Lyft Sexual Assault Claims Consolidated for Pre-Trial Proceedings

Lyft and other companies have become a part of life, and people look to them for a safe ride home at the end of a night out. However, ridesharing companies like Lyft and Uber have been under fire for passenger safety concerns, and the stories of women being sexually assaulted by their drivers are prolific, harrowing and terrifying. In response to this disturbing trend, a wave of lawsuits in California is addressing the company’s responsibility when a passenger is assaulted.

Lyft Sexual Assault Claims Consolidated in San Francisco Superior Court

Recently, California Superior Court Judge Hon. Kenneth Freeman granted a petition to consolidate multiple Lyft sexual assault cases in California, recommending the Superior Court of California San Francisco County as the appropriate venue for the “complex” coordinated matters to be heard.

The Lyft passenger lawsuits claim the plaintiffs were sexually assaulted by sexual predators driving for Lyft after Lyft had been on actual notice of ongoing, sexual assaults by its drivers. According to the complaints, Lyft failed to respond to the sexual assaults by adopting and implementing adequate driver hiring or monitoring systems and procedures to protect riders. This failure to respond to an identified, systemic issue of sexual assault put more riders at risk.

The Lyft plaintiffs filed a motion to coordinate the cases, as most of the cases included in the ruling had been filed in San Francisco Superior Court. The court agreed with the Lyft plaintiffs that Lyft’s corporate headquarters are in San Francisco, as are the majority of corporate witnesses and documents. The court added that the San Francisco Superior Court uses e-filing, which could potentially save the parties significant costs. Additionally, only cases that are “complex” as defined by California’s Judicial Council standards may be coordinated.

Need for ESI (Electronically Stored Information) Orders, Whether Lyft Drivers Are Independent Contractors or Employees, and Additional Plaintiffs Joining Require Complex Case Management

Co-Counsel for the Lyft Sexual Assault Plaintiffs, Brooks Cutter of Cutter Law, argued that there are likely to be thousands of documents, studies, e-mails, and memoranda that are relevant to the claims and defenses in this case, and that discovery will inevitably require a complex ESI (Electronically Stored Information) order. Accordingly, a court like San Francisco Superior Court is well-equipped to handle such issues, including staying discovery, staying portions of the case, obtaining stipulations that apply to the entire coordinated case, and selecting bellwether plaintiffs.

Many of the underlying cases in the consolidation action allege vicarious liability, or the liability of Lyft for the torts or wrongful actions of its drivers, whether or not Lyft classifies them as employees or independent contractors. Lyft, Uber, and Doordash are actively fighting California Assembly Bill 5, pledging over $90 million to fund a voter initiative to overturn AB-5, which went into effect January 1, 2020. AB-5 profoundly alters the legal standard applied in evaluating whether a worker is classified as an employee or an independent contractor. Furthermore, Uber and Postmates on December 31st filed a legal challenge in Federal Court alleging AB-5 violates individuals’ constitutional rights, seeking declaratory and injunctive remedies and claiming the law unfairly discriminates against technology platforms and those who make a living through them.

Lyft has also been accused of stalling and slowing down discovery. Coordinated proceedings could help plaintiffs’ attorneys combat Lyft’s delays, and it could be beneficial to have one judge see how Lyft has conducted itself in discovery.

Attorney Cutter stated he is aware of five more related sexual assault cases that have been filed in the time since that petition was filed.   According to attorney Cutter, “There are definitely victims who have not yet come forward.”

Lyft Fought Against Sexual Assault Lawsuit Consolidation

Lyft, represented by Williams & Connolly, argued that the consolidation of Lyft sexual assault cases “would make in San Francisco Superior Court a national clearinghouse for claims against San Francisco-based companies.” Furthermore, Lyft contended that:

“all claims against a California based-company —wherever the underlying incidents arise, and however much the disputed facts occurred elsewhere and other states’ laws govern the contested legal issues — could be brought in California courts and coordinated.”

Lyft’s two main objections to consolidation are that “the allegations of misconduct are not the same and that the majority of the cases did not occur in California.”

Judge Freeman, however, disagreed with the company, focusing instead on Lyft’s actions or inactions as an organization to protect riders’ safety. “To the contrary, the predominating legal and factual issues will examine Lyft’s liability for allegedly failing to institute a system to have prevented the assaults in these cases and potential future assaults,” Judge Freeman said. “The court agrees with plaintiffs that this is not a case against the drivers; it is fundamentally a case against Lyft.”

Significance of Lyft Consolidation Ruling

Judge Freeman also found that coordination of the suits would make the most efficient use of court resources and avoid duplicative testimony. In giving his ruling he further noted that there is a risk of duplicative and inconsistent rulings if the cases were not coordinated, which would create confusion, and it would hinder the Court of Appeal’s ability to hear challenges to inconsistent rulings, orders, and judgments, which would inevitably cause significant delays.

“This is an important ruling for victims as it means the claims will be heard in a single court in California,” plaintiff’s co-counsel Brooks Cutter said. “Lyft opposed our motion and wanted to force victims to undergo litigation in separate courts across the country. As a California company, it is appropriate for these Lyft claims to be heard in California.”

