  • With the End of the 2024 Legislative Term, Governor Gavin Newsom Takes a Measured Approach To Data Privacy Legislation

    By Sabrina Larson and Amber Leong

    In a significant move that has drawn both praise and criticism, California Governor Gavin Newsom recently vetoed Senate Bill 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (SB 1047), a highly publicized and debated AI bill, and Assembly Bill 1949 (AB 1949), a bill expanding data privacy rights for California minors. Both bills aimed to enhance data privacy protections for consumers, highlighting the ongoing efforts to balance technological advancement with individual privacy rights in an increasingly digital world.

    At the same time, Governor Newsom signed into law nearly a dozen targeted bills concerning AI, including a law governing transparency when consumer data is used for training AI models (AB 2013), and a law requiring AI-generated content to contain a “manifest disclosure” in its metadata to signal that such material is AI generated (SB 942). Governor Newsom also signed into law stricter requirements aimed at prohibiting social media companies from directing addictive feeds toward minors (SB 976).

    These noteworthy vetoes, paired with legislation signed into law by Governor Newsom, signal how California strives to be both at the helm of technological innovations and the leader in consumer data privacy protections in America.

    Generative AI

    Governor Newsom vetoed SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, which many commentators viewed as the country’s first state-level comprehensive law regulating generative AI. SB 1047 was divisive and polarizing, with the tech industry and AI advocates championing or opposing the bill. Absent a national law, states and municipalities have been stepping in to fill the void and address growing concerns about the use of AI as it develops at an exponential rate. To date, enacted laws have been targeted toward specific uses of AI, including deep fakes and other specific scenarios.

    SB 1047 would have regulated and imposed various safety restrictions on AI systems, which would have had significant implications on the AI industry given that the majority of the world’s leading AI companies are headquartered in California. SB 1047 had passed the Legislature with overwhelming support and was seen as the blueprint for the nation. SB 1047 included a required “kill switch” for AI technology and required safety tests to be conducted by AI companies.

    Opponents of SB 1047, including Andreessen Horowitz, OpenAI, Google, and Meta, expressed concern that over-regulation would overburden and stifle a nascent and developing industry.

    Ultimately, in his veto statement for SB 1047, Governor Newsom expressed a “critical” need for “adaptability” as states race to “regulate a technology in its infancy.” This reflects a desire to avoid imposing overly burdensome regulations on a growing technology. His administration stated that while the intentions behind the bill were commendable, the potential consequences for businesses—especially small and medium-sized enterprises—could be detrimental. Governor Newsom emphasized the need for a balanced approach that fosters innovation while ensuring consumer protection, signaling that he is committed to working toward that approach. At the same time, he highlighted his signing into law over a dozen bills regulating specific, known risks of AI. For example, Governor Newsom signed AB 2013, which requires businesses using generative AI to make certain disclosures on their websites including providing high-level summaries of the datasets. Governor Newsom also signed into law SB 942, the California AI Transparency Act, which governs various methods of disclosing AI-generated content. The law requires AI companies to provide an “AI-detecting” tool and a “manifest” to accompany AI-generated content.

    Children’s Data

    Currently, there is a patchwork of laws governing the data of minors nationwide. To add more confusion for businesses, “minors” (which are generally understood as all individuals under the age of 18) and “children” (which has historically meant both individuals below the age of 13 and between the ages of 13 to 17) are defined differently under various federal and state laws. There are currently two general buckets of laws governing minors: laws governing data of children (those under the age of 13) and a new and developing regime for teenagers (those between the ages of 13 and 17).

    The federal Children’s Online Privacy Protection Act (COPPA) governs data for minors under the age of 13, and requires parental consent if a business has actual knowledge that it is collecting, using, or disclosing personal information of individuals under the age of 13. Recently, state data privacy laws have started regulating the collection, processing, sale, and sharing of minors’ data. The exact requirements differ from state to state.

    Comparatively, for example, California’s laws governing minors’ data are more nuanced than COPPA. California’s regulations governing minors’ data are found in its overall privacy act, the California Consumer Privacy Act (CCPA). California has an opt-in requirement for “minors” before a business can sell or share personal data. But how opt-in consent is obtained differs depending on the age of the minor. For individuals under the age of 13, affirmative parental consent must be obtained before a business sells or shares the data (notably, unlike COPPA, the CCPA does not require opt-in consent for collecting or processing such data). For teenage minors ages 13 to 16, affirmative consent from the teenager must be obtained before a business can sell or share the teenager’s personal information. The CCPA considers 16- to 17-year-olds as “adults” for CCPA purposes.

    The goal of AB 1949, the Kid’s Privacy Bill, was to “close the gap” on teenagers’ data under the CCPA. AB 1949 also sought to establish stricter regulations regarding the collection and usage of minors’ data by businesses. Specifically, the bill would have required businesses to obtain opt-in consent prior not only to selling or sharing data of all minors including teenagers, but also prior to collecting and processing data of all minors.

