Thursday, November 19, 2020

What’s Changed in the CPRA? The California Privacy Rights Act of 2020

The California Privacy Rights Act of 2020 (CPRA) is the law now. With some exceptions, the CPRA expands the privacy protections afforded under the current California Consumer Privacy Act of 2018 (CCPA), giving consumers more rights over their personal information and requiring greater transparency and more obligations from businesses. Beyond new rights, the CPRA establishes a privacy enforcement agency, the California Privacy Protection Agency, the first state agency of its kind dedicated to privacy enforcement. The CPRA also reaches areas of digital privacy untouched by the CCPA, including dark patterns, behavioral advertising, and profiling.

In addition to these remarkable changes, the CPRA significantly amends existing rights and responsibilities presently enforced under the CCPA. The CPRA’s amendments serve to clarify ambiguous areas of the CCPA and better align the law’s text with its intent. By understanding these changes now, and not waiting until the new law takes effect, businesses will gain a leg up on meeting their existing compliance obligations under the CCPA while priming themselves for the future of privacy enforcement under the CPRA.

So, what’s new in the CPRA? A lot more than you think. Definitions are a good place to start. 

New Definitions

The CPRA adds new defined terms and clarifies existing ones.

New Terms Added

Among the new terms added in the CPRA – and not currently defined in the CCPA – are:

  • Consent
  • Contractor
  • Cross-context behavioral advertising
  • Dark pattern
  • Household
  • Intentionally interacts
  • Non-personalized advertising
  • Profiling
  • Security and integrity 
  • Sensitive personal information
  • Sharing

A few of these new terms warrant a closer look, in order of significance. 

Sharing. The most significant addition might be the inclusion of “sharing,” defined as the disclosure of personal information to a third party for purposes of cross-context behavioral advertising (itself a new defined term), also known as targeted or interest-based advertising. “Sharing” therefore includes activity commonly viewed as fitting the definition of a “sale” under the current CCPA, although this has been a gray area of the law. CPRA helps resolve this ambiguity by regulating the activity in its own right, and, as explained below, granting consumers identical rights as they have with regard to a “sale” of their personal information. A business that has sat on the sidelines during the initial months of CCPA enforcement and declined to call this type of sharing a “sale” is well-advised to treat it as such given that CPRA makes clear that consumers are entitled to have a say when their personal information is used for this purpose.

Contractor. Perhaps easily overlooked, “contractor” may not mean what you think it does. Under CPRA, a contractor is similar to a service provider in that a contractor is not a third party, and it is bound by a written contract limiting its use of personal information that a business discloses to it. However, rather than processing information on behalf of the business, a contractor is a person to whom the business makes personal information available for a business purpose. The significance of this seemingly subtle distinction is not immediately apparent. But the big takeaway is that the cast of characters under CPRA includes: the consumer; the business; service providers; contractors; and third parties. 

Sensitive personal information. One of the most significant changes in the CPRA is that it adds an entirely new category of personal information – sensitive personal information – the collection of which triggers the new rights and obligations described below. Sensitive personal information includes the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication), a consumer’s genetic data, racial or ethnic origin, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation, among others. This change brings California’s privacy law closer to the GDPR, which similarly recognizes a special class of highly sensitive personal data. 

Profiling. “Profiling” relates to automated processing of personal information used, for example, to analyze or predict aspects concerning a person’s performance at work, economic situation, personal preferences, and more. Like sensitive personal information, the regulation of profiling – which will be forthcoming as the CPRA only references, but does not establish, the new rules – would likewise conform California privacy law to more robust protections afforded by GDPR.

Dark pattern. Along with the newly defined term “consent” - a term relevant any time an opt-in is required, such as for selling or sharing the personal information of consumers under 16 years old - is the prohibition on obtaining consent through manipulation via the use of “dark patterns,” or user interfaces designed to impair user autonomy.

Changes To Existing Terms

In addition to adding new definitions, the CPRA amends defined terms that already exist in the current CCPA. Of these changes, the following are most significant.

Business. The thresholds for a business to be subject to regulation under the law would include buying, selling or sharing the personal information of 100,000 or more consumers or households. This amends - and relaxes - the previous threshold related to 50,000 or more consumers, and clarifies that (1) collection alone does not trigger this threshold, and (2) devices do not count toward the number of consumers, as they did under CCPA. Notably, the amended definition of “business” also expressly contemplates voluntary self-certification with – and agreement to be bound by – the CPRA for businesses that do not meet any of the threshold requirements. Self-certification might become a future badge of honor for businesses of all sizes – and consumers may come to expect compliance, regardless of annual revenue.

Business purpose. The CPRA’s amendments somewhat clarify the CCPA’s vague reference to “short-term, transient use” and add a new business purpose of “providing advertising and marketing services.” The new purpose expressly excludes cross-context behavioral advertising, meaning that such advertising is not considered a “business purpose” under the law.

