Author: Daniel J. Zarchy

Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.

When Do Vendors Count as Service Providers Under the California Consumer Privacy Act?

With just a few months remaining before the California Consumer Privacy Act comes into effect, companies throughout the Golden State and beyond are scrambling to figure out how to comply with some of the CCPA’s more confusing and demanding requirements. However, another subset of companies is facing a different question: does the law even apply to us?

The question arises because the CCPA draws an important distinction between “service providers” and “third parties.” A service provider, a company that provides analysis or processing services to another company, must agree by contract to uphold certain protections of the CCPA but is left free of the most arduous requirements of the CCPA, such as fielding user requests for disclosure of data. What companies want to avoid are situations where they believe they are signing up to be service providers but unintentionally put themselves in a position to comply with the entire CCPA.


How Could the Ninth Circuit’s Decision in a Facebook Facial Recognition Lawsuit Affect California?

A new decision out of the Ninth Circuit Court of Appeals could be a bellwether for future privacy cases under the California Consumer Privacy Act. On Thursday, the Ninth Circuit held that the plaintiffs in a class-action lawsuit against Facebook alleging violation of an Illinois biometrics law had standing, allowing the case to move forward.

Given the similarities between the Illinois law and the relevant portions of the CCPA, the Ninth Circuit’s decision may dramatically expand standing in future cases under the CCPA for similar biometric violations.


Will the California Consumer Privacy Act Force Businesses to Disclose Marketing Secrets?

Welcome to 2019, where almost every product, service, and website tracks every bit of data it can about us and creates a giant profile it can use to make inferences and predict our every move and desire. Even if a company doesn’t sell our data, so many companies in our society today rely on the mass aggregation of data to inform their marketing decisions.

These systems can be pretty frighteningly precise. We’ve all heard about the time Target figured out that a high school girl was pregnant and began marketing maternity items to her before her parents knew, creating some…awkward discussions at home. As a white man of Jewish heritage in his 30s, who likes the San Francisco Giants and Shawshank Redemption, maybe I’m more likely to buy a Toyota that gets at least 40 MPG or less likely to drink spiced rum. Somebody out there probably knows.

One of the most interesting but unpredictable parts of the California Consumer Privacy Act is the portion of the law that requires companies to share not just the information collected about consumers, but also the inferences they’ve made based on this data. This requirement could potentially implicate companies’ marketing strategy or even trade secrets.


Facebook Lawsuit: Q&A With Plaintiffs’ Attorney S. Clinton Woods

Privacy advocates won a major victory on Monday when a lawsuit against Facebook for the Cambridge Analytica scandal was allowed to move forward. The San Mateo Superior Court judge, in what the plaintiffs believe to be a significant step for privacy, held that the plaintiffs have adequately pled an injury and have standing for the case to continue.

As has been previously discussed on this blog, the plaintiffs alleged causes of action in violation of California’s Unfair Competition Law (UCL) and False Advertising Law (FAL) due to the unauthorized acquisition of Facebook profile data by political consulting firm Cambridge Analytica. Facebook demurred, arguing that the plaintiffs had not been injured solely as a result of unauthorized access to data and as a result lacked standing under California’s Proposition 64. On Monday, the judge overruled Facebook’s demurrer and allowed the case to proceed.

We are lucky to have S. Clinton Woods, senior associate at Audet & Partners and the lead counsel for the plaintiffs in this action (and a fellow Hastings alum), here to discuss the lawsuit and the path forward.


What Does the California Consumer Privacy Act Mean for Data Aggregation?

Data aggregation has long been an important part of business analysis, from collecting information on past consumer trends to predicting the next big hit. Recently, the California Consumer Privacy Act’s provisions on data aggregation have become a warzone between privacy advocates and businesses concerned with the law’s scope.

AB 873, which is working its way through the committee process, would make two prominent changes that privacy advocates say would dramatically weaken the effectiveness of the CCPA.


Would the California Consumer Privacy Act Have Protected Us From FaceApp?

