A Comprehensive Look at New Developments in Data Privacy Laws

By Scott Hall, Mari Clifford, Sabrina Larson, Emily Lentz, Amber Leong, and Bina Patel

Download a PDF version of this report here.

2024 has been another big year for privacy. Several new state privacy laws are going into effect, with several more coming in 2025, while a federal privacy law continues to be discussed that would further change the privacy landscape across the country. Businesses need to be aware of new developments, new legal requirements, and steps that should be taken to comply with these laws and reduce business risk.

Our 2024 Mid-Year Privacy Report highlights some of the most important privacy developments to be aware of for the coming year.

You can download the full report here. If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

By Christopher Wiener, Sabrina Larson, and Bina Patel 

Key Takeaways

• Last week, in Warner Chappell Music, Inc. v. Nealy, the Supreme Court held that a copyright owner with a timely claim for infringement can recover damages “no matter when the infringement occurred” and with “no time limit on monetary recovery.”
• This decision will impact companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions and could substantially increase damages awards for plaintiffs.

On May 9, 2024, the U.S. Supreme Court issued a landmark decision in Warner Chappell Music, Inc. v. Nealy, holding that under the Copyright Act, “a copyright owner possessing a timely claim for infringement is entitled to damages, no matter when the infringement occurred.” No. 22–1078, 601 U.S. ____ , Slip Op. at 5 (emphasis added). The Warner decision marks a significant retreat from the view that copyright damages are limited to the three years before an infringement suit is filed under Section 507(b) of the Copyright Act and raises the risk of more damages claims based on undiscovered copyright infringement. It also aligns the rest of the country with the Ninth Circuit’s view that a plaintiff can seek damages for all alleged infringing acts even if those acts occurred more than three years before the plaintiff filed suit. See Starz Ent., LLC v. MGM Domestic Television Distribution, LLC, 39 F.4th 1236, 1247 (9th Cir. 2022). Overall, this decision is significant for companies of all sizes that use copyrighted material, as it is likely to lead to a surge of litigation based on outdated actions. It will affect both plaintiff and defense strategies, and could result in substantially higher damages awards for plaintiffs.  

The underlying dispute arose when Sherman Nealy discovered that, unbeknownst to him, his former business partner had licensed music from their prior company to Warner Chappell while he was in prison. In 2018, Nealy sued Warner Chappell, alleging that he held copyrights to the songs at issue and that Warner Chappell’s licensing activity had infringed his rights. The infringing acts dated back to 2008, ten years before Nealy brought suit. Nealy sought damages and profits for the alleged infringement under the Copyright Act.

The Supreme Court held that Nealy could recover damages for Warner Chappell’s infringing acts beyond the three-year period before his lawsuit. While the Court acknowledged that Section 507(b) establishes a three-year statute of limitations for filing a lawsuit, it reasoned that that provision “establishes no separate three-year period for recovering damages.” Warner Chappell, Slip. Op. at 5. As a result, so long as the copyright infringement claim is timely filed, a successful plaintiff can recover damages with “no time limit on monetary recovery.” Id.    

Most notably, the majority opinion did not resolve a longstanding question of whether the discovery rule governs the timeliness of copyright claims under Section 507(b), an issue that circuit courts are split on and that the Supreme Court has not directly addressed. Under the “injury rule”,  a copyright claim “accrue[s]”—meaning, the clock to bring a claim starts ticking—when “an infringing act occurs.” Petrella v. Metro-Goldwyn-Mayer, Inc., 572 U.S. 663, 670 (2014). The discovery rule, on the other hand, extends the accrual date for unknown infringements to the time “the plaintiff discovers, or with due diligence should have discovered” the infringing act. Id. n.4 (internal citations and quotations omitted). To establish the timeliness of his claims, Nealy invoked the discovery rule for infringing acts that occurred ten years before his lawsuit. The majority assumed that Nealy’s lawsuit was timely filed without actually deciding whether copyright claims are subject to the discovery rule.  

Conversely, the dissent steadfastly argued that the Copyright Act “does not tolerate a discovery rule” and disagreed with the majority’s decision to assume—without deciding—that the discovery rule applied here. This question may well end up in front of the Supreme Court in the future, as there is a currently pending petition for certiorari that squarely presents the question of “[w]hether the ‘discovery rule’ applies to the Copyright Act’s statute of limitations for civil claims.” See Petition for Writ of Certiorari, Hearst Newspapers, L.L.C. v. Antonio Martinelli, No. 23–474, at i (Nov. 2, 2023).

