On Tuesday, December 3, 2024, a Texas federal judge granted a preliminary injunction halting the continuing implementation of the Corporate Transparency Act (CTA) and its beneficial ownership information (BOI) reporting requirements.

The court stated that (1) companies are not required to comply with the CTA’s January 1, 2025, BOI reporting deadline, and (2) the CTA and its implementing rules may not be enforced.

The court’s order is a preliminary injunction and not a final order. We expect the government may appeal the ruling and request a stay of the order. The court’s order temporarily pauses enforcement of the CTA on a nationwide basis, but enforcement may resume if the court’s order is overturned on appeal or the United States ultimately prevails on the merits.

Because it is uncertain at this time whether the order will be upheld, it would be prudent for reporting companies that have not filed to date to continue preparing to file in anticipation of a successful challenge by the government. In the event of a successful challenge, filing agents may be overwhelmed with filing requests and clients should be prepared to submit the BOI report to FinCEN directly.

If you have questions about the ruling or would like us to assist with your BOI submission, please contact us at CTA@coblentzlaw.com.

By Sabrina Larson and Katherine Gianelli

The United States Patent and Trademark Office (PTO) has issued its Final Rule with adjusted filing fees at all stages of trademark application and maintenance filings. The fee increases, which take effect on January 18, 2025, aim to provide sufficient financial resources to facilitate the effective administration of the trademark systems, while a new framework for application filing fees with surcharges aims to incentivize standard applications, decrease office actions during the examination of applications, and meet a long-term goal of shortening the prosecution timeline—but may require some adjustments to the preparation of applications and make budgeting for new applications more complex.

Background and Summary

Since 2021, the PTO has conducted a biennial review of fees, costs, and revenues. This latest review has concluded that fee adjustments are necessary to provide the agency with sufficient financial resources to facilitate the effective administration of the U.S. trademark system. The PTO has forecasted higher-than-expected inflation in the broader U.S. economy, coupled with an increased need for trademark services. As a result, the PTO’s goal with this change is to set a fee schedule that generates sufficient multiyear revenue to recover the aggregate costs of maintaining the PTO trademark services.

The fee changes align with the PTO’s four key fee setting policy factors to (1) promote innovation strategies, (2) align fees with the full cost of trademark services, (3) set fees to facilitate the effective administration of the trademark system, and (4) offer application processing options.

Below is a summary of the changes, followed by a chart of key fee increases for electronic filings.

Key Changes to Application Fees

The PTO is changing its initial filing fee framework with the goal of incentivizing more complete and timely filings and improving the prosecution of applications. To that end, it has introduced a standard base fee per class, with three types of surcharges for applications that may require more in-depth examination and likely office actions:

• Single base, per class application fee: The new fees include a single base of $350 per class for all applications (replacing the current system of $250 for standard descriptions and $350 for all other applications).
• Surcharge for non-standard description: This new fee of $200 per class will apply where an applicant enters a description of goods or services using the free-form text box instead of using pre-approved descriptions from the USPTO’s Acceptable Goods and Services Manual (ID Manual).[1]
• Surcharge for incomplete information: There will be a new fee of $100 per class for applications that do not include all of the information required for the specific filing.[2]
• Surcharge for long descriptions: Non-standard, free-form descriptions of goods or services in a single class that exceed 1,000 characters, including punctuation and spaces, will incur a fee of $200 for each additional 1,000 characters. This surcharge will not apply if all descriptions are selected from the ID Manual.

Madrid Protocol Applications and Registration Maintenance

Applications filed via the Madrid Protocol under section 66(a) will not be subject to the above new surcharges.[3] Instead, the existing flat application fee for Madrid applications, including subsequent designations, will increase from $500 to $600 per class, as paid in Swiss francs to the World Intellectual Property Organization (WIPO). The renewal fee filed with WIPO will increase from $300 to $350. These fee increases go into effect on February 18, 2025.

The Section 71 declaration fee, applicable to owners of registered extension of protection under the Madrid Protocol, is increasing from $225 to $325.

Statement of Use Increases

The PTO is increasing the fee to file evidence of use, both as a Statement of Use and Amendment to Allege Use, for the first time since 2022. The Final Rule states that the examination time for evidence of use has increased due to “increased submission of questionable specimens.” The fee for both filings is increasing from $100 per class to $150 per class.

Maintenance Filing Increases

Post-registration maintenance fees are increasing across the board. While the percentage of trademark registrants choosing to maintain their registrations has declined, costs to process maintenance filings have increased due to factors including post-registration audits and new review procedures to address potential fraud.

