Month: July 2019

Will the California Consumer Privacy Act Force Businesses to Disclose Marketing Secrets?

Welcome to 2019, where almost every product, service, and website tracks every bit of data it can about us and creates a giant profile it can use to make inferences and predict our every move and desire. Even if a company doesn’t sell our data, so many companies in our society today rely on the mass aggregation of data to inform their marketing decisions.

These systems can be pretty frighteningly precise. We’ve all heard about the time Target figured out that a high school girl was pregnant and began marketing maternity items to her before her parents knew, creating some…awkward discussions at home. As a white man of Jewish heritage in his 30s, who likes the San Francisco Giants and Shawshank Redemption, maybe I’m more likely to buy a Toyota that gets at least 40 MPG or less likely to drink spiced rum. Somebody out there probably knows.

One of the most interesting but unpredictable parts of the California Consumer Privacy Act is the portion of the law that requires companies to share not just the information collected about consumers, but also the inferences they’ve made based on this data. This requirement could potentially implicate companies’ marketing strategy or even trade secrets.


Facebook Lawsuit: Q&A With Plaintiffs’ Attorney S. Clinton Woods

Privacy advocates won a major victory on Monday when a lawsuit against Facebook for the Cambridge Analytica scandal was allowed to move forward. The San Mateo Superior Court judge, in what the plaintiffs believe to be a significant step for privacy, held that the plaintiffs have adequately pled an injury and have standing for the case to continue.

As has been previously discussed on this blog, the plaintiffs alleged causes of action in violation of California’s Unfair Competition Law (UCL) and False Advertising Law (FAL) due to the unauthorized acquisition of Facebook profile data by political consulting firm Cambridge Analytica. Facebook demurred, arguing that the plaintiffs had not been injured solely as a result of unauthorized access to data and as a result lacked standing under California’s Proposition 64. On Monday, the judge overruled Facebook’s demurrer and allowed the case to proceed.

We are lucky to have S. Clinton Woods, senior associate at Audet & Partners and the lead counsel for the plaintiffs in this action (and a fellow Hastings alum), here to discuss the lawsuit and the path forward.


What Does the California Consumer Privacy Act Mean for Data Aggregation?

Data aggregation has long been an important part of business analysis, from collecting information on past consumer trends to predicting the next big hit. Recently, the California Consumer Privacy Act’s provisions on data aggregation have become a warzone between privacy advocates and businesses concerned with the law’s scope.

AB 873, which is working its way through the committee process, would make two prominent changes that privacy advocates say would dramatically weaken the effectiveness of the CCPA.


Would the California Consumer Privacy Act Have Protected Us From FaceApp?

The privacy scandal du jour revolves around FaceApp, an app for iOS and Android that allows users to automatically digitally alter their photographs to look older or younger, or to change hairstyles, facial hair, glasses, and more. In order to make FaceApp work, users had to grant the app access to their photos, either from their devices’ camera roll or social media account. Then the magic happens, multiplied by the 100 million or so people who have downloaded the app so far.

I would love to look this good when I’m 100 years old

However, recent examinations into FaceApp’s policies raise new and troubling questions about what FaceApp can and will do with our photos, and whether there’s anything we can do to stop them. Well, these questions may be troubling but they aren’t new: FaceApp first went viral back in 2017, before the Internet forgot it exists just like everything else.

This most recent freakout comes amid the realization that FaceApp is owned by a Russian company and that their terms of use essentially grant FaceApp the right to access and use our photos, as well as the “perpetual, irrevocable” right to use any photos that they processed for us. This, paired with the fact that FaceApp uploads the photos being processed to their server, sparked fear and outrage just as quickly as the old-age photos dominated social media.


What the Lawsuit Against Facebook for the Cambridge Analytica Breach Could Change About Privacy Suits

Facebook made international news recently when it was revealed that Cambridge Analytica, a political consulting firm, used the personal data of tens of millions of people it got from Facebook to assist Donald Trump’s presidential campaign. A recent lawsuit against Facebook alleges that Facebook violated California law in culling and selling the data to Cambridge Analytica. Now, a new development in the case could fundamentally change how we think about the viability of such data-related lawsuits.

For those unfamiliar with Cambridge Analytica, the alleged story, in a nutshell, is the following: a Russian professor named Aleksandr Kogan released a personality test app called This Is Your Digital Life. However, TIYDL did more than store the survey results. The app reached into the Facebook profiles of the more than 300,000 users who granted Kogan consent, as well as the profiles of all of those users’ Facebook friends (who did not grant consent, obviously). According to Mark Zuckerberg, TIYDL might have accessed as many as 87 million accounts, though even Facebook is not quite sure how many or whose information was taken. Kogan then sold the data to Cambridge Analytica’s parent company, who used the data to assist the Trump campaign.


How the Schrems II Decision Could Affect International Data Transfers

Californians with an ear to the privacy ground have probably seen mention of the Schrems II case working its way through European courts. While we wait for what could be a groundbreaking decision, let’s take a look back at the history of this case and why it is so important to the international privacy community.

The story of Schrems II begins, unsurprisingly, with Schrems I. Long story short, the Data Protection Directive, the predecessor to the General Data Protection Regulation (GDPR), the European Union’s recent privacy law, put strict regulations regarding data collection, retention, and use, on European Economic Area (EEA) companies and companies processing the data of people in the EEA.


How Could the California Consumer Privacy Act Affect Facial Recognition Technology?

California’s newest privacy law may soon protect more than just our personal information. If a proposed amendment to the California Consumer Privacy Act ends up passing, the legislature will add new protections to the CCPA that restrict the use of facial recognition technology by California companies.

Proposed amendment AB 1281 would make it mandatory for all businesses that use facial recognition technology to post “clear and conspicuous” signs at the entrance of every location that uses such technology.


How Much Will the Attorney General Actually Enforce the California Consumer Privacy Act?

As we creep closer to January 1, 2020, one of the major plotlines in the Legislature’s fine-tuning of the California Consumer Privacy Act is how exactly the law will be enforced when all is said and done. As it stands, it looks as though Californians are going to need to rely on the Attorney General and local governments to do most of the actual legwork to make sure companies abide by the new law. Whether that reliance is justified remains to be seen.

As we have discussed, SB 561, which would have granted a private right of action to allow individuals to sue for any violation of the CCPA, was summarily defeated. Similarly, early attempts to make improper use of facial recognition software a violation of unfair competition laws (and therefore privately enforceable) died an early death in committee. As it stands, the only private right of action remaining is for data breaches.


How Will the California Consumer Privacy Act Affect Loyalty Programs?

Loyalty programs are everywhere. A Starbucks gold card might get you a free shot of syrup or refill on coffee. Your hotel gives you free upgrades and snacks for being a loyal member. When I buy a salad from the cafe downstairs from my office, I punch in my phone number and collect points that, someday, I will cash in for a free roast beef panini and large fountain soda. But now, there’s some concern that such loyalty programs will go the way of the dinosaur under the CCPA.


Will the California Consumer Privacy Act Survive Big Tech?

It should come as no surprise that many in the tech industry are not happy about the California Consumer Privacy Act. As we speed toward January 1, 2020, industry lobbyists and business-geared legislators are pushing a number of amendments that could severely limit the effectiveness and reach of the CCPA.

Todd Weaver and Brendan Eich recently wrote an op-ed in the Mercury News about the generational shift in tech companies’ approach to privacy: while new, smaller tech companies see the appeal and necessity of privacy regulation, Big Tech is digging in its heels.
