Postal Customer Council Flyer - Data Protection Lunch and Learn on November 14

Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration at 11:00AM – 11:45AM, followed by lunch and a seminar which conclude at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.

Image of interconnected web of people

Website Accessibility for Privacy Policies – California Consumer Privacy Act Regulations

Image Credit: Gordon Johnson from Pixabay

On October 10, the California Attorney General released proposed guidelines to implement the California Consumer Protection Act (CCPA), which goes into effect in January 2020. One of the provisions that surprised many was a new requirement that privacy notices given to consumers “[b]e accessible to consumers with disabilities” and “[a]t a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” [Note: the AG’s regulations are not final, and interested parties may submit comments about them before December 6, 2019 at a series of public hearings, by mail, or by email.]

The requirement to provide the privacy notice in a format that is accessible to people with disabilities is consistent with recent trends towards website compliance with the Americans with Disabilities Act (ADA). Whether out of a desire to advance equity or to comply with the spirit or letter of accessibility laws, we see more businesses and website operators making earnest attempts to make their websites accessible to the broadest audience possible.

Unfortunately, the AG did not provide very much guidance on how businesses could make their privacy notice or websites more accessible. Luckily, several organizations doing work in this area, including the W3 Web Accessibility InitiativeStanford Online Accessibility Program and Berkeley WebAccess, have put resources online for designers, developers and content creators.

While not exhaustive, the following is a list of fairly straightforward best practices distilled from other lists that businesses and website operators can implement to make their websites accessible to people with disabilities:

1.     Use headings correctly to organize the structure of your content

2.     Pay attention to color contrast

3.     Images should include alternate text in the markup/code; complex images should have more extensive descriptions near the image

4.     Provide transcripts for podcasts

5.     Websites with videos should provide visual access to the audio information through in-sync captioning

6.     Sites should consider using skiplinks

Millions of internet users have special needs, disabilities and impairments that make certain websites difficult or impossible to access and use. By designing your website with these challenges in mind, you can ensure that it is welcoming to as many users as possible.

Gold gavel on platform

California Attorney General Releases Proposed CCPA Regulations

Image Credit: 3D Animation Production Company from Pixabay

California Attorney Xavier Becerra unveiled highly-awaited regulations on October 10, 2019 to enforce the California Consumer Privacy Act, a sweeping new privacy law set to take effect on January 1, 2020.

The text of the CCPA proposed regulation is available here. As a few highlights, the proposed regulation:

  • Defines “categories of sources” and “categories of third parties” to include consumer data resellers, among other types of entities. This shows the Attorney General’s increased scrutiny on data brokers.
  • Requires privacy notices to “[b]e accessible to consumers with disabilities” and “[a]t a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” This is consistent with recent trends towards ADA website compliance.
  • Requires businesses to either (1) notify consumers of the sale of their data, if they collected the data from third party sources, or (2) confirm or receive signed attestations from the source describing how they provided a notice of collection.
  • Requires greater offline rights to notice and opt-outs of sale, for businesses that substantially interact with consumers offline.
  • Contemplates a button or logo opt-out in a modified version of the regulation.
  • Recognizes the security risks of providing specific pieces of information in response to a request, with requirements around verification of identity and security of transmission.

Individuals and businesses interested in shaping the final CCPA regulations can attend public hearings or send comments by mail or email to the following:

  • Email: PrivacyRegulations@doj.ca.gov
  • Privacy Regulations Coordinator
    California Office of the Attorney General
    300 South Spring Street, First Floor
    Los Angeles, CA 90013

The public hearing dates and locations are as follows:

Public Hearing DatesLocations
Sacramento
December 2, 2019
10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814
Los Angeles
December 3, 2019
10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013
San Francisco
December 4, 2019
10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102
Fresno
December 5, 2019
10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721

More information about the public hearings and proposed CCPA regulation is available on the Attorney General’s CCPA website.

File folders with a small lock in the corner

Will the CCPA and Other State Privacy Laws Face Constitutional Attack?

Image Credit: Pettycon from Pixabay

This article is Part 2 of 3 in a series exploring proposed federal privacy laws and constitutional concerns of privacy laws in the United States. Part 3 will discuss the constitutional challenges facing a proposed federal privacy law. 

In the first part of this series, we examined several federal privacy bills proposed this year, as Congress eagerly tries to pass a single harmonizing federal law. The issue of preemption continues to divide Republican and Democrat lawmakers, however, with the former in favor of an express provision allowing preemption stricter state privacy laws such as the CCPA and the latter largely against such a provision. 