Shortening Prosecution Timeline

The PTO also notes it is committed to improving trademark application pendency. As recent filers know, the current time from filing to a first office action is 7-8 months. This is 1-2 months after the priority foreign filing deadline, causing uncertainty at that deadline as to the status of the pending base U.S. application. The PTO describes the current timeline as a “trademark pendency challenge,” as a result of several years of surges in applications culminating in an “unprecedented, year-long influx” during the 2021 fiscal year that has resulted in a significant increase in unexamined applications. The PTO’s projected goal for application pendency to first office action for fiscal year 2025 remains the same as 2024 at 7.5 months, dropping to 6.3 months in 2026, 5.9 months in 2027, 5.5 months in 2028, and 4.9 months in 2029.

Key Takeaways

• The new application fee framework, with a base charge and surcharges, may require applicants to make adjustments in their approach and budgeting for applications.
• Going forward, trademark applicants will want to work with their trademark counsel to ensure complete applications and use standard descriptions to avoid surcharges, if possible.
• Advance budgeting for new applications will be more complex, as applicants may not know if their application will be suitable for standard descriptions from the ID Manual—particularly clients in emerging technology fields where the standard descriptions may not suffice.
• Trademark owners who intend to file new applications may wish to file their applications before the fee increases take effect.
• Trademark owners whose renewal windows open before January 18, 2025 may wish to consider filing early in that window, to avoid the increased fees.

The PTO’s Final Rule with all fee changes and increases can be found here. Please contact Sabrina Larson or Katherine Gianelli with any questions.

Key Filing Fee Changes (all for electronic filings)

	Current Fee	New Fee	Dollar Change	% Change
Application (TEAS Plus), per class	$250	Discontinued
Application (TEAS Standard), per class	$350	Discontinued
Base application per class	N/A	$350	N/A	N/A
Fee for insufficient information per class	N/A	$100	N/A	N/A
Fee for using the free-form text box to enter the identification of goods/services per class	N/A	$200	N/A	N/A
For each additional group of 1,000 characters beyond the first 1,000 per class	N/A	$200	N/A	N/A
Amendment to Allege Use or Statement of Use per class	$100	$150	$50	50%
Section 9 registration renewal application, per class	$300	$325	$25	8%
Section 8 declaration, per class	$225	$325	$100	44%
Section 15 declaration, per class	$200	$250	$50	25%
Section 71 declaration, per class	$225	$325	$100	44%
Letter of protest	$50	$150	$100	200%

 

[1] The PTO has clarified that this surcharge will not apply where an applicant adds exclusionary language (to differentiate from goods or services of third parties) to standard descriptions from the ID Manual.

[2] During the notice and comment period, commenters expressed concern that some of the requirements for sufficient information are subjective to the examining attorney’s opinions and discretion, rather than factual objective standards—such as whether a description of a mark is detailed enough and whether a translation is required. The PTO acknowledged these concerns and notes that applicants may request review of situations where it believes the surcharge should not have been applied.

[3] Madrid filers should note that these surcharges may apply to them in the future. The PTO initially proposed applying the surcharges to section 66(a) Madrid Protocol filings but dropped that due to WIPO’s inability to administer those charges at this time. WIPO therefore requested delayed implementation of any surcharges for Madrid filers.

By Sabrina Larson and Amber Leong

In a significant move that has drawn both praise and criticism, California Governor Gavin Newsom recently vetoed Senate Bill 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (SB 1047), a highly publicized and debated AI bill, and Assembly Bill 1949 (AB 1949), a bill expanding data privacy rights for California minors. Both bills aimed to enhance data privacy protections for consumers, highlighting the ongoing efforts to balance technological advancement with individual privacy rights in an increasingly digital world.

At the same time, Governor Newsom signed into law nearly a dozen targeted bills concerning AI, including a law governing transparency when consumer data is used for training AI models (AB 2013), and a law requiring AI-generated content to contain a “manifest disclosure” in its metadata to signal that such material is AI generated (SB 942). Governor Newsom also signed into law stricter requirements aimed at prohibiting social media companies from directing addictive feeds toward minors (SB 976).

These noteworthy vetoes, paired with legislation signed into law by Governor Newsom, signal how California strives to be both at the helm of technological innovations and the leader in consumer data privacy protections in America.

Generative AI

Governor Newsom vetoed SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, which many commentators viewed as the country’s first state-level comprehensive law regulating generative AI. SB 1047 was divisive and polarizing—with the tech industry and AI advocates championing for or against the bill. Absent a national law, states, and municipalities have been stepping in to fill the void and address growing concerns about the use of AI as it develops at an exponential rate. To date, enacted laws have been targeted toward specific uses of AI, including deep fakes and other specific scenarios.

