Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identify by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta,  collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely matter, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

As the California Attorney General Focuses on Loyalty Programs, What Do Companies Need to Remember?

The California attorney general (AG) celebrated data privacy day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.

What is a loyalty program?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]

What are the general obligations under the CCPA?

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right Applicability to Loyalty Program
Notice at collection A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2]
Privacy notice A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3]
Access to information A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5]
Deletion of information A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.
Opt-out of sale A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information.
Notice of financial incentive To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4]

Are loyalty programs always financial incentive programs?

Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.”[6] While the California Attorney General has implied that all loyalty programs “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):

  • Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
    • A summary of the financial incentive offered.[11] In the context of a loyalty program a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
    • A description of the material terms of the financial incentive. [12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
    • How the consumer can opt-in to the financial incentive.[14] Information about how a consumer can opt-in (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign-up with the program.
    • How the consumer can opt-out, or withdraw, from the program. [15] This is an explanation as to how the consumer can invoke their right to withdraw from the program.[16]
    • An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation as to how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exists if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it’s not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
  • Permit the consumer to revoke their consent “at any time.”[10]

FOOTNOTES

[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).

[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).

[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).

[5] Cal. Civ. Code § 1798.100(a).

[4] CAL. CODE REGS. tit. 11, 999.301(n); 304(d); 307(a), (b).

[6] CAL. CODE REGS. tit. 11, 999.301(j) (2021).

[7] FSOR Appendix A at 75 (Response 254).

[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).

[11] CAL. CODE REGS. tit. 11, 999.307(b)(1) (2021).

[12] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[13] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[14] CAL. CODE REGS. tit. 11, 999.307(b)(3) (2021).

[15] CAL. CODE REGS. tit. 11, 999.307(b)(4) (2021).

[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[17] CAL. CODE REGS. tit. 11, 999.307(b)(5) (2021).

[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).

[19] CAL. CODE REGS. tit. 11, 999.307(b)(5)(a), (b) (2021).

[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

©2022 Greenberg Traurig, LLP. All rights reserved.
For more articles about data privacy, visit the NLR Cybersecurity, Media & FCC section.

COVID-19 Update: Don’t Be a Target: What Business Should Know about State Attorney General Reactions to COVID-19

In any time of crisis, there is heightened risk for fraud and scams. While United States Attorney General Barr has warned of scams and other illegal acts on the federal level,1 it is with the state Attorneys General (“AGs”) where the rubber hits the road in enforcing social distancing orders, investigating companies for alleged price gouging, continuing ongoing investigations, and overseeing lending relief efforts. As the economy begins to reopen on a state-by-state and sector-by-sector basis, companies must be vigilant in protecting themselves from the next wave of scrutiny by state AGs.

During normal times, state AGs rely upon their state’s Consumer Protection Act and Unfair or Deceptive Acts or Practices (UDAP) statutes to fight against perceived fraud. During the COVID-19 crisis, state AGs have taken the additional step of issuing Civil Investigative Demands, mostly focused on the issue of price gouging, or an instance in which a company allegedly inflates prices above a perceived acceptable level based not solely on supply and demand, but also on leveraging, in this case, the COVID-19 pandemic to the detriment of the consumer. Allegations of price gouging often appear during or immediately following natural disasters, an example of which would be heightened prices for essential products such as generators and flashlights in historically hard-hit areas such as Florida or New Orleans during the Atlantic hurricane season. In the current environment, state AGs across the country are each receiving literally hundreds of consumer complaints alleging that companies are similarly raising prices on necessities.2 Online platforms for third-party sellers are particularly vulnerable to state AGs in this environment, with most people sheltering in place and fulfilling the majority of their purchasing needs through online retail. In fact, 33 state AGs sent a letter to Amazon.com, Inc., Facebook, Inc., Craigslist, Inc. and eBay Inc. to request enhanced procedures to protect against price gouging on their respective platforms.3 Ironically, companies such as Facebook, Google, Navient, and others that have been targeted by state AGs, often on extremely flimsy legal grounds, are now being asked by those same regulators to continue their efforts to step up to assist in this pandemic. And those companies, and so many others, are doing just that.