The Lyft sexual assault and rape claims each allege that the company did not adequately address the issue of sexual misconduct committed by sexual predators who drove for the ride-sharing company. Furthermore, they allege Lyft owed that duty to its riders, who believed it offered a safe form of transportation.  Attorney Cutter says, “The occurrence of sexual assault in the vast majority of these lawsuits is undisputed. The focus of these lawsuits is Lyft’s accountability for the assaults, which plaintiffs contend were enabled by Lyft’s lax background checks and failure to enact reasonable in-app monitoring to help ensure rider safety.”

Alexandra LaManna, a spokeswoman for Lyft, disclosed to the New York Times that in 2019 nearly one in five employees at the company had been dedicated to initiatives strengthening the rideshare platform’s safety, and that in recent months Lyft had introduced more than 15 new safety features. Lyft announced some of these safety features in September of 2019: access to 911 through the app, and monitoring and offers of support from Lyft personnel to the driver and passenger if a trip is experiencing an unexpected delay. These are on top of the company’s criminal background checks, steps to prevent fraudulent use of the app and verify driver identity, and harassment prevention programs.

However, despite these steps, more Lyft lawsuits are being filed, alleging the ride-sharing company has not taken adequate steps to protect riders from sexual assault.

Lyft Has Not Released a Safety Report – Lyft Victims Can Still File Lawsuits

In December 2019, Lyft competitor Uber released a safety report.  Uber reported that in 2017 and 2018 it received reports of 5,981 incidents of sexual abuse.  In 2018, this included 235 rapes and 280 reports of attempted rape, 1,560 reports of groping, 376 reports of unwanted kissing to breast, buttocks or mouth and 594 reports of unwanted kissing to another body part.  Because Uber’s figures are based on the information it received, the actual numbers could in fact be higher than reported.

Lyft has not released its safety report regarding sexual assaults, rapes, and accidents. Attorney Cutter finds the lack of a safety report from Lyft to be problematic. He says, “It is important for Lyft to issue a safety report so the public has a better understanding of the significant risk of sexual assault in rideshare vehicles.”

Victims who suffered sexual assault committed by a Lyft driver are still eligible to file a lawsuit. Consolidation of the current lawsuits does not prevent future lawsuits from being filed, and it is likely there are many more victims who have yet to come forward about their experiences.


Copyright ©2020 National Law Forum, LLC

More on consolidated case litigation in the National Law Review Litigation and Trial Practice section.

Venmo’ Money: Another Front Opens in the Data Wars

When I see stories about continuing data spats between banks, fintechs and other players in the payments ecosystem, I tend to muse about how the more things change the more they stay the same. And so it is with this story about a bank, PNC, shutting off the flow of customer financial data to a fintech, in this case, the Millennial’s best friend, Venmo. And JP Morgan Chase recently made an announcement dealing with similar issues.

Venmo has to use PNC’s customers’ data in order to allow (for example) Squi to use it to pay P.J. for his share of the brews. Venmo needs that financial data in order for its system to work. But Venmo isn’t the only one with a mobile payments solution; the banks have their own competing platform called Zelle. If you bank with one of the major banks, chances are good that Zelle is already baked into your mobile banking app. And unlike Venmo, Zelle doesn’t need anyone’s permission but that of its customers to use those data.

You can probably guess the rest.  PNC recently invoked security concerns to largely shut off the data faucet and “poof”, Venmo promptly went dark for PNC customers.  To its aggrieved erstwhile Venmo-loving customers, PNC offered a solution: Zelle.  PNC subtly hinted that its security enhancements were too much for Venmo to handle, the subtext being that PNC customers might be safer using Zelle.

Access to customer data has been up until now a formidable barrier to entry for fintechs and others whose efforts to make the customer payment experience “frictionless” have depended in large measure on others being willing to do the heavy lifting for them. The author of the Venmo article suggests that pressure from customers may force banks to yield any strategic advantage that control of customer data may give them. So far, however, consumer adoption of mobile payments is still minuscule in the grand scheme of things, so that pressure may not be felt for a very long time, if ever.

In the European Union, the regulators have implemented PSD2 which forces a more open playing field for banking customers. But realistically, it can’t be surprising that the major financial institutions don’t want to open up their customer bases to competitors and get nothing in return – except a potential stampede of customers moving their money. And some of these fintech apps haven’t jumped through the numerous hoops required to be a bank holding company or federally insured – meaning unwitting consumers may have less fraud protection when they move their precious money to a cool-looking fintech app.

A recent study by the Pew Trusts makes it clear that consumers are still not fully embracing mobile for any number of reasons. The prime reason is that current mobile payment options still rely on the same payments ecosystem as credit and debit cards, yet mobile payments don’t offer as much consumer protection. As long as that is the case, banks and fintechs and merchants will continue to fight over data, and the regulators are likely to weigh in at some point.

It is not unlike the early mobile phone issue when one couldn’t change mobile phone providers without getting a new phone number – that handcuff kept customers with a provider for years but has since gone by the wayside. It is likely we will see some sort of similar solution with banking details.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on fintech & banking data, see the National Law Review Financial Institutions & Banking law page.

Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.


©2011-2020 Carlton Fields, P.A.

For more on new and developing legislation in Florida and elsewhere, see the National Law Review Election Law & Legislative News section.

Reflections on 2019 in Technology Law, and a Peek into 2020

It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.

Data: The Issues of the Year

Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.

  • Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well. In 2019, we saw many novel issues involving mobile, biometric and connected car data. Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).

  • Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound.  For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data.  We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.

  • Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.

  • Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations.  They are focused on understanding the sources of the data and their lawful rights to use such data.  They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).

  • Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.

I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.