SB 1047 would have regulated and imposed various safety restrictions on AI systems, which would have had significant implications on the AI industry given that the majority of the world’s leading AI companies are headquartered in California. SB 1047 had passed the Legislature with overwhelming support and was seen as the blueprint for the nation. SB 1047 included a required “kill switch” for AI technology and required safety tests to be conducted by AI companies.

Opponents of SB 1047, including Andreessen Horowitz, OpenAI, Google, and Meta, expressed concern that over-regulation would overburden and stifle a nascent and developing industry.

Ultimately, in his veto statement for SB 1047, Governor Newsom expressed a “critical” need for “adaptability” as states race to “regulate a technology in its infancy.” This reflects a desire to avoid imposing overly burdensome regulations on a growing technology. His administration stated that while the intentions behind the bill were commendable, the potential consequences for businesses—especially small and medium-sized enterprises—could be detrimental. Governor Newsom emphasized the need for a balanced approach that fosters innovation while ensuring consumer protection, signaling that he is committed to working toward that approach. At the same time, he highlighted his signing into law over a dozen bills regulating specific, known risks of AI. For example, Governor Newsom signed AB 2013, which requires businesses using generative AI to make certain disclosures on their websites including providing high-level summaries of the datasets. Governor Newsom also signed into law SB 942, the California AI Transparency Act, which governs various methods of disclosing AI-generated content. The law requires AI companies to provide an “AI-detecting” tool and a “manifest” to accompany AI-generated content.

Children’s Data

Currently, there is a patchwork of laws governing the data of minors nationwide. To add more confusion for businesses, “minors” (which are generally understood as all individuals under the age of 18) and “children” (which has historically meant both individuals below the age of 13 and between the ages of 13 to 17) are defined differently under various federal and state laws. There are currently two general buckets of laws governing minors: laws governing data of children (those under the age of 13) and a new and developing regime for teenagers (those between the ages of 13 and 17).

The federal Children’s Online Privacy Protection Act (COPPA) governs data for minors under the age of 13, and requires parental consent if a business has actual knowledge that it is collecting, using, or disclosing personal information of individuals under the age of 13. Recently, state data privacy laws have started regulating the collection, processing, sale, and sharing of minors’ data. The exact requirements differ from state to state.

Comparatively, for example, California’s laws governing minors’ data are more nuanced than COPPA. California’s regulations governing minors’ data are found in its overall privacy act, the California Consumer Privacy Act (CCPA). California has an opt-in requirement for “minors” before a business can sell or share personal data. But how opt-in consent is obtained differs depending on the age of the minor. For individuals under the age of 13, affirmative parental consent must be obtained before a business sells or shares the data (notably, unlike COPPA, the CCPA does not require opt-in consent for collecting or processing such data). For teenage minors ages 13 to 16, affirmative consent from the teenager must be obtained before a business can sell or share the teenager’s personal information. The CCPA considers 16- to 17-year-olds as “adults” for CCPA purposes.

The goal of AB 1949, the Kid’s Privacy Bill, was to “close the gap” on teenagers’ data under the CCPA. AB 1949 also sought to establish stricter regulations regarding the collection and usage of minors’ data by businesses. Specifically, the bill would have required businesses to obtain opt-in consent prior not only to selling or sharing data of all minors including teenagers, but also prior to collecting and processing data of all minors.

Governor Newsom vetoed AB 1949, stating that it would be unduly burdensome on businesses.   At the same time, however, Governor Newsom signed into law a separate bill, SB 976, The Protecting Our Kids from Social Media Addiction Act. SB 976 prohibits social media companies from knowingly providing addictive feeds to minors (defined here as individuals under the age of 18) without parental consent. Governor Newsom’s veto of AB 1949 combined with signing into law SB 976 and other bills signals a measured approach to imposing data protections.

Conclusion

Governor Newsom’s veto of AB 1949 and SB 1047, while signing into law AB 2013, SB 942, and SB 976, among other laws, shows a thoughtful approach as California balances its role as a state fostering innovation while also maintaining its place as a leader in regulations protecting consumers’ privacy rights. The Governor’s decisions are at a complex intersection of consumer rights, business interests, and the evolving landscape of data privacy.

As the demand for stronger data privacy regulations continues to rise, particularly for minors, stakeholders will need to engage in constructive dialogue to find a balance that protects consumers without stifling innovation. The outcome of this debate will be pivotal in shaping California’s—and potentially the nation’s—approach to data privacy in the years to come.

For assistance navigating the ever-proliferating and changing landscape of data privacy laws, please contact the Coblentz Data Privacy Team.

