Articles Posted in Consumer Law

A business organization has legal responsibilities when it comes to data access, control, and management. The government has recently issued an opinion regarding disclosure requirements for so-called “inferred data,” which consists of internally generated inferences, within the context of a consumer’s right of access request. California Civil Code Section 1798.140(v)(1)(K) defines “inferred data” as inferences drawn from a consumer’s personal information to create a profile which reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

Under California Civil Code Section 1798.110(a)(1), consumers have the right to know the specific pieces of personal information a business organization has collected about them. The California Consumer Privacy Act (“CCPA”) did not address inferred data in its provisions and only implied that businesses should disclose personal data they collected from consumers. However, the Attorney General’s Office issued Opinion No. 20-303 to address whether business organizations that are subject to the CCPA should include inferred data when a consumer submits a Data Subject Access Request (“DSAR”). In short, with limited exceptions (e.g., trade secret protection), the answer was affirmative.

The question is whether inferred data elements fall under trade secret protection rules. In his opinion, the state Attorney General stated that the CCPA only requires a business to share the product of its internal algorithms even though the algorithms themselves are protected trade secrets. In fact, internal algorithms fall under the classic definition of trade secrets because they’re not publicly accessible to competitors, they confer a competitive advantage, and their secrecy is maintained from external disclosure. See California Civil Code § 3426.1(d)(2) for more information about trade secrets. Trade secrets include customer lists, processes, and software or commercial methods. It is conceivable, and probably foreseeable, that a business may withhold inferences because they’re protected trade secrets, but it has the burden of proof. So, in short, a business has two options when it comes to disclosing inferred data. First, it can fulfill the DSAR according to the most recent opinion and face the risk of exposing its internal algorithm. Second, it can withhold the data inferences and face the risk of receiving a non-compliance notice from the state Attorney General’s office.

We’ve discussed how the states have passed privacy laws to protect their residents. We have also referenced the state and federal rules or regulations that are designed to promote transparency, security, accuracy, proper data collection, and accountability.

The Federal Constitution has not expressly mentioned the right to privacy. However, under Article I Section 1, the California Constitution has mentioned the “inalienable right to privacy” that is applicable to the government and private individuals. The courts have confirmed this fundamental right. In White v. Davis (1975) 13 Cal.3d 757, 774, the Supreme Court analyzed the facts and confirmed the right of privacy. In Hill v. National Collegiate Athletic Association (1994) 7 Cal.4th 1, 39, the Supreme Court outlined the following framework to decide whether there is a constitutional violation: (1) there must be a legally protected privacy interest; (2) there must be a reasonable expectation of privacy; and (3) there must be a serious invasion of privacy interest.

There is also a common law right of privacy. First, there is intrusion into plaintiff’s seclusion. Second, false light as a result of false and negative publicity. Third, public disclosure of private facts. Fourth, there is the commercial appropriation of plaintiff’s name or likeness without consent. The courts have also recognized negligence as a cause of action when the defendant fails or refuses to manage data in a reasonable manner. In other words, the defendant can be sued for failing to comply with the industry data management standards if it causes damages to the plaintiff.

We have briefly discussed some of the state and federal privacy laws that are applicable to consumers and commercial organizations. It is important to understand how personal information is being obtained and distributed by businesses. Personal information is also being obtained and distributed by bad actors – i.e., criminals who gain access to customer information through clandestine methods and sell the information for profit. This information can be extracted by using cookies, which are software programs that record the customer’s activities when visiting a website. Yet, a computer can be configured to not automatically accept cookies. Tracking software is also being used to follow and monitor the customer’s online activities. The Federal Trade Commission, which has the authority to bring legal action for unfair or deceptive trade practices affecting commerce, has prosecuted companies for their failure to properly disclose this information.

What are the federal privacy laws?

The Federal Constitution has implicitly granted privacy rights. The Fourth Amendment prohibits unreasonable searches and seizures. There has been a series of legal cases that have dealt with this provision in order to determine the definition of unreasonable searches and seizures. However, some courts have held that website monitoring programs that may reveal Internet Protocol or electronic mail addresses do not implicate the Fourth Amendment. The federal privacy laws that have been promulgated by the federal government include: (1) Driver’s Privacy Protection Act; (2) Electronic Communications Privacy Act; (3) Family Educational Rights and Privacy Act; (4) Fair Credit Reporting Act; (5) Fair Debt Collection Practices Act; (6) Federal Privacy Act; (7) Financial Services Modernization Act a/k/a “Gramm-Leach-Bliley Act;” and (8) Video Privacy Protection Act which grants consumers the right to opt-out from disclosure of their personal information and file a legal action if their rights are violated. Also, the Federal Identity Theft and Assumption Deterrence Act prohibits the production and possession of false or unauthorized documents or the usage of another person’s identity.

