In re-launching the inquiry into carriers' data privacy and security practices, the FCC argues that not informing customers about the software or its data practices may have violated the carriers' responsibility pursuant to Section 222 of the Communications Act of 1934 to protect customer data "that is made available to a carrier solely by virtue of the carrier-customer relationship." The law allows such data to be used only in "limited circumstances," a term which is not defined in Section 222. It appears that one of the goals of the renewed inquiry is for the FCC to define the scope of the "limited circumstances."
Last week, a plaintiff's putative class action alleging a violation of California's Shine the Light law, Cal. Civ. Code § 1798.83, was dismissed without prejudice. See Boorstein v. Men's Journal LLC, No. 12-cv-00771-DSF-E, 2012 WL 2152815 (C.D. Cal. June 14, 2012). The suit, one of several other similar pending suits, is the first reported decision applying the Shine the Light Law.
The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program.
What happened in the privacy world last week? On Thursday, just before the release of the White House Paper, California Attorney General Kamala Harris announced an agreement with the leading operators of mobile application platforms to privacy principles designed to bring the mobile app industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law.
Phonedog v. Kravitz, currently pending in the Northern District of California, raises unprecedented issues regarding social media. Is a list of Twitter followers protected as trade secret under California law? What is the value of a Twitter follower? $2.50 per month? I discussed these questions today with Fox News.
California's infamous SB 1386 (California Civil Code sections 1798.29 and 1798.82) was the very first security breach notification law in the nation in 2002, and nearly every state followed suit. Many states added their own new twists and variations on the theme - new triggers for notification requirements, regulator notice requirements, and content requirements for the notices themselves. Over the years, the California Assembly and Senate have passed numerous bills aimed at amending California's breach notification law to add a regulator notice provision and to require the inclusion of certain content. However, Governor Schwarzenegger vetoed the bills on multiple occasions, at least three times. Earlier this year, State Sen. Joe Simitian (D-Palo Alto) introduced Senate Bill 24, again attempting to enact such changes. Yesterday, August 31, 2011, Governor Brown signed SB 24 into law.
The California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08. Really.
Many of you probably read earlier this month that California's Office of Administrative Law approved the California Department of Insurance's proposal to repeal certain privacy regulations. The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act, so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. Many of our followers have asked me to break down this newest California development, so here goes.
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law.