Walsh Pizzi O'Reilly Falanga LLP

By: Peter J. Pizzi

The June 2018 California Consumer Privacy Act, which becomes effective in 2020, merits attention given the size and scope of the California economy and the pattern by which that state has served as a bellwether for all things digital. After all, California was early in passing a breach notification statute. Now, all 50 states have followed suit, leading to the current regulatory zoo that persists in the absence of an overarching federal breach notification statute. After an introduction to the California law, this article will focus on the constitutional challenges and other problems presented by the CCPA.

The CCPA marks the first attempt of any U.S. state to endow residents with strong rights regarding the collection and use of their data. With only a loose definition of “personal data” provided by this statute, businesses are on the hook for “any information that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked, directly or indirectly with a particular consumer or household,” and the statute clarifies that this definition, though broad, does not encompass any data publicly available. Some of the more interesting or relevant examples of personal data in accordance with CCPA include:

• Identifiers, such as name, Social Security number, account name, physical address, email address, or internet protocol address.
• Biometric information.
• Internet activity, such as browsing history, search history, or a consumer’s past interaction with a website.
• Geolocation information.

Further, any data regarding preferences, abilities, psychological trends, or attitudes deduced by any of these (or other related) means or their intersections is also protected and falls under the sweeping definition of “personal data.” The CCPA furnishes residents with a data collection opt-out privilege, meaning that California consumers will have the right to demand the cessation of collection and sale of personal data. To facilitate this privilege, compliant websites must feature a conspicuous and prominent link titled “Do Not Sell My Personal Information.” Minors, defined as those under 16, default to this opt-out setting and must request to opt-in to any data collection or sales. Data collection opt-out serves as the main thrust of the legislation, but other important highlights include:

• Disclosure of Use: Businesses are obligated to provide upon consumer request the personal information, categories, intended purpose(s) of collected personal information, and categories of third parties with access.
• Deletion Privilege: Upon request, a business must delete a California consumer’s personal information.
• Role of Attorney General: The attorney general will enforce the act and its provisions and has rule-making authority. In fact, the AG shares authority with private litigants but has the right to veto consumer litigation.
• Private Right of Action: Before the CCPA, in the event of a breach, consumers whose data has been exposed typically file claims under common law and state consumer protection statutes. However, with the passage of the CCPA comes a (vague) cause of action for data breach casualties. In the case of “exfiltration, theft, or disclosure” of personal information due to a business’ “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information,” the CCPA enables class actions that provide for $100-$750 per victim in damages.

Even though the statute does not seek blanket application to every California business and acknowledges such limited scope, applicability thresholds are low enough that many businesses will be impacted. If a business (1) exceeds $25 million in annual revenue, (2) derives at least half of its revenues from selling consumer data, or (3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices,” CCPA strictures will apply. This third clause will trigger mandatory CCPA compliance for many businesses, including gas stations, relatively small websites using Google AdSense, manufacturers, health clubs and restaurants that average more than 140 unique customers per day. The CCPA goes into effect January 2020, giving these and other businesses a mere 18 months to adopt compliance procedures and action plans.

Constitutional Questions

The constitutionality of the CCPA remains murky. Although the statute is rife with kinks to be sorted out and budding problems, none looms bigger than the First Amendment infirmities that lurk within its provisions. Back in 2011, the U.S. Supreme Court ruled in Sorrell v. IMS Health Inc.[1] that the Vermont law requiring “content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information” violated the First Amendment, despite Vermont’s stated public health intentions. The court opined, “the State cannot engage in content-based discrimination to advance its own side of a debate.” According to the Sorrell rationale, the CCPA’s mandatory disclosure requirement may infringe on commercial free speech precisely because it is so broadly applicable. The court in Sorrell distinguished the Health Insurance Portability and Accountability Act of 1996 because its compelled disclosures are narrowly crafted.[2]

Not only does the CCPA raise freedom of speech concerns, but the act also potentially conflicts with the commerce clause. This clause imparts Congress with the power “to regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” Since Chief Justice John Marshall considered the dormancy inherent in the commerce clause in Gibbons v. Ogden (1824), courts have long inferred from this statement the “dormant” commerce clause, which provides that state laws should not discriminate against or unduly burden interstate commerce. A compelling argument can be made in favor of a conflict between the CCPA and the dormant commerce clause, regardless of the actions of
other states.

