Articles Posted in Consumer Law

California has enacted several laws to protect consumer privacy with one of the most significant being the California Consumer Privacy Act (CCPA) which was expanded by the California Privacy Rights Act (CPRA). These laws grant consumers various rights regarding their personal data, including, but not necessarily limited to, the right to request the deletion of their personal information. Here’s how these rights apply to deleting personal information from third-party websites:

Key Consumer Rights Under CCPA/CPRA

1. Right to Request Deletion (Under CCPA/CPRA)

Virtual Reality (VR) technology is rapidly transforming industries from entertainment and gaming to education and healthcare. As VR becomes more integrated into daily life, it also raises unique legal questions. In California, a state known for being at the forefront of both technology and regulation, various laws already impact VR technology, even though there are no VR-specific laws currently on the books. This article explores the key areas of California law that intersect with the use and development of VR, including privacy, data protection, consumer protection, and intellectual property.

Privacy and Data Protection Laws

Privacy is one of the most critical legal issues in VR, especially in California, which has some of the strongest privacy protections in the United States. Two major pieces of legislation stand out:

The genetic testing company, 23andMe, known for its popular DNA ancestry and health reports, is facing a class-action lawsuit following a data breach that resulted in the personal information of Jewish customers being exposed on the dark web.

The so-called “dark web” is the world wide web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user’s location. The dark web forms a small part of the deep web, the part of the web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web. The breach raises significant concerns not only about the security of sensitive genetic data but also the potential for this information to be exploited in harmful ways. This lawsuit underscores the growing need for robust cybersecurity measures in the genetic testing industry.

The Data Breach

In the digital era, where personal interactions, commerce, and even the way we perceive reality have migrated to online platforms, data privacy has become a paramount concern. Among the technology giants, Facebook, now rebranded as Meta, stands as a towering figure in the realm of social media and virtual reality. As the company’s influence expands, its data collection practices, utilization of pixel technology, and implications for wiretapping laws have sparked profound discussions about the balance between innovation and individual privacy.

The Meta Transformation

In October 2021, Facebook announced a significant rebranding effort, transforming itself into Meta. This rebranding signaled the company’s intention to shift its focus towards the metaverse—a digital realm where virtual reality, augmented reality, and interconnected experiences converge. This transition raises pertinent questions about data privacy within the metaverse, as these interconnected experiences often involve the seamless sharing of personal information.

The rapid growth of the internet and the widespread use of social media platforms have provided individuals with new avenues for communication, networking, and information sharing. However, the rise of the digital age has also brought about the concerning issue of internet cyberspace harassment. Online harassment encompasses various forms of abusive behavior, including cyberbullying, online stalking, revenge porn, hate speech, and other forms of malicious online activities. To combat this pervasive problem, lawmakers around the world have been enacting laws and regulations specifically targeting internet cyberspace harassment. In this article, we will explore the significance of these laws and regulations in addressing online harassment and ensuring a safer digital environment.

Defining Internet Harassment

Internet cyberspace harassment refers to the intentional use of digital platforms to harass, intimidate, threaten, or harm individuals or groups. It can take various forms, such as sending abusive messages, sharing explicit or defamatory content, spreading false information, or engaging in persistent online stalking. These acts of harassment can have severe psychological, emotional, and even physical consequences for the victims.

A business organization has legal responsibilities when it comes to data access, control, and management. The government has recently issued an opinion regarding disclosure requirements for the so-called “inferred data” which comprise of internally generated inferences within the context of a consumer’s right of access request. California Civil Code Section 1798.140(v)(1)(K) defines “inferred data” as inferences drawn from a consumer’s personal information to create a profile which reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

Under California Civil Code Section 1798.110(a)(1), consumers have the right to know the specific pieces of personal information a business organization has collected about them. The California Consumer Privacy Act (“CCPA”) did not address inferred data in its provisions and only implied that businesses should disclose personal data they collected from consumers. However, the Attorney General’s Office issued Opinion No. 20-303 to address whether business organizations that are subject to the CCPA should include inferred data when a consumer submits a Data Subject Access Request (“DSAR”). In short, with limited exceptions (e.g., trade secret protection), the answer was affirmative.

The question is whether inferred data elements fall under trade secret protection rules. In his opinion, the state Attorney General stated that the CCPA only mandates a business to share the product of its internal algorithms even though the algorithms themselves are protected trade secrets. In fact, internal algorithms fall under the classic definition of trade secrets because they’re not publicly accessible to competitors, they confer a competitive advantage, their secrecy is maintained from external disclosure. See California Civil Code § 3426.1(d)(2) for more information about trade secrets. In fact, trade secrets include customer lists, processes, and software or commercial methods. It is conceivable, and probably foreseeable that, a business may withhold inferences because they’re protected trade secrets but it has the burden of proof. So, in short, a business has two options when it comes to disclosing inferred data. First, it can fulfill the DSAR according to the most recent opinion and face the risk of exposing its internal algorithm. Second, it can withhold the data inferences and face the risk of receiving a non-compliance notice from the state Attorney General’s office.