    Governor Newsom vetoed AB 1949, stating that it would be unduly burdensome on businesses. At the same time, however, Governor Newsom signed into law a separate bill, SB 976, The Protecting Our Kids from Social Media Addiction Act. SB 976 prohibits social media companies from knowingly providing addictive feeds to minors (defined here as individuals under the age of 18) without parental consent. Governor Newsom’s veto of AB 1949 combined with signing into law SB 976 and other bills signals a measured approach to imposing data protections.

    Conclusion

    Governor Newsom’s veto of AB 1949 and SB 1047, while signing into law AB 2013, SB 942, and SB 976, among other laws, shows a thoughtful approach as California balances its role as a state fostering innovation while also maintaining its place as a leader in regulations protecting consumers’ privacy rights. The Governor’s decisions are at a complex intersection of consumer rights, business interests, and the evolving landscape of data privacy.

    As the demand for stronger data privacy regulations continues to rise, particularly for minors, stakeholders will need to engage in constructive dialogue to find a balance that protects consumers without stifling innovation. The outcome of this debate will be pivotal in shaping California’s—and potentially the nation’s—approach to data privacy in the years to come.

    For assistance navigating the ever-proliferating and changing landscape of data privacy laws, please contact the Coblentz Data Privacy Team.

  • Trademark Trickery: Scams Are Surging—What Trademark Owners Should Watch Out For

    By Sabrina Larson

    Trademark scams are on the rise and include increasingly varied communications attempting to trick trademark applicants and registrants into paying fees. If you receive any communications regarding your trademarks from anyone other than your trademark attorney, it is most likely not legitimate. Below are common scams, red flags to watch out for, and best practices.  

    Common Scams to Watch Out For

    Notices Seeking Payment of Fees

    The most widespread trademark scam involves a notice seeking you to pay application, registration, or maintenance fees. These notices are formatted to mimic invoices from the U.S. Patent & Trademark Office (“USPTO”). Scammers pull information from pending applications or registrations approaching their maintenance deadlines and then send fake invoices seeking payment of fees. You may receive these scams via hard copy invoices or even by phone or text (if you have provided a phone number in your trademark application). A more recent trend involves a phone call from someone claiming to be a USPTO representative demanding immediate payment. Click here to see an example of a fake invoice from the “Patent & Trademark Office” with the header “PENDING TRADEMARK CANCELLATION” seeking payment of renewal fees.

    Trademark Registration of Business Name

    This scam purports to come from a trademark attorney offering services. It targets entities’ business names, claiming that another entity is seeking to register the same business name. This scam will include ominous language regarding violations and infringement, creating a sense of urgency to take action. Click here to see an example of a scam email regarding registration of a business name, with the alarming subject “Legal Notice: Immediate Confirmation Needed for Trademark Registration of ‘Business Name.’”

    USPTO Trademark Conflict

    Another type of scam seeks your immediate attention regarding a third party attempting to register your trademark. This type of scam will come from entities claiming to be trademark attorneys. They will claim that they have received an application to register your mark, and state that if they do not receive an objection from you, the third party will apply for your mark. These communications ask you to take action to avoid forfeiting your trademark rights. Click here to see an example of a scam email with the subject “Urgent Alert: Immediate Attention Needed for USPTO Trademark Conflict.”  

    Others

    Additional scams include offering to place trademark owners’ marks in a “trademark registry” to increase brand visibility; offering to obtain a “priority trademark registration” by expediting an applicant’s pending application; offers of trademark monitoring services; and offers to provide trademark registration certificates. All of these scams will include subject lines and language asking you to take immediate action to avoid losing your trademark rights, and none of these communications are legitimate.  

    Red Flags

    • Fake invoices: The USPTO does not send invoices. All communications from the USPTO will be sent to the attorney of record for your trademark with the USPTO.
    • Calls or texts seeking payment: The USPTO will never call or text you asking for payment or personal information.
    • Offer of trademark services to avoid forfeiting your rights: Law firms do not notify non-client entities of a conflicting mark, and reputable attorneys do not send unsolicited offers to act immediately or risk losing your rights.  

    Best Practices

    The USPTO’s website includes information on how to spot scams, examples of scam notices and communications, and guidance on what to do if you are scammed.  

    Consult your trademark attorney if you have any doubts on the authenticity of communications regarding your trademarks and before taking any action on them. 

  • 2024 Mid-Year Privacy Report

    A Comprehensive Look at New Developments in Data Privacy Laws

    By Scott Hall, Mari Clifford, Sabrina Larson, Emily Lentz, Amber Leong, and Bina Patel


    2024 has been another big year for privacy. Several new state privacy laws are going into effect, with several more coming in 2025, while a federal privacy law continues to be discussed that would further change the privacy landscape across the country. Businesses need to be aware of new developments, new legal requirements, and steps that should be taken to comply with these laws and reduce business risk.