 

 

 

By Sabrina Larson

Trademark scams are on the rise and include increasingly varied communications attempting to trick trademark applicants and registrants into paying fees. If you receive any communications regarding your trademarks from anyone other than your trademark attorney, it is most likely not legitimate. Below are common scams, red flags to watch out for, and best practices.  

Common Scams to Watch Out For

Notices Seeking Payment of Fees

The most widespread trademark scam involves a notice seeking you to pay application, registration, or maintenance fees. These notices are formatted to mimic invoices from the U.S. Patent & Trademark Office (“USPTO”). Scammers pull information from pending applications or registrations approaching their maintenance deadlines and then send fake invoices seeking payment of fees. You may receive these scams via hard copy invoices or even by phone or text (if you have provided a phone number in your trademark application). A more recent trend involves a phone call from someone claiming to be a USPTO representative demanding immediate payment. Click here to see an example of a fake invoice from the “Patent & Trademark Office” with the header “PENDING TRADEMARK CANCELLATION” seeking payment of renewal fees.

Trademark Registration of Business Name

This scam purports to come from a trademark attorney offering services. It targets entities’ business names, claiming that another entity is seeking to register the same business name. This scam will include ominous language regarding violations and infringement, creating a sense of urgency to take action. Click here to see an example of a scam email regarding registration of a business name, with the alarming subject “Legal Notice: Immediate Confirmation Needed for Trademark Registration of ‘Business Name.’”

USPTO Trademark Conflict

Another type of scam seeks your immediate attention regarding a third party attempting to register your trademark. This type of scam will come from entities claiming to be trademark attorneys. They will claim that they have received an application to register your mark, and state that if they do not receive an objection from you, the third party will apply for your mark. These communications ask you to take action to avoid forfeiting your trademark rights. Click here to see an example of a scam email with the subject “Urgent Alert: Immediate Attention Needed for USPTO Trademark Conflict.”  

Others

Additional scams include offering to place trademark owners’ marks in a “trademark registry” to increase brand visibility; offering to obtain a “priority trademark registration” by expediting an applicant’s pending application; offers of trademark monitoring services; and offers to provide trademark registration certificates. All of these scams will include subject lines and language asking you to take immediate action to avoid losing your trademark rights, and none of these communications are legitimate.  

Red Flags

• Fake invoices: The USPTO does not send invoices. All communications from the USPTO will be sent to the attorney of record for your trademark with the USPTO.
• Calls or texts seeking payment: The USPTO will never call or text you asking for payment or personal information.
• Offer of trademark services to avoid forfeiting your rights: Law firms do not notify non-client entities of a conflicting mark, and reputable attorneys do not send unsolicited offers to act immediately or risk losing your rights.  

Best Practices

The USPTO’s website includes information on how to spot scams, examples of scam notices and communications, and guidance on what to do if you are scammed.  

Consult your trademark attorney if you have any doubts on the authenticity of communications regarding your trademarks and before taking any action on them. 

A Comprehensive Look at New Developments in Data Privacy Laws

By Scott Hall, Mari Clifford, Sabrina Larson, Amber Leong, and Bina Patel

Download a PDF version of this report here.

2024 has been another big year for privacy. Several new state privacy laws are going into effect, with several more coming in 2025, while a federal privacy law continues to be discussed that would further change the privacy landscape across the country. Businesses need to be aware of new developments, new legal requirements, and steps that should be taken to comply with these laws and reduce business risk.

Our 2024 Mid-Year Privacy Report highlights some of the most important privacy developments to be aware of for the coming year.

You can download the full report here. If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

By Christopher Wiener, Sabrina Larson, and Bina Patel 

Key Takeaways

• Last week, in Warner Chappell Music, Inc. v. Nealy, the Supreme Court held that a copyright owner with a timely claim for infringement can recover damages “no matter when the infringement occurred” and with “no time limit on monetary recovery.”
• This decision will impact companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions and could substantially increase damages awards for plaintiffs.

On May 9, 2024, the U.S. Supreme Court issued a landmark decision in Warner Chappell Music, Inc. v. Nealy, holding that under the Copyright Act, “a copyright owner possessing a timely claim for infringement is entitled to damages, no matter when the infringement occurred.” No. 22–1078, 601 U.S. ____ , Slip Op. at 5 (emphasis added). The Warner decision marks a significant retreat from the view that copyright damages are limited to the three years before an infringement suit is filed under Section 507(b) of the Copyright Act and raises the risk of more damages claims based on undiscovered copyright infringement. It also aligns the rest of the country with the Ninth Circuit’s view that a plaintiff can seek damages for all alleged infringing acts even if those acts occurred more than three years before the plaintiff filed suit. See Starz Ent., LLC v. MGM Domestic Television Distribution, LLC, 39 F.4th 1236, 1247 (9th Cir. 2022). Overall, this decision is significant for companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions. It will affect both plaintiff and defense strategies, and could result in substantially higher damages awards for plaintiffs.  