Consider the hypothetical options: either (1) at least one other state enacts a data protection law which is not identical to the CCPA, or (2) no other state follows suit. Fleshing out this hypothetical scenario, if (1) holds, then any business processing consumer data in these two or more states must establish different compliance procedures for each state. Since data privacy laws mandate the ways consumer data can be collected, held and sold, businesses must ensure unceasing compliance to each state law. Unlike data breach laws that vary by state, which regulate the procedures and actions necessary in the event of a breach, data collection and privacy laws demand substantial commitments to specific infrastructure and operations. Thus, different state laws potentially mandating different data collection practices (or even practices that are at odds with each other) may pass the (admittedly) high bar sufficient to trigger dormant commerce clause concerns, since businesses could argue that such laws unduly burden participation in interstate commerce.

In the alternative case (2), the CCPA still arguably violates the dormant commerce clause. A business located outside California that predominantly does business outside the state (but does enough to trigger CCPA applicability) would have to completely overhaul its systems and procedures in order to comply. Given California’s economic scale and impact, many businesses will likely continue to do business with California residents and learn to deal with the regulatory load. The burden, however, may amount to “discrimination” in interstate commerce and trigger application of the commerce clause.

Further Problems

The CCPA suffers not only from constitutional concerns, but other challenges reflective of the haste by which it came into existence. The act includes contradictions, unclear language and half-baked solutions.

For instance, the CCPA “would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.” While the first clause of this statement suggests that businesses may not retaliate against consumers who choose to opt out by charging more, the second clause introduces a legal quagmire: How is reasonability to be determined, and moreover, what business would not argue that consumer data provides value?

The CCPA also “would authorize businesses to offer financial incentives for collection of personal information.” If businesses may “offer financial incentives,” does that not imply the right to charge different rates to different consumers, depending on their assertion of opt-out privilege? It remains unclear to what extent businesses may engage in privacy-based price discrimination, if a business may now require consumers to effectively pay for privacy, or how a business may treat a consumer that has elected to execute CCPA-granted rights.

More ambiguity lies with the CCPA’s establishment of a private cause of action. After alerting a business of his intention to file lawsuit, a plaintiff seeking to pursue CCPA claims must wait 30 days to provide the business with a limited window in which to “cure” the violation. Then, if the business “actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the plaintiff cannot earn statutory damages. What would it mean for a company to “cure” a data breach? Since consumer data has already been compromised, would a “cure” constitute future safeguards against such type of breach, or does this term mean to take a stronger stance that a “cure” indicates reclamation of the data from the hackers?

Substantial reliance upon the attorney general marks a third problem. Recognizing the haste with which the statute was drafted, California legislators provided the state attorney general with teeth to steer the CCPA in its desired direction. In doing so, lawmakers furnished the attorney general with rule-making authority and the right to veto consumer litigation, and they further encourage the attorney general to “solicit broad participation to adopt regulations,” including clarifying definitions or “adopt[ing] additional regulation as necessary to further the purposes of this title.” Such deference to the attorney general not only reflects the legislators’ fears of contradictions baked into the CCPA but stands as a problem in and of itself.

The CCPA’s broad scope stands as another roadblock to the act’s success. Although many associate data privacy, data collection, and data sales with internet companies, the CCPA makes no such limitation. As indicated throughout this article (but worth further emphasis), the provisions of the CCPA apply to any business meeting one of the three applicability thresholds. However, because of the association between “data collection” and “the internet,” many businesses with weak internet presences may shrug off the CCPA’s passage and provisions prematurely, and thus may find themselves wholly unprepared for or scrambling to comply with compliance measures when the CCPA rolls into effect in 2020. Moreover, given California’s substantial size and economy, many businesses select to have a presence in the state. The CCPA broadly applies to these businesses as well, upon meeting applicability requirements.

Conclusion

Attempting to follow the lead set by the EU’s General Data Protection Regulation and in reaction to a growing trend of data breaches, California hastily passed the Consumer Protection Act in a well-intentioned but poorly executed bid to protect its residents. Although enacted with the intent to protect the average person’s digital trail and endow citizens with certain data privacy rights, the act will have to hurdle substantial constitutional concerns. With only 18 months to set in place compliance procedures, businesses across the U.S. must expeditiously begin and continue to prepare for this data collection regulation — all while feverishly working to comply with the GDPR and still attempting to remain abreast of developments as other states flirt with data privacy legislation. The clock is ticking.

Author’s note:  Walsh 2018 Summer Intern Sabrina Solow contributed to this article.

For more information, please contact Peter Pizzi at (973)757-1100 or ppizzi@walsh.law.