Deidentified. The CPRA substantially revises this definition to specify that deidentified information cannot reasonably be used to infer information about, or otherwise be linked to, a consumer. The new definition also requires the business to publicly commit to maintaining and using the information only in deidentified form, and to contractually obligate any recipients to do the same.

Personal information. This definition is largely the same except that, as amended, it applies to information that is “reasonably capable of being associated with” a consumer, rather than merely “capable of being associated with” a consumer, which modestly narrows the definition by requiring a reasonable, not merely possible, connection between the consumer and the information. Practically speaking, however, this change is unlikely to have a big impact. The amended definition also, of course, includes the additional category of sensitive personal information described above.

Significantly, the CPRA excludes certain additional information from “personal information”:

  • Lawfully obtained, truthful information that is a matter of public concern. This exclusion appears to exempt speech protected under the First Amendment. 
  • “Publicly available” information excluded from the definition of “personal information” would include – in addition to information lawfully made available in government records – information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or through widely distributed media, or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

Under these new exclusions, it appears that a business would no longer need to disclose when it collects widely available information such as a consumer’s social media handle or online profile.

Sell. The definition of “sell” includes several changes, but the most notable is the removal of the service provider exception. That exception, however, no longer appears necessary, as the definition now pertains only to disclosures of information involving third parties – and therefore not to service providers or contractors. It is still not clear under the CPRA whether all disclosures of information to third parties necessarily constitute a “sale” of information. Arguably they would not, as the definition retains the requirement of “monetary or other valuable consideration.”

Service provider. Under CPRA, service providers can be legal or natural persons - a change from CCPA, which applies the term only to legal entities. The amended definition expressly precludes a service provider from selling or sharing personal information a business discloses to it – a change that harmonizes the law’s text with its clear intent – and prohibits service providers from combining information received from a business with the information they receive from another business or from the service provider’s interaction with the consumer. The amended definition, however, references future regulations that will allow for certain exceptions to this rule for limited business purposes.

New Rights

It’s no secret that the CPRA creates several new privacy rights for consumers. Here they are:

Right to Correct Inaccurate Information. This right is self-explanatory, but notably the law endeavors to balance the consumer’s right with burdens on businesses by simply requiring businesses to use “commercially reasonable efforts to correct the inaccurate information.”

Right to Access. This is actually a right that already exists under the CCPA - the right to know specific pieces of information a business has collected about a consumer - but the CPRA introduces the new “access” terminology, which helps distinguish a request for specific information from a general request for categories of personal information.

Right to Opt-Out of Sharing. Along with the new concept of “sharing” information for purposes of cross-context behavioral advertising is the consumer’s right to opt-out of such sharing.

Right to Limit Use and Disclosure of Sensitive Personal Information. Alongside the establishment of “sensitive personal information” is the consumer’s right to limit a business’s use of such information specifically where the information is used to infer characteristics about a consumer. This new right would not apply when a business uses sensitive personal information for purposes other than inferring characteristics.

New Responsibilities

The CPRA makes numerous changes to the compliance obligations of businesses. Here’s a rundown of the more meaningful ones.

Privacy Principles

  • Like the guiding principles of the GDPR, the CPRA injects certain reasonableness and proportionality standards into the law. Specifically, a business’s collection, retention, and disclosure of personal information must be necessary and proportional to achieve the intended purpose for collecting and processing it.

Notice at Collection

  • The CPRA clarifies that if a business involuntarily accesses personal information, it need not provide notice of that collection at or before the point of collection.
  • If a business collects sensitive personal information, it must disclose that fact.
  • A business must disclose not only the business purposes for which it collects personal information, but also the purposes for which it sells or shares it.
  • A business must disclose the length of time it intends to retain information collected, or, if not feasible to do so, the criteria used to determine the length of time.

Contractual Requirements

  • CPRA imposes obligations on businesses to have in place contractual agreements with not only service providers and contractors, but also third parties to whom the business sells, or with whom the business shares, personal information.
  • The law makes clear that a business generally will not be liable for any violations committed by these other parties if such agreements are in place.
  • The CPRA requires that the contract cover several grounds, including compliance with CPRA and granting the business the right to ensure that the service provider, contractor, or third party is using personal information in a manner consistent with the business’s obligations under the CPRA. In this way, the CPRA contemplates annual audits and similar automated or manual checkups by businesses.

Security Procedures

  • The CCPA currently includes a private right of action for security breaches and references definitions and rules set forth in a different part of the Civil Code – Section 1798.81.5. CPRA adds a new requirement for businesses that collect personal information: they must implement reasonable security measures to prevent unauthorized access or disclosure of personal information in accordance with Section 1798.81.5. This change more closely links the law’s affirmative requirements with the private right of action it establishes.