The underlying dispute arose when Sherman Nealy discovered that, unbeknownst to him, his former business partner had licensed music from their prior company to Warner Chappell while he was in prison. In 2018, Nealy sued Warner Chappell, alleging that he held copyrights to the songs at issue and that Warner Chappell’s licensing activity had infringed his rights. The infringing acts dated back to 2008, ten years before Nealy brought suit. Nealy sought damages and profits for the alleged infringement under the Copyright Act.

The Supreme Court held that Nealy could recover damages for Warner Chappell’s infringing acts beyond the three-year period before his lawsuit. While the Court acknowledged that Section 507(b) establishes a three-year statute of limitations for filing a lawsuit, it reasoned that that provision “establishes no separate three-year period for recovering damages.” Warner Chappell, Slip. Op. at 5. As a result, so long as the copyright infringement claim is timely filed, a successful plaintiff can recover damages with “no time limit on monetary recovery.” Id.    

Most notably, the majority opinion did not resolve a longstanding question of whether the discovery rule governs the timeliness of copyright claims under Section 507(b), an issue that circuit courts are split on and that the Supreme Court has not directly addressed. Under the “injury rule”,  a copyright claim “accrue[s]”—meaning, the clock to bring a claim starts ticking—when “an infringing act occurs.” Petrella v. Metro-Goldwyn-Mayer, Inc., 572 U.S. 663, 670 (2014). The discovery rule, on the other hand, extends the accrual date for unknown infringements to the time “the plaintiff discovers, or with due diligence should have discovered” the infringing act. Id. n.4 (internal citations and quotations omitted). To establish the timeliness of his claims, Nealy invoked the discovery rule for infringing acts that occurred ten years before his lawsuit. The majority assumed that Nealy’s lawsuit was timely filed without actually deciding whether copyright claims are subject to the discovery rule.  

Conversely, the dissent steadfastly argued that the Copyright Act “does not tolerate a discovery rule” and disagreed with the majority’s decision to assume—without deciding—that the discovery rule applied here. This question may well end up in front of the Supreme Court in the future, as there is a currently pending petition for certiorari that squarely presents the question of “[w]hether the ‘discovery rule’ applies to the Copyright Act’s statute of limitations for civil claims.” See Petition for Writ of Certiorari, Hearst Newspapers, L.L.C. v. Antonio Martinelli, No. 23–474, at i (Nov. 2, 2023).

Following last week’s decision, the expanded timeframe for damages recovery means that businesses not only need to prepare to defend against older infringement claims—and to carefully vet the risk those potential claims may pose when considering acquisitions—but should also consider the viability of pursuing infringement claims that were previously considered time-barred.   

Please contact the Coblentz Intellectual Property team with any questions.

By Scott Hall and Amber Leong

The California Court of Appeal just issued an opinion reversing a trial court decision from last year that stayed enforcement of the California Privacy Rights Act (“CPRA”) Regulations.¹ If you recall, last year, on June 30, 2023 – the eve of when the regulations were to take effect – a California trial court issued a ruling and injunction halting the regulations from going into effect. The trial court found that the statute required a one-year delay from when the regulations were finalized to when they could take effect. Accordingly, because the regulations were finalized on March 29, 2023, they would not take effect until March 29, 2024.

Attorney General Rob Bonta, on behalf of the California Privacy Protection Agency (“CPPA”),² appealed the trial court’s ruling. Last Friday, on February 9, 2024, the California Court of Appeal issued its opinion in Cal. Priv. Protection Agency v. Sup. Ct. of Sac. Cty., C099130 (Cal. Ct. App. Feb. 9, 2024). In a unanimous opinion, the California Court of Appeal reversed the trial court decision. In so doing, the Court found that nothing in the statutory language of the CPRA “unambiguously require[s] a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material[s] presented for our review signals that the voters intended such a gap,” id. at 19, “even if the specific statutory provision at issue . . . include[d] what amounts to a one-year delay,” ibid. (original emphasis included). Thus, the California Court of Appeal vacated the trial court’s order and judgment that had stayed the CPPA’s regulations “for a period of 12 months from the date that [each] individual regulation becomes final.” Id. at 22.

What this means is that the regulations take effect now – a little less than two months earlier than the expected March 29, 2024 date.

