By Scott Hall, Fred Alvarez, and Amber Leong

On October 8, 2023, California Governor Gavin Newsom signed into law AB-947, which expanded the category of “sensitive personal information” to include citizenship or immigration status. The category of sensitive personal information under the California Privacy Rights Act (“CPRA”) already includes government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.

The CPRA contains special restrictions on the collection, use and disclosure of sensitive personal information. If your business collects citizenship or immigration information, you will need to update your privacy policy and revise and review your collection and processing of any sensitive personal information.

Importantly, employee information falls within the scope of the CPRA. That means if your business is subject to the CPRA and you have California-based employees, you are inevitably collecting citizenship or immigration status information that will now constitute sensitive personal information under the new law. If so, you will separately need to update your employee privacy notice and potentially adjust collection and processing procedures with respect to employee information.

The CPRA requires yearly updates of both your consumer privacy policy and employee privacy policy. If you do not have up-to-date consumer or employee privacy policies, there is no better time than now to get started. With the new year right around the corner, now is the time to get your data privacy ducks in a row for 2024.

Please reach out to Coblentz’s Data Privacy or Labor & Employment groups with further questions.

By Scott Hall, Mari Clifford, and Amber Leong

In 1988, Congress enacted the Video Protection Privacy Act (“VPPA”) in response to the confirmation hearing of Judge Robert Bork, where his video rental history was disclosed during his Supreme Court confirmation hearing. Creative plaintiffs’ lawyers in recent years have asserted new claims under this statute, arguing that the use of website tracking pixels that transmit a user’s visit to a website page containing an embedded video violates the VPPA. Some courts have allowed some of these claims to pass the pleading stage, resulting in a proliferation of pre-litigation demands and complaints against companies who embed videos on their websites and use pixel analytics.[1]

There are several defenses that have defeated these claims at the pleading stage, however.

First, courts are in agreement that the VPPA only applies to “subscribers” and not just any user who happens to watch a video on a website. What constitutes a “subscriber” can get tricky though. Some courts have held that subscribing to a mailing list or newsletter may be sufficient,[2] while other courts have reached a different conclusion and required a subscription to video services or video content.[3]

Second, what constitutes “personally identifiable information” under the VPPA is also litigated. The Third Circuit has held that under the VPPA, personally identifiable information (“PII”) is limited only to “information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.”[4] Thus, in In re Nickelodeon, the Third Circuit held that “static identifiers” such as an IP address would not allow an ordinary person to determine which videos were viewed online and thus, not actionable under the VPPA.[5] However, courts have regularly held that a Facebook ID is sufficient to constitute PII because it can be easily and directly tied to an individual through that individual’s Facebook account.

Third, the VPPA specifically pertains to pre-recorded videos, and does not apply to live-stream content.[6]

Lastly, the statutory language provides an explicit exemption from the VPPA if a company obtains affirmative, written consent from the user prior to the collection and transmission of a user’s purported video-watching history.[7] There are specific codified requirements to obtain consent under the VPPA including, among other things, providing “a form distinct and separate from any form setting forth other legal or financial obligations of the consumer.”[8] Thus, obtaining consent under the VPPA may look different than obtaining consent sufficient under wiretapping statutes as detailed in our article linked here.

If you have questions about how to navigate this legal landscape, or if your company has been served a pre-litigation demand letter, please reach out to the Coblentz Data Privacy & Cybersecurity Team to discuss the various legal defenses available to your company. There is no one-size-fits-all approach. Navigating this (constantly changing) area of law requires a determination of your business needs, business model, and a well-thought-out and bespoke approach.

 

[1] See e.g., Belozerov v. Gannett Co., Inc., —F. Supp. 3d—-, 2022 WL 17832185 (D. Mass. 2022).

[2] Harris v. Public Broadcasting Serv., —F.Supp.3d—-, 2023 WL 2583118, at *3 (N.D. Ga. 2023)

[3] See Salazar v. Paramount Global d/b/a 247Sports, 22-cv-00756, Dkt No. 33 (M.D. Tenn. July 18, 2023); see also Austin-Spearman v. AMC Network Entertainment LLC, 98 F. Supp. 3d 662 (S.D.N.Y. 2015).

[4] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3d Cir. 2016).

[5] See also White v. Samsung Elec. Am., Inc., Civ. No. 17-1775, 2019 WL 8886485, at *5 (D. N.J. Aug. 21, 2019) (granting Samsung’s motion to dismiss the VPPA claim because allegations of only obtaining IP addresses, MAC addresses, and zip codes do not constitute PII under VPPA).

[6]  Stark v. Patreon, 635 F. Supp. 3d 841, 852 (N.D. Cal. 2022).

[7] 18 U.S.C. § 2710.