Part I: DMV Sale of Personal Information

A group has investigated and allegedly found that the California Department of Motor Vehicles has earned more than $50 million by selling personal information of drivers to third parties without consent. This data may include names, addresses, and registration information. The DMV claims on its website that it does not sell information to advertisers or marketers for advertising or direct marketing purposes. It also claims that:

Most information acquired by the DMV is subject to public inspection under Vehicle Code Section 1808. Other statutes, regulations or laws governing subpoenas, discovery for litigation, Public Records Act requests, and commercial requester accounts also apply to information gathered at this website. However, various provisions of law do prohibit or restrict the disclosure of certain electronically transmitted information such as social security numbers, residence addresses, and credit card account numbers. DMV also uses the information gathered on this website to help improve this website. For example, by tracking the number of website visitors, the date of visit, and the pages visited, DMV can balance resources so that the maximum number of visitors can obtain needed information. Additionally, by tracking what visitor software is being used (e.g. browser) DMV can avoid using features that visitors cannot view or use.

Internet spam violations have increased in the past years. For example, the spammers use the interconnected network of computers that links us together in the world to disseminate malware. The spammers also use the internet to send junk email that fills up email accounts and can be used to commit online fraud – e.g., identity theft.

Robocall violations have also increased in the past years. For example, the robocallers use the telephone systems to continuously call without proper authorization. They do not state their personal or business organization’s names. They call before or after the permissible time periods (i.e., before 8:00 am/after 9:00 pm). They call by using artificial voices or recordings. They may also use automated telephone equipment to make the phone calls.

What are the legal remedies?

Do you monitor what personal information companies access and store when you visit a website? Do you wish you had more ability to know what companies do with such data? In 2018, user data privacy rights have become a major topic for discussion. Starting with Europe’s enactment of the General Data Protection Regulation earlier in the year, and California’s passing of the Consumer Privacy Act, we have seen many changes in the online legal world. The trend continues, with internet giants now lobbying for a federal regulatory scheme, which would ease the number of laws they have to comply with if each state follows California and enacts its own user privacy legislation. In this blog, we will provide an overview of the recent changes.

After California passed a law this year, which grants consumers greater data privacy rights, there has been much backlash from technology giants.  Facebook, Google, Microsoft, and IBM are currently lobbying officials in Washington for a federal privacy law that would overrule California’s legislation.  These technology giants are hoping for such legislation to be passed through Congress, as the lobbyists would influence how the law is written, giving them discretion over their ability to use personal data and information.  Because federal law on such a matter would supersede state law, California’s user privacy law may become naught.

According to Ernesto Falcon of Electronic Frontier Foundation, a user rights group, the strategy of Facebook, Google, and Microsoft here is “to neuter California[‘s law] for something much weaker on the federal level.  The companies are afraid of California because it sets the bar for other states.”  As user data and information is such a key part of the business model of the social media companies – who use such information to sell advertisements – they want as much freedom as possible to collect and exploit such data.

For this week’s blog post, we will continue with the topic of recent Supreme Court decisions that are affecting the business, e-commerce, and internet world.  Specifically, we will discuss Ohio v. American Express, a case involving the Sherman Antitrust Act and major credit card companies.

In the United States, credit card use is composed mainly of four cards: Visa (45%), American Express (26.4%), MasterCard (23.3%), and Discover (5.3%).  In 2010, the government and 17 states sued American Express, Visa, and Mastercard, alleging that the credit card companies were unreasonably restraining trade and therefore violating the Sherman Antitrust Act.  The government claimed that the credit card companies’ “anti-steering provisions” suppressed competition from rival credit card networks. These anti-steering provisions were between the credit card companies and merchants, and prohibited merchants from “steering” cardholders at the point-of-sale to use cards with lower merchant transaction fees.  Notably, American Express charged the highest transaction fee for merchants.