Handling a Request to Delete

  • Businesses are required to notify not only service providers and contractors, but also third parties, about deletion requests - triggering those parties’ obligation to delete information in their possession, and directing their service providers and contractors to do the same - unless it proves “impossible or involves disproportionate effort.”
  • The CPRA removes the general, catchall exception to deletion that currently exists under the CCPA at Section 1798.105(d)(9). Arguably, this exception was overbroad, unnecessary, and abuse-prone to begin with.

Handling a Request to Know

  • Under the CPRA, a business may comply with a consumer’s request to know when it seeks categories of information regarding collection by including such disclosures in its online privacy policy, so long as the information would be the same as for the requesting consumer. 
  • However, it does not appear that a business can satisfy its right to know obligations related to sharing and selling (if the business sells or shares personal information) via its online privacy policy only. The business must still respond to individualized requests.
  • In response to individual consumer requests, a business must disclose categories of third parties involved in selling or sharing, and also categories of service providers and contractors. This clarifies an ambiguous area of the CCPA, which appears to require that businesses categorize third parties only.

Handling Opt-Outs

  • As noted above, businesses that “share” information must respect the same consumer opt-out rights that exist for a “sale” of personal information under the CCPA. Relatedly, the CPRA also requires businesses to include a “Do Not Sell or Share My Personal Information” link on their homepage where consumers can exercise this right.
  • Similarly, a business that collects sensitive personal information must also provide a clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information.”
  • Significantly, the CPRA gives businesses an alternative manner of satisfying these “conspicuous link” requirements: they can allow consumers to opt-out through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism based on forthcoming technical specifications to be published by the Office of the Attorney General.

Exemptions

  • The CPRA adds new provisions permitting exemptions from the law where necessary to comply with court orders, subpoenas, and directions from law enforcement, including in emergency situations.
  • The CPRA clarifies how the exemption for the Fair Credit Reporting Act applies and adds an exemption for the Federal Farm Credit Act of 1971.
  • It also adds exemptions for discrete circumstances involving education information and where a business has incurred a financial expense in reliance on a consumer’s consent to create a physical object, like a yearbook, or where compliance with a request to delete or opt-out would not be commercially reasonable.
  • Importantly, the CPRA makes clear that the B2B exemption - which CPRA would extend to January 1, 2023 - would not apply to opt-out or non-discrimination rights.

Passage of the CPRA is sure to trigger a new set of compliance questions, such as how to meet CCPA obligations until CPRA is enforced, what to do until new regulatory guidance is issued, and how a business can navigate through differences in the two laws.

For training in CPRA, GDPR, or in any Privacy / Data Protection Laws across the world with certifications from CLC, email: info@cyberlawconsulting.com

Sunday, October 4, 2020

Brexit effect on UK data protection Laws & GDPR

The UK is coming to the end of the Brexit transition period with a resolution on the future relationship with the EU seemingly very far away. While a wide-ranging deal seems increasingly unlikely, it is still possible we will get a number of hastily organised last-minute sectoral agreements and in many ways, data protection would be a prime candidate for this kind of deal given that the UK has already made provision to continue with the current regime, at least in the short term. If, however, no deal is forthcoming, the UK will become a third country for GDPR purposes on 1 January 2021 (implementation day or ID). What does that mean?

The UK data protection regime from 1 January 2021

The UK has made preparations to adopt the GDPR to work as a piece of UK legislation in conjunction with the Data Protection Act 2018 (DPA18). The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on ID.

The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR. The responsibilities of controllers in the UK will not change and GDPR standards will continue to apply. However, the ICO has not sat on the EDPB nor participated in the GDPR consistency mechanism since the date of the UK's exit from the EU.

The extraterritoriality of the UK's data protection framework will continue to apply. This means controllers or processors based outside the UK processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour, will be caught. Crucially, this includes controllers and processors based in the EEA.

The impact of the UK sitting outside the EEA without an adequacy arrangement will be felt in a number of areas.

Data exports/imports under GDPR

From ID, the UK becomes a 'third country' for the purposes of transfers of personal data from the EU.

Under the GDPR, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals rights and protections equivalent to those they enjoy in the EU. Countries which are considered to have a data protection regime providing a level of protection equivalent to that in the EU may benefit from a Commission adequacy decision, which allows the free flow of personal data from the EU. Currently, 12 jurisdictions (including the Channel Islands) have adequacy decisions. South Korea is currently being assessed.

While the UK will start from a position of alignment with the EEA on data protection, the EU has expressed some reservations which could prove a stumbling block to adequacy. Concerns have been heightened following the publication of the UK's National Data Strategy which hinted the UK might depart from the GDPR in future and followed Boris Johnson's statement in February 2020 that the UK would seek to establish "sovereign controls" in data protection. Scrutiny will focus on the UK's arrangements for sharing data with the USA under the Access to Electronic Data for the purpose of Countering Serious Crime agreement, and on onward transfers to the US more generally. The EU is also concerned about potential access to EU data by UK law enforcement and national security agencies, an issue highlighted in the recent CJEU decision in Privacy International.