[8] Id. § 2710(b)(2)(B).

By Scott Hall, Mari Clifford, and Amber Leong

Numerous new website technologies and tools allow companies to more effectively interact with their customers. These include chatbots, session recording software, tracking pixels (snippets of code that can be used to identify certain designated behavior on a website like seeing which products users are clicking on), and cookies (which remember products previously added to a shopping cart). All of these tools are immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations.

Plaintiffs’ attorneys have recently argued that the use of these website technologies – especially when provided or facilitated by a third-party vendor – constitutes violations of wiretapping and eavesdropping statutes. Under these statutes – both federal and state analogs – it is a violation if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties.

Historically, these statutes were used against individuals secretly listening in on private telephonic conversations. However, plaintiffs’ attorneys have revived these statutes to claim that companies are violating these laws through the use of website technologies. And some courts have allowed some of these claims to pass the motion to dismiss stage.[1]

This has created a flurry of pre-litigation demands against companies with consumer-facing websites. Many companies seek to settle these claims to avoid litigation costs, but several matters have gone to court. As more of these cases are making their way through the courts, we are able to see patterns in how courts are addressing these claims. There now appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider have been found insufficient to state a claim under the wiretapping statutes.[2] By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes (including its own business purposes or with services to other companies) has been found to be sufficient to pass the motion to dismiss hurdle.[3]

The logic behind the reasoning is that there is no unlawful third-party “interception” by an entity that is acting as a service provider to provide a service for the company with whom the individual consumer is interacting. Put differently, a company cannot eavesdrop on itself or “intercept” its own communications.[4]

Given this guidance, companies should take the following steps if they use any chatbots, mouse click trackers, or session-recording technology to better understand their users:

• Service Provider Agreements: Companies should enter into service provider agreements with the chatbot, session recording, or mouse click providers. Contained within the agreements should be clear contractual language that companies providing such services cannot sell, share or use the personal information of users for their own purposes. This language thus captures that the service provider is there to provide a service and reaps no benefit in the form of personal information data.
• Update Privacy Policies: Companies should update their privacy policies and ensure that the policies adequately disclose the use of any chatbots, mouse clicks, or session recording. While updating the privacy policies alone will not be sufficient to be compliant with the various data privacy laws because courts have held that privacy policies at the bottom or footer of webpages may not give sufficient notice of recordings, the policies are nevertheless necessary for compliance as the bare minimum requirements.
• Disclose Immediately Prior to Recording: Companies should explicitly disclose that chat communications or other website interactions are being recorded by a vendor, and that if a user chooses to continue, they are consenting to such recording. Consent is an adequate defense to the wiretapping and eavesdropping claims. While the issues of adequate notice and consent continue to be litigated throughout the courts, generally, providing disclosure of such recordings immediately prior to the session with the opportunity to not proceed should work to provide sufficient notice and consent under the wiretapping laws.

Overall, the legal landscape of these claims is still in flux. However, a clear line that has developed is that a company’s use of “service providers” providing the recording services for companies is not in violation if that service provider cannot use the information collected for purposes other than to support the company, particularly if adequate notice has been provided to the users. This rule, however, does not include the use of analytics or pixels—which the courts have frequently found involve data exchanges with third parties for purposes beyond providing a service and which have been found sufficient to proceed past the motion to dismiss stage.[5]

If you have questions about whether your website collection procedures are compliant, or if you have received a threat or complaint about violation of the wiretapping statutes based on website technologies, please reach out to the Coblentz Data Privacy & Cybersecurity Team.

 

[1] See e.g., Hazel v. Prudential Financial, Inc., 22-cv-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

[2] See Licea v. Vitacost.com, Inc., —F.Supp.3d—, 2023 WL 5086893 (S.D. Cal. 2023).

[3] See e.g., Hazel, 2023 WL 3933073.

[4] See also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832-33 (N.D. Cal. 2021) (“[A]s a service provider, [third-party vendor] is an extension of [Defendant]. It provides a tool – like a tape recorder … that allows [Defendant] to record and analyze its own data in aid of [Defendant’s] business. It is not a third-party eavesdropper. As a result, [Defendant] is not liable for aiding and abetting [vendor’s] wrongdoing because there is no wrongdoing.”); Cody v. Boscov’s, Inc., ––– F.Supp.3d at ––––, 2023 WL 2338302, at *2 (C.D. Cal. 2023) (“Plaintiff must provide facts suggesting that [the vendors] are recording Defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to Defendant.”).

[5] Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023) (Data broker was not a party to internet users’ communications, for purposes of exemption from liability for wiretapping claims under the federal Wiretap Act and the California Invasion of Privacy Act, where broker allegedly tracked users’ browsing activities on websites other than its own to intercept their personal information and sell it to third parties.)