    Our 2024 Mid-Year Privacy Report highlights some of the most important privacy developments to be aware of for the coming year.

    You can download the full report here. If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

  • Supreme Court Extends Copyright Damages Beyond Three Years

    By Christopher Wiener, Sabrina Larson, and Bina Patel 

    Key Takeaways

    • Last week, in Warner Chappell Music, Inc. v. Nealy, the Supreme Court held that a copyright owner with a timely claim for infringement can recover damages “no matter when the infringement occurred” and with “no time limit on monetary recovery.”
    • This decision will impact companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions and could substantially increase damages awards for plaintiffs.

    On May 9, 2024, the U.S. Supreme Court issued a landmark decision in Warner Chappell Music, Inc. v. Nealy, holding that under the Copyright Act, “a copyright owner possessing a timely claim for infringement is entitled to damages, no matter when the infringement occurred.” No. 22–1078, 601 U.S. ____ , Slip Op. at 5 (emphasis added). The Warner decision marks a significant retreat from the view that copyright damages are limited to the three years before an infringement suit is filed under Section 507(b) of the Copyright Act and raises the risk of more damages claims based on undiscovered copyright infringement. It also aligns the rest of the country with the Ninth Circuit’s view that a plaintiff can seek damages for all alleged infringing acts even if those acts occurred more than three years before the plaintiff filed suit. See Starz Ent., LLC v. MGM Domestic Television Distribution, LLC, 39 F.4th 1236, 1247 (9th Cir. 2022). Overall, this decision is significant for companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions. It will affect both plaintiff and defense strategies, and could result in substantially higher damages awards for plaintiffs.  

    The underlying dispute arose when Sherman Nealy discovered that, unbeknownst to him, his former business partner had licensed music from their prior company to Warner Chappell while he was in prison. In 2018, Nealy sued Warner Chappell, alleging that he held copyrights to the songs at issue and that Warner Chappell’s licensing activity had infringed his rights. The infringing acts dated back to 2008, ten years before Nealy brought suit. Nealy sought damages and profits for the alleged infringement under the Copyright Act.

    The Supreme Court held that Nealy could recover damages for Warner Chappell’s infringing acts beyond the three-year period before his lawsuit. While the Court acknowledged that Section 507(b) establishes a three-year statute of limitations for filing a lawsuit, it reasoned that that provision “establishes no separate three-year period for recovering damages.” Warner Chappell, Slip Op. at 5. As a result, so long as the copyright infringement claim is timely filed, a successful plaintiff can recover damages with “no time limit on monetary recovery.” Id.

    Most notably, the majority opinion did not resolve a longstanding question of whether the discovery rule governs the timeliness of copyright claims under Section 507(b), an issue that circuit courts are split on and that the Supreme Court has not directly addressed. Under the “injury rule,” a copyright claim “accrue[s]”—meaning, the clock to bring a claim starts ticking—when “an infringing act occurs.” Petrella v. Metro-Goldwyn-Mayer, Inc., 572 U.S. 663, 670 (2014). The discovery rule, on the other hand, extends the accrual date for unknown infringements to the time “the plaintiff discovers, or with due diligence should have discovered” the infringing act. Id. n.4 (internal citations and quotations omitted). To establish the timeliness of his claims, Nealy invoked the discovery rule for infringing acts that occurred ten years before his lawsuit. The majority assumed that Nealy’s lawsuit was timely filed without actually deciding whether copyright claims are subject to the discovery rule.

    Conversely, the dissent steadfastly argued that the Copyright Act “does not tolerate a discovery rule” and disagreed with the majority’s decision to assume—without deciding—that the discovery rule applied here. This question may well end up in front of the Supreme Court in the future, as there is a currently pending petition for certiorari that squarely presents the question of “[w]hether the ‘discovery rule’ applies to the Copyright Act’s statute of limitations for civil claims.” See Petition for Writ of Certiorari, Hearst Newspapers, L.L.C. v. Antonio Martinelli, No. 23–474, at i (Nov. 2, 2023).

    Following last week’s decision, the expanded timeframe for damages recovery means that businesses not only need to prepare to defend against older infringement claims—and to carefully vet the risk those potential claims may pose when considering acquisitions—but should also consider the viability of pursuing infringement claims that were previously considered time-barred.   

    Please contact the Coblentz Intellectual Property team with any questions.

  • Are You Ready? CPRA Regulations Are In Effect Immediately: Attorney General Rob Bonta Wins a Reversal at the California Court of Appeals

    By Scott Hall and Amber Leong

    The California Court of Appeal just issued an opinion reversing a trial court decision from last year that stayed enforcement of the California Privacy Rights Act (“CPRA”) Regulations.[1] If you recall, last year, on June 30, 2023 – the eve of when the regulations were to take effect – a California trial court issued a ruling and injunction halting the regulations from going into effect. The trial court found that the statute required a one-year delay from when the regulations were finalized to when they could take effect. Accordingly, because the regulations were finalized on March 29, 2023, they would not take effect until March 29, 2024.