However, there are indeed some bad actors. In one well-publicized example, two Tennessee men hoarded over 17,000 bottles of hand sanitizer with the intent to sell them for up to $70 per bottle and was immediately met by an expedited investigation by Tennessee AG Herbert Slatery.4 Other examples have abounded: Massachusetts AG Maura Healey unilaterally expanded her state’s price gouging regulations, which had previously been limited to gasoline and petroleum products, to include “all goods or services necessary for the health, safety or welfare of the public”;5 New York AG Letitia James sent cease and desist letters to merchants that were allegedly engaging in price gouging related to the sale of hand sanitizer and disinfectant;6 New Jersey AG Gurbir Grewal has sent over 80 cease and desist letters after receiving more than 600 complaints of COVID-19-related price gouging and other related consumer protection violations;7 Florida AG Ashley Moody activated a “Price gouging Hotline” and opened an investigation into third-party sellers accused of price gouging on essential goods through accounts on Amazon;8 and finally, 20 state AGs have implored 3M Company to create a database and accounting of the distribution and pricing of 3M’s N95 respirator masks, including urging 3M to publish its policies prohibiting price gouging.

Businesses that remain open should be mindful of the additional steps taken to ensure compliance with social distancing regulations. For example, Vermont AG T.J. Donovan issued a directive for law enforcement outlining guidance for the enforcement of the state’s COVID-19 Executive Order that, among other things, extended authority to the state Department of Public Safety to inspect the premises and records of any employer to ensure compliance with the Executive Order.9 Other state AGs are enforcing their states’ Executive Orders with similar diligence: New York AG James ordered over 70 medical transportation companies to stop providing group rides;10 Michigan AG Dana Nessel sent a letter to home improvement store Menards in the wake of reports that the retailer had engaged in business practices that would endanger consumers and employees contrary to the Executive Order issued by Michigan Governor Gretchen Whitmer;11 and Delaware law enforcement officials even issued cease and desist orders to a barber shop and a tobacco shop.12

As the economy begins to incrementally ‘reopen’ in the weeks and months to come, companies should document every step taken to protect their customers and employees as well as the rationale underlying those measures. The far-reaching effects of the COVID-19 pandemic are unlikely to subside until a vaccine becomes publicly available. Thus, state AGs are likely to continue to probe companies aggressively about safety measures taken to protect their customers and employees; adherence to government policies and interpretative guidance; their definition of essential employees; and whether the company contributed to the spread of the virus.

State AGs are the top law enforcement officers in their states and will continue to act to protect their citizens during, and long after, the COVID-19 crisis is over. Industry should be on the lookout for measures taken by state AGs to identify and prosecute fraud and perceived price gouging during the COVID-19 pandemic, and should comply with laws and Executive Orders as diligently as possible. What constitutes the requisite compliance with social distancing – both now and as the economy begins to reopen – and what constitutes an essential service are often somewhat subjective and may require the consult of counsel. Cadwalader’s state AG practice is regularly in close communication with state AG offices and is well-positioned to provide guidance to clients that may be in receipt of an inquiry from a state AG, and we stand ready to continue to assist clients as they navigate the implications of the COVID-19 pandemic.

1   https://www.justice.gov/opa/pr/attorney-general-william-p-barr-urges-american-public-report-covid-19-fraud

https://www.cadwalader.com/state-attorney-general-insider/index.php?nid=6&eid=34

3  https://www.attorneygeneral.gov/wp-content/uploads/2020/03/03_25_2020_Multistate-letter.pdf

4   On April 21, 2020, Tennessee AG Slatery announced that a settlement had been reached with the two men to resolve allegations of price gouging; all supplies were surrendered to a nonprofit organization in Tennessee and a portion of the supplies were distributed to officials in Kentucky, and the two men were prohibited from selling emergency or medical supplies grossly in excess of the price generally charged during any declared state of abnormal economic disruption related to the COVID-19 pandemic.