Social Media under Fire

Social media platforms experienced an interesting year. The power of the medium came into even clearer focus, and not necessarily in the most flattering light. In addition to privacy issues, fake news, hate speech, bullying, political interference, revenge porn, defamation and other problems came to light. Executives of the major platforms have been on the hot seat in Washington, and there is clearly bipartisan unease with the influence of social media in our society.  Many believe that the status quo cannot continue. Social media platforms are working to build self-regulatory systems to address these thorny issues, but the work continues.  Still, amidst the bluster and criticism, it remains to be seen whether the calls to “break up” the big tech companies will come to pass or whether Congress’s ongoing debate of comprehensive data privacy reform will lead to legislation that would alter the basic practices of the major technology platforms (and in turn, many of the data collection and sharing done by today’s businesses).  We have been working with clients, advising them of their rights and obligations as platforms, as contributors to platforms, and in a number of other ways in which they may have a connection to such platforms or the content or advertising appearing on such platforms.

What does 2020 hold? Will Washington’s withering criticism of the tech world translate into any tangible legislation or regulatory efforts?  Will Section 230 of the Communications Decency Act – the law that underpins user generated content on social media and generally the availability of user generated content on the internet and apps – be curtailed? Will platforms be asked to accept more responsibility for third party content appearing on their services?

While these issues are playing out in the context of the largest social media platforms, any legislative solutions to these problems could in fact extend to others that do not have the same level of compliance resources available. Unless a legislative solution includes some type of “size of person” test or room to adapt technical safeguards to the nature and scope of a business’s activities or sensitivity of the personal information collected, smaller providers could be shouldered with a difficult and potentially expensive compliance burden. Thus, it remains to see how the focus on social media and any attempt to solve the issues it presents may affect online communications more generally.

Quantum Leaps

Following the momentum of the passage of the National Quantum Initiative at the close of 2018, a significant level of resources has been invested into quantum computing in 2019.  This bubble of activity culminated in Google announcing a major milestone in quantum computing.  Interestingly, IBM suggests that it wasn’t quite as significant as Google claimed.  In any case, the development of quantum computing in the U.S. has progressed a great deal in 2019, and many organizations will continue to focus on it as a priority in 2020.

  • Reports state that China has dedicated billions to build a Chinese national laboratory for quantum computing, among other related R&D products, a development that has gotten the attention of Congress and the Pentagon. This may be the beginning of the 21st century’s great technological race.

  • What is at stake? The implications are huge. It is expected that ultimately, quantum computers will be able to solve complex computations exponentially faster – as much as 100 million times faster — than classic computers. The opportunities this could present are staggering.  As are the risks and dangers.  For example, for all its benefits, the same technology could quickly crack the digital security that protects online banking and shopping and secure online communications.

  • Many organizations are concerned about the advent of quantum computing. But given that it will be a reality in the future, what should you be thinking about now? While not a real threat for 2020 or the near-term thereafter, it would be wise to think about it if one is anticipating investing in long-term infrastructure solutions. Will quantum computing render the investment obsolete? Or, will quantum computing present a security threat to that infrastructure? It is not too early to think about these issues, and for example, technologists have been hard at work developing quantum-proof blockchain protocols. It would at least be prudent to understand the long-term roadmap of technology suppliers to see if they have even thought about quantum computing, and if so, to see how they see quantum computing impacting their solutions and services.

Artificial Intelligence

We have seen a significant level of deployment in the Artificial Intelligence/Machine Learning landscape this past year. According to the Artificial Intelligence Index Report 2019, AI adoption by organizations (of at least one function or business unit) is increasing globally. Many businesses across many industries are deploying some level of AI into their businesses. However, the same report notes that many companies employing AI solutions might not be taking steps to mitigate the risks from AI, beyond cybersecurity. We have advised clients on those risks, and in certain cases have been able to apportion exposure amongst multiple parties involved in the implementation. In addition, we have also seen the beginning of regulation in AI, such as California’s chatbot law, New York’s recent passage of a law (S.2302) prohibiting consumer reporting agencies and lenders from using the credit scores of people in a consumer’s social network to determine that individual’s credit worthiness, or the efforts of a number of regulators to regulate the use of AI in hiring decisions.

We expect 2020 to be a year of increased adoption of AI, coupled with an increasing sense of apprehension about the technology. There is a growing concern that AI and related technologies will continue to be “weaponized” in the coming year, as the public and the government express concern over “deepfakes” (including the use of voice deepfakes of CEOs to commit fraud).  And, of course, the warnings of people like Elon Musk and Bill Gates, as they discuss AI, cannot be ignored.

Blockchain

We have been very busy in 2019 helping clients learn about blockchain technologies, including issues related to smart contracts and cryptocurrency. 2019 was largely characterized by pilots, trials, tests and other limited applications of blockchain in enterprise and infrastructure applications, as well as a significant level of activity in tokenization of assets, cryptocurrency investments, and the building of businesses related to the trading and custody of digital assets. Our blog, www.blockchainandthelaw.io, keeps readers abreast of key new developments and we hope our readers have found our published articles on blockchain and smart contracts helpful.

Looking ahead to 2020, regulators such as the SEC, FinCEN, IRS and CFTC are still watching the cryptocurrency space closely. Gone are the days of ill-fated “initial coin offerings” and today, security token offerings, made in compliance with the securities laws, are increasingly common. Regulators are beginning to be more receptive to cryptocurrency, as exemplified by the New York State Department of Financial Services’ revisiting of the oft-maligned “bitlicense” requirement in New York.