    Attorney General Rob Bonta, on behalf of the California Privacy Protection Agency (“CPPA”),[2] appealed the trial court’s ruling. Last Friday, on February 9, 2024, the California Court of Appeal issued its opinion in Cal. Priv. Protection Agency v. Sup. Ct. of Sac. Cty., C099130 (Cal. Ct. App. Feb. 9, 2024). In a unanimous opinion, the California Court of Appeal reversed the trial court decision. In so doing, the Court found that nothing in the statutory language of the CPRA “unambiguously require[s] a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material[s] presented for our review signals that the voters intended such a gap,” id. at 19, “even if the specific statutory provision at issue . . . include[d] what amounts to a one-year delay,” ibid. (original emphasis included). Thus, the California Court of Appeal vacated the trial court’s order and judgment that had stayed the CPPA’s regulations “for a period of 12 months from the date that [each] individual regulation becomes final.” Id. at 22.

    What this means is that the regulations take effect now – a little less than two months earlier than the expected March 29, 2024 date.

    The California Court of Appeal’s ruling, though, has broader significance for pending and future regulations for which the CPPA has not issued final regulations yet – including cybersecurity audits, risk assessments, and automated decision-making. Under the Court of Appeal’s ruling, these regulations can presumably take immediate effect once they are finalized, rather than having a one-year waiting period. It remains to be seen whether the CPPA will provide a certain period of time for businesses to prepare for new regulations as they are finalized, or whether the CPPA will seek to enforce new regulations without delay in light of this ruling, though the CPRA regulations do provide that the CPPA should consider the time between the effective date of regulatory requirements and alleged violations, among other things, in deciding whether to pursue an investigation. (CPRA Regulations § 7301(b).)

    With the CCPA’s original 30-day notice-and-cure provision eliminated, and both Attorney General Rob Bonta and the CPPA signaling their intent to increase enforcement of California consumers’ privacy rights, companies should work to become immediately compliant with the current CPRA regulations and should also work towards compliance with draft regulations regarding cybersecurity audits, risk assessments, and automated decision-making as there is no clear waiting period before those regulations can go into effect once finalized. In sum, businesses will need to closely monitor and always be ready for CPRA regulatory enforcement.

    Please contact the Coblentz Data Privacy Team with any questions or assistance on these compliance issues.


    [1] The CPRA, a law enacted by California voters through Proposition 24, amended the California Consumer Privacy Rights Act, authorized the promulgation of supporting regulations, including those at issue here, and created the CPPA.

    [2] The CPPA is the enforcement agency created to enforce the privacy rights of California residents.

  • California AG Proposes New Amendments To CCPA with the Children’s Data Privacy Act

    By Scott Hall and Bina Patel

    Key Takeaways

    • The Children’s Data Privacy Act (AB 1949) would require businesses to obtain affirmative authorization to collect, use or disclose personal data of children under 18 in California.
    • Businesses should focus on understanding what data from children they may be collecting through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of children’s data.

    Despite a court ruling late last year that blocked the California Age Appropriate Design Code Act (CAADCA) from going into effect in 2024, as scheduled, California’s Attorney General Rob Bonta is pressing forward with an amendment to the California Consumer Privacy Act (CCPA) aimed at protecting children’s data.

    The Children’s Data Privacy Act (AB 1949), a bill introduced on January 29, 2024, would further amend the CCPA to prohibit businesses from collecting personal data of individuals under the age of 18, unless they receive affirmative authorization (i.e., opt-in consent) to do so. For individuals under the age of 13, the affirmative authorization must come from the parent. Specifically, the proposed amendment states that “a business shall not collect the personal information of a consumer less than 18 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 18 years of age, or the consumer’s parent or guardian, in the case of a consumer less than 13 years of age, has affirmatively authorized the collection of the consumer’s personal information.” (Proposed amendment to Cal. Civil Code § 1798.100(g).) The bill authorizes the Office of the Attorney General to enforce the law and seek injunctive relief, damages, or civil penalties of up to $5,000 per violation.

    AB 1949 represents a significant change to the CCPA. The law currently only prohibits the selling or sharing (for cross-context behavioral advertising purposes) of minor’s data without affirmative opt-in consent and does not prohibit the collection of such data without informed consent. Notably, the changes proposed by AB 1949 will allow California to align its privacy law and increased focus on the protection of children’s data with the vast majority of other states. When the CCPA initially went into effect in January 2020, it was the first comprehensive state privacy law in the nation and blazed the trail for many other state laws that have followed in recent years. However, unlike the CCPA, the majority of other states that have passed privacy laws subsequent to the CCPA have defined “sensitive information” to include the data of minors and have required affirmative opt-in consent prior to collecting or processing sensitive information of minors. The proposed amendment would make California’s data collection requirements consistent with the majority of other states.