If there is no adequacy decision, a number of other data transfer mechanisms can be used, principally the EC's standard contractual clauses (SCCs), or Binding Corporate Rules (BCRs). There are other limited options but these are not usually available for regular transfers.

Data exports from the UK to the EEA

On ID, the EEA countries will become third countries with regard to exports from the UK. Under the Regulations, the UK government has done what it can to preserve the free flow of personal data from the UK to the EEA. The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.

Data exports between the UK and EU-adequate countries

The UK has confirmed that it has secured agreements with eleven of the twelve EU-adequate jurisdictions to preserve the free flow of personal data from them to the UK. This covers Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Negotiations with Andorra are ongoing.

Data exports from the UK to third countries outside the EEA

Again, the Regulations provide reassurance in this area by essentially preserving the effect of existing mechanisms:

  • The effect of existing EU adequacy decisions will be preserved on a transitional basis.
  • SCCs previously issued by the Commission will continue to be an effective basis for international data transfers from the UK in a no-deal scenario, so organisations which transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. The ICO will have the power to issue new SCCs after ID.
  • Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO, which allow data to flow from the UK within a group, will continue to be recognised in domestic law. The ICO will have the power to authorise new BCRs after ID.

Onward transfers of data originating in the EEA could be more problematic as flow-down of EEA protections will be required.

Data transfers from the UK to the US

The Regulations provide for the effect of the EU-US Privacy Shield to be preserved with respect to UK personal data flowing to the US. However, the CJEU struck down the Privacy Shield in July 2020, a decision which applies to the UK under the terms of the transition period.

The UK will, in theory, be able to re-instate the Privacy Shield after ID, but if it does, it puts a future adequacy arrangement with the EU at risk given the concern about onward transfers. It is currently unclear whether or not the UK is likely to reach its own agreement with the US.

In the meantime, the Schrems II judgment cast doubt on all methods of data transfer from the EEA to the US and, by extension, from the UK to the US. This is a complex and developing area.

EEA to UK data transfers

The UK cannot unilaterally provide for the free flow of personal data from the EEA into the UK, so these are the data flows most at risk. Those relying on such transfers will need to enter into one of the approved data transfer mechanisms in the absence of an adequacy decision. The most likely candidate, being the easiest to arrange, is Standard Contractual Clauses (SCCs), which should be in place by ID.

There are a number of potential issues with SCCs. They do not always match the data flow situation and cannot be used for processor-to-processor transfers (although the EC hopes to have new SCCs in place by the end of the year). Another concern is that, following the CJEU judgment in Schrems II, exporters and importers are now required to assess whether the importing country allows its intelligence and law enforcement agencies access to EU data in a way that would not adequately protect it by comparison with EU standards. In theory, as the UK was until recently an EU Member State, the level of protection should be adequate, but concerns have been raised that the UK regime is too intrusive and puts EU data at risk – something often cited as a potential stumbling block to the UK obtaining an adequacy arrangement, and reinforced by the recent CJEU decision in Privacy International.

Whatever the pros and cons of the various transfer mechanisms, the message to take away is that something needs to be in place from ID in order to preserve the free flow of personal data from the EEA to the UK, unless there is a last-minute deal on personal data flows.

What happens to current or pending BCRs?

The EDPB produced an information note on the impact of a no-deal Brexit on BCRs which have the ICO as their Lead SA. As the ICO will no longer play a part in the BCR community in the event of a no-deal/no-adequacy ID, organisations headquartered in the UK will need to identify the most appropriate SA for BCRs under the Article 29 Working Party Opinion 263. Groups which currently have an application for BCRs pending with the ICO will also need to go through this exercise, and the newly nominated SA will take over the application from the ICO. Where the ICO has approved an application which is before the EDPB for approval on ID, a new Lead SA will have to be identified and will re-submit the application to the EDPB for approval. An organisation relying on EEA regulator-approved BCRs covering the UK will need to update them so that the UK is listed as a third country outside the EEA.

All Brexit-related changes to existing BCRs need to be made before the end of the transition period in order for data flows to be able to continue without interruption from 1 January 2021.

Representatives

It's not just data exports/imports which are an issue. Businesses will also need to consider whether they have to appoint a representative in a third country jurisdiction. Under Article 27 GDPR, controllers and processors not established in the EU are required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. With the UK outside the EU, businesses with establishments in the UK but not in the EU may be caught by Article 27 from ID.

Similarly, the UK GDPR replicates Article 27 so that controllers and processors not established in the UK (including those in the EEA) will be required to appoint a representative in the UK unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale.

The location of your Lead SA and DPO

One of the long-heralded advantages of the GDPR is the 'one-stop shop' regulatory regime for organisations processing personal data across the EU. The UK will no longer be able to participate in this after ID (which means that businesses which currently have their Lead SA in the UK will need to consider the location of a Lead SA in the EU). They may also want to consider whether they need a DPO based in the EU. 