Beyond virtual currency, I believe some of the most exciting developments of blockchain solutions in 2020 will be in supply chain management and other infrastructure uses of blockchain. 2019 was characterized by experimentation and trial. We have seen many successes and some slower starts. In 2020, we expect to see an increase in adoption. Of course, the challenge for businesses is to really understand whether blockchain is an appropriate solution for the particular need. Contrary to some of the hype out there, blockchain is not the right fit for every technology need, and there are many circumstances where a traditional client-server model is the preferred approach. For help in evaluating whether blockchain is in fact a potential fit for a technology need, this article may be helpful.

Other 2020 Developments

Interestingly, one of the companies that has served as a form of leading indicator in the adoption of emerging technologies is Walmart. Walmart was one of the first major companies to embrace supply chain use of blockchain, so what is Walmart looking at for 2020? A recent Wall Street Journal article discusses its interest and investment in 5G communications and edge computing. We too have been assisting clients in those areas, and expect them to be active areas of activity in 2020.

Edge computing, which is related to “fog” computing, which is, in turn, related to cloud computing, is, simply put, the idea of storing and processing information at the point of capture, rather than communicating that information to the cloud or a central data processing location for storage and processing. According to the WSJ article, Walmart plans on building edge computing capability for other businesses to hire (following to some degree Amazon’s model for AWS). The article also talks about Walmart’s interest in 5G technology, which would work hand-in-hand with its edge computing network.

Our experience with clients suggests that Walmart may be onto something. Edge and fog computing, 5G and the growth of the “Internet of Things” are converging and will offer the ability for businesses to be faster, cheaper and more profitable. Of course, this convergence also will tie back to the issues we discussed earlier, such as data, privacy and data security, artificial intelligence and machine learning. In general, this convergence will increase even more the technical abilities to process and use data (which would conceivably require regulation that would feature privacy and data security protections that are consumer-friendly, yet balanced so they do not stifle the economic and technological benefits of 5G).

This past year has presented a host of fascinating technology-based legal issues, and 2020 promises to hold more of the same.  We will continue to keep you posted!

We hope you had a good 2019, and we want to wish all of our readers a very happy and safe holiday season and a great New Year!


© 2019 Proskauer Rose LLP.

For more in technology developments, see the National Law Review Intellectual Property or Communications, Media & Internet law sections.

FDA Issues Warning Letters, Cautions Consumers on Unapproved CBD Products

Nearly a year after the 2018 Farm Bill legalized hemp nationwide, the legal status of one of its most popular products, cannabidiol (CBD), is becoming clearer.

On Nov. 25, the U.S. Food and Drug Administration (FDA) issued a revised consumer update regarding unapproved CBD products and issued a new round of warning letters to CBD retailers selling products in violation of the Food, Drug and Cosmetics Act (FDCA). The agency also warned of potential health risks and safety concerns associated with numerous unapproved CBD products. The FDA publicized its determination that CBD cannot be considered as Generally Recognized as Safe (GRAS) under federal law, foreclosing one of the regulatory paths available to the FDA for allowing CBD as a food ingredient.

These recent actions underscore the FDA’s interpretation that food products, unapproved drugs, dietary supplements and cosmetics containing CBD sold in interstate commerce often violate the FDCA.

FDA warning letters

In this recent round of enforcement efforts, the FDA issued fifteen warning letters to CBD companies selling a variety of products in interstate commerce, including balms, capsules, oils, tinctures, lotions, gummies, chews and sprays that were marketed for use by adults, children and animals.

The letters outline the FDA’s legal analysis which concludes that the products at issue were marketed in interstate commerce as unapproved new drugs, misbranded drugs, adulterated foods or improperly labeled as dietary supplements in violation of the FDCA. The crux of this analysis is that CBD is an active ingredient in an approved drug as well as other drugs under clinical investigation.

These products triggered FDCA violations in a variety of ways:

  • Unapproved new drugs – CBD products making claims to prevent, diagnose, mitigate, treat or cure serious diseases, such as cancer, AIDS, schizophrenia and diabetes.
  • Misbranded drugs – CBD products marketed as drugs that also fail to bear adequate directions for use.
  • Dietary supplement labeling – Improperly using the label “dietary supplement” when it does not meet the definition under the FDCA.
  • Adulterated human food – CBD products marketed as conventional human foods that contain a drug approved by the FDA.

Each warning letter identified an “unapproved new drug” violation with products making aggressive health claims surrounding cancer or other similar serious conditions, suggesting the FDA continues to focus its efforts on “egregious, over-the-line” health claims as referenced by former FDA Commissioner Scott Gottlieb.

FDA consumer update

The FDA simultaneously issued a consumer update, signaling that unapproved CBD products remain prohibited under the FDCA. The agency noted it has seen only limited data about CBD safety and that some of the data points to risks that should be considered before taking CBD.

The FDA warned that unapproved CBD products may pose safety risks and make unproven health claims. The FDA fears consumers may put off getting proper diagnosis, treatment or supportive care due to unsubstantiated claims associated with CBD products.