The California Court of Appeal’s ruling, though, has broader significance for pending and future regulations for which the CPPA has not issued final regulations yet – including cybersecurity audits, risk assessments, and automated decision-making. Under the Court of Appeal’s ruling, these regulations can presumably take immediate effect once they are finalized, rather than having a one-year waiting period. It remains to be seen whether the CPPA will provide a certain period of time for businesses to prepare for new regulations as they are finalized, or whether the CPPA will seek to enforce new regulations without delay in light of this ruling, though the CPRA regulations do provide that the CPPA should consider the time between the effective date of regulatory requirements and alleged violations, among other things, in deciding whether to pursue an investigation. (CPRA Regulations § 7301(b).)

With the CCPA’s original 30-day notice-and-cure provision eliminated, and both Attorney General Rob Bonta and the CPPA signaling their intent to increase enforcement of California consumers’ privacy rights, companies should work to become immediately compliant with the current CPRA regulations and should also work towards compliance with draft regulations regarding cybersecurity audits, risk assessments, and automated decision-making as there is no clear waiting period before those regulations can go into effect once finalized. In sum, businesses will need to closely monitor and always be ready for CPRA regulatory enforcement.

Please contact the Coblentz Data Privacy Team with any questions or assistance on these compliance issues.

To view a PDF version of this article, please click here.

[1] Pursuant to the CPRA, a law which was enacted by California voters through Proposition 24 and which amended the California Consumer Privacy Rights Act, authorized for regulations to be promulgated in support of therein and at issue here, and created the CPPA.

[2] The CPPA is the enforcement agency created to enforce the privacy rights of California residents.

By Scott Hall and Bina Patel

Key Takeaways

• The Children’s Data Privacy Act (AB 1949) would require businesses to obtain affirmative authorization to collect, use or disclose personal data of children under 18 in California.
• Businesses should focus on understanding what data from children they may be collecting through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of children’s data.

Despite a court ruling late last year that blocked the California Age Appropriate Design Code Act (CAADCA) from going into effect in 2024, as scheduled, California’s Attorney General Rob Bonta is pressing forward with an amendment to the California Consumer Privacy Act (CCPA) aimed at protecting children’s data.

The Children’s Data Privacy Act (AB 1949), a bill introduced on January 29, 2024, would further amend the CCPA to prohibit businesses from collecting personal data of individuals under the age of 18, unless they receive affirmative authorization (i.e., opt-in consent) to do so. For individuals under the age of 13, the affirmative authorization must come from the parent. Specifically, the proposed amendment states that “a business shall not collect the personal information of a consumer less than 18 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 18 years of age, or the consumer’s parent or guardian, in the case of a consumer less than 13 years of age, has affirmatively authorized the collection of the consumer’s personal information.” (Proposed amendment to Cal. Civil Code § 1798.100(g).) The bill authorizes the Office of the Attorney General to enforce the law and seek injunctive relief, damages, or civil penalties of up to $5,000 per violation.

AB 1949 represents a significant change to the CCPA. The law currently only prohibits the selling or sharing (for cross-context behavioral advertising purposes) of minor’s data without affirmative opt-in consent and does not prohibit the collection of such data without informed consent. Notably, the changes proposed by AB 1949 will allow California to align its privacy law and increased focus on the protection of children’s data with the vast majority of other states. When the CCPA initially went into effect in January 2020, it was the first comprehensive state privacy law in the nation and blazed the trail for many other state laws that have followed in recent years. However, unlike the CCPA, the majority of other states that have passed privacy laws subsequent to the CCPA have defined “sensitive information” to include the data of minors and have required affirmative opt-in consent prior to collecting or processing sensitive information of minors. The proposed amendment would make California’s data collection requirements consistent with the majority of other states.

Beyond restricting collection of minor data, AB 1949 also proposes amendments to the CCPA to prohibit the “use or disclos[ure]” of the personal information of minors without affirmative consent by the consumer or guardian. (Proposed amendment to Cal. Civil Code § 1798.121(e)). The law would also require – on or before July 1, 2025 – the California Privacy Protection Agency to issue regulations to establish technical specifications for an opt-out preference signal that allows a consumer (or a parent or guardian) to specify that the consumer is less than 13 years of age or less than 18 years of age, and to establish regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. (Proposed amendment to Cal. Civil Code § 1798.185(e).)

Admittedly, AB 1949 is not as comprehensive as CAADCA, which would require businesses to perform data protection impact assessments upon request from the Attorney General for products or services “likely to be accessed by children,” as well as implement stricter default privacy settings and terms. Even so, AB 1949 is an important step towards greater privacy protection for children and will make the patchwork of standards regarding children’s data collection and use more consistent across the country.