Following last week’s decision, the expanded timeframe for damages recovery means that businesses not only need to prepare to defend against older infringement claims—and to carefully vet the risk those potential claims may pose when considering acquisitions—but should also consider the viability of pursuing infringement claims that were previously considered time-barred.   

Please contact the Coblentz Intellectual Property team with any questions.

By Scott Hall and Amber Leong

The California Court of Appeal just issued an opinion reversing a trial court decision from last year that stayed enforcement of the California Privacy Rights Act (“CPRA”) Regulations.¹ If you recall, last year, on June 30, 2023 – the eve of when the regulations were to take effect – a California trial court issued a ruling and injunction halting the regulations from going into effect. The trial court found that the statute required a one-year delay from when the regulations were finalized to when they could take effect. Accordingly, because the regulations were finalized on March 29, 2023, they would not take effect until March 29, 2024.

Attorney General Rob Bonta, on behalf of the California Privacy Protection Agency (“CPPA”),² appealed the trial court’s ruling. Last Friday, on February 9, 2024, the California Court of Appeal issued its opinion in Cal. Priv. Protection Agency v. Sup. Ct. of Sac. Cty., C099130 (Cal. Ct. App. Feb. 9, 2024). In a unanimous opinion, the California Court of Appeal reversed the trial court decision. In so doing, the Court found that nothing in the statutory language of the CPRA “unambiguously require[s] a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material[s] presented for our review signals that the voters intended such a gap,” id. at 19, “even if the specific statutory provision at issue . . . include[d] what amounts to a one-year delay,” ibid. (original emphasis included). Thus, the California Court of Appeal vacated the trial court’s order and judgment that had stayed the CPPA’s regulations “for a period of 12 months from the date that [each] individual regulation becomes final.” Id. at 22.

What this means is that the regulations take effect now – a little less than two months earlier than the expected March 29, 2024 date.

The California Court of Appeal’s ruling, though, has broader significance for pending and future regulations for which the CPPA has not issued final regulations yet – including cybersecurity audits, risk assessments, and automated decision-making. Under the Court of Appeal’s ruling, these regulations can presumably take immediate effect once they are finalized, rather than having a one-year waiting period. It remains to be seen whether the CPPA will provide a certain period of time for businesses to prepare for new regulations as they are finalized, or whether the CPPA will seek to enforce new regulations without delay in light of this ruling, though the CPRA regulations do provide that the CPPA should consider the time between the effective date of regulatory requirements and alleged violations, among other things, in deciding whether to pursue an investigation. (CPRA Regulations § 7301(b).)

With the CCPA’s original 30-day notice-and-cure provision eliminated, and both Attorney General Rob Bonta and the CPPA signaling their intent to increase enforcement of California consumers’ privacy rights, companies should work to become immediately compliant with the current CPRA regulations and should also work towards compliance with draft regulations regarding cybersecurity audits, risk assessments, and automated decision-making as there is no clear waiting period before those regulations can go into effect once finalized. In sum, businesses will need to closely monitor and always be ready for CPRA regulatory enforcement.

Please contact the Coblentz Data Privacy Team with any questions or assistance on these compliance issues.

To view a PDF version of this article, please click here.

[1] Pursuant to the CPRA, a law which was enacted by California voters through Proposition 24 and which amended the California Consumer Privacy Rights Act, authorized for regulations to be promulgated in support of therein and at issue here, and created the CPPA.

[2] The CPPA is the enforcement agency created to enforce the privacy rights of California residents.

By Scott Hall and Bina Patel

Key Takeaways

• The Children’s Data Privacy Act (AB 1949) would require businesses to obtain affirmative authorization to collect, use or disclose personal data of children under 18 in California.
• Businesses should focus on understanding what data from children they may be collecting through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of children’s data.

Despite a court ruling late last year that blocked the California Age Appropriate Design Code Act (CAADCA) from going into effect in 2024, as scheduled, California’s Attorney General Rob Bonta is pressing forward with an amendment to the California Consumer Privacy Act (CCPA) aimed at protecting children’s data.