Regardless of whether a federal law passes, with an express preemption provision, state privacy laws are still at risk of constitutional attacks. There are two primary ways that a state privacy law may be challenged: (1) invalidation under the Dormant Commerce Clause, and (2) invalidation under First Amendment grounds. State legislators contemplating the passage of their own privacy laws will need to consider these constitutional issues in the drafting phase, or risk facing opposition on constitutional grounds.

Dormant Commerce Clause

Extraterritoriality

Under the Dormant Commerce Clause, the doctrine of extraterritoriality invalidates state laws attempting to regulate commerce that occurs outside state borders. See Edgar v. MITE Corp., 457 U.S. 624, 642–643. Even if legislators did not intend a law to reach extraterritorially, that intention is not definitive of whether the law regulates commerce outside state borders. “The critical inquiry is whether the practical effect of the regulation is to control conduct beyond the boundaries of the State.” Healy v. Beer Inst., Inc., 491 U.S. 324, 336 (1989) (citing Brown-Forman Distillers Corp. v. N. Y. State Liquor Auth., 476 U.S. 573, 579 (1986)).

In evaluating a law’s extraterritorial reach, judges must also “[consider] how the challenged statute may interact with the legitimate regulatory regimes of other States and what effect would arise if not one, but many or every, State adopted similar legislation.” Healy, 491 U.S. at 336. The broad purpose of the Commerce Clause is to prevent one state from encroaching jurisdiction lines and imposing its own regulatory schema onto another state, and reducing onerous inconsistencies in legislation.

Therefore, the critical question becomes: does a state’s privacy law attempt to regulate commerce outside of state borders? 

Considering the nature of the internet—most likely yes. “The Internet is a decentralized, global communications medium linking people, institutions, corporations, and governments all across the world.” Am. Libraries Ass’n v. Pataki, 969 F. Supp. 160, 164 (S.D.N.Y. 1997). Given that the purpose of the Internet is to facilitate far-reaching communications between people and organizations across both state and country lines, a state’s privacy law will almost certainly regulate commerce outside state borders in practice, if not intentionally so. Many companies process data of internet visitors without gathering geolocation data. In such cases, rather than risk noncompliance, some businesses will ostensibly choose to comply with all state privacy laws regardless of the location of its customers. For instance, a small business located outside of California with minimal contacts with California consumers may have little choice but to comply with the CCPA if it has no idea where its users are located. Practically speaking, a state privacy law will invariably affect commerce outside state borders. 

Furthermore, the effects of privacy enforcement will be more apparent once more state and local governments pass their own privacy laws. The term “patchwork” is often used to describe state and local privacy laws today—but it could look even more disjointed. Theoretically, if every state passed its own version of California’s CCPA, then compliance with all 50 state privacy laws may not be feasible, if there are inconsistent instructions. Businesses already see this happening with state breach notification laws. Each law dictates its own special rules and thresholds for notifying the state Attorney General, state Department of Health Services, or other authority, as well as time to notification and contents of notification. 

Pike v. Bruce Church, Inc.

Even if a law may incidentally regulate extraterritorial commerce, that law may be justified when subjected to a balancing test weighing the burden of the law against a legitimate state interest. See Pike v. Bruce Church, Inc., 397 U.S. 137 (1970). In Pike, the Supreme Court held that a state law serving a legitimate interest is only invalid when “the burden imposed on [interstate] commerce is clearly excessive in relation to the putative local benefits.” Pike, 397 U.S. at 142.

The question then becomes: do the benefits to consumer privacy protection resulting from a state’s privacy law outweigh any burden on interstate commerce?

This is likely where the true battle will be fought. In 2017, the cost of privacy compliance for multinational companies ranged from $1.4 million to $21.6 million, with a median cost of $4 million per company. Predictably, a fair portion of these total costs include the price of compliance with a multitude of state and local privacy laws. Privacy compliance is a costly endeavor widely impacting organizational, operational, and technical business processes and will likely continue to grow in the next ten years. Despite these sky-rocketing costs, many opine that state privacy laws, even the most stringent laws like the CCPA, do not actually provide consumers with significant protection. There is much room for argument in this area and the balancing of interests will continue to shift as costs change and the benefits to consumers become more concrete.