Having said that, CAADCA is still alive and, while the legal challenge continues, businesses may eventually have to deal with that stricter law or some modified version of it. To learn more about the requirements of CAADCA, see our prior article. Until then, given that AB 1949 will likely be enacted to put California on equal footing with other state privacy laws, businesses should focus on understanding whether and what data from minors may be collected through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of minor data.

Please contact the Coblentz Data Privacy Team with any questions about AB 1949 or other privacy issues.

To view a PDF version of this article, please click here.

By Scott Hall and Amber Leong

Key Takeaways

• Despite your recent efforts to comply with privacy law requirements for website cookies, pixels, and analytics, your business may be at risk of getting sued for violations of “pen register” or “trap and trace” laws based on information collected from website or mobile app users.
• A recent court decision has breathed new life into pen register and trap and trace claims. More than 75 complaints have been filed in California courts the past few months, and courts addressing these claims will need to reconcile the clear inconsistency between older pen register laws and more recent data privacy laws such as the EU’s GDPR and California’s CCPA/CPRA.
• Businesses should be aware of what cookies, analytics, and other website technologies they are running on their websites.

In the world of data privacy litigation, plaintiffs’ attorneys are always looking for the next big thing. Over the past couple of years, plaintiffs in California and elsewhere have tried to use decades-old wiretapping and eavesdropping statutes against companies, claiming that the use of website chat functions, session recording tools, cookies, pixels, and other tracking software amounted to “wiretapping” or “eavesdropping” on website visitors.

Having found limited success with these legal claims, the newest tactic in privacy litigation appears to rely on the theory that website cookies or other website analytics tools constitute “pen registers” or “trap and trace” devices under the California Invasion of Privacy Act (“CIPA”), California Penal Code § 638.51. The basis for these new claims appears to stem from a single recent decision, Greenley v. Kochava, 22-cv-01327-BAS-HSG, — F.Supp.3d —-, 2023 WL 4833466 (S.D. Cal. July 27, 2023) (“Kochava”), where the court – acknowledging that it was an issue of first impression[1] – allowed pen register claims to move beyond the motion to dismiss stage, at least in the context of that case. Kochava has opened the floodgates to pen register litigation, as over 75 complaints have been filed in California courts over just the past couple of months, asserting vague and formulaic violations of pen register laws, with many more cases likely to follow.

So, what is a “pen register”? Explaining the term requires remembering a time before the Internet and cellular telephones when special equipment was necessary to record numbers dialed to or from a landline telephone. Historically, pen registers were devices that could record numbers dialed to or from a particular telephone and were often used in criminal investigations. Laws prohibiting the use of pen registers without consent or a warrant were targeted at eliminating conduct akin to surveillance done under the color of law without proper authorization.[2] The federal pen register statute, passed in 1986, did not contemplate a world where cellular phones are ubiquitous portable handheld computer devices that now identify and record all phone numbers dialed to and from them, let alone application of the law to the Internet, where identification of computers and routers through IP addresses and other electronic source information is necessary to all website interactions. And, while the 2001 USA Patriot Act and certain state laws expanded the definition of a pen register to try to address computer and Internet communications, these laws were still largely based on older statutory language and definitions that are not a precise or comprehensive fit for all of the various electronic communications and interactions that occur online or through mobile devices today.

Returning to the present day, up to and until the Kochava case, there has been little to no civil litigation over the use of pen registers.[3] As noted above, there are good reasons for this. Cellular telephone technology, the Internet, and other advances have changed how we communicate. The pen register statutes apply, if at all, awkwardly to advancing technologies, and there are newer privacy laws specifically aimed at Internet privacy. However, because California’s pen register law defines “pen register” as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, plaintiffs in Kochava sought to dust off the pen register law to apply it to Internet communications. In Kochava, plaintiffs asserted violations of the pen register law against a data broker company that provided a software development kit (“SDK”) to application developers. As the Kochava court noted, application-based companies could then embed Kochava’s SDK in their mobile applications to

‘deliver targeted advertising . . . by in essence ‘fingerprinting’
each unique device and user, as well as connecting users across
devices and devices across users.’ The data links longitude and
latitude coordinates with these fingerprints, which can be ‘easily
de-anonymized.’  In addition to geolocation, [the SDK allows
apps] to ‘search terms, click choices, purchase decisions and/or
payment methods.’  This data collection allows [Kochava to]
deliver ‘targeted advertising . . . while tracking [users’] locations,
spending habits, and personal characteristics’ and share this ‘rich
personal data simultaneously with untold numbers of third-party
companies.’