The Children’s Data Privacy Act (AB 1949), a bill introduced on January 29, 2024, would further amend the CCPA to prohibit businesses from collecting personal data of individuals under the age of 18, unless they receive affirmative authorization (i.e., opt-in consent) to do so. For individuals under the age of 13, the affirmative authorization must come from the parent. Specifically, the proposed amendment states that “a business shall not collect the personal information of a consumer less than 18 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 18 years of age, or the consumer’s parent or guardian, in the case of a consumer less than 13 years of age, has affirmatively authorized the collection of the consumer’s personal information.” (Proposed amendment to Cal. Civil Code § 1798.100(g).) The bill authorizes the Office of the Attorney General to enforce the law and seek injunctive relief, damages, or civil penalties of up to $5,000 per violation.

AB 1949 represents a significant change to the CCPA. The law currently only prohibits the selling or sharing (for cross-context behavioral advertising purposes) of minor’s data without affirmative opt-in consent and does not prohibit the collection of such data without informed consent. Notably, the changes proposed by AB 1949 will allow California to align its privacy law and increased focus on the protection of children’s data with the vast majority of other states. When the CCPA initially went into effect in January 2020, it was the first comprehensive state privacy law in the nation and blazed the trail for many other state laws that have followed in recent years. However, unlike the CCPA, the majority of other states that have passed privacy laws subsequent to the CCPA have defined “sensitive information” to include the data of minors and have required affirmative opt-in consent prior to collecting or processing sensitive information of minors. The proposed amendment would make California’s data collection requirements consistent with the majority of other states.

Beyond restricting collection of minor data, AB 1949 also proposes amendments to the CCPA to prohibit the “use or disclos[ure]” of the personal information of minors without affirmative consent by the consumer or guardian. (Proposed amendment to Cal. Civil Code § 1798.121(e)). The law would also require – on or before July 1, 2025 – the California Privacy Protection Agency to issue regulations to establish technical specifications for an opt-out preference signal that allows a consumer (or a parent or guardian) to specify that the consumer is less than 13 years of age or less than 18 years of age, and to establish regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. (Proposed amendment to Cal. Civil Code § 1798.185(e).)

Admittedly, AB 1949 is not as comprehensive as CAADCA, which would require businesses to perform data protection impact assessments upon request from the Attorney General for products or services “likely to be accessed by children,” as well as implement stricter default privacy settings and terms. Even so, AB 1949 is an important step towards greater privacy protection for children and will make the patchwork of standards regarding children’s data collection and use more consistent across the country.

Having said that, CAADCA is still alive and, while the legal challenge continues, businesses may eventually have to deal with that stricter law or some modified version of it. To learn more about the requirements of CAADCA, see our prior article. Until then, given that AB 1949 will likely be enacted to put California on equal footing with other state privacy laws, businesses should focus on understanding whether and what data from minors may be collected through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of minor data.

Please contact the Coblentz Data Privacy Team with any questions about AB 1949 or other privacy issues.

To view a PDF version of this article, please click here.

By Scott Hall and Amber Leong

Key Takeaways

• Despite your recent efforts to comply with privacy law requirements for website cookies, pixels, and analytics, your business may be at risk of getting sued for violations of “pen register” or “trap and trace” laws based on information collected from website or mobile app users.
• A recent court decision has breathed new life into pen register and trap and trace claims. More than 75 complaints have been filed in California courts the past few months, and courts addressing these claims will need to reconcile the clear inconsistency between older pen register laws and more recent data privacy laws such as the EU’s GDPR and California’s CCPA/CPRA.
• Businesses should be aware of what cookies, analytics, and other website technologies they are running on their websites.

In the world of data privacy litigation, plaintiffs’ attorneys are always looking for the next big thing. Over the past couple of years, plaintiffs in California and elsewhere have tried to use decades-old wiretapping and eavesdropping statutes against companies, claiming that the use of website chat functions, session recording tools, cookies, pixels, and other tracking software amounted to “wiretapping” or “eavesdropping” on website visitors.

Having found limited success with these legal claims, the newest tactic in privacy litigation appears to rely on the theory that website cookies or other website analytics tools constitute “pen registers” or “trap and trace” devices under the California Invasion of Privacy Act (“CIPA”), California Penal Code § 638.51. The basis for these new claims appears to stem from a single recent decision, Greenley v. Kochava, 22-cv-01327-BAS-HSG, — F.Supp.3d —-, 2023 WL 4833466 (S.D. Cal. July 27, 2023) (“Kochava”), where the court – acknowledging that it was an issue of first impression[1] – allowed pen register claims to move beyond the motion to dismiss stage, at least in the context of that case. Kochava has opened the floodgates to pen register litigation, as over 75 complaints have been filed in California courts over just the past couple of months, asserting vague and formulaic violations of pen register laws, with many more cases likely to follow.