Additionally, the FDA noted the information it currently has “underscores the need for further study and high quality, scientific information about the safety and potential uses of CBD.” The consumer update further notes:

  • No FDA evaluation of CBD products – There has been no FDA evaluation of whether unapproved CBD products are effective for their intended use, what the proper dosage might be, how they could interact with FDA-approved drugs or whether they have dangerous side effects or other safety concerns.
  • Potential health risks – Specifically, the FDA also identified some of the potential risks associated with using CBD products, including liver injury and male reproductive toxicity. Other potential health risks remain unknown to date, including the effects of sustained daily usage by adults as well as the effects on children, breastfed newborns and developing fetuses.
  • Side effects – Other side effects include drowsiness, gastrointestinal distress and increased irritability and agitation.
  • Unregulated manufacturing process and product safety is unknown – The manufacturing process of unapproved CBD drug products has not been subject to FDA review and the effects of CBD containing potentially unsafe levels of contaminants, such as pesticides and heavy metals, are unknown.

CBD remains a legal product

Despite this recent action from the FDA, hemp-derived CBD remains a legal product under federal law, but it must be marketed without violating the FDCA. Additionally, the warning letters and consumer update highlight that the FDA is targeting its enforcement to companies engaged in interstate commerce and making egregious, unsubstantiated health claims.

As is the case with other cannabis issues, the disconnect between state and federal law means companies are finding ways to bring products to market while limiting their risk. However, stakeholders must be aware of the risks under state and federal law when marketing any product containing CBD.

Expect more information from the FDA soon

The consumer update also notes that the FDA is “evaluating the regulatory frameworks that apply to certain cannabis-derived products that are intended for non-drug uses, including whether and/or how the FDA might consider updating its regulations, as well as whether potential legislation might be appropriate.” More information will be coming soon from the FDA, but it may be a while before CBD can be marketed legally as a food ingredient or dietary supplement under federal law.


Copyright © 2019 Godfrey & Kahn S.C.

More on FDA CBD Regulation via the National Law Review Biotech, Food & Drug law page.

CPSC Staff Addresses IoT 2018 Hearing Feedback, IoT Project Plans in New Report

Connected products can make the world a safer place: electronic sensors in the home can detect problems and send smartphone notifications to the homeowner; smart alert devices can notify family members or home help companies that an elderly person has fallen and needs assistance. But with over 64 billion connected products in the marketplace, there is a concern that connected devices could introduce hazards that might lead to a risk of injury due to problems with software updates or customization, faulty connections, and even consumer modifications.

As the body charged with overseeing consumer product safety in the U.S., over the last few years, the Consumer Product Safety Commission (CPSC) has shown an increasing interest in defining its role with regard to connected products. In May 2018, the CPSC held a public hearing on IoT, obtaining feedback from a range of stakeholders on potential risks of connected consumer products and the agency’s role. In late September, CPSC staff submitted to the Commission a status report outlining the CPSC’s work on consumer product IoT issues since the public hearing. The report also outlines how CPSC staff understands the agency’s role, which is safeguarding consumers from potential physical product risks, as well as how its work intersects with the jurisdiction of other agencies as they oversee connected products.

The report notes that this is an ongoing process, stating that CPSC staff is working on “how to define consumer product safety in terms of the IoT, the intersection of, and interdependencies among, consumer product safety, data security and privacy, and how our traditional risk management approaches apply to connected products.” The report acknowledges that privacy and data security are not within CPSC’s jurisdiction, but noted that at least one participant in CPSC’s 2018 hearing warned that “CPSC should pay attention to certain cybersecurity threats that create opportunities for physical harm, a risk not previously considered, and resist creating any prescriptive rules for IoT devices.”

To increase institutional knowledge of IoT benefits and challenges, CPSC has dedicated resources to develop its staff’s expertise. CPSC has also participated in developing voluntary standards, has taken a leadership role in establishing an interagency IoT working group, and has been developing its capability to simulate home networks at its laboratory.

The staff report outlines three ongoing internal projects relating to IoT. The first involves developing a methodology for assessing safety-related implications arising out of software and firmware updates to connected products. This project is at what CPSC views as the intersection of product safety and data security and potential “hazardization” of connected products as a result of data vulnerabilities. CPSC is also looking at connected heating appliances and the risks associated with their remote activation. Finally, CPSC is studying smart toys “in an effort to identify physical safety hazards.” It is surprising that CPSC staff would dedicate resources to toys as opposed to other products, like in-home safety devices, since the physical safety of toys is strictly regulated by the mandatory toy safety standard, ASTM F-963. The likelihood of physical hazardization of toys is far lower than, for example, connected home security devices and sensors. In those categories, connectivity, and thus security breaches that affect the operation of those devices, may be directly related to both safety risks and advantages. Indeed, home safety devices are a category where we have actually seen CPSC recall activity.

The report notes that CPSC is engaging in product safety assessments of connected and shared e-scooters. This is likely in response to reports of e-scooters that were vulnerable to hacking. The emerging hazards of micro-mobility devices such as shared e-scooters are also a focus of CPSC’s Operating Plan for Fiscal Year 2020 and represent another product category that appears to be more vulnerable to hazardization than connected toys.

CPSC staff intended to develop a best practices guide for industry and consumers on connected products, which was an enumerated project in the proposed Operating Plan for Fiscal Year 2020. However, an amendment introduced by Commissioner Feldman focuses CPSC’s resources on IoT intergovernmental work instead. Given the report’s acknowledgment that the agency is still working to develop staff expertise in IoT, attempting to create such a guide appears premature at this juncture.

