A class action lawsuit, Seirafi et al v. Samsung Electronics America, Inc., Case 4:22-cv-05176-KAW, filed recently in the Northern District of California, alleges that Samsung’s unnecessary personal information collection, and failure to secure that information, violate the California Consumer Privacy Act (CCPA). This lawsuit was inspired by two recent data breaches that allegedly included personal data of American users. The plaintiffs go beyond the facts of the breaches, though, to allege that Samsung should never have collected that information in the first place.

The California Consumer Privacy Act provides: “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” According to the plaintiffs, Samsung acted unreasonably by requiring them to register accounts to use smart televisions and other devices. If this theory succeeds, tech companies could find that locking devices behind online registration is more risk than it’s worth.

In the first action of its kind under the California Consumer Privacy Act (CCPA), Sephora settled an enforcement action with the California Attorney General for violation of the CCPA. Sephora must pay $1.2 million in penalties and implement a CCPA compliance program. The enforcement action alleged that Sephora permitted third parties to create customer profiles, including details such as the brand of laptop a customer used or the concealer and eyeliner they bought, for use in targeted advertising without consumer knowledge or consent.

Sephora must inform customers in California that it sells their personal data, including their location and items in their online shopping cart, and let them opt out of a sale of that information if they choose to do so.

Attorney General Rob Bonta said in the office’s public statement, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.” This should be a reminder for companies to determine if the CCPA applies to them and get their processes in place before the AG’s office comes knocking on their door, too.

California Attorney General Rob Bonta is serious about compliance with the California Consumer Privacy Act (CCPA). So serious, that on January 28, 2022, also known as Data Privacy Day, he announced that his office was commencing an investigative “sweep” of “businesses operating loyalty programs in California” and sent notices of noncompliance to businesses requiring them to cure within thirty days.

According to the AG’s press release, “Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.” Although the AG did not reveal how many letters were issued, he did say that letters were sent “to major corporations in the retail, home improvement, travel, and food services industries.”

The timing of the issuance of the letters appears to be no coincidence. The AG stated, “On Data Privacy Day, we’re issuing notices to business that operate loyalty programs and use personal information in violation of California’s data privacy law. I urge all businesses in California to take note and be transparent about how you’re using your customer’s data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

Warnings from a regulator are words to follow closely. If you offer a loyalty program, these words from the enforcer of the CCPA are clear and strong. If you haven’t implemented a CCPA compliance program, there is no better time than now.

This is the time of year for thought pieces reflecting on the past year or so to speculate on the hot topics for next year. I began to wonder about California Consumer Privacy Act (CCPA) enforcement actions over the past year as this was something that we speculated about not that long ago. The California Attorney General’s office has been busy and has even posted a list on its website of 27 examples of recent California Consumer Privacy Act enforcement actions.

The most common violation on the list is that a company’s privacy policy was non-compliant with CCPA requirements. Of the 27 cases cited, at least 16 had some form of privacy policy violation. Some of the privacy policies failed to provide consumers with the required CCPA rights, failed to state whether the company sold personal information, or failed to provide a method for consumers to submit requests about their data. Other violations included failure to provide notice to consumers of opt-out processes and the failure to include a “Do Not Sell My Personal Information” link. One company even tried to charge consumers for making CCPA requests.

All the cases cited appear to have begun with consumer complaints that resulted in a notice of alleged non-compliance. That notice provided the companies the opportunity to correct their deficiencies. In one privacy policy violation, the company updated its privacy policy in response to a complaint that it failed to provide notice of the required CCPA consumer rights and also failed to state whether it had sold personal information within the past 12 months. The company updated its privacy policy; however, the revised policy was “not easy to read or understandable to the average consumer, e.g. contained unnecessary legal jargon.” The company received a second notice of non-compliance and then revised its privacy policy accordingly.

Enforcement actions will no doubt continue in 2022, but the lesson learned from 2021 is that for companies that must comply with CCPA, having a CCPA-compliant privacy policy will be a great way to start the new year.

Blackbaud, which suffered a data breach of its customers’ data in a ransomware attack in 2020, in which it admitted paying the ransom in a double extortion attack, is facing multiple class action cases following the attack. The cases have been consolidated in multi-district litigation and now comprise 29 cases.

The federal judge overseeing the cases has refused to dismiss all of the claims that the plaintiffs alleged against Blackbaud, and ruled that Blackbaud must face claims of violation of the California Consumer Privacy Act (CCPA), deceptive and unfair trade practice allegations made by Florida and New York plaintiffs, and a separate claim by a California plaintiff alleging the compromise of medical information.