So, what is a “pen register”? Explaining the term requires remembering a time before the Internet and cellular telephones when special equipment was necessary to record numbers dialed to or from a landline telephone. Historically, pen registers were devices that could record numbers dialed to or from a particular telephone and were often used in criminal investigations. Laws prohibiting the use of pen registers without consent or a warrant were targeted at eliminating conduct akin to surveillance done under the color of law without proper authorization.[2] The federal pen register statute, passed in 1986, did not contemplate a world where cellular phones are ubiquitous portable handheld computer devices that now identify and record all phone numbers dialed to and from them, let alone application of the law to the Internet, where identification of computers and routers through IP addresses and other electronic source information is necessary to all website interactions. And, while the 2001 USA Patriot Act and certain state laws expanded the definition of a pen register to try to address computer and Internet communications, these laws were still largely based on older statutory language and definitions that are not a precise or comprehensive fit for all of the various electronic communications and interactions that occur online or through mobile devices today.

Returning to the present day, up to and until the Kochava case, there has been little to no civil litigation over the use of pen registers.[3] As noted above, there are good reasons for this. Cellular telephone technology, the Internet, and other advances have changed how we communicate. The pen register statutes apply, if at all, awkwardly to advancing technologies, and there are newer privacy laws specifically aimed at Internet privacy. However, because California’s pen register law defines “pen register” as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, plaintiffs in Kochava sought to dust off the pen register law to apply it to Internet communications. In Kochava, plaintiffs asserted violations of the pen register law against a data broker company that provided a software development kit (“SDK”) to application developers. As the Kochava court noted, application-based companies could then embed Kochava’s SDK in their mobile applications to

‘deliver targeted advertising . . . by in essence ‘fingerprinting’
each unique device and user, as well as connecting users across
devices and devices across users.’ The data links longitude and
latitude coordinates with these fingerprints, which can be ‘easily
de-anonymized.’  In addition to geolocation, [the SDK allows
apps] to ‘search terms, click choices, purchase decisions and/or
payment methods.’  This data collection allows [Kochava to]
deliver ‘targeted advertising . . . while tracking [users’] locations,
spending habits, and personal characteristics’ and share this ‘rich
personal data simultaneously with untold numbers of third-party
companies.’

Kochava, 2023 WL 4833466, at *2-3 (internal citations to complaint omitted). Given this unique software and its purported ability to collect a treasure trove of information that could create a personal unique identifier, the Kochava court held that the SDK at issue amounted to a “process” that could collect “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Id. at *27. Thus, Kochava “reject[ed] the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a ‘pen register’” and allowed the claim to proceed past the motion to dismiss stage.

For now, it is unclear how broadly or narrowly courts will apply Kochava. Kochava involved a data broker with particular software used on mobile applications. The Kochava court carefully parsed through the “pen register” statute to conclude that “software installed in a telephone” could constitute a “pen register.” Accordingly, the Kochava holding merely stands for the proposition that a pen register claim may proceed (but not necessarily succeed) against a data broker (an entity selling data for targeted advertising rather than simply collecting it for its purposes) that installed software on users’ telephones (as opposed to on websites), purportedly without consent. It would seem to require a broad leap for other courts to apply this holding generally to find that the mere collection of data through website cookies or analytics that facilitate online interactions and transactions with consumers – and which is necessary for website operations and done by every company that operates a website – violates the law. Such a holding would essentially cripple online commerce and all other Internet communications and activities.     

While the Kochava decision may have breathed new life into pen register and trap and trace theories for the moment, courts addressing these claims must confront and reconcile the clear inconsistency between older pen register laws and more recent data privacy statutes that specifically govern the processes and disclosures companies must use when collecting consumer information on their websites, including via cookies and other analytics.