    Beyond restricting collection of minor data, AB 1949 also proposes amendments to the CCPA to prohibit the “use or disclos[ure]” of the personal information of minors without affirmative consent by the consumer or guardian. (Proposed amendment to Cal. Civil Code § 1798.121(e)). The law would also require – on or before July 1, 2025 – the California Privacy Protection Agency to issue regulations to establish technical specifications for an opt-out preference signal that allows a consumer (or a parent or guardian) to specify that the consumer is less than 13 years of age or less than 18 years of age, and to establish regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. (Proposed amendment to Cal. Civil Code § 1798.185(e).)

    Admittedly, AB 1949 is not as comprehensive as CAADCA, which would require businesses to perform data protection impact assessments upon request from the Attorney General for products or services “likely to be accessed by children,” as well as implement stricter default privacy settings and terms. Even so, AB 1949 is an important step towards greater privacy protection for children and will make the patchwork of standards regarding children’s data collection and use more consistent across the country.

    Having said that, CAADCA is still alive and, while the legal challenge continues, businesses may eventually have to deal with that stricter law or some modified version of it. To learn more about the requirements of CAADCA, see our prior article. Until then, given that AB 1949 will likely be enacted to put California on equal footing with other state privacy laws, businesses should focus on understanding whether and what data from minors may be collected through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of minor data.

    Please contact the Coblentz Data Privacy Team with any questions about AB 1949 or other privacy issues.


  • You’ve Worked To Make Your Website Cookies, Pixels, and Chat Function Compliant With Privacy Laws; Now What Is A “Pen Register”?

    By Scott Hall and Amber Leong

    Key Takeaways

    • Despite your recent efforts to comply with privacy law requirements for website cookies, pixels, and analytics, your business may be at risk of getting sued for violations of “pen register” or “trap and trace” laws based on information collected from website or mobile app users.
    • A recent court decision has breathed new life into pen register and trap and trace claims. More than 75 complaints have been filed in California courts the past few months, and courts addressing these claims will need to reconcile the clear inconsistency between older pen register laws and more recent data privacy laws such as the EU’s GDPR and California’s CCPA/CPRA.
    • Businesses should be aware of what cookies, analytics, and other website technologies they are running on their websites.

    In the world of data privacy litigation, plaintiffs’ attorneys are always looking for the next big thing. Over the past couple of years, plaintiffs in California and elsewhere have tried to use decades-old wiretapping and eavesdropping statutes against companies, claiming that the use of website chat functions, session recording tools, cookies, pixels, and other tracking software amounted to “wiretapping” or “eavesdropping” on website visitors.

    Having found limited success with these legal claims, the newest tactic in privacy litigation appears to rely on the theory that website cookies or other website analytics tools constitute “pen registers” or “trap and trace” devices under the California Invasion of Privacy Act (“CIPA”), California Penal Code § 638.51. The basis for these new claims appears to stem from a single recent decision, Greenley v. Kochava, 22-cv-01327-BAS-HSG, — F.Supp.3d —-, 2023 WL 4833466 (S.D. Cal. July 27, 2023) (“Kochava”), where the court – acknowledging that it was an issue of first impression[1] – allowed pen register claims to move beyond the motion to dismiss stage, at least in the context of that case. Kochava has opened the floodgates to pen register litigation, as over 75 complaints have been filed in California courts over just the past couple of months, asserting vague and formulaic violations of pen register laws, with many more cases likely to follow.

    So, what is a “pen register”? Explaining the term requires remembering a time before the Internet and cellular telephones when special equipment was necessary to record numbers dialed to or from a landline telephone. Historically, pen registers were devices that could record numbers dialed to or from a particular telephone and were often used in criminal investigations. Laws prohibiting the use of pen registers without consent or a warrant were targeted at eliminating conduct akin to surveillance done under the color of law without proper authorization.[2] The federal pen register statute, passed in 1986, did not contemplate a world where cellular phones are ubiquitous portable handheld computer devices that now identify and record all phone numbers dialed to and from them, let alone application of the law to the Internet, where identification of computers and routers through IP addresses and other electronic source information is necessary to all website interactions. And, while the 2001 USA Patriot Act and certain state laws expanded the definition of a pen register to try to address computer and Internet communications, these laws were still largely based on older statutory language and definitions that are not a precise or comprehensive fit for all of the various electronic communications and interactions that occur online or through mobile devices today.