By: Peter J. Pizzi

To facilitate more effective governmental response to data security threats against New Jersey residents, the State’s Attorney General Gurbir Grewal revealed on May 7, 2018 his plan to establish the Data Privacy & Cybersecurity (“DPC”) Section within his office. The DPC Section, composed of attorneys, is tasked with managing data privacy-related investigations and will act in concert with state agencies such as the State Police and the Division of Consumer Affairs.  In cases where the personal information of New Jersey residents has been collected without authorization and distributed or used, the DPC Section will pursue civil litigation. Under the state’s current breach notification law, and in line with breach notification protocol in virtually every other state, there is no private right of action, meaning that New Jersey residents victimized by a breach do not possess a civil cause of action against the entity which suffered the breach. Attorney General Grewal’s proposal, then, reflects a plan to protect the interests of New Jersey citizens by asserting claims on their behalf.

On his decision, Attorney General Grewal explained, “The Attorney General’s Office has long played a role in protecting our residents from cyber threats, but given recent developments, we realized that we needed to double down on those efforts. That’s why we are creating a new unit of attorneys dedicated to enforcing data privacy and cybersecurity laws. This unit will be tasked with making sure that we’re looking out for the interests of New Jersey’s residents whenever there’s a major data breach or improper use of customers’ online information.”

The announcement comes in the wake of the Facebook/Cambridge Analytica scandal, which affected an estimated 1.6 million Facebook users in New Jersey. With the hopes of compiling detailed voter profiles and selling this voter data to political campaigns, Cambridge Analytica in 2014 acquired private Facebook data on tens of millions of users and allegedly then used that data for purposes not permitted under the application program interface (API) agreement pursuant to which it obtained access to Facebook user data. Mark Zuckerberg, Facebook CEO, testified before Congress in April of 2018, fielding the ensuing questions surrounding Facebook’s lost control of colossal quantities of data. Since that time, many have grown disappointed with the company’s response, though its stock continues to reach new highs. In light of such recent events, New Jersey opted to create this new DPC Section within the Attorney General’s Office, and this group will assume responsibility for the Office’s current Facebook/Cambridge Analytica investigation.

Other states have felt the pressure mounting to address citizens’ growing privacy concerns post-Cambridge Analytica scandal and other large data breaches. For instance, the California legislature recently passed a bill that empowers internet users by requiring that users have the right to opt-out of the sale of their private information to third-parties. This bill has now become law, to be effective in January 2020. Other states may soon follow the lead of New Jersey and California.

The N.J. Attorney General’s Office reports successes in reaching settlements upon pursuit of N.J. residents’ data privacy rights. In the last five years, the Office has disclosed settlements relating to data incidents involving Horizon Health Care Services, app-developer Dokogeo, Inc., and Target, Inc. Hoping to build upon this record, the DPC Section intends to continue to enforce data privacy laws by holding violators responsible through affirmative civil litigation. Additionally, the DPC Section will also provide State Executive Branch agencies with legal advice surrounding cyber-related compliance.

Seeking to protect the personal information with which they have been entrusted and adhere to current regulatory laws, N.J. businesses must understand the consequences of a breach and how to comply with state and federal legislation. To implement suitable compliance practices, companies must first understand the types of personally identifiable information collected from their clients (e.g. individual’s name and Social Security Number, driver’s license number, and/or financial account number) and what needs to be protected. Internal policies, such as robust passwords, usage policies for laptops and mobile phones, secure disposal policies, and data encryption, should be enforced. Further, companies must comply with promises made to consumers or employees regarding privacy and security of personal information, and disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete.

The United States has no national uniform data breach notification standard, but 47 states, including New Jersey, have breach notification laws. New Jersey law mandates that all entities conducting business in the state with computerized “personal information” must disclose any breach to any residents whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. At the federal level, however, the Federal Trade Commission enforces privacy policies and challenges data security practices deemed “deceptive” or “unfair” to protect consumers’ personal information. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. Consumers and employees often pursue individual or class actions, but the challenge is to prove standing or “injury in fact” to sustain such suits.  While many theories are advanced –negligence, breach of contract, breach of implied covenant, breach of fiduciary duty, or alleging violations of state consumer protection statutes or the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, or Stored Communications Act – a plaintiff has standing only if she can substantiate allegations of (1) injury, (2) causation, and (3) redressability.

While no company is immune from the threat of a breach, the coup de grâce is not a data breach itself, but rather the mishandling of a breach once it occurs. In the worst-case scenario, the company should execute a pre-determined action plan prepared with the assistance of outside counsel to advise as to state and federal laws and litigation updates.

Author’s note:  Walsh 2018 Summer Intern Sabrina Solow contributed to this article.