In fact, both Visa and MasterCard settled with the government in a consent decree in 2011 to change their anti-steering provisions. American Express, however, continued to litigate up until the Supreme Court case was decided on June 25, 2018. American Express’s business model is different than most credit card companies, which generate revenue mainly from the credit portion of the transactions. It instead focuses on offering better rewards to consumers than other credit cards, typically attracting higher-spending, wealthier consumers. It then generates the majority of its revenue from merchant fees, arguing that higher merchant fees are justified by the higher spending clientele that it brings to merchants (AmEx also has a higher minimum spending amount for cardholders than other credit cards).

On May 30, 2018, the California State Senate voted to pass a bill that will ensure net neutrality on the internet in the State of California.  With the FCC’s repealing of Obama-era net neutrality rules going into effect on June 11, 2018, California’s bill will provide for continued net neutrality protection.  Officially known as Senate Bill 822, the senate passed SB 822 by a vote of 23-12.  The bill will next go to the State Assembly to be voted on by the end of August.  If the bill passes the Assembly, it must finally be signed by Governor Jerry Brown in order to become law.

If made into law, the bill will prohibit Internet Service Providers (ISPs) from manipulating internet traffic.  Net neutrality rules ensure that ISPs cannot slow down or block access to certain websites, or give some websites and content quicker access speeds than others.  Preventing willful alteration by ISPs of internet connections between devices and sources of content is the key focus of net neutrality rules.  SB 822 will also allow the state to supervise commercial interconnection deals between corporate customers and ISPs to ensure that corporate customers are not taken advantage of by ISPs’ dominant market power.  Interconnection arrangements typically occur between content providers such as YouTube and Netflix, and ISPs such as Spectrum or AT&T.

The net neutrality rules would also ban third-party paid prioritization, as well as application-specific differential pricing.  Paid prioritization occurs when content providers pay ISPs a fee in order to ensure that users have higher access speeds to their websites than competitors’ websites.  ISPs claim that preventing this business model may cause an increase in the price that consumers pay for internet service.  Differential pricing is when goods or services are offered at different price points to different consumers.  For example, a company such as Microsoft may charge a higher fee to corporate customers for Microsoft Office software than to a personal user who purchases the software for use at home.  Differential pricing comes into play in the net neutrality laws with regards to user access to applications, content, and platforms (ACP).

In general, internet commerce transpires on the national and international levels. Naturally, data protection is an important concern for private and public agencies. The European Union’s remaining members are currently working on another process to protect data, with the “General Data Protection Regulation” (GDPR) set to take effect next year. This differs from the previous Privacy Shield in some respects, as it is broader, expands beyond the European Union, and deals with any individual that may have a shred of a connection to the European Union. So, what is GDPR? What does it require? Also, what are the consequences for non-compliance?

What is the GDPR?

The GDPR grants the following as rights to a data subject (i.e., a user): breach notification; right to access a copy of personal data free of charge in electronic format; right to be forgotten; data portability, allowing transmission to another provider; privacy by design for systems; and data protection officers in cases where constant monitoring of data subjects on a large scale may occur, or for special categories of data regarding criminal convictions.

Spam, for those lucky enough to be unfamiliar with it, refers to those unsolicited commercial emails that often clutter up inboxes with offers of sales and services that range from the reliable to the questionable. Due to the issues presented to consumers, Congress, in its wisdom, enacted a law called the CAN-SPAM Act, and began enforcing it in 2004. First, what is the CAN-SPAM Act and what does it prohibit? Second, as a federal law, does the CAN-SPAM Act override, or preempt, those laws a state may already have in place? How can you tell if that may happen?

What is the CAN-SPAM Act?

The CAN-SPAM Act places prohibitions on transmission of any email that contains false or misleading headers or “from” lines. For example, a business that is not Facebook, and has nothing to do with Facebook, would be prohibited from sending an email with the subject “Your Facebook account has been compromised” or sending an email from www.facebook.com. In addition, this law places a requirement for three disclosures: (1) clear and conspicuous identification that the message is an advertisement or solicitation; (2) clear and conspicuous notice of the opportunity to decline to receive further commercial email messages from the sender; and (3) a valid physical postal address of the sender. This is done, in part, due to the interest of the legislation in helping consumers under the principle that they should not be misled and should have a right to say no to unsolicited commercial emails.