The judge declared that the plaintiffs had sufficiently alleged that Blackbaud was a “business” as that term is defined in CCPA partly because Blackbaud was a registered data broker in the state of California.

The judge did dismiss several state statutory claims that had been made by the plaintiffs. We will continue to watch this case and Blackbaud’s defenses to the CCPA claims.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt-out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting consent instead of choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt-out.

Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that by using cybersecurity scan software he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The complaint MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative. This is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered any identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy. Walmart argued that Gardiner’s contract-based claims were barred by its website Terms of Use, which included a warranty disclaimer and limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with an online presence: a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since amended his complaint. Whether the amendments will avoid another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.

California Attorney General Xavier Becerra announced this week that the Office of Administrative Law approved additional California Consumer Privacy Act (CCPA) regulations, which became effective March 15, 2021.

The additional changes to the regulations primarily affect businesses that sell the personal information of California residents. The changes include a uniform Opt-Out Icon for the purpose of promoting consumer awareness of the right to opt-out of the sale of personal information, guidance to businesses regarding opt-out requests, including what not to do, and changes regarding the proof that a business may require for authorized agents and consumer verifications.

New sections of the regulations include a requirement that a business that sells personal information it collects from consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. The new regulations state that the Opt-Out Icon may be used in addition to posting the notice of the right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link.

With respect to authorized agents, a business may require that the consumer’s authorized agent provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following: (1) verify their own identity directly with the business or (2) directly confirm with the business that they provided the authorized agent permission to submit the request.

Other new sections of the regulations state that a business’s methods for submitting requests to opt-out should be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Examples of methods that businesses should not use are specified in the regulations and include:

  • The process for opting out shall not require more steps than the business process for opting in to the sale of personal information;
  • The business should not use confusing language such as double negatives (Don’t Not Sell My Personal Information);
  • The business shall not require consumers to click through or to listen to reasons they should not submit a request to opt-out before confirming their request;
  • The business cannot require the process for submitting a request to opt-out to require the consumer to provide personal information that is not necessary to implement the request; and
  • Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

The bottom line for these additional changes to the CCPA regulations is that the overriding principles remain the same: inform consumers of their right to opt-out of the sale of their personal information and present this information to consumers in a way that is easy to read and understand.

A federal District Court in California recently dismissed a lawsuit against Walmart that arose from an alleged data breach (Gardiner v. Walmart, Inc., 20-cv-04618-JSW (N.D. Cal., March 5, 2021)). Among other things, the court determined that California’s Consumer Privacy Act (CCPA) does not apply retroactively, dismissing the CCPA claim because the plaintiff had not specified the date of the alleged breach.

According to the allegations of the complaint, the plaintiff had provided certain personal identifying information (PII) to Walmart, including credit card information, when he created an online account. Plaintiff claimed that Walmart has been targeted numerous times by individuals who have hacked its website and its customers’ computers, and that the hackers posted stolen account information—including his—on the dark web. As a result, plaintiff asserted that he and others faced an imminent threat of identity theft and fraud, had to spend time and resources to mitigate the effects of the data breach, and suffered economic damages. The complaint alleged violations of the CCPA and also California’s Unfair Competition Law, along with common law claims such as negligence and breach of contract.

Walmart, which disputed that there was any breach of its network, moved to dismiss the complaint. The court granted the motion. As to the CCPA claim, the court concluded that CCPA only applies to breaches occurring on or after January 1, 2020, and does not apply retroactively. Plaintiff therefore had to allege that Walmart’s purported violation of its duty to implement reasonable security procedures to prevent the breach occurred on or after that date. Because plaintiff did not allege a specific date of the alleged breach, he did not have a viable CCPA claim. The court held that the CCPA claim also failed because the complaint did not sufficiently allege disclosure of plaintiff’s PII, such as disclosure of his credit card number and security code.

In addition, the court dismissed all of plaintiff’s remaining claims for negligence, contract, and unfair competition on the grounds that plaintiff had failed to plead a cognizable injury. In doing so, the court found that, without factual allegations identifying what PII was stolen, plaintiff’s bare assertion that his PII had economic value was insufficient to support his claims. The court also determined, among other things, that conclusory allegations of an increased risk of identity theft were insufficient to establish injury. The decision may not end the litigation, however, as the court granted plaintiff leave to amend his complaint to cure the identified deficiencies. It remains to be seen if he will do so.

Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed, as the Court found that it lacked subject matter jurisdiction because the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, is a prerequisite to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.