Check your contracts

However you decide to handle the issue of Brexit, it is important to check that any existing contracts and terms and conditions match your intentions. This is particularly the case for data transfer agreements or data processing agreements.

Don't forget that whatever lawful basis you rely on to export and/or import personal data, you may also need a data transfer agreement or data processing agreement. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer.

Existing agreements, policies and terms and conditions may need to be amended or replaced if, for example, you decide to change the location of your DPO or your Lead SA, or, perhaps the law under which the contract is governed (to jurisdiction in the EU). You will also need to ensure that there is appropriate provision made for the initial and onward transfers in accordance with GDPR and UK GDPR requirements, especially as the first transfer may no longer be one envisaged by the relevant contract or terms and conditions. 

Other resources

The UK's ICO has published guidance for businesses and SMEs on preparing for a no-deal Brexit on ID. This includes a 'six-step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. It also covers methods of preserving data flows and looks at when a business might need to appoint a representative in the EU. 

Friday, October 2, 2020

CCPA Cases 2020

Atkinson et al v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal.)

Date Filed: June 11, 2020

Cause of Action / Trigger of Claim

Suit against Minted.com arising out of an April 2020 data breach that resulted in the exfiltration of 73.2 million records that included passwords, names, email addresses, and other information. Complaint alleges a violation of § 1798.150 by defendant’s failure to prevent the unauthorized access and exfiltration, theft, or disclosure of class members’ non-encrypted PII.

Claims for Relief

Plaintiffs and class members seek injunctive or other equitable relief to ensure the defendant safeguards customers’ PII in the future. Plaintiffs will also seek statutory damages if the defendant “cannot cure the data breach within 30 days.”

Status

Pleadings


Alma Fidela Cercas et al v. Ambry Genetics Corp., No. 8:20-cv-00791 (C.D. Cal.)

Date Filed: April 27, 2020

Cause of Action / Trigger of Claim

Suit against a clinical genomic diagnostic company arising out of a January 2020 data breach that resulted in the exposure and exfiltration of sensitive personal and medical information of more than 232,200 patients. Defendant began notifying affected patients in April 2020.

Claims for Relief

Plaintiffs seek injunctive relief, and under § 1798.150(b)'s written notice to defendant provision, plaintiffs state “If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.” 

Plaintiffs claim defendant violated § 1798.150(a)'s prohibition of unauthorized access and exfiltration, theft, or disclosure of PII.

Plaintiffs also bring various claims for violations of California Confidentiality of Medical Information Act, California Medical Records Act, California UCL, negligence, and unjust enrichment.

Status

Pleadings


In Re: Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal.)

Date Filed: April 24, 2020

Cause of Action / Trigger of Claim

Claims arise out of a Vice Media report detailing unauthorized sharing and data vulnerabilities of Zoom. The claims specifically allege that Zoom collected personal data in the form of unique advertiser identifier data and shared that data with third party operators such as Facebook and LinkedIn without notifying consumers or giving them the right to opt out.

Buxbaum v. Zoom also tries to characterize the sharing of information as a data breach or “exfiltration” under §1798.150 alleging: “[b]y allowing user names and passwords to be exfiltrated, Zoom violated the CCPA.”

Under § 1798.100(b), Plaintiffs gave written notice of the alleged violations, requiring Zoom to “cure” the alleged violations within 30 days.

Plaintiffs claim that the Defendant violated:

  • § 1798.100(b): Failure to provide adequate notice
  • § 1798.150(a) and § 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • § 1798.150: Data breach or exfiltration violation

Plaintiffs also bring various claims for violations of the UCL and CLRA and for negligence, invasion of privacy, and unjust enrichment.

Claims for Relief

  • Injunctive Relief
  • Declaratory Relief
  • Attorneys’ Fees

Status

Pleadings


Sweeney v. Life On Air, et al., No. 20cv742 (S.D. Cal.)

Date Filed: April 17, 2020

Cause of Action / Trigger of Claim

Claim against Houseparty, a video chat and social media app, alleges that the company shared PII (including personal identifiers, IP addresses, time zone details, phone carrier, device information, and unique advertiser identifier (“IDFA”)) with Facebook and other third parties without notifying users or giving them the option to opt out. Similar to the operative facts in the Zoom cases, the complaint focuses on the use of Facebook’s software development kits (“SDKs”).

Plaintiff claims that the defendant violated:

  • 1798.100(b): Failure to provide adequate notice of collection, use or sale of PII
  • 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • 1798.135(a)(1): Failure to provide a clear and conspicuous “do not sell my personal information” link on webpage
  • 1798.135(a)(B)(6): Failure to keep PII private

Claims for Relief

Plaintiffs seek injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA, as well as actual damages.

Status

Pleadings


Rahman v. Marriott International, No. 20-cv-00654 (C.D. Cal.)