For example, the European Union’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and many other state privacy laws all carefully and explicitly regulate how personal information may be collected from individuals, including on Internet websites. These statutes emphasize transparency and disclosure of data collection practices through privacy notices, cookie banners, and other just-in-time methods, which allow consumers to exercise their privacy rights and control the flow of information transmitted on the Internet. But even if companies are compliant with these more recent privacy laws, they may be found to violate the old pen register and trap and trace laws if applied broadly and extended to Internet technologies. This is because, taken broadly, every company in the world that operates a website necessarily collects certain device source information in connection with website interactions. Yet, avoiding the collection of such information in the context of the Internet – an ecosystem of connected computers – is impossible. Thus, it remains to be seen whether courts will find that every company is violating the law by participating in online commerce, even when (or especially when) they are complying with more recent privacy laws that specifically regulate how companies collect and process the precise information at issue in these new pen register cases.

For now, plaintiffs’ attorneys will use Kochava as a foothold in an attempt to expand the pen register statute and expand Kochava’s fact-specific holding. Until courts consistently determine how to apply the pen register laws, if at all, to Internet communications, and reconcile such laws and claims against the backdrop of recently enacted privacy laws, we will all be riding this new wave of privacy litigation together.

Please contact the Coblentz Data Privacy Team with questions or to assist with any privacy claims or needs.

To view a PDF version of this article, please click here.

 

[1] And in fact, Kochava was the first case to ever cite to the California pen register statute, and at the date of this publication, still the only case to have cited to and analyzed the provision.

[2] Notably, the United States Supreme Court has held that individuals do not have a reasonable expectation of privacy under the Fourth Amendment of the U.S. Constitution to suppress any evidence obtained from pen registers. Smith v. Maryland, 442 U.S. 735, 742 (1979) (noting that a pen register has “limited capabilities” and the petitioner had no “legitimate expectation of privacy” regarding the numbers he dialed).

[3] To the extent the litigation was not derivative of any criminal charges.

By Scott Hall, Fred Alvarez, and Amber Leong

On October 8, 2023, California Governor Gavin Newsom signed into law AB-947, which expanded the category of “sensitive personal information” to include citizenship or immigration status. The category of sensitive personal information under the California Privacy Rights Act (“CPRA”) already includes government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.

The CPRA contains special restrictions on the collection, use and disclosure of sensitive personal information. If your business collects citizenship or immigration information, you will need to update your privacy policy and revise and review your collection and processing of any sensitive personal information.

Importantly, employee information falls within the scope of the CPRA. That means if your business is subject to the CPRA and you have California-based employees, you are inevitably collecting citizenship or immigration status information that will now constitute sensitive personal information under the new law. If so, you will separately need to update your employee privacy notice and potentially adjust collection and processing procedures with respect to employee information.

The CPRA requires yearly updates of both your consumer privacy policy and employee privacy policy. If you do not have up-to-date consumer or employee privacy policies, there is no better time than now to get started. With the new year right around the corner, now is the time to get your data privacy ducks in a row for 2024.

Please reach out to Coblentz’s Data Privacy or Labor & Employment groups with further questions.

By Scott Hall, Mari Clifford, and Amber Leong

In 1988, Congress enacted the Video Protection Privacy Act (“VPPA”) in response to the confirmation hearing of Judge Robert Bork, where his video rental history was disclosed during his Supreme Court confirmation hearing. Creative plaintiffs’ lawyers in recent years have asserted new claims under this statute, arguing that the use of website tracking pixels that transmit a user’s visit to a website page containing an embedded video violates the VPPA. Some courts have allowed some of these claims to pass the pleading stage, resulting in a proliferation of pre-litigation demands and complaints against companies who embed videos on their websites and use pixel analytics.[1]

There are several defenses that have defeated these claims at the pleading stage, however.

First, courts are in agreement that the VPPA only applies to “subscribers” and not just any user who happens to watch a video on a website. What constitutes a “subscriber” can get tricky though. Some courts have held that subscribing to a mailing list or newsletter may be sufficient,[2] while other courts have reached a different conclusion and required a subscription to video services or video content.[3]

Second, what constitutes “personally identifiable information” under the VPPA is also litigated. The Third Circuit has held that under the VPPA, personally identifiable information (“PII”) is limited only to “information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.”[4] Thus, in In re Nickelodeon, the Third Circuit held that “static identifiers” such as an IP address would not allow an ordinary person to determine which videos were viewed online and thus, not actionable under the VPPA.[5] However, courts have regularly held that a Facebook ID is sufficient to constitute PII because it can be easily and directly tied to an individual through that individual’s Facebook account.

