InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court allows data sharing invasion of privacy claims to proceed
On May 4, the U.S. District Court for the Central District of California partially dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an invasion of privacy claim to proceed. In 2020, plaintiffs’ claimed the retail defendants shared consumer data without authorization or consent, including “all unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, or passport, e.g., the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code,” with the data analytics company who used the information to create “risk scores” that purportedly calculated a consumer’s likelihood of retail fraud or other criminal activity. The court permanently dismissed the plaintiffs’ California Consumer Privacy Act claims, finding that the state law was not in effect when some of the plaintiffs allegedly attempted returns or exchanges and that the law does not contain an express retroactivity provision. Additionally, while plaintiffs argued that the retail defendants engaged in “a pattern or practice of data sharing,” the court concluded that plaintiffs failed “to allege that they are continuing to return or exchange merchandise at these retailers such that their data is disclosed” to the data analytics company. The court also dismissed the FCRA claims, ruling that the data analytics company’s risk report is not a “consumer report” subject to the FCRA because it does not “bear on Plaintiff’s eligibility for credit.” Plaintiffs’ claims for unjust enrichment and violations of California's Unfair Competition Law were also dismissed. However, the court concluded that the plaintiffs had plausibly alleged a reasonable expectation of privacy against the defendants, pointing to “the wide discrepancy between Plaintiffs’ alleged expectations for Retail Defendants’ use of their data and its actual alleged use.”
“The court finds dismissing this claim at the pleading stage particularly inappropriate where, as is the case here, defendants are the only party privy to the true extent of the intrusion on Plaintiffs’ privacy,” the court stated. “Reading the Complaint in a light most favorable to Plaintiffs, Plaintiffs sufficiently allege that [] defendants’ intrusion into Plaintiffs’ privacy was highly offensive.”
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
District Court approves $17 million data breach settlement
On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.
California clarifies that internally generated inferences are “personal information” under the CCPA
On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to internally generated inferences that the business holds about the consumer from either internal or external information sources. According to the OAG, the answer is yes—consumers have the right to know internally generated inferences about themselves, and a business must provide such information upon request, unless a business can demonstrate an applicable CCPA statutory exception. The CCPA, which was enacted in June 2018 and became effective January 1, 2020 (covered by a Buckley Special Alert), provides California consumers with new rights of control over the personal information held about them (with certain exceptions), including the right to know what information is being collected and how a business uses and shares that information, the right to delete personal information, and the right to opt out of certain transfers and sales of their personal information. The OAG noted that while the Consumer Privacy Rights Act of 2020 will become fully operative January 1, 2023, none of the act’s amendments to the CCPA will change the conclusions presented in the opinion.
The OAG’s opinion defines “inference” under the CCPA to mean “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Example inferences such as “married,” “homeowner,” “online shopper,” or “likely voter,” the OAG explained, are derived from information collected by businesses such as online transactions, social network posts, or public records. OAG noted that some businesses also use proprietary methods to create inferences and “then sell or transfer the inferences to others for commercial purposes,” thus allowing, according to studies, “seemingly innocuous data points” to be combined with other data points “to deduce startlingly personal characteristics.” According to the OAG’s interpretation of the plain language of the CCPA, as well as legislative history, businesses are generally required “to disclose internally generated inferences to consumers” “regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.”
The OAG further explained that, inferences are “personal information” for purposes of the CCPA, and therefore must be disclosed provided two conditions exist: (i) “the inference is drawn ‘from any of the information identified”’ in subdivision (o) of Civil Code section 1798.140, which includes, among other things, personal identifiers such as names, addresses, account numbers, or identification numbers, customer records, age, gender, race, or religion, as well as inferences obtained from any of the provided items; and (ii) “the inference is used to ‘create a profile about a consumer,’ or in other words to predict a salient consumer characteristic.” For the purposes of responding to a consumer’s request to know, the OAG stated that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The business is required to disclose the personal information it holds to the consumer upon request. The OAG noted, however, that the CCPA does not require businesses to disclose protected trade secrets used to derive its inferences, provided the business demonstrates “that such inferences are indeed trade secrets under the applicable law.”
District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit
On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs, comprised of current and former employees, sued the company, claiming a 2021 data breach exposed their personal identifiable information (PII) to an unauthorized actor. Several plaintiffs were victims of apparent identity theft, the complaint stated, which alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and breach of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA). In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.” Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA (a “customer” under the law is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but in this matter, the court stated the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment). The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.