Date Filed: April 3, 2020

Cause of Action / Trigger of Claim

Cal. Civ. Code § 1798.150(a)(1)

The CCPA provides consumers with the right to institute a civil action where the consumers’ “nonencrypted and nonredacted personal information” was the subject of “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

This action arises out of a cybersecurity breach affecting 5.2 million consumers. Marriott announced the data breach on March 31, 2020 and sent e-mails to affected customers.

Claims for Relief

  • injunctive relief
  • enjoining Marriott from continuing to violate the CCPA
  • requiring Marriott to employ adequate security practices consistent with law and industry standards to protect class members’ personal information
  • requiring Marriott to complete its investigation
  • issuing an amended statement to the public and affected guests that is not evasive and contains no equivocations (e.g., phrases such as “may have,” the investigation is “ongoing,” “no reason to believe,” etc.) and to instead confirm and confess, with certainty, what categories of data were stolen and accessed without class members’ authorization, how the data breach occurred, and what specifically occurred to cause the breach

Status

Pleadings


Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.)

Date Filed: March 10, 2020

Cause of Action / Trigger of Claim

Sensitive PII including medical information of patients of a drug and alcohol rehabilitation center was searchable, findable, viewable, and downloadable by anyone with access to an internet search engine. The breach occurred for a period of almost 30 months from March 2017 to September 2019, and the company put up a public notice in January 2020.

The CCPA is mentioned towards the end of the pleadings as Count X (it occupies less than a page, so it does not appear to be a significant part of this lawsuit).

Defendant violated CCPA by subjecting the nonencrypted and nonredacted Personal and Medical Information of Plaintiff and Class members to unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information. Cal. Civ. Code § 1798.150(a).

Claims for Relief

  • Injunctive relief
  • Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.

Status

Pleadings


In Re Ring Litigation, No. 2:19-cv-10899 (C.D. Cal.)

Date Filed: February 18, 2020

Cause of Action / Trigger of Claim

Ring is a provider of smart security devices, notably a video surveillance doorbell. Ring disclosed users’ PII to unauthorized third parties. The PII included names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from customers’ devices.

The CCPA is mentioned at the very end of the pleadings as the final (8th) cause of action (it occupies less than a page, so it does not appear to be a significant part of this lawsuit).

Plaintiff claims that the defendant violated:

  • Cal. Civ. Code § 1798.100(b): Use of PII without providing notice.
  • Cal. Civ. Code § 1798.120(b): Failure to provide notice to consumers regarding their right to opt out.

Claims for Relief

  • Injunctive relief
  • On behalf of Class members, Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations

Summary of the Claim

  • Ring devices used third-party trackers and disclosed a plethora of user PII to four analytics and marketing companies. Ring devices did not follow industry standards and did not require even basic measures such as two-factor authentication to use the devices.
  • Users’ reasonable expectation of privacy was violated by the failure to provide adequate security and by the disclosure of private and personal information to unauthorized third parties without consent.
  • The PII shared included time zone, device model, language preference, and unique identifiers, in addition to sensor data, exposing Plaintiffs to risk.
  • Ring was negligent and breached its duty of care by ignoring consumer complaints as well as implied contracts of privacy with consumers.
  • Ring’s video doorbells were not fit for merchantability, as they were not secure and could easily be accessed by third parties.
  • Ring was unjustly enriched by selling its products to consumers.
  • Ring violated the CCPA by collecting PII without providing notice to consumers and by not providing consumers with an option to opt out.

Status

Pleadings


In Re: Hanna Andersson and Salesforce.com Data Breach Litigation, No. 20-cv-00812 (N.D. Cal.)

Date Filed: February 3, 2020

Cause of Action / Trigger of Claim

Personally Identifiable Information (PII) of Hanna Andersson customers was scraped by malware on the Salesforce cloud-based platform used by the company. Stolen PII included customers’ names, addresses, credit card numbers, credit card expiration dates, and CVV codes.

Law enforcement found the stolen information on the dark web and informed Hanna Andersson of the breach, which occurred from September 16, 2019 to November 11, 2019.

Claims for Relief

Plaintiffs claim a violation of California’s Unfair Competition Law and seek the following relief:

  • Class Action Certification
  • Enjoin Defendants from engaging in inadequate protection of Plaintiff’s PII
  • Defendants provide funds for Credit Monitoring of all class members
  • Compensatory, statutory, and punitive damages
  • Equitable relief and restitution of revenues retained by Defendants as a result of wrongful acts
  • Legal fees and costs of Plaintiffs

The CCPA is only mentioned incidentally:

“… (iv) deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.);” …

“Whether Defendants violated California’s California Consumer Privacy Act by failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.”

Summary of the Claim

Hanna Andersson (a retailer of high-end children’s apparel) and Salesforce (a provider of cloud-based services) both failed to:

  1. adequately safeguard PII of users
  2. warn users of inadequate information security practices and
  3. effectively monitor their platforms for security vulnerabilities and incidents.

Defendants’ conduct amounts to negligence and violates several California statutes.

At least 10,000 California residents and multitudes nationwide were affected by the breach.

