On March 20, 2019, the Supreme Court declined to address the adequacy of an $8.5 million Google privacy class action settlement and instead remanded to a lower court to determine whether the class action plaintiffs had standing to assert a claim under the Stored Communications Act (“SCA”).  The Court’s holding serves as a reminder that, despite the recent trend toward finding standing for privacy violations, standing can still be an open issue.

Frank v. Gaos arose out of Google’s use of “referrer headers” (the HTTP Referer header, which a browser sends to a destination site carrying the URL of the page the user came from; when the search terms are part of that URL, they travel with it), whereby Google allegedly transmitted users’ search terms to the servers that hosted the webpages the users selected as a result of the searches.  Plaintiffs alleged that Google’s transmission of users’ search terms violated the SCA, which prohibits an entity providing an electronic communication service to the public from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.”  After lengthy motion practice, Google agreed to pay $8.5 million, most of which would be distributed to six non-profit cy pres recipients selected by class counsel and Google to “promote public awareness and education, and/or to support research, development, and initiatives, related to protecting privacy on the Internet.”  Five class members objected to the settlement on several grounds relating to fairness.
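The mechanism at issue is easy to see with a short model of how a browser builds the Referer header. The following is an added example, not code from the case or from Google: it implements, in simplified form, the W3C Referrer Policy steps for deriving the Referer value from the page the user is leaving, and checks whether a search query in that page’s URL would reach the clicked site. The results-page and clicked-site URLs are constructed for the example, and only `https:` is treated as a “potentially trustworthy” scheme (the specification also trusts localhost and a few others).

```javascript
// Added example: what the Referer header carries under each Referrer-Policy value.
// Simplified from the W3C Referrer Policy "determine request's referrer" algorithm.
// Assumptions: only http/https URLs are handled, and only https counts as trustworthy.

// Strip credentials and fragment; with originOnly, keep scheme + host + port only.
function stripForReferrer(urlString, originOnly = false) {
  const u = new URL(urlString);
  if (u.protocol !== "http:" && u.protocol !== "https:") return ""; // no referrer for other schemes
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isTrustworthy(urlString) {
  return new URL(urlString).protocol === "https:"; // simplification, see header comment
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value the browser would send, or "" when no header is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  let referrerUrl = stripForReferrer(sourceUrl);
  if (referrerUrl === "") return "";
  const referrerOrigin = stripForReferrer(sourceUrl, true);
  if (referrerUrl.length > 4096) referrerUrl = referrerOrigin; // spec length cap
  const downgrade = isTrustworthy(sourceUrl) && !isTrustworthy(destUrl); // https -> http
  const same = sameOrigin(sourceUrl, destUrl);

  switch (policy || "strict-origin-when-cross-origin") { // empty policy: current browser default
    case "no-referrer":
      return "";
    case "unsafe-url":
      return referrerUrl;
    case "origin":
      return referrerOrigin;
    case "same-origin":
      return same ? referrerUrl : "";
    case "origin-when-cross-origin":
      return same ? referrerUrl : referrerOrigin;
    case "no-referrer-when-downgrade": // the older browser default
      return downgrade ? "" : referrerUrl;
    case "strict-origin":
      return downgrade ? "" : referrerOrigin;
    case "strict-origin-when-cross-origin":
      if (same) return referrerUrl;
      return downgrade ? "" : referrerOrigin;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Does the Referer that will be sent still contain the source page's query string?
function leaksQuery(policy, sourceUrl, destUrl) {
  const ref = computeReferrer(policy, sourceUrl, destUrl);
  const query = new URL(sourceUrl).search;
  return query !== "" && ref.includes(query);
}

// Constructed sample: a results page whose URL carries the search terms (hypothetical hosts).
const RESULTS_PAGE = "https://search.example/results?q=my+medical+condition";
const CLICKED_SITE = "https://clinic.example/page";

for (const policy of ["unsafe-url", "no-referrer-when-downgrade", "origin", "strict-origin-when-cross-origin"]) {
  console.log(policy.padEnd(32), JSON.stringify(computeReferrer(policy, RESULTS_PAGE, CLICKED_SITE)),
    "leaks query:", leaksQuery(policy, RESULTS_PAGE, CLICKED_SITE));
}
```

Under `unsafe-url` and, for an https-to-https click, under the older default `no-referrer-when-downgrade`, the full results URL including the query reaches the destination; under `origin` or the current default `strict-origin-when-cross-origin`, only `https://search.example/` does. A site that places user input in its URLs can set the policy itself with a `Referrer-Policy` response header or a `<meta name="referrer">` tag rather than relying on browser defaults.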

During the pendency of the class action and settlement, the Supreme Court issued its 2016 ruling in Spokeo, Inc. v. Robins, which held that Article III standing requires a concrete injury even in the context of a statutory violation.  However, when the objecting class members’ appeal reached the Supreme Court, no party made any arguments relating to standing.  Nonetheless, the Solicitor General filed a brief as amicus curiae urging the Supreme Court to vacate and remand for the lower courts to address standing under the Spokeo standard.  The Supreme Court ordered supplemental briefing on the issue and ultimately remanded for the lower courts to do just that, emphasizing that its opinion should not be interpreted “as expressing a view on any particular resolution of the standing question.”  Justice Thomas filed a lone dissent to the per curiam opinion, arguing that “[b]y alleging the violation of ‘private dut[ies] owed personally’ to them ‘as individuals,’ the plaintiffs established standing.”

Over recent years, the trend among lower courts and state supreme courts has been to find standing for privacy violations even where the plaintiff did not sustain actual damage beyond a violation of his or her statutory right.  Although the Court did not express a view on whether standing exists for such a claim under the SCA, its holding demonstrates—to plaintiffs, defendants, state legislatures, and Congress—that the issue of statutory standing in privacy cases has not been resolved.

The FTC has proposed amendments to its 2003 Safeguards Rule and the 2000 Privacy Rule, applicable to financial institutions under the Gramm-Leach-Bliley Act (GLBA). The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments. Continue Reading FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

Following numerous privacy complaints, the Bavarian State Office for Data Protection Supervision (BayLDA) recently conducted a random audit of 40 companies and found widespread problems with their cookie disclosures. The purpose of the audit was to determine whether website users were able to obtain transparent information regarding the use and tracking of their information by third-party providers. Ultimately, the BayLDA found that all 40 companies were in violation of the GDPR.

Based on their findings, BayLDA announced it is considering fining these companies under GDPR provisions regarding website cookie and tracking practices. Since none of the audited companies was technology-focused, the BayLDA’s findings should serve as a warning to all companies, no matter their industry. Below, we highlight the main takeaways from the BayLDA audit.

All Companies Are At Risk

The BayLDA did not discriminate when it selected companies to audit. While major technology companies have been at the forefront of these compliance discussions, the BayLDA audit shows that no company is safe and that all companies are potentially subject to oversight and enforcement by Data Protection Authorities. This audit should be a warning to all companies that have yet to comply with GDPR.

Cookie Banners Beware

All companies should be especially aware of the BayLDA findings regarding the use of cookie banners. The audit found that most cookie banners were a mere interference, hindering the user-friendliness of the website’s services, and were wholly ineffective in protecting users from unknown tracking.

Transparency Requires More Than Common Naming Techniques

The BayLDA findings also call for transparency on a more granular level. In particular, disclosures must be more specific as to the kinds of cookies being used. The BayLDA suggests identifying the actual cookie used (by name), rather than relying on broad descriptors such as “performance” or “analytic” cookies. Many companies already provide this level of granular disclosure, but many do not.

Affirmative Consent of Users Is Not Automatic

One of the more problematic findings reported by the BayLDA is that the majority of companies automatically dropped tracking cookies on users as soon as the user visited a company’s website. In the view of the BayLDA, the timing of the cookie drop means that no audited company obtained active consent from users prior to the cookie drop. Rather, user tracking began before the user could make an informed decision as to the collection and processing of his or her data. Even if continued browsing of a website constitutes active consent, an issue that has not been clearly decided, such consent cannot reasonably be inferred if tracking begins before the user has continued browsing at all.  Meanwhile, the German data protection authorities have advised that they will release guidance on cookies and consent in the future.
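The two findings above (name the actual cookies, and set no tracking cookie before consent) can both be checked mechanically from a site’s very first response. The following is an added example written for this page, not code or data from the BayLDA or any audited company: it parses the Set-Cookie headers of a first, pre-consent response, compares them with the site’s own declared cookie inventory, and reports non-essential cookies dropped before consent and cookies the inventory (and therefore the cookie notice) does not name. It also shows the complementary control on the site side, loading third-party tags only for purposes the user opted into. The inventory format, the consent object shape and the sample headers are constructed for the example.

```javascript
// Added example: audit a first (pre-consent) response against a declared cookie inventory,
// and gate third-party tags on consent. Data below is constructed; cookie names _ga and
// _fbp are the well-known Google Analytics and Facebook Pixel cookies, used as illustration.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// Audit the cookies set by the first response against the declared inventory.
// inventory: { cookieName: { purpose: string, essential: boolean } }
function auditFirstResponse(setCookieHeaders, inventory, consentGiven = false) {
  const report = { preConsentTracking: [], undeclared: [], ok: [] };
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!c) continue;
    const entry = inventory[c.name];
    if (!entry) {
      report.undeclared.push(c.name); // the notice cannot name a cookie nobody inventoried
      continue;
    }
    if (!entry.essential && !consentGiven) {
      report.preConsentTracking.push(c.name); // dropped before the user could decide
    } else {
      report.ok.push(c.name);
    }
  }
  return report;
}

// Consent-gated loading: a tag runs only if it is essential or its purpose was opted into.
// consent: { analytics: boolean, advertising: boolean }; tags: [{ src, purpose }]
function tagsAllowedToLoad(tags, consent) {
  return tags.filter((t) => t.purpose === "essential" || consent[t.purpose] === true);
}

// Constructed sample data (hypothetical site).
const INVENTORY = {
  session_id: { purpose: "login session (strictly necessary)", essential: true },
  _ga: { purpose: "Google Analytics visitor id", essential: false },
  _fbp: { purpose: "Facebook Pixel browser id", essential: false },
};
const FIRST_RESPONSE_SET_COOKIE = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",
  "_fbp=fb.1.333.444; Max-Age=7776000; Path=/",
  "ab_test=variantB; Path=/", // set by the site but missing from the inventory
];
const THIRD_PARTY_TAGS = [
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "advertising" },
  { src: "https://cdn.example/consent-banner.js", purpose: "essential" },
];

console.log(JSON.stringify(auditFirstResponse(FIRST_RESPONSE_SET_COOKIE, INVENTORY), null, 2));
console.log(tagsAllowedToLoad(THIRD_PARTY_TAGS, { analytics: true, advertising: false }).map((t) => t.src));
```

Run against a real site, the header list would come from the first HTTP response (and from the responses of any scripts it loads) fetched with a fresh cookie jar; anything in `preConsentTracking` or `undeclared` is exactly the kind of finding the audit describes. The same `consentGiven` flag that drives the audit should drive tag loading, so that the notice, the inventory and the runtime behaviour cannot drift apart.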

The rules governing the use of cookies, and cookie disclosures more generally, are one of the more complex and unsettled areas of European privacy law. While the BayLDA’s audit does not rise to the level of formal guidance or regulation, the findings do point in the direction of an emerging consensus, given the respect the BayLDA commands among EU data privacy regulators. If nothing else, US companies subject to the GDPR should pay careful attention to the findings and consider modest changes to their policies while formal guidance and regulation develop.


As tax season winds on, the W-2 form scam has emerged as one of the most dangerous and common phishing email schemes during this time of year.

W-2s are information-rich documents containing an employee’s name, Social Security number, address, salary, and other personal information. Each year, cyber criminals target these documents in order to sell the sensitive information contained therein and to submit fraudulent tax returns in hopes of defrauding the IRS. Continue Reading Avoid Taking the Bait of W-2 Phishing Schemes

New proposed legislation in California, backed by state Attorney General (AG) Xavier Becerra, would amend the new California Consumer Privacy Act (CCPA) to make it easier for private plaintiffs and public officials to sue for violations while further increasing regulatory uncertainty and compliance costs for businesses.  Specifically, SB 561 would expand the CCPA’s private right of action, remove the Act’s public enforcement “cure” provision, and eliminate the ability of affected companies to seek compliance guidance from the AG.

The CCPA is a sweeping new privacy law which goes into effect in January 2020.  It gives California residents substantial control over personal data held by certain California businesses, requiring disclosure of what personal information the business collects, how that information is used or sold, and allowing consumers to control or delete that information upon request.  It currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations, and it allows the AG to seek civil penalties of up to $2,500 for most violations, and up to $7,500 for violations found to be intentional. Continue Reading California Legislation Would Make CCPA Even Worse for Businesses

The Equifax and Facebook-Cambridge Analytica scandals, coupled with the proliferation of state privacy and security laws such as the California Consumer Privacy Act (CCPA)—as well as proposed laws in Washington and Massachusetts—have increased demand for a comprehensive national privacy law.  Last week, the Senate announced plans to hold hearings to discuss a proposed privacy law.  The Government Accountability Office (GAO) has just released its report recommending that Congress develop comprehensive privacy legislation to enhance consumer protections.  Continue Reading Government Accountability Office Recommends Comprehensive Privacy Legislation

On February 7, 2019, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018.  The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California.  In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server.  This breach affected more than 50,000 individuals.  In 2015, the provider submitted notice of a second breach, this one resulting from an employee’s activation of the wrong website, affecting more than 11,000 individuals. Continue Reading OCR Closes the Book on 2018 With $3 Million HIPAA Settlement

The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents.

The Act provides a private right of action to individuals “aggrieved” by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys’ fees, and costs. However, there has been widespread uncertainty as to whether an aggrieved individual asserting a private action under the Act needed to show that he or she suffered an actual injury as a result of an alleged violation, or if a violation of the Act in and of itself conveys standing. Continue Reading Illinois Supreme Court: No ‘Actual Harm’ Required for Biometric Information Privacy Act Claims

The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224.

The proposed legislation is not nearly as extensive as the CCPA and is perhaps more analogous to California’s Shine the Light Law. The proposed legislation would require a “business that retains a customer’s personal information [to] make available to the customer free of charge access to, or copies of, all of the customer’s personal information retained by the business.” It also would require businesses that disclose customer personal information to third parties to disclose certain information to customers about the third parties and the personal information that is shared. Businesses would have to provide this information within 30 days of a customer request and for a twelve-month lookback period. The rights also would have to be disclosed in online privacy notices. Notably, the bill would create a private right of action for violations of its provisions.

We will continue to monitor this legislation and any other proposed legislation.

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record. Continue Reading Some Thoughts on the Year in Privacy and Data Security Law