The privacy scandal du jour revolves around FaceApp, an app for iOS and Android that allows users to automatically digitally alter their photographs to look older or younger, or to change hairstyles, facial hair, glasses, and more. In order to make FaceApp work, users had to grant the app access to their photos, either from their devices’ camera roll or social media account. Then the magic happens, multiplied by the 100 million or so people who have downloaded the app so far.

I would love to look this good when I’m 100 years old

However, recent examinations into FaceApp’s policies raise new and troubling questions about what FaceApp can and will do with our photos, and whether there’s anything we can do to stop them. Well, these questions may be troubling but they aren’t new: FaceApp first went viral back in 2017, before the Internet forgot it exists just like everything else.

This most recent freakout comes amid the realization that FaceApp is owned by a Russian company and that their terms of use essentially grant FaceApp the right to access and use our photos, as well as the “perpetual, irrevocable” right to use any photos that they processed for us. This, paired with the fact that FaceApp uploads the photos being processed to their server, sparked fear and outrage just as quickly as the old-age photos dominated social media.


What the Lawsuit Against Facebook for the Cambridge Analytica Breach Could Change About Privacy Suits

Facebook made international news recently when it was revealed that Cambridge Analytica, a political consulting firm, used the personal data of tens of millions of people it got from Facebook to assist Donald Trump’s presidential campaign. A recent lawsuit against Facebook alleges that Facebook violated California law in culling and selling the data to Cambridge Analytica. Now, a new development in the case could fundamentally change how we think about the viability of such data-related lawsuits.

For those unfamiliar with Cambridge Analytica, the alleged story, in a nutshell, is the following: a Russian professor named Aleksandr Kogan released a personality test app called This Is Your Digital Life. However, TIYDL did more than store the survey results. The app reached into the Facebook profiles of the more than 300,000 users who granted Kogan consent, as well as the profiles of all of those users’ Facebook friends (who did not grant consent, obviously). According to Mark Zuckerberg, TIYDL might have accessed as many as 87 million accounts, though even Facebook is not quite sure how many or whose information was taken. Kogan then sold the data to Cambridge Analytica’s parent company, who used the data to assist the Trump campaign.


How the Schrems II Decision Could Affect International Data Transfers

Californians with an ear to the privacy ground have probably seen mention of the Schrems II case working its way through European courts. While we wait for what could be a groundbreaking decision, let’s take a look back at the history of this case and why it is so important to the international privacy community.

The story of Schrems II begins, unsurprisingly, with Schrems I. Long story short, the Data Protection Directive, the predecessor to the General Data Protection Regulation (GDPR), the European Union’s recent privacy law, imposed strict regulations regarding data collection, retention, and use on European Economic Area (EEA) companies and companies processing the data of people in the EEA.


How Could the California Consumer Privacy Act Affect Facial Recognition Technology?

California’s newest privacy law may soon protect more than just our personal information. If a proposed amendment to the California Consumer Privacy Act ends up passing, the legislature will add new protections to the CCPA that restrict the use of facial recognition technology by California companies.

Proposed amendment AB 1281 would make it mandatory for all businesses that use facial recognition technology to post “clear and conspicuous” signs at the entrance of every location that uses such technology.


How Much Will the Attorney General Actually Enforce the California Consumer Privacy Act?

As we creep closer to January 1, 2020, one of the major plotlines in the Legislature’s fine-tuning of the California Consumer Privacy Act is how exactly the law will be enforced when all is said and done. As it stands, it looks as though Californians are going to need to rely on the Attorney General and local governments to do most of the actual legwork to make sure companies abide by the new law. Whether that reliance is justified remains to be seen.

As we have discussed, SB 561, which would have granted a private right of action to allow individuals to sue for any violation of the CCPA, was summarily defeated. Similarly, early attempts to make improper use of facial recognition software a violation of unfair competition laws (and therefore privately enforceable) died an early death in committee. As it stands, the only private right of action remaining is for data breaches.