Some of this information is still being sold on the dark web and poses a lifetime risk of identity theft to users of Hanna Andersson.

Status

Pleadings


Shadi Hayden v. The Retail Equation, Inc., et al, No. 8:20-CV-01203 (C.D. Cal.)

Date Filed: July 7, 2020

Cause of Action / Trigger of Claim

Claim against Sephora USA, Inc., and The Retail Equation, Inc., alleging the sharing of consumer data collected for a consumer report and “risk score” used to advise Sephora whether attempted product returns and exchanges are fraudulent. Complaint alleges that Sephora shared PII, specifically customers’ name, date of birth, race, sex, photograph, street address, and zip code with the Retail Equation to create the reports and “risk scores” without their knowledge or consent. Complaint alleges Defendants unlawfully invaded Plaintiff’s and Class Members’ right to privacy under sections 1798.100(b), 1798.110(c), and 1798.115(c) of the CCPA.

Claims for Relief

Plaintiff seeks an order that Defendants are permanently enjoined from their improper conduct and practices as alleged, a judgment awarding appropriate monetary relief, and costs associated with the action, including attorneys’ fees and expenses.

Status

Pleadings


Flores-Mendez et al v. Zoosk, Inc., No. 3:20-cv-4929 (N.D. Cal.)

Date Filed: July 22, 2020

Cause of Action / Trigger of Claim

Claim against Zoosk, Inc., an online dating company, arising out of a May 2020 data breach in which 30 million user records were subject to unauthorized access. The customer information disclosed in the data breach included a combination of individuals’ names, email addresses, dates of birth, demographic information, gender, and password information.

Complaint alleges a violation of § 1798.150 by Defendant’s failure to prevent the unauthorized access and exfiltration, theft or disclosure of Class Members’ PII.

Claims for Relief

Plaintiff and Class Members seek declaratory, injunctive, and other equitable relief necessary to protect their PII, including, but not limited to, an order compelling Defendants to adopt reasonable security procedures and practices to safeguard customers’ PII and prevent future data breaches.

Status

Pleadings


P. et al v. Shutterfly, Inc., No. 4:20-cv-04960-KAW (N.D. Cal.)

Date Filed: July 23, 2020

Cause of Action / Trigger of Claim

Claim against Shutterfly, Inc., arising out of Shutterfly’s use of facial recognition technology to extract biometric identifiers associated with minors’ faces from user-uploaded photographs. The complaint further alleges that Shutterfly subsequently stored this biometric information of users and non-users in its database.

Complaint alleges a violation of § 1798.100(b) by Defendant’s failure to disclose the personal information of minors it collects and not giving consumers the right to decide whether their personal information is collected or have their information deleted.

Complaint also alleges a violation of § 1798.150 by equating the disclosure of minors’ nonencrypted and nonredacted personal information to other companies as a data breach.

Claims for Relief

Plaintiff seeks an order declaring that Defendant’s conduct violates the CCPA and requiring Shutterfly to cease alleged unlawful activities, in addition to an award of damages.

Status

Pleadings


Brekhus et al v. Google LLC and Alphabet Inc., No. 5:20-cv-05488 (N.D. Cal.)

Date Filed: August 7, 2020

Cause of Action / Trigger of Claim

Complaint against Google and Alphabet arising out of allegedly false representations by Google to consumers that it would not record or process conversations or other audio picked up by voice-activated hardware devices unless users say a specific activation phrase. Plaintiff and Class Members allege that information picked up through these devices included recordings of communications and activities inside users’ homes.

Complaint alleges a violation of § 1798.100 by failing to inform Plaintiffs that Google would collect categories of personal data beyond those that Google had identified in its Privacy Policy as being subject to collection. Complaint further alleges that Google’s inability to implement and maintain reasonable security procedures and practices violated § 1798.150 since it subjected the Plaintiffs to a scheme whereby Defendants gained unauthorized access to their private information.

Claims for Relief

Plaintiff and Class Members seek an order enjoining Defendants from continuing to violate the CCPA.

Status

Pleadings


Guzman v. RLI Corp, et al., 2:20-cv-08356 (C.D. Cal.)

Date Filed: September 10, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from an alleged data breach by RLI, a federal surety company that contracts with an immigration bail bond company, when it failed to redact respondents’ personal information (dates of birth, SSNs, addresses, and the names and contact information of family members, including minor children) in PACER filings.

Complaint alleges violations of § 1798.100(b) and § 1798.115(d) for failing to inform the proposed California Sub-Class of the collection of their personal information and sharing access to that personal information with third parties in violation of § 1798.110(c).

Plaintiffs also allege a violation of § 1798.150(a) because the PACER filing failed to prevent nonencrypted and nonredacted personal information from unauthorized disclosure.

Claims for Relief

Plaintiffs seek actual, punitive, and statutory damages, attorneys’ fees and costs, and any other relief the Court deems proper as a result of RLI’s alleged CCPA violations.