    Returning to the present day, up to and until the Kochava case, there has been little to no civil litigation over the use of pen registers.[3] As noted above, there are good reasons for this. Cellular telephone technology, the Internet, and other advances have changed how we communicate. The pen register statutes apply, if at all, awkwardly to advancing technologies, and there are newer privacy laws specifically aimed at Internet privacy. However, because California’s pen register law defines “pen register” as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, plaintiffs in Kochava sought to dust off the pen register law to apply it to Internet communications. In Kochava, plaintiffs asserted violations of the pen register law against a data broker company that provided a software development kit (“SDK”) to application developers. As the Kochava court noted, application-based companies could then embed Kochava’s SDK in their mobile applications to

    ‘deliver targeted advertising . . . by in essence ‘fingerprinting’
    each unique device and user, as well as connecting users across
    devices and devices across users.’ The data links longitude and
    latitude coordinates with these fingerprints, which can be ‘easily
    de-anonymized.’  In addition to geolocation, [the SDK allows
    apps] to ‘search terms, click choices, purchase decisions and/or
    payment methods.’  This data collection allows [Kochava to]
    deliver ‘targeted advertising . . . while tracking [users’] locations,
    spending habits, and personal characteristics’ and share this ‘rich
    personal data simultaneously with untold numbers of third-party
    companies.’

    Kochava, 2023 WL 4833466, at *2-3 (internal citations to complaint omitted). Given this unique software and its purported ability to collect a treasure trove of information that could create a personal unique identifier, the Kochava court held that the SDK at issue amounted to a “process” that could collect “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Id. at *27. Thus, Kochava “reject[ed] the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a ‘pen register’” and allowed the claim to proceed past the motion to dismiss stage.

    For now, it is unclear how broadly or narrowly courts will apply Kochava. Kochava involved a data broker with particular software used on mobile applications. The Kochava court carefully parsed through the “pen register” statute to conclude that “software installed in a telephone” could constitute a “pen register.” Accordingly, the Kochava holding merely stands for the proposition that a pen register claim may proceed (but not necessarily succeed) against a data broker (an entity selling data for targeted advertising rather than simply collecting it for its purposes) that installed software on users’ telephones (as opposed to on websites), purportedly without consent. It would seem to require a broad leap for other courts to apply this holding generally to find that the mere collection of data through website cookies or analytics that facilitate online interactions and transactions with consumers – and which is necessary for website operations and done by every company that operates a website – violates the law. Such a holding would essentially cripple online commerce and all other Internet communications and activities.     

    While the Kochava decision may have breathed new life into pen register and trap and trace theories for the moment, courts addressing these claims must confront and reconcile the clear inconsistency between older pen register laws and more recent data privacy statutes that specifically govern the processes and disclosures companies must use when collecting consumer information on their websites, including via cookies and other analytics.

    For example, the European Union’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and many other state privacy laws all carefully and explicitly regulate how personal information may be collected from individuals, including on Internet websites. These statutes emphasize transparency and disclosure of data collection practices through privacy notices, cookie banners, and other just-in-time methods, which allow consumers to exercise their privacy rights and control the flow of information transmitted on the Internet. But even if companies are compliant with these more recent privacy laws, they may be found to violate the old pen register and trap and trace laws if applied broadly and extended to Internet technologies. This is because, taken broadly, every company in the world that operates a website necessarily collects certain device source information in connection with website interactions. Yet, avoiding the collection of such information in the context of the Internet – an ecosystem of connected computers – is impossible. Thus, it remains to be seen whether courts will find that every company is violating the law by participating in online commerce, even when (or especially when) they are complying with more recent privacy laws that specifically regulate how companies collect and process the precise information at issue in these new pen register cases.

    For now, plaintiffs’ attorneys will use Kochava as a foothold in an attempt to expand the pen register statute and expand Kochava’s fact-specific holding. Until courts consistently determine how to apply the pen register laws, if at all, to Internet communications, and reconcile such laws and claims against the backdrop of recently enacted privacy laws, we will all be riding this new wave of privacy litigation together.

    Please contact the Coblentz Data Privacy Team with questions or to assist with any privacy claims or needs.


    [1] And in fact, Kochava was the first case to ever cite to the California pen register statute, and at the date of this publication, still the only case to have cited to and analyzed the provision.

    [2] Notably, the United States Supreme Court has held that individuals do not have a reasonable expectation of privacy under the Fourth Amendment of the U.S. Constitution to suppress any evidence obtained from pen registers. Smith v. Maryland, 442 U.S. 735, 742 (1979) (noting that a pen register has “limited capabilities” and the petitioner had no “legitimate expectation of privacy” regarding the numbers he dialed).

    [3] To the extent the litigation was not derivative of any criminal charges.

  • Citizenship and Immigration Status Is Now Categorized as Sensitive Personal Information under California Law

    By Scott Hall, Fred Alvarez, and Amber Leong

    On October 8, 2023, California Governor Gavin Newsom signed into law AB-947, which expanded the category of “sensitive personal information” to include citizenship or immigration status. The category of sensitive personal information under the California Privacy Rights Act (“CPRA”) already includes government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.