Kochava, 2023 WL 4833466, at *2-3 (internal citations to complaint omitted). Given this unique software and its purported ability to collect a treasure trove of information that could create a personal unique identifier, the Kochava court held that the SDK at issue amounted to a “process” that could collect “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Id. at *27. Thus, Kochava “reject[ed] the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a ‘pen register’” and allowed the claim to proceed past the motion to dismiss stage.

For now, it is unclear how broadly or narrowly courts will apply Kochava. Kochava involved a data broker with particular software used on mobile applications. The Kochava court carefully parsed through the “pen register” statute to conclude that “software installed in a telephone” could constitute a “pen register.” Accordingly, the Kochava holding merely stands for the proposition that a pen register claim may proceed (but not necessarily succeed) against a data broker (an entity selling data for targeted advertising rather than simply collecting it for its purposes) that installed software on users’ telephones (as opposed to on websites), purportedly without consent. It would seem to require a broad leap for other courts to apply this holding generally to find that the mere collection of data through website cookies or analytics that facilitate online interactions and transactions with consumers – and which is necessary for website operations and done by every company that operates a website – violates the law. Such a holding would essentially cripple online commerce and all other Internet communications and activities.     

While the Kochava decision may have breathed new life into pen register and trap and trace theories for the moment, courts addressing these claims must confront and reconcile the clear inconsistency between older pen register laws and more recent data privacy statutes that specifically govern the processes and disclosures companies must use when collecting consumer information on their websites, including via cookies and other analytics.

For example, the European Union’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and many other state privacy laws all carefully and explicitly regulate how personal information may be collected from individuals, including on Internet websites. These statutes emphasize transparency and disclosure of data collection practices through privacy notices, cookie banners, and other just-in-time methods, which allow consumers to exercise their privacy rights and control the flow of information transmitted on the Internet. But even if companies are compliant with these more recent privacy laws, they may be found to violate the old pen register and trap and trace laws if applied broadly and extended to Internet technologies. This is because, taken broadly, every company in the world that operates a website necessarily collects certain device source information in connection with website interactions. Yet, avoiding the collection of such information in the context of the Internet – an ecosystem of connected computers – is impossible. Thus, it remains to be seen whether courts will find that every company is violating the law by participating in online commerce, even when (or especially when) they are complying with more recent privacy laws that specifically regulate how companies collect and process the precise information at issue in these new pen register cases.

For now, plaintiffs’ attorneys will use Kochava as a foothold in an attempt to expand the pen register statute and expand Kochava’s fact-specific holding. Until courts consistently determine how to apply the pen register laws, if at all, to Internet communications, and reconcile such laws and claims against the backdrop of recently enacted privacy laws, we will all be riding this new wave of privacy litigation together.

Please contact the Coblentz Data Privacy Team with questions or to assist with any privacy claims or needs.

To view a PDF version of this article, please click here.

 

[1] And in fact, Kochava was the first case to ever cite to the California pen register statute, and at the date of this publication, still the only case to have cited to and analyzed the provision.

[2] Notably, the United States Supreme Court has held that individuals do not have a reasonable expectation of privacy under the Fourth Amendment of the U.S. Constitution to suppress any evidence obtained from pen registers. Smith v. Maryland, 442 U.S. 735, 742 (1979) (noting that a pen register has “limited capabilities” and the petitioner had no “legitimate expectation of privacy” regarding the numbers he dialed).

[3] To the extent the litigation was not derivative of any criminal charges.

By Scott Hall, Fred Alvarez, and Amber Leong

On October 8, 2023, California Governor Gavin Newsom signed into law AB-947, which expanded the category of “sensitive personal information” to include citizenship or immigration status. The category of sensitive personal information under the California Privacy Rights Act (“CPRA”) already includes government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.

The CPRA contains special restrictions on the collection, use and disclosure of sensitive personal information. If your business collects citizenship or immigration information, you will need to update your privacy policy and revise and review your collection and processing of any sensitive personal information.

Importantly, employee information falls within the scope of the CPRA. That means if your business is subject to the CPRA and you have California-based employees, you are inevitably collecting citizenship or immigration status information that will now constitute sensitive personal information under the new law. If so, you will separately need to update your employee privacy notice and potentially adjust collection and processing procedures with respect to employee information.

The CPRA requires yearly updates of both your consumer privacy policy and employee privacy policy. If you do not have up-to-date consumer or employee privacy policies, there is no better time than now to get started. With the new year right around the corner, now is the time to get your data privacy ducks in a row for 2024.

Please reach out to Coblentz’s Data Privacy or Labor & Employment groups with further questions.