Status

Pleadings


Stoffers v. Dave, Inc., et al., 20STCV35381 (L.A. Superior Court)

Date Filed: September 16, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from a July 2020 data breach of users of Dave, an application that monitors bank accounts and notifies users when their expenses are likely to exceed available funds. The hack allegedly accessed personal information, including names, emails, birth dates, physical addresses, phone numbers, and encrypted social security numbers of over seven million individual user records, and then posted the entire database on a hacker forum.

Complaint alleges a violation of § 1798.150(a) for the exfiltration, theft or disclosure of users’ PII. Complaint also alleges violations of § 1798.81.5(c) for failure to require the third party handling the users’ PII to implement and maintain reasonable security procedures and processes.

Claims for Relief

Plaintiffs seek actual damages, injunctive relief, including public injunctive relief, and declaratory relief, and any other relief as deemed appropriate by the court.

Status

Pleadings


Deborah Wesch v. Yodlee Inc., et al, No. 3:20-cv-06534-AGT (N.D. Cal.)

Date Filed: September 17, 2020

Cause of Action / Trigger of Claim

Proposed class action against Yodlee, a financial data aggregator, alleging that the company used its API to access the Plaintiff’s bank account and sensitive personal data without her knowledge or consent when she used her PayPal account.

Complaint alleges a violation of § 1798.100(b) for failure to give notice that the business was allegedly collecting personal information.

Claims for Relief

The CCPA is not pleaded as a cause of action, but rather as an example of how the Defendant’s alleged “failure to disclose violates several privacy laws.”

Complaint seeks relief for violation of the Stored Communications Act (18 U.S.C. § 2701); the Computer Fraud and Abuse Act (18 U.S.C. § 103); California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200); California’s Comprehensive Data Access and Fraud Act (Cal. Pen. Code § 502); California’s Anti-Phishing Act of 2005 (Cal. Bus. & Prof. Code § 22948.2); Unjust Enrichment, and Common Law Invasion of Privacy.

Status

Pleadings

Sunday, September 13, 2020

Cyber Security Threats in Online Schooling or Colleging

With all the talk about washing hands, students need to also think about how to practise good cyber hygiene using encryption, VPNs, software updates and password management. Software that takes over a device can expose the user to spyware, malware or data exfiltration that can compromise health and personal information, or academic research and intellectual property in a competitive field.

With more teachers and students online, particularly if they are doing it from less controlled environments outside the school, the attack surface of the school community increases. Schools and universities tend to be quite careful about intrusion detection and about putting up fairly sophisticated access controls.

Threat from Zoom Video meetings

Video-teleconferencing platform Zoom has had security and privacy issues, prompting the Indian Government, and later even New York’s Department of Education, to ban its use as a digital classroom. Singapore banned teachers from using Zoom after hackers crashed sessions, sharing obscene images and making lewd comments. Yet in India, schools and colleges that charge their students considerable fees still use the free version of Zoom, putting a student’s whole family at privacy risk.

Hijacking control of Zoom calls is also called “Zoom-bombing.” In Chandigarh, a science teacher was about to begin a lecture on the reproductive system for her Class X students over the video conferencing app Zoom. The teacher had recently learned how to use the app from her son. After about 45 students had joined the session, the teacher locked the conference room and stepped out to do a final audio and video test on her son’s computer. While she was away, a pornographic movie began playing on the screen, shared from a student’s screen. It took almost five minutes for the teacher to realize what was happening and rush back to end the session. The girl from whose screen the movie was shared has been traumatized by repeated questioning by school authorities and classmates and is reluctant to rejoin the school after the lockdown ends; just imagine the trauma.

The pandemic era is creating an apparent gold mine for cyber spies, according to an April report co-authored by researchers Bill Marczak and John Scott-Railton, based at The Citizen Lab research centre at the University of Toronto. The researchers found vulnerabilities in Zoom’s encryption and “waiting room” feature, which they had raised with the company.

[Figure: Screengrab of Zoom encryption in The Citizen Lab's April report. Photo via citizenlab.ca]
What more can be done

It’s often not the technology that fails. It’s teachers and students behaving in ways that put educational institutions at risk, by not using a complex password or by showing reluctance to use multifactor authentication. These are the kinds of simple behaviours that we emphasize but that often aren’t followed across school systems, where convenience sometimes wins over cybersecurity hygiene.

That’s why educating teachers and students is so important, especially with looming budget cuts that may affect spending on security improvements such as firewall upgrades and higher-level endpoint protection. But that training needs to be ongoing and should include everyone in an educational institution. Cyber awareness training can cover basics like creating strong passwords, social engineering, social media behaviour, and phishing attacks.

Not just one session at the start of the school or college year: I mean ongoing messaging throughout the year that makes cyber safety a part of the school culture and is embedded in how we teach and how we learn. The key lesson is that you can’t treat cybersecurity as a one-and-done. It’s not a checklist that you go through once, because the next day the entire environment has changed.