    The CPRA contains special restrictions on the collection, use and disclosure of sensitive personal information. If your business collects citizenship or immigration information, you will need to update your privacy policy and revise and review your collection and processing of any sensitive personal information.

    Importantly, employee information falls within the scope of the CPRA. That means if your business is subject to the CPRA and you have California-based employees, you are inevitably collecting citizenship or immigration status information that will now constitute sensitive personal information under the new law. If so, you will separately need to update your employee privacy notice and potentially adjust collection and processing procedures with respect to employee information.

    The CPRA requires yearly updates of both your consumer privacy policy and employee privacy policy. If you do not have up-to-date consumer or employee privacy policies, there is no better time than now to get started. With the new year right around the corner, now is the time to get your data privacy ducks in a row for 2024.

    Please reach out to Coblentz’s Data Privacy or Labor & Employment groups with further questions.

  • Plaintiffs Continue Website Privacy Lawsuits Using 35-Year-Old Statute

    By Scott Hall, Mari Clifford, and Amber Leong

    In 1988, Congress enacted the Video Protection Privacy Act (“VPPA”) in response to the disclosure of Judge Robert Bork’s video rental history during his Supreme Court confirmation hearing. Creative plaintiffs’ lawyers in recent years have asserted new claims under this statute, arguing that the use of website tracking pixels that transmit a user’s visit to a website page containing an embedded video violates the VPPA. Some courts have allowed some of these claims to pass the pleading stage, resulting in a proliferation of pre-litigation demands and complaints against companies that embed videos on their websites and use pixel analytics.[1]

    There are several defenses that have defeated these claims at the pleading stage, however.

    First, courts are in agreement that the VPPA only applies to “subscribers” and not just any user who happens to watch a video on a website. What constitutes a “subscriber” can get tricky though. Some courts have held that subscribing to a mailing list or newsletter may be sufficient,[2] while other courts have reached a different conclusion and required a subscription to video services or video content.[3]

    Second, what constitutes “personally identifiable information” under the VPPA is also litigated. The Third Circuit has held that under the VPPA, personally identifiable information (“PII”) is limited only to “information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.”[4] Thus, in In re Nickelodeon, the Third Circuit held that “static identifiers” such as an IP address would not allow an ordinary person to determine which videos were viewed online and thus, not actionable under the VPPA.[5] However, courts have regularly held that a Facebook ID is sufficient to constitute PII because it can be easily and directly tied to an individual through that individual’s Facebook account.

    Third, the VPPA specifically pertains to pre-recorded videos, and does not apply to live-stream content.[6]

    Lastly, the statutory language provides an explicit exemption from the VPPA if a company obtains affirmative, written consent from the user prior to the collection and transmission of a user’s purported video-watching history.[7] There are specific codified requirements to obtain consent under the VPPA including, among other things, providing “a form distinct and separate from any form setting forth other legal or financial obligations of the consumer.”[8] Thus, obtaining consent under the VPPA may look different than obtaining consent sufficient under wiretapping statutes as detailed in our article linked here.

    If you have questions about how to navigate this legal landscape, or if your company has been served a pre-litigation demand letter, please reach out to the Coblentz Data Privacy & Cybersecurity Team to discuss the various legal defenses available to your company. There is no one-size-fits-all approach. Navigating this (constantly changing) area of law requires a determination of your business needs, business model, and a well-thought-out and bespoke approach.

     

    [1] See e.g., Belozerov v. Gannett Co., Inc., —F. Supp. 3d—-, 2022 WL 17832185 (D. Mass. 2022).

    [2] Harris v. Public Broadcasting Serv., —F.Supp.3d—-, 2023 WL 2583118, at *3 (N.D. Ga. 2023).

    [3] See Salazar v. Paramount Global d/b/a 247Sports, 22-cv-00756, Dkt No. 33 (M.D. Tenn. July 18, 2023); see also Austin-Spearman v. AMC Network Entertainment LLC, 98 F. Supp. 3d 662 (S.D.N.Y. 2015).

    [4] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3d Cir. 2016).

    [5] See also White v. Samsung Elec. Am., Inc., Civ. No. 17-1775, 2019 WL 8886485, at *5 (D. N.J. Aug. 21, 2019) (granting Samsung’s motion to dismiss the VPPA claim because allegations of only obtaining IP addresses, MAC addresses, and zip codes do not constitute PII under VPPA).

    [6] Stark v. Patreon, 635 F. Supp. 3d 841, 852 (N.D. Cal. 2022).

    [7] 18 U.S.C. § 2710.

    [8] Id. § 2710(b)(2)(B).