American Libraries Association v. Pataki

The Dormant Commerce Clause has already been invoked to analyze the constitutionality of a state law regulating internet activity. In 1997, the U.S. District Court for the Southern District of New York overturned a state law prohibiting the online dissemination of content depicting “nudity, sexual conduct or sado-masochistic abuse” to minors. Pataki, 969 F. Supp. at 163. The plaintiffs to the action included content-providing library organizations and the ACLU, among others, who sought to enjoin enforcement of the law for fear of prosecution.

The limitation of this case is obvious—being only a federal trial court opinion, it cannot command precedent as mandatory authority. However, Pataki provides persuasive authority and a line of reasoning that other courts may adopt in the context of Internet regulation.

First Amendment

A court may also invalidate a state’s privacy law if it finds a violation of a speaker’s First Amendment right to free speech.

Judges examine the constitutionality of laws through several levels of scrutiny depending on the interests involved. For example, in the context of First Amendment rights, political and ideological speech is generally protected under the strict scrutiny standard. If the government regulates political or ideological speech, the government must show that the law is narrowly tailored to achieve a compelling government interest. However, judges examine laws regulating commercial speech—regarded as less important to protect—with intermediate scrutiny. Restrictions that are based on the content of speech or the identity of the speaker receive a “heightened” scrutiny—somewhere in between intermediate and strict scrutiny. Therefore, the type of speech that a privacy law purports to regulate will be very significant to the determination of which standard to apply, and by proxy, whether it is likely to be found constitutional or unconstitutional.

Finally, First Amendment jurisprudence not only protects the rights of speakers, but also the rights of listeners to access papers, information, and ideas. While individuals more frequently wield First Amendment law as a shield rather than a sword, some have argued for access to public court records using First Amendment law as a sword when those records are in danger of deletion due to privacy concerns. (For more in-depth discussion on the right to access public court records subject to a “right to deletion” or “right to be forgotten” request, please see Personal Privacy Should Not Outweigh Access to Public Court Records.)

Sorrell v. IMS Health Inc.

In Sorrell, a Vermont law prohibited the sale of pharmacy records (“prescriber-identifying information”) that tracked doctors’ prescribing practices to marketers of pharmaceutical and drug companies. The intended purpose of the law was to protect medical privacy. The Supreme Court struck down the law, finding it to be a content-based restriction of commercial speech because the law prohibited the disclosure of records for marketing purposes, but not for others, such as for research or educational purposes. Therefore, the Vermont law was subject to a heightened scrutiny standard. Under the heightened standard, the Court did not find the law necessary to protect medical privacy.

Sorrell is instrumental for the proposition that a state law’s limitations on who may receive data may lead the court to a finding that the law restricts speech based on content or speaker, leading to application of a heightened scrutiny standard. Notably, the dicta in the opinion also points to possible treatment of the processing and sale of data as speech worthy of First Amendment protections—not as conduct nor a commodity.

While federal lawmakers continue to debate over the provisions to be included in a federal privacy law, state legislators may themselves be deliberating over whether to pass a state privacy law as a gap filler. However, any state legislator should consider the above issues and work proactively to eliminate constitutional concerns through careful drafting.

Image of scale weighing human against law section code

Privacy Rights in Class Action Lawsuits – Should Putative Class Members Opt-In Before Their Personal Information Is Disclosed in California Consumer Privacy Act Litigation?

[Originally published in Orange County Lawyer Magazine, May 2019, Vol. 61 No.5.,by Lily Li and Matthew Wegner; Image Credit: kmicican from pixabay.com]

In 2020, the nation’s toughest data privacy law will take effect in California. The California Consumer Privacy Act of 2018 (CCPA) imposes harsh restrictions on companies seeking to sell consumers’ data, including statutory penalties for any breaches of data. This legislation was spurred by public outrage against the Facebook-Cambridge Analytica scandal and Equifax, Target, and Yahoo data hacks, and reflects a growing trend to protect consumer data privacy.

As with so many legislative and judicial movements in California—for example, the Save-On decision, which ushered in a wave of wage-and-hour class actions in the early 2000s, or Business & Professions Code section 17200, which before Proposition 64 was tacked-on to countless consumer class actions—the CCPA is likely to usher in a host of new class action litigation as plaintiffs (and their attorneys) seek to recover statutory damages for data privacy violations.

Continue Reading Privacy Rights in Class Action Lawsuits – Should Putative Class Members Opt-In Before Their Personal Information Is Disclosed in California Consumer Privacy Act Litigation?
1 2 3