Quick Links From the Past Year, Part 1 (CCPA and Privacy)

[My approach to quick links is obviously not working very well. C’est la vie.]


[Since I’ve got some CCPA links, it’s an excuse to resurrect the dumpster fire meme. Remember, the CPRA meme is the rolling van on fire.]

* Opinion of Rob Bonta, No. 20-303 (Office of Attorney General March 10, 2022): “internally generated inferences that a business holds about a consumer are personal information within the meaning of the CCPA, and must be disclosed to the consumer on request. A business that withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.”

* In re: Marriott International Customer Data Security Breach Litig., 2022 WL 822925 (D. Md. March 18, 2022). Denying discovery into how Marriott computed the value of a consumer’s data under the CCPA.

* Gershfeld v. Teamviewer US, Inc., 2021 WL 3046775 (C.D. Cal. June 24, 2021)

The CCPA provides a private right of action to consumers whose “personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” In other words, to succeed on a CCPA claim, a plaintiff must allege that his personal information was subject to “unauthorized … disclosure as a result of” a business’s failure “to implement and maintain reasonable security procedures and practices.” Plaintiff has not made such an allegation here.

Plaintiff alleges that Defendant stored his personal information “in a nonencrypted and nonredacted fashion,” but the disclosure of Plaintiff’s personal information was not caused by this practice. Nor was the disclosure of Plaintiff’s information unauthorized. To the contrary, Defendant relayed Plaintiff’s personal information to its credit card processor when it automatically renewed Plaintiff’s subscription in accordance with Plaintiff’s authorization. When Plaintiff chose his payment method while purchasing his subscription from Defendant, he agreed to Defendant’s End-User License Agreement (“EULA”), which states that Plaintiff’s subscription would automatically renew unless “either party notifie[d] the other party no less than twenty-eight (28) days prior to the end of the [subscription term].” Then, after clicking “Proceed to Checkout,” he was directed to a “Summary” page which stated again in bold letters that his “subscription will automatically renew every 12 months, unless [he] terminate[s] [it].” After completing his purchase, Plaintiff received an invoice repeating Defendant’s automatic-renewal policy. And finally, on July 21, 2020—two months before Plaintiff’s subscription would renew—Defendant sent him an email reminder that he had to cancel his subscription if he did not want the automatic renewal to occur. Defendant’s disclosure of Plaintiff’s personal information was not a disclosure without authorization, and it was not caused by Defendant’s failure to implement reasonable security procedures and practices.

* Voodoo SAS v. SayGames LLC, 2020 WL 379165 (N.D. Cal. July 7, 2020): “The privacy policy includes a section titled “Rights of California Residents,” which addresses requirements of the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.100 et seq. While these references show that SayGames knew Jelly Shift might be purchased by California residents, they do not indicate that SayGames specifically aimed Jelly Shift at California residents.”

* In re Waste Management Data Breach Litigation, 2022 WL 561734 (SDNY Feb. 24, 2022): “the CAC fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its ‘duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.’…The CAC alleges in conclusory terms that Waste Management has not changed its securities practices. But the CAC contains no allegations regarding any notice of cure from Waste Management, and does not explain what violations need to be remedied.”

* Bloomberg: Global Privacy Control Popularity Grows as Legal Status Up in Air

Other Stuff

* NYT: Facebook, Citing Societal Concerns, Plans to Shut Down Facial Recognition System

* NYT: A Change by Apple Is Tormenting Internet Companies, Especially Meta

* NYT: The Era of Borderless Data Is Ending

* NYT: China’s Internet Censors Try a New Trick: Revealing Users’ Locations

* WSJ: Why Age Verification Is So Difficult for Websites

* NYT: “Who Is Behind QAnon? Linguistic Detectives Find Fingerprints”

* Protocol: The FTC’s new enforcement weapon spells death for algorithms

* Bugs in our Pockets: The Risks of Client-Side Scanning: “CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.”

* In re Robertelli, 2021 WL 4270216 (N.J. Sup. Ct. Sept. 21, 2021):

When represented Facebook users fix their privacy settings to restrict information to “friends,” lawyers cannot attempt to communicate with them to gain access to that information, without the consent of the user’s counsel. To be sure, a lawyer litigating a case who — by whatever means, including through a surrogate — sends a “friend” request to a represented client does so for one purpose only: to secure information about the subject of the representation, certainly not to strike up a new friendship. Enticing or cajoling the represented client through a message that is intended to elicit a “friend” request that opens the door to the represented client’s private Facebook page is no different. Both are prohibited forms of conduct under RPC 4.2. When the communication is ethically proscribed, it makes no difference in what medium the message is communicated. The same rule applies to communications in-person or by letter, email, or telephone, or through social media, such as Facebook.