  • Companies Should Keep in Mind Chatbots, Session Recordings, Mouseclicks: New Consumer Privacy Suits Continue Under Decades-Old Wiretapping Statutes

    By Scott Hall, Mari Clifford, and Amber Leong

    Numerous new website technologies and tools allow companies to more effectively interact with their customers. These include chatbots, session recording software, tracking pixels (snippets of code that can be used to identify certain designated behavior on a website like seeing which products users are clicking on), and cookies (which remember products previously added to a shopping cart). All of these tools are immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations.

    Plaintiffs’ attorneys have recently argued that the use of these website technologies – especially when provided or facilitated by a third-party vendor – constitutes violations of wiretapping and eavesdropping statutes. Under these statutes – both federal and state analogs – it is a violation if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties.

    Historically, these statutes were used against individuals secretly listening in on private telephonic conversations. However, plaintiffs’ attorneys have revived these statutes to claim that companies are violating these laws through the use of website technologies. And some courts have allowed some of these claims to pass the motion to dismiss stage.[1]

    This has created a flurry of pre-litigation demands against companies with consumer-facing websites. Many companies seek to settle these claims to avoid litigation costs, but several matters have gone to court. As more of these cases are making their way through the courts, we are able to see patterns in how courts are addressing these claims. There now appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider have been found insufficient to state a claim under the wiretapping statutes.[2] By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes (including its own business purposes or with services to other companies) has been found to be sufficient to pass the motion to dismiss hurdle.[3]

    The logic behind the reasoning is that there is no unlawful third-party “interception” by an entity that is acting as a service provider to provide a service for the company with whom the individual consumer is interacting. Put differently, a company cannot eavesdrop on itself or “intercept” its own communications.[4]

    Given this guidance, companies should take the following steps if they use any chatbots, mouse click trackers, or session-recording technology to better understand their users:

    • Service Provider Agreements: Companies should enter into service provider agreements with the chatbot, session recording, or mouse click providers. Contained within the agreements should be clear contractual language that companies providing such services cannot sell, share or use the personal information of users for their own purposes. This language thus captures that the service provider is there to provide a service and reaps no benefit in the form of personal information data.
    • Update Privacy Policies: Companies should update their privacy policies and ensure that the policies adequately disclose the use of any chatbots, mouse clicks, or session recording. While updating the privacy policies alone will not be sufficient to be compliant with the various data privacy laws because courts have held that privacy policies at the bottom or footer of webpages may not give sufficient notice of recordings, the policies are nevertheless necessary for compliance as the bare minimum requirements.
    • Disclose Immediately Prior to Recording: Companies should explicitly disclose that chat communications or other website interactions are being recorded by a vendor, and that if a user chooses to continue, they are consenting to such recording. Consent is an adequate defense to the wiretapping and eavesdropping claims. While the issues of adequate notice and consent continue to be litigated throughout the courts, generally, providing disclosure of such recordings immediately prior to the session with the opportunity to not proceed should work to provide sufficient notice and consent under the wiretapping laws.

    Overall, the legal landscape of these claims is still in flux. However, a clear line that has developed is that a company’s use of “service providers” providing the recording services for companies is not in violation if that service provider cannot use the information collected for purposes other than to support the company, particularly if adequate notice has been provided to the users. This rule, however, does not include the use of analytics or pixels—which the courts have frequently found involve data exchanges with third parties for purposes beyond providing a service and which have been found sufficient to proceed past the motion to dismiss stage.[5]

    If you have questions about whether your website collection procedures are compliant, or if you have received a threat or complaint about violation of the wiretapping statutes based on website technologies, please reach out to the Coblentz Data Privacy & Cybersecurity Team.

     

    [1] See e.g., Hazel v. Prudential Financial, Inc., 22-cv-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

    [2] See Licea v. Vitacost.com, Inc., —F.Supp.3d—, 2023 WL 5086893 (S.D. Cal. 2023).

    [3] See e.g., Hazel, 2023 WL 3933073.

    [4] See also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832-33 (N.D. Cal. 2021) (“[A]s a service provider, [third-party vendor] is an extension of [Defendant]. It provides a tool – like a tape recorder … that allows [Defendant] to record and analyze its own data in aid of [Defendant’s] business. It is not a third-party eavesdropper. As a result, [Defendant] is not liable for aiding and abetting [vendor’s] wrongdoing because there is no wrongdoing.”); Cody v. Boscov’s, Inc., ––– F.Supp.3d at ––––, 2023 WL 2338302, at *2 (C.D. Cal. 2023) (“Plaintiff must provide facts suggesting that [the vendors] are recording Defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to Defendant.”).

    [5] Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023) (Data broker was not a party to internet users’ communications, for purposes of exemption from liability for wiretapping claims under the federal Wiretap Act and the California Invasion of Privacy Act, where broker allegedly tracked users’ browsing activities on websites other than its own to intercept their personal information and sell it to third parties.)