5  https://www.mass.gov/news/ag-healey-issues-emergency-regulation-prohibiting-price gouging-of-critical-goods-and-services

6  https://ag.ny.gov/press-release/2020/ag-james-price gouging-will-not-be-tolerated

7  https://www.njconsumeraffairs.gov/News/Pages/03172020.aspx

8   http://www.myfloridalegal.com/newsrel.nsf/newsreleases/A32615BF3942B33E8525854300514289?Open&

9  https://www.attorneygeneral.gov/wp-content/uploads/2020/03/03_25_2020_Multistate-letter.pdf

10  https://ag.ny.gov/press-release/2020/attorney-general-james-orders-78-transport-providers-immediately-stop-endangering

11  https://www.michigan.gov/coronavirus/0,9753,7-406-98158-523976–,00.html

12 https://www.delawarepublic.org/post/delaware-flagging-non-essential-businesses-open-during-shutdown


© Copyright 2020 Cadwalader, Wickersham & Taft LLP

For more on AG’s Enforcement Activities around COVID-19 Fraud see the National Law Review Coronavirus News section.

Supreme Court Holds That State Attorney General Actions are Not “Mass Actions” Under Class Action Fairness Act (CAFA)

DrinkerBiddle

 

On January 14, the Supreme Court of the United States held that lawsuits that are filed in the name of a State Attorney General but seek relief on behalf of a State’s citizens cannot be removed to federal court as “mass actions” under the Class Action Fairness Act (CAFA)See Mississippi ex rel. Hood v. AU Optronics Corp., No. 12-1036 (Jan. 14, 2014). Resolving a split between the Fifth Circuit on the one hand and the Fourth, Seventh and Ninth Circuits on the other, the ruling means that businesses will have to defend AG actions in state courts, and state courts will have to resolve whether such actions can proceed even though the consumers on whose behalf they are brought have agreed to settle their claims in a class action or, conversely, to pursue their own claims individually rather than collectively.

“Mass Actions”

CAFA gives federal courts original subject matter jurisdiction over certain “class actions” and “mass actions.” It defines a “class action” as “any civil action filed under rule 23 of the Federal Rules of Civil Procedure or similar State statute or rule of judicial procedure authorizing an action to be brought by 1 or more representative persons as a class action” and defines a “mass action” as “any civil action . . . in which the monetary relief claims of 100 or more persons are proposed to be tried jointly on the ground that the plaintiffs’ claims involve common questions of law or fact, except that jurisdiction shall exist only over those plaintiffs whose claims in a mass action [exceed $75,000, exclusive of interest and costs].” 28 U.S.C. §§ 1332(d)(1)(B), (d)(11)(B)(i).[1] Excluded from the definition of “mass action” are (among other things) actions in which “all of the claims are asserted on behalf of the general public (and not on behalf of individual claimants or members of a purported class) pursuant to State statute specifically authorizing such action . . . .” Id.§ 1332(d)(11)(B)(ii)(III).

The Hood Case

Jim Hood, the Attorney General of Mississippi, filed a parens patriaeaction that alleged that the companies that manufacture and market liquid crystal display (LCD) panels had engaged in price-fixing that violated the Mississippi Consumer Protection Act and Mississippi Antitrust Act. Hood sought equitable and compensatory relief on behalf of both the State and its citizens. The defendants removed the action to federal court under CAFA and the Attorney General moved to remand. The district court remanded, finding that the suit was not a “mass action” because it fell within the definition’s “general public” exception. The Fifth Circuit reversed. Looking at each claim rather than the action as a whole, it reasoned that the real parties in interest were not only the State but also the individual citizens who had purchased LCD products, and as a result the “claims of 100 or more persons [we]re proposed to be tried jointly.” Id. § 1332(d)(11)(B)(i). Hood then petitioned for certiorari, which the Supreme Court granted.

