements.

Employers must also post a notice of electronic monitoring in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.

S2628 does not contain a private right of action.  However, as has been seen with other data privacy statutes, the absence of such a provision will not necessarily preclude plaintiffs from filing suits against defendants for purported violations of their obligations under S2628.  A common practice in data privacy litigations is for plaintiffs to seek to use violations of a statutory right to privacy as a predicate for imposing liability under other theories of recovery, such as negligence per se.  This is frequently done by plaintiffs in data event and cybersecurity class actions and the same approach could be used here.

Further, S2628 is enforceable by the New York state office of the attorney general, which is authorized to seek penalties of up to $500 for the first offense, $1,000 for a second offense, and $3,000 for third and subsequent offenses.

More broadly, S2628 fits within a recent trend of increased focus on measures to protect the privacy of individuals in the employment context.  The California Consumer Privacy Act (“CCPA”) which took effect in 2020 provides consumers—including employees (subject to several significant exemptions)—certain rights regarding the personal information that businesses collect about them. Although the California Privacy Rights Act (“CPRA”) extended the CCPA’s employee-related exemptions until January 1, 2023, employers are still required to provide employees with a notice at collection.  There are laws similar to S2628 in Connecticut and Delaware.

This proliferation of state laws has been accompanied by a rise in data privacy lawsuits brought by employees concerning their employers’ privacy practices.  Cases have been frequently brought this year in the wake of cyberattacks directed against employers that result in the purported disclosure of employees’ personal information.  There has also been an increase in privacy litigations filed regarding employers’ collection of the biometric data and sensitive financial information of employees (with suits filed under the Illinois Biometric Information Privacy Act (“BIPA”) and the Fair Credit Reporting Act (“FCRA”), among others).

For more on this, stay tuned.  CPW will be there to keep you in the loop.

 

Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal

New: Live and Virtual Privacy Law CLE Event | September 22, 2021

We’re hosting the Southwest Ohio Chapter of the ACC virtually and live in our Cincinnati office.

Join Scott Kane, Alan Friel, Kyle Fath and Kristin Bryan for an up-to-the-minute review of US consumer privacy laws, an in-depth discussion of a proposed new Ohio law, best practices for managing an information governance program, and the latest data security and breach litigation trends and developments.

Date: September 22, 2021

Time: 4:00 PM – 6:00 PM ET; beverages and hors d’oeuvres will be served.

Place: Squire Patton Boggs, 201 E. Fourth Street, Suite 1900, Cincinnati, OH 45202

Privacy at the state level can get messy and confusing—particularly in the current moment with the record number of proposed bills under consideration.  So let’s face it: it is great to read about all those proposed bills, but what US privacy professionals really want to know is which bills will pass and which bills will fail.  Law firms are internally creating “2021 State Comprehensive Privacy Bill Brackets” but none are publishing them since predictions are hard and, candidly, we attorneys do not like to be proven wrong.

That ends today.

The new deputy chair of SPB’s Privacy, Cybersecurity practice Alan Friel is not only a veteran of the many privacy legislation battles of the past but also a fearless leader who believes publishing our predictions will add real value to our readers (and clients).

As a reminder, SPB privacy blogs were granted the 2020 Go to Thought Leadership Award by National Review.  This year we were the first major law firm to predict the Virginia Consumer Data Protection Act (VCDPA) would pass.  Incidentally, our talented colleague Glenn Brown has posted great content explaining VCDPA’s requirements and even analysis comparing the right to delete under VCDPA and CCPA/CPRA  (including a handy chart that you should definitely bookmark).

So, without further delay, here are SPB’s 2021 State Comprehensive Privacy Bill predictions.