Third, the VPPA specifically pertains to pre-recorded videos, and does not apply to live-stream content.[6]

Lastly, the statutory language provides an explicit exemption from the VPPA if a company obtains affirmative, written consent from the user prior to the collection and transmission of a user’s purported video-watching history.[7] There are specific codified requirements to obtain consent under the VPPA including, among other things, providing “a form distinct and separate from any form setting forth other legal or financial obligations of the consumer.”[8] Thus, obtaining consent under the VPPA may look different than obtaining consent sufficient under wiretapping statutes as detailed in our article linked here.

If you have questions about how to navigate this legal landscape, or if your company has been served a pre-litigation demand letter, please reach out to the Coblentz Data Privacy & Cybersecurity Team to discuss the various legal defenses available to your company. There is no one-size-fits-all approach. Navigating this (constantly changing) area of law requires a determination of your business needs, business model, and a well-thought-out and bespoke approach.

 

[1] See e.g., Belozerov v. Gannett Co., Inc., —F. Supp. 3d—-, 2022 WL 17832185 (D. Mass. 2022).

[2] Harris v. Public Broadcasting Serv., —F.Supp.3d—-, 2023 WL 2583118, at *3 (N.D. Ga. 2023)

[3] See Salazar v. Paramount Global d/b/a 247Sports, 22-cv-00756, Dkt No. 33 (M.D. Tenn. July 18, 2023); see also Austin-Spearman v. AMC Network Entertainment LLC, 98 F. Supp. 3d 662 (S.D.N.Y. 2015).

[4] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3d Cir. 2016).

[5] See also White v. Samsung Elec. Am., Inc., Civ. No. 17-1775, 2019 WL 8886485, at *5 (D. N.J. Aug. 21, 2019) (granting Samsung’s motion to dismiss the VPPA claim because allegations of only obtaining IP addresses, MAC addresses, and zip codes do not constitute PII under VPPA).

[6]  Stark v. Patreon, 635 F. Supp. 3d 841, 852 (N.D. Cal. 2022).

[7] 18 U.S.C. § 2710.

[8] Id. § 2710(b)(2)(B).

By Scott Hall, Mari Clifford, and Amber Leong

Numerous new website technologies and tools allow companies to more effectively interact with their customers. These include chatbots, session recording software, tracking pixels (snippets of code that can be used to identify certain designated behavior on a website like seeing which products users are clicking on), and cookies (which remember products previously added to a shopping cart). All of these tools are immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations.

Plaintiffs’ attorneys have recently argued that the use of these website technologies – especially when provided or facilitated by a third-party vendor – constitutes violations of wiretapping and eavesdropping statutes. Under these statutes – both federal and state analogs – it is a violation if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties.

Historically, these statutes were used against individuals secretly listening in on private telephonic conversations. However, plaintiffs’ attorneys have revived these statutes to claim that companies are violating these laws through the use of website technologies. And some courts have allowed some of these claims to pass the motion to dismiss stage.[1]

This has created a flurry of pre-litigation demands against companies with consumer-facing websites. Many companies seek to settle these claims to avoid litigation costs, but several matters have gone to court. As more of these cases are making their way through the courts, we are able to see patterns in how courts are addressing these claims. There now appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider have been found insufficient to state a claim under the wiretapping statutes.[2] By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes (including its own business purposes or with services to other companies) has been found to be sufficient to pass the motion to dismiss hurdle.[3]

The logic behind the reasoning is that there is no unlawful third-party “interception” by an entity that is acting as a service provider to provide a service for the company with whom the individual consumer is interacting. Put differently, a company cannot eavesdrop on itself or “intercept” its own communications.[4]

Given this guidance, companies should take the following steps if they use any chatbots, mouse click trackers, or session-recording technology to better understand their users:

• Service Provider Agreements: Companies should enter into service provider agreements with the chatbot, session recording, or mouse click providers. Contained within the agreements should be clear contractual language that companies providing such services cannot sell, share or use the personal information of users for their own purposes. This language thus captures that the service provider is there to provide a service and reaps no benefit in the form of personal information data.
• Update Privacy Policies: Companies should update their privacy policies and ensure that the policies adequately disclose the use of any chatbots, mouse clicks, or session recording. While updating the privacy policies alone will not be sufficient to be compliant with the various data privacy laws because courts have held that privacy policies at the bottom or footer of webpages may not give sufficient notice of recordings, the policies are nevertheless necessary for compliance as the bare minimum requirements.
• Disclose Immediately Prior to Recording: Companies should explicitly disclose that chat communications or other website interactions are being recorded by a vendor, and that if a user chooses to continue, they are consenting to such recording. Consent is an adequate defense to the wiretapping and eavesdropping claims. While the issues of adequate notice and consent continue to be litigated throughout the courts, generally, providing disclosure of such recordings immediately prior to the session with the opportunity to not proceed should work to provide sufficient notice and consent under the wiretapping laws.