District Court: California privacy laws do not absolve discovery obligations in federal litigation
Last month, the U.S. District Court for the Central District of California granted plaintiffs’ motion to compel defendants’ responses to a request for production of documents after determining that defendants may not rely on the California Consumer Protection Act (CCPA) or other state laws to avoid discovery obligations in federal litigation. In 2020, the plaintiffs brought numerous claims, including violations of the Computer Fraud and Abuse Act and several related state law claims, alleging the defendants took the plaintiffs’ client database, marketing software, and computer to start their own business. After being served with a request for production of documents, the defendants asserted that producing the information would violate various California privacy laws, including the CCPA, the California Information Privacy Act, the California Privacy Rights Act, and Article 1, Section 1 of the California Constitution. The plaintiffs countered that the defendants’ objection should be overruled, as they had failed to establish “that there exists a reasonable right of privacy to the information sought to be disclosed,” arguing, among other things, that the defendants’ privacy concern “is undermined by their failure to enter into, or otherwise seek, a protective order.”
The court agreed with the plaintiffs, concluding that the defendants’ privacy objection is without merit. According to the court, the California privacy rights asserted by the defendants were not applicable in this discovery proceeding because “even to the extent the California constitution and these California statutes create a privilege—which this Court does not decide here—only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.” Although the court noted that a federal law counterpart to California’s privacy laws does not exist, it affirmed that “federal courts recognize a right of privacy implicit in Rule 26.” Nevertheless, the court stated that, “to the extent such a privacy interest exists, ‘corporations have a lesser right to privacy than human beings and are not entitled to claim a right to privacy in terms of a fundamental right, [although] some right to privacy exists.” Moreover, “[c]ourts routinely have found that a corporation’s privacy rights may give way where the information requested is material, not available from another source, and protected from disclosure by a protective order.” The court ultimately found that “a proper balancing of the competing interests weighs in favor of granting” the plaintiff’s discovery requests, adding that the defendants did not offer or suggest any alternative means by which the plaintiff could obtain the information and that a protective order would mitigate any risk of harm.
District Court approves settlement in data breach suit
On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant) resolving allegations that the defendant was responsible for failing to establish adequate security measures to protect their customers’ and employees’ data. According to the preliminarily approval order, a third party gained unauthorized access to the defendant’s server which stored the plaintiffs’ sensitive personal identifying information. The order noted that the security incident put the plaintiffs “at a high risk of identity theft and other cybercrimes.” The plaintiffs alleged in the complaint that the defendants violated California's Unfair Competition Law, the California Consumer Privacy Act, and the FTC Act, among other things, by failing “to adequately ensure the privacy, confidentiality, and security of employee data entrusted to it and Defendant’s failure to have adequate data security measures in place.” Under the terms of the order, the defendants are required to establish a $2.6 million settlement fund to provide monetary settlement benefits to class members within forty-five days of a preliminary approval order directing class notice. The plaintiff class will be separated into two separate tiers: a nationwide class consisting of individuals residing in the U.S. who were or may have been impacted in the data breach, and a California subclass, consisting of individuals who resided in California on July 18, 2020, who were or may have been impacted in the data breach. The order also granted $650,000 in class counsel fees and approximately $50,000 in costs and expenses. Each lead plaintiff received $1,500 as part of the settlement.
California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022
On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking in the third or fourth quarter of 2022. As previously covered by InfoBytes, last September, the CPPA formally called on stakeholders to provide preliminary comments on proposed CPRA rulemaking. The Act (effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 (covered by InfoBytes here) and amended the existing California Consumer Privacy Act. The invitation for comments highlighted several areas of interest for the CPPA, including topics concerning cybersecurity audits and risk assessments, automated decision-making, consumer privacy rights and requests to know, sensitive personal information, and dark patterns. While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the meeting that the rulemaking process will extend into the second half of the year. Soltani noted that preliminary and informational proceedings will take place sometime this March and April, and will include instructive sessions with various subject matter experts and public sessions to obtain stakeholder input, and will take into account responses from the comment solicitation period that ended November 8, 2021. Following these proceedings, the Board will begin the formal rulemaking process during the second and third quarters, with final rules being finished by the end of the year. Soltani acknowledged that while the Board is behind schedule with respect to the July deadline, the CPPA expects to use the extra time to fill open positions at the agency.
California investigating loyalty programs for CCPA compliance
On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal information, including loyalty programs, to provide consumers with a notice that clearly describes the material terms of the financial incentive program before consumers opt-in. (See InfoBytes coverage of the CCPA here.) Notices of noncompliance were sent to several businesses whose loyalty programs allegedly violated the CCPA, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Businesses have 30 days to cure or fix the alleged violation and come into compliance with the law before the initiation of an enforcement action. “I urge all businesses in California to take note and be transparent about how you’re using your customer’s data,” Attorney General Rob Bonta stated in the announcement. “My office continues to fight to protect consumer privacy, and we will enforce the law.”
District Court approves CCPA class action settlement
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information when defendants were the targets of security breach incidents where an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access of personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.