The Supreme Court’s Decision

Yesterday, the Supreme Court unanimously reversed. Justice Sotomayor’s opinion is a primer on statutory construction:

Respondents argue that the [mass action] provision covers [AG actions] because “claims of 100 or more persons” refers to “thepersons to whom the claim belongs, i.e., the real parties in interest to the claims,” regardless of whether those persons are named or unnamed. We disagree.

To start, the statute says “100 or more persons,” not “100 or more named or unnamed real parties in interest.” Had Congress intended the latter, it easily could have drafted language to that effect. Indeed, when Congress wanted a numerosity requirement in CAFA to be satisfied by counting unnamed parties in interest in addition to named plaintiffs, it explicitly said so: CAFA provides that in order for a class action to be removable, “the number of members of all proposed plaintiff classes” must be 100 or greater, and it defines “class members” to mean “the persons (named or unnamed) who fall within the definition of the proposed or certified class.” Congress chose not to use the phrase “named or unnamed” in CAFA’s mass action provision, a decision we understand to be intentional.

More fundamentally, respondents’ interpretation cannot be reconciled with the fact that the “100 or more persons” referred to in the statute are not unspecified individuals who have no actual participation in the suit, but instead the very “plaintiffs” referred to later in the sentence—the parties who are proposing to join their claims in a single trial….[2]

The Court then rejected the argument that “plaintiffs” should be read as including both named and unnamed parties, finding that such a reading “stretches the meaning of ‘plaintiff’ beyond recognition” and would impose an “administrative nightmare” on the lower courts:

The term “plaintiff” is among the most commonly understood of legal terms of art: It means a “party who brings a civil suit in a court of law.” It certainly does not mean “anyone, named or unnamed, whom a suit may benefit,” as respondents suggest.

Yet if the term “plaintiffs” is stretched to include all unnamed individuals with an interest in the suit, then §1332(d)(11)(B)(i)’s requirement that “jurisdiction shall exist only over those plaintiffs whose claims [exceed $75,000]” becomes an administrative nightmare that Congress could not possibly have intended. How is a district court to identify the unnamed parties whose claims in a given case are for less than $75,000? Would the court in this case, for instance, have to hold an evidentiary hearing to determine the identity of each of the hundreds of thousands of unnamed Mississippi citizens who purchased one of respondents’ LCD products between 1996 and 2006 (the period alleged in the complaint)? Even if it could identify every such person, how would it ascertain the amount in controversy for each individual claim?

We think it unlikely that Congress intended that federal district courts engage in these unwieldy inquiries. By contrast, interpreting “plaintiffs” in accordance with its usual meaning—to refer to the actual named parties who bring an action—leads to a straightforward, easy to administer rule under which a court would examine whether the plaintiffs have pleaded in good faith the requisite amount. Our decision thus comports with the commonsense observation that “when judges must decide jurisdictional matters, simplicity is a virtue.”[3]

The decision means that the troubling trend of retaining private class action lawyers to file public AG actions in state courts can continue and could conceivably quicken. It also raises a number of interesting questions the Court did not address, for example whether AG actions are barred by agreements to settle class actions brought on behalf of the same consumers,[4] or affected by agreements to resolve claims in individual arbitration rather than representative litigation.[5]


[1]           The defendants did not ask the Court to hold that the case qualified as a “class action,” although they had raised that point below. See Opinion at 4 & n.2.

[2]           Opinion at 5-6 (emphasis in original, citations omitted).

[3]           Id. at 7-10 (citations omitted).

[4]           Cf. New Mexico ex rel. King v. Capital One Bank (USA) N.A., 13-0513, 2013 WL 5944087, at *4-8 (D.N.M. Nov. 4, 2013) (finding that class action settlement barred AG action to the extent it sought compensatory relief).

[5]           Cf. Iskanian v. CLS Transp. Los Angeles, LLC, 206 Cal. App. 4th 949, 964 (2012) (finding that Concepcion requires enforcement of waiver of right to bring representative action under California’s Private Attorney General Act), review granted Sept. 19, 2012 (No. S204032).

Article by:

Of:

Drinker Biddle & Reath LLP