The sharp increase in the number of connected devices in the market means it is necessary and appropriate for CPSC to continue to build expertise on IoT issues, even though very few examples of actual product safety hazards attributable to some type of connectivity failures exist. It would be useful for CPSC to focus its efforts and resources on product categories that pose a higher potential risk to the physical safety of consumers through hazardization or failure as a result of connectivity, without overstating potential risks. It is encouraging that through the intergovernmental initiatives a variety of federal agencies are working collaboratively to better understand the various consumer protection issues potentially raised by connected products that fit within their respective jurisdictions.


© 2019 Keller and Heckman LLP

For more on CPSC regulation, see the National Law Review Consumer Protection law page.

CCPA Alert: California Attorney General Releases Draft Regulations

On October 10, 2019, the California Attorney General released the highly anticipated draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus heavily on three main areas: 1) notices to consumers, 2) consumer requests and 3) verification requirements. While the regulations focus heavily on these three topics, they also discuss special rules for minors, non-discrimination standards and other aspects of the CCPA. Despite high hopes, the regulations do not provide the clarity many companies desired. Instead, the regulations layer on new requirements while sprinkling in further ambiguities.

The most surprising new requirements proposed in the regulations include:

  • New disclosure requirements for businesses that collect personal information from more than 4,000,000 consumers
  • Businesses must acknowledge the receipt of consumer requests within 10 days
  • Businesses must honor “Do Not Sell” requests within 15 days and inform any third parties who received the personal information of the request within 90 days
  • Businesses must obtain consumer consent to use personal information for a use not disclosed at the time of collection

The following are additional highlights from each of the three main areas:

1. Notices to consumers

The regulations discuss four types of notices to consumers: notice at the time of collection, notice of the right to opt-out of the sale of personal information, notice of financial incentives and a privacy policy. All required notices must be:

  • Easy to read in plain, straightforward language
  • In a format that draws the consumer’s attention to the notice
  • Accessible to those with disabilities
  • Available in all languages in which the company regularly conducts business

The regulations make clear that it is necessary, but not sufficient, to update your privacy policy to be compliant with CCPA. You must also provide notice to consumers at the time of data collection, which must be visible and accessible before any personal information is collected. The regulations make clear that no personal information may be collected without proper notice. You may use your privacy policy as the notice at the time of collection, but you must link to a specific section of your privacy policy that provides the statutorily required notice.

The regulations specifically provide that for offline collection, businesses could provide a paper version of the notice or post prominent signage. Similar to General Data Protection Regulation (GDPR), a company may only use personal information for the purposes identified at the time of collection. Otherwise, the business must obtain explicit consent to use the personal information for a new purpose.

In addition to the privacy policy requirements in the statute itself, the regulations require more privacy policy disclosures. For example, the business must include instructions on how to verify a consumer request and how to exercise consumer rights through an agent. Further, the privacy policy must identify the following information for each category of personal information collected: the sources of the information, how the information is used and the categories of third parties to whom the information is disclosed. For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times. Given the additional nuances of the disclosure requirements, we recommend working with counsel to develop your privacy policy.

If a business provides financial incentives to a consumer for allowing the sale of their personal information, then the business must provide a notice of the financial incentive. The notice must include a description of the incentive, its material terms, instructions on how to opt-in to the incentive, how to withdraw from the incentive and an explanation of why the incentive is permitted by CCPA.

Finally, the regulations state that service providers that collect personal information on behalf of a business may not use that personal information for their own purposes. Instead, they are limited to performing only their obligations under the contract between the business and service provider. The contract between the parties must also include the provisions described in CCPA to ensure that the relationship is a service provider/business relationship, and not a sale of personal information between a business and third party.

2. Consumer requests

Businesses must provide at least two methods for consumers to submit requests (most commonly an online form and a toll-free number), and one of the methods must reflect the manner in which the business primarily interacts with the consumer. In addition, businesses that substantially interact with consumers offline must provide an offline method for consumers to exercise their right to opt-out, such as providing a paper form. The regulations specifically call out that in-person retailers may therefore need three methods: a paper form, an online form and a toll-free number.

The regulations do limit some consumer request rights by prohibiting the disclosure of Social Security numbers, driver’s license numbers, financial account numbers, medical-related identification numbers, passwords, and security questions and answers. Presumably, this is for two reasons: the individual should already know this information and most of these types of information are subject to exemptions from CCPA.

One of the most notable clarifications related to requests is that the 45-day timeline to respond to a consumer request includes any time required to verify the request. Additionally, the regulations introduce a new timeline requirement for consumer requests. Specifically, businesses must confirm receipt of a request within 10 days. Another new requirement is that businesses must respond to opt-out requests within 15 days and must inform all third parties to stop selling the consumer’s information within 90 days. Further, the regulations require that businesses maintain logs of request records for 24 months.

3. Verification requirements

The most helpful guidance in the regulations relates to verification requests. The regulations provide that a more rigorous verification process should apply to more sensitive information. That is, businesses should not release sensitive information without being highly certain about the identity of the individual requesting the information. Businesses should, where possible, avoid collecting new personal information during the verification process and should instead rely on confirming information already in the business’ possession. Verification can be through a password-protected account provided that consumers re-authenticate themselves. For websites that provision accounts to users, requests must be made through that account. Matching two data points provided by the consumer with data points maintained by the business constitutes verification to a reasonable degree of certainty, and the matching of three data points constitutes a high degree of certainty.

The regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified. For example, if a business cannot verify the identity of a person making a request for access, then the business may proceed as if the consumer requested disclosure of only the categories of personal information, as opposed to the content of such personal information. If a business cannot verify a request for deletion, then the business should treat the request as one to opt-out of the sale of personal information.

Next steps

These draft regulations add new wrinkles, and some clarity, to what is required for CCPA compliance. As we move closer to January 1, 2020, companies should continue to focus on preparing compliant disclosures and notices, finalizing their privacy policies and establishing procedures to handle consumer requests. Despite the need to press forward on compliance, the regulations are open to initial public comment until December 6, 2019, with a promise to finalize the regulations in the spring of 2020. We expect further clarity as these draft regulations go through the comment process and privacy professionals, attorneys, businesses and other stakeholders weigh in on their clarity and reasonableness.


Copyright © 2019 Godfrey & Kahn S.C.

For more on CCPA implementation, see the National Law Review Consumer Protection law page.

Mayo Clinic Reports Vaping Injuries Resemble Chemical Burns

The Centers for Disease Control and Prevention (CDC) announced that over 1,000 people became ill from vaping e-cigarettes, including 18 deaths. Now, research by the Mayo Clinic of Arizona suggests the lung damage may be the result of chemical burns.

The CDC announced that 77% of the injured vapers were using e-cigarettes with tobacco and THC products, and 17% were using only nicotine. The CDC partnered with state-based health care services and research hospitals to try to determine the cause of the recent spike in vaping lung damage cases.

The Mayo Clinic of Arizona is one of the first to release data derived from recent cases. The research team tested lung biopsy samples from 17 patients, including two who have since died from the condition. All 17 biopsies suggested that the lung injuries were most likely caused by “direct toxicity or tissue damage from noxious chemical fumes.” These fumes are generated from the vaporized e-cigarette liquids. Researchers said it does not appear that the build-up of lipids, reported earlier as a possible cause of the lung damage, was a factor in these 17 patients.

According to Dr. Larsen, the senior author of the study, “It would seem prudent based on our observations to explore ways to better regulate the industry and better educate the public, especially our youth, about the risks associated with vaping.”


COPYRIGHT © 2019, STARK & STARK

For more on vaping regulation, see the National Law Review Biotech, Food & Drug law page.

Food for Thought: Outcomes of Food Labeling Cases Prove Difficult to Predict

The past year has seen a proliferation of lawsuits alleging that food product labels mislead consumers about the product’s ingredients. The trend continued last month, with decisions from the Court of Appeals for the First Circuit and one of its district courts reaching different results on motions to dismiss complaints alleging deceptive food labels.

Last month, the First Circuit reinstated a class action lawsuit against New England Coffee for violation of Massachusetts’ consumer protection laws related to the coffee brand’s label for “Hazelnut Crème” coffee. Dumont v. Reily Foods, 18-2055 (1st Cir. Aug. 8, 2019). Plaintiff alleged that the product name was deceptive because the product did not contain hazelnuts. A Massachusetts federal district court judge dismissed the suit because the complaint lacked sufficient particularized facts to satisfy the heightened pleading standard for fraud allegations.

The First Circuit reversed in a 2-1 decision. The majority noted that although the ingredient list on the product package’s back label read “100% Arabica Coffee Naturally and Artificially Flavored,” reasonable consumers might take different approaches in determining whether the coffee actually contained real hazelnuts. One might check the list of ingredients to ensure the coffee contained hazelnut while others may not, instead relying on the name of the product, without searching the ingredient list, “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.” The majority accordingly concluded that whether the product name implied that the product contained hazelnuts was better suited for resolution “from six jurors, rather than three judges.” In dissent, Circuit Judge Lynch argued that “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’”

Neither opinion is especially persuasive. As for the dissent, hazelnuts are not coffee, and the fact that a coffee product called “Hazelnut Crème” is said to contain 100% Arabica Coffee does not reasonably rule out the possibility that the product contains hazelnuts. By the same token, however, other courts have concluded that reasonable consumers do not ignore a product’s prominently displayed ingredient list when information on the front label may be viewed as ambiguous concerning whether an ingredient is or is not contained in the product. See, e.g., Jessani et al. v. Monini North America, which one of the authors litigated and which this blog covered. To the extent the Dumont majority suggests otherwise, the opinion would be misguided. That said, whereas the olive oil product in Monini was labeled as “truffle flavored,” here, there was no modifier to suggest that the coffee in question simply tasted, or smelled, like hazelnuts. In such cases, perhaps, one could conclude that the front label lacked ambiguity, and thus would not compel prospective purchasers to search the label further.

Less than a week after the First Circuit’s Dumont decision, Judge Alison Burroughs of the District of Massachusetts tossed a putative class action suit alleging that the advertising and packaging of the cereal “Honey Bunches of Oats” falsely suggested it was sweetened only or primarily with honey, when in fact the main sweeteners are sugar, brown sugar, and corn syrup. Lima v. Post Consumer Brands, 18-12100 (D. Mass. Aug. 13, 2019). The plaintiffs pointed to images of a sun, bee, and honey dipper as representing that honey was the principal sweetener in the cereal. They also cited surveys showing that most consumers believe honey is “better for you than sugar” and that approximately half of consumers are willing to pay more for foods that are primarily sweetened with honey.