Our 2021 Final Four: Connecticut, Florida, Oklahoma and Washington

No. 1: Connecticut’s Act Concerning Consumer Privacy (SB 893)

Arguably it is too early to predict the outcome of SB 893.  After all, the bill is still stuck in Committee, and there were several comments filed in opposition during the February 25 public hearing.  Why are we bullish on Connecticut then?  The bill has the support of the Connecticut ACLU (although it is worth noting that the private right of action was removed after the ACLU expressed its support).  More importantly, Connecticut’s Attorney General’s Office and Connecticut’s Senate Majority Leader strongly support the bill, and Connecticut (like Virginia) is a Democratic trifecta where the DNC has full control of the governorship, the state senate, and the state house.  As currently drafted, Connecticut’s Act Concerning Consumer Privacy is very similar to the Virginia VCDPA (see our posting on the requirements under the VCDPA here).  The Connecticut legislature has time to reach consensus (it does not adjourn until June 9th) and we plan on keeping a close eye on developments in the state.

No. 2: Florida’s Consumer Privacy Acts (SB 1734 and HB 969)

It has been reported that an unknown activist is behind the progress of these two Florida bills.  This is not surprising: it is consistent with a trend seen these past couple of years of other privacy activists similarly reshaping states’ legislative agendas.  These bills are inching closer and closer to California’s CPRA in an indisputably red state, which is a remarkable development in and of itself.  Florida is also the third most populous state in the nation, which means any privacy legislation enacted in the state will likely have significant sway in any future talks about federal privacy legislation.  Although the Florida legislature is adjourning on April 30th, the fact that very closely aligned bills are progressing in tandem through the Senate and the House bodes well for a potential opportunity to compromise leading to enactment.  We will soon find out the outcome in Florida but, in the meantime, here is our most recent posting on the Florida developments.

No. 3: The Oklahoma Computer Data Privacy Act (HB 1602)

Nobody seems to be paying attention to this bill, but it is well-positioned to become the 2021 Cinderella Story.  HB 1602 significantly differs from already enacted comprehensive privacy bills, with the current version including no private right of action but featuring an opt-in consent requirement across the board before collecting, using or selling any personal information.  The bill sailed through the Oklahoma house with overwhelming bi-partisan support (Ayes: 85, Nays: 11).  Oklahoma was our number one until we heard last week that the chair of the Oklahoma Senate Judiciary Committee (through which the bill must pass before being brought to the floor of the Senate) may not be willing to take it up.  That said, there is enough time left in the legislative calendar to build consensus and get it to the finish line (the Oklahoma legislature will not adjourn until May 28th).  Oklahoma is currently a Republican trifecta, which should help avoid a governor veto.  If enacted, it will be the first comprehensive privacy bill to become the law of the land in a Republican-controlled state and could become a viable model for other Republican-controlled state legislatures.  For more details read our post here.

No. 4: Washington Privacy Bills (HB 1433 and SB 5062)

Washington certainly deserves “an A for effort.”  The state legislature has been trying to enact the Washington Privacy Act (SB 5062) for 2 years and counting.  Last year it actually enacted regulations affecting the public sector handling of personal information but consensus on enforcement effectively brought legislative progress for the private sector to a halt.  In 2021 the ACLU decided to back a new bill (the People’s Privacy Act – HB 1433) and has published a chart comparing its bill to the WPA here.  Why are we still optimistic on Washington?  In a surprise move, on March 26 SB 5062 was amended to add a private right of action allowing state residents to sue over alleged violations.  Significantly, however, the private right of action does not include a provision for monetary damages—leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the attorney general’s office).  Will this suffice to swing enough votes to get WPA through the finish line?  On April 1st it passed the Civil Rights & Judiciary Committee and is now heading for the floor of the house.  We will find out the ultimate outcome soon (the Washington legislature is set to adjourn April 25th).  Just like last year, this promises to be a real nail-biter.  For more information see our posting here.

How about the rest of the States?

If your favorite state privacy bill did not make it to our final four, not to worry.  There are many close calls that we had to make to come up with our final four bracket and we predict many last minute twists and turns.  And never forget the still possible comprehensive federal privacy law.  With those developments, we will continue to keep you informed of what you need to know in this rapidly developing area.  Stay tuned!