For more information, please contact Peter Pizzi at (973)757-1100 or ppizzi@walsh.law. Walsh Pizzi O’Reilly Falanga LLP’s attorneys are available to discuss data breach preparedness, compliance, current law, and litigation, as well as related data-privacy topics. Firms are encouraged to evaluate their current cyber policies and applicable law to ensure that all sensitive information is kept secure and that a suitable action plan is in place in the event of a breach.

By: Peter J. Pizzi

Citing a violation of the Fourth Amendment, which protects U.S. citizens from “unreasonable search and seizure,” on June 22, 2018, the U.S. Supreme Court overturned the burglary conviction of Timothy Carpenter. Carpenter v. United States, 16-402 (2018). The Court opined that the location information culled from his phone service provider used in Carpenter’s conviction was inadmissible.

Casually logged by Carpenter’s wireless provider, this location data enabled prosecutors to establish Carpenter’s close proximation to a series of burglaries, thus helping jurors find sufficient evidence with which to convict. Crucially, prosecutors had obtained Carpenter’s historical cellphone location data by court orders—not a warrant, calling into question the defendant’s Fourth Amendment rights and his “reasonable” expectation of privacy in a digital age. With the reversal, the Court acknowledges an individual’s right to a “reasonable” amount of location privacy and confirms that a warrant is necessary to obtain an individual’s historical cellphone location data.

Modern society features a chronic and increasingly inescapable tethering to technology – and to cell phones in particular. Seeking to meet consumer demand for reliable, fast data use as demand for copious amounts of data rises and to remain competitive with other providers’ data speeds, cell providers build more cell towers. As the number of such towers increases, each cell tower consequently serves users in increasingly smaller areas. By design, each cell phone automatically connects to the nearest tower and triggers the creation of an entry with the wireless carrier denoting time and cell-site; these entries are known as cell-site location information (“CSLI”). As Mr. Carpenter allegedly participated in a series of armed robberies targeting RadioShack and T-Mobile stores, CSLI reflexively accrued and documented his relative whereabouts at specific times. While lacking the meticulous precision of a GPS, Carpenter’s CSLI data still proved accurate enough to assign blame by pinning him to the area near four of the burglaries, helping to secure an initial conviction.

The Fourth Amendment protects an individual’s right to a “reasonable” amount of privacy in the absence of a search warrant, which can only be issued with probable cause. Without a warrant, Carpenter argued, the location of his person as provided by CSLI fails the litmus test of reasonability. Pointing to the Fourth Amendment, courts have previously upheld an individual’s right to a reasonable amount of privacy in his physical movements. On the flip side, the third-party doctrine developed by the courts negates the expectation of privacy since a user’s phone contract itself explicitly gives consent to furnish the wireless provider (a third party) with records and information. Caught between conflicting precedent and with consideration of the implications of a digital age, the Supreme Court ruled 5-4 that Carpenter indeed possesses a reasonable expectation of privacy in his person, especially because CSLI reflects a comprehensive record of his location data that his provider assembled.

Chief Justice Roberts delivered the ruling of the Court, which Justices Ginsburg, Breyer, Sotomayor, and Kagan joined. He emphasized its narrow scope, subtly considering the implications of the Court’s decision as technology continues to improve, and explained, “When the Government tracks the location of a cell phone it achieves near-perfect surveillance as if it had attached an ankle monitor to the phone’s user.” Responding to the government’s plea for application of the third-party doctrine, Roberts writes, “The Government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years.” Justices Thomas, Kennedy, Alito, and Gorsuch each wrote their own dissenting opinions, revealing disagreement amongst the dissenters. Justice Kennedy, in his dissent which Thomas and Alito joined, argues that third-party precedent, in fact, does apply, declaring, “Customers like [Carpenter] do not own, possess, control, or use the records, and for that reason have no reasonable expectation that they cannot be disclosed pursuant to lawful compulsory process.” Because Carpenter did not make the property-based argument Gorsuch sought in order to revisit more broadly the third-party doctrine (and thus find it at odds with the Fourth Amendment, as he has indicated a desire to do), Gorsuch filed a dissent that followed a different argumentative arc.

The reversal shows that five justices, on this occasion and in this digital privacy sphere, were willing to read the Constitution as a living document, interpreting the rights provided all Americans through a modern-day lens and flex the applicability of the document to modern issues of technology and unprecedented capabilities of surveillance.  With the departure of Justice Kennedy, any predictions for the future based upon Carpenter amount to little more than conjecture.

Author’s note:  Walsh 2018 Summer Intern Sabrina Solow contributed to this article.

For more information, please contact Peter Pizzi at (973)757-1100 or ppizzi@walsh.law. Walsh Pizzi O’Reilly Falanga LLP’s attorneys are available to discuss this case and related cases.