In concluding that the consumers failed to state a claim, Judge Burroughs found that plaintiffs had offered no reasonable basis for their alleged belief that the honey references on the packaging implied that honey was the primary sweetener in the cereal rather than simply one of its primary flavors. In addition, even assuming the packaging could be viewed as portraying honey to be an ingredient instead of or as well as a flavor, Judge Burroughs found that plaintiffs still failed to state a claim. She noted that, unlike the “Hazelnut Crème” product in Dumont that did not contain any hazelnut, Honey Bunches of Oats did, in fact, contain honey. She also distinguished the case from Mantikas v. Kellogg, in which the Second Circuit found that a “made with whole grain” claim could imply that the product contained more whole wheat flour than white flour. Here, according to Judge Burroughs, the mere references to honey on the package carried no implication that honey was the primary sweetener, and a reasonable consumer concerned about how the cereal was sweetened would have consulted the cereal’s list of ingredients.

If nothing else, these cases underscore the fact-specific nature of the inquiry as to what product labels imply about their ingredients.

 


© 2019 Proskauer Rose LLP.

For more on class action lawsuits, see the National Law Review Litigation & Trial Practice page.

The CCPA Is Approaching: What Businesses Need to Know about the Consumer Privacy Law

The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), will take effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.

While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.

Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.

Does the CCPA apply to my business?

Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.

The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:

  • Has annual gross revenues in excess of $25 million; or
  • Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information

While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.

What is considered “personal information” under the CCPA?

The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.

As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.

When does a business “collect” personal information under the CCPA?

To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.

To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.

If a business collects personal information but never sells any of it, does the CCPA still apply?

Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.

What new rights does the CCPA give to California consumers?

The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.

What new obligations does a business have regarding these new consumer rights?

Businesses that fall under the purview of the CCPA have a number of new obligations under the law:

  • A business must take certain steps to assist individual consumers with exercising their rights under the CCPA. This must be accomplished by providing a link on the business’s homepage titled “Do Not Sell My Personal Information” and a separate landing page for the same. In addition, a business must update its privacy policy (or policies), or a California-specific portion of the privacy policy, to include a separate link to the new “Do Not Sell My Personal Information” page.

  • A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.

  • Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
  • Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Specific pieces of personal information that the business possesses about the consumer;
    • Categories of sources from which the business received personal information about the consumer;
    • A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
    • The categories of third parties with whom the business has shared the consumer’s personal information.
  • Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Categories of personal information that the business has sold about the consumer;
    • Categories of third parties to whom the business has sold the consumer’s personal information; and
    • The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
  • Finally, a business must further update its privacy policy (or policies), or the California-specific section of such policy (or policies), to:
    • Identify all new rights afforded consumers by the CCPA;
    • Identify the categories of personal information that the business has collected in the preceding 12 months;
    • Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
    • Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
    • Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.

What about employee data gathered by employers for internal workplace purposes?

As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The bill awaits the governor’s signature – he has until October 13, 2019 to sign.

But not so fast – Bill AB 25 only creates a one-year reprieve for employers, rather than a permanent exception. The exceptions listed above will expire on January 1, 2021. The legislature may choose to extend the exceptions indefinitely before then; otherwise, businesses should be prepared to fully comply with the CCPA.

California employers would thus be wise to start considering the type of employee data they collect, and whether that information may eventually become subject to the CCPA’s requirements (either on January 1, 2021 or thereafter). Personal information is likely to be present in an employee’s job application, browsing history, and information related to payroll processing, to name a few areas. It also includes biometric data, such as fingerprints scanned for time-keeping purposes. Employers who collect employees’ biometric information, for example, would be well advised to review their biometric policies so that eventual compliance with the CCPA can be achieved gradually during this one-year grace period.

Notwithstanding this new legislation, there remains little clarity as to how the law will ultimately be applied in the employer-employee context, if and when the exceptions expire. Employers are encouraged to err on the side of caution and to reach out to experienced legal counsel for further guidance if they satisfy any one of the above thresholds.

What are the penalties for violation of the CCPA?

Violations of the CCPA are enforced by the California Attorney General’s office, which can issue civil monetary fines of up to $2,500 per violation, or $7,500 for each intentional violation. Currently, the California AG’s office must provide notice of any alleged violation and allow for a 30-day cure period before issuing any fine.

Are there any exceptions to the CCPA?

Yes, there are a number of exceptions. First, the CCPA only applies to California consumers and businesses that meet the threshold(s) identified above. If a business operates or conducts a transaction wholly outside of California, then the CCPA does not apply.

There are also certain enumerated exceptions to account for federal law, such that the CCPA is pre-empted by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act as it applies to personal information sold to or purchased from a credit reporting agency, and information subject to the Driver’s Privacy Protection Act.

Would it be fair to say that the CCPA is not very clear, and maybe even a bit confusing?

Yes, it would. The CCPA was drafted, debated, and enacted into law very quickly in the face of some legislative and ballot-driven pressures. As a result, the bill as enacted is a bit confusing and even contains sections that appear to contradict its other parts. The drafters of the CCPA, however, recognized this and have included provisions for the California AG’s office to provide further guidance on its intent and meaning. Amendment efforts also remain underway. As such, it is likely that the CCPA will be an evolving law for at least the short term.

Regardless, the CCPA will impose real-world requirements effective January 1, 2020, and the new wave of consumer privacy legislation it has inspired at the state and federal level is likely to bring even more of the same. It is important to address these issues now, rather than when it is too late.


© 2019 Much Shelist, P.C.

For more on the CCPA legislation, see the National Law Review Consumer Protection law page.