Overall, the legal landscape of these claims is still in flux. However, a clear line that has developed is that a company’s use of “service providers” providing the recording services for companies is not in violation if that service provider cannot use the information collected for purposes other than to support the company, particularly if adequate notice has been provided to the users. This rule, however, does not include the use of analytics or pixels—which the courts have frequently found involve data exchanges with third parties for purposes beyond providing a service and which have been found sufficient to proceed past the motion to dismiss stage.[5]

If you have questions about whether your website collection procedures are compliant, or if you have received a threat or complaint about violation of the wiretapping statutes based on website technologies, please reach out to the Coblentz Data Privacy & Cybersecurity Team.

 

[1] See e.g., Hazel v. Prudential Financial, Inc., 22-cv-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

[2] See Licea v. Vitacost.com, Inc., —F.Supp.3d—, 2023 WL 5086893 (S.D. Cal. 2023).

[3] See e.g., Hazel, 2023 WL 3933073.

[4] See also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832-33 (N.D. Cal. 2021) (“[A]s a service provider, [third-party vendor] is an extension of [Defendant]. It provides a tool – like a tape recorder … that allows [Defendant] to record and analyze its own data in aid of [Defendant’s] business. It is not a third-party eavesdropper. As a result, [Defendant] is not liable for aiding and abetting [vendor’s] wrongdoing because there is no wrongdoing.”); Cody v. Boscov’s, Inc., ––– F.Supp.3d at ––––, 2023 WL 2338302, at *2 (C.D. Cal. 2023) (“Plaintiff must provide facts suggesting that [the vendors] are recording Defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to Defendant.”).

[5] Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023) (Data broker was not a party to internet users’ communications, for purposes of exemption from liability for wiretapping claims under the federal Wiretap Act and the California Invasion of Privacy Act, where broker allegedly tracked users’ browsing activities on websites other than its own to intercept their personal information and sell it to third parties.)

 

Office vacancies have caused the values of Bay Area commercial real property to significantly decline in 2022. The value of real property that is used to determine the property tax assessment for the 2023-2024 fiscal year (which runs from July 1, 2023 to June 30, 2024) is determined as of the January 1, 2023 valuation date.

Depending on the extent to which the value of your property has declined, it is likely that the assessed value of your property, as of January 1, 2023, is considerably lower than the value currently listed on the assessment roll. If a property owner requests a reduction, the Assessor has the authority to proactively change the assessed value of a property to recognize a decrease in value (a one-time Proposition 8 reduction). In addition, if a property owner disputes the assessed value, the owner can file an Appeal with the Assessment Appeals Board and receive an Administrative Hearing. The deadline for filing an Appeal in most counties is September 15, although a few are November 30.

Our tax partner, Jeff Bernstein, has extensive experience in property tax assessment matters, and has attained significant reductions in property tax valuations for many owners of commercial and multi-family residential properties. If a reduced valuation can be achieved, the property tax savings could be substantial.

Please contact Jeff directly (jbernstein@coblentzlaw.com) if you are interested in discussing your potential for a reduced property tax valuation.

A Comprehensive Look at New Developments in Labor and Employment Law

By Fred Alvarez, Hannah Jones, Stephen Lanctot, Allison Moser, Kenneth Nabity

Download a PDF version of this report here.

We are halfway through 2023 so it is a good time to look back on this year’s employment law developments so far and look forward to what lies ahead.

Our 2023 Mid-Year Labor and Employment Update provides a short overview of the legal changes that we are monitoring the closest and that we think our clients should be aware of. These changes include new laws, regulations, and decisions in the areas of workplace diversity programs, pay transparency, non-compete agreements, religious accommodations, non-disclosure and confidentiality restrictions, independent contractor relationships, whistleblowing, drug-free workplaces, and remote employee onboarding. We’ve also included our thoughts on “what now?” regarding each key legal development and potential ways to help mitigate employment law risk.

You can download the full report here. If you have any questions about any of the issues discussed in this mid-year update, please reach out to a member of the Coblentz Employment Team.