August 26, 2022 California Attorney General Sends “Strong Message” in Fining Sephora $1.2 Million for CCPA Violations and Announces “New Investigative Sweep”

By: Madeleine V. Findley and Effiong K. Dampha

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora Inc. (Sephora), the first public enforcement action under the California Consumer Privacy Act (CCPA).[1] The settlement resolved allegations that Sephora failed to disclose it was selling consumers’ personal information, failed to honor opt-out requests from user-enabled global privacy controls, and failed to cure these violations within 30 days, as required by CCPA. The settlement is part of “an enforcement sweep” of online retailers and their use of third-party tracking software on websites and mobile apps. The Attorney General simultaneously announced a new “investigative sweep” focused on whether businesses are complying with opt-out requests from user-enabled global privacy controls. Attorney General Bonta underscored his commitment to “robust enforcement” of California’s privacy law, stating “My office is watching, and we will hold you accountable.”[2] 

Sephora Settlement for Failure to Disclose Third-Party Tracking and Honor Opt-Out Requests

According to the Attorney General, Sephora allowed third-party companies to install cookies and other tracking software on its website and in its app that collected data about consumers, including the type of device a consumer used, the brand of cosmetic product the consumer placed in the shopping cart, and the consumer’s precise location. The Attorney General found this data sharing to be a sale of consumer information, and that Sephora had failed to notify consumers of the sale and offer an opt-out or to honor opt-out requests via global privacy controls.

The settlement required Sephora to pay $1.2 million in penalties and to: 

  1. clarify its online disclosures and privacy policy to state that it sells data, 
  2. provide opt-out mechanisms, including via the Global Privacy Control (GPC), and
  3. conform its service provider agreements to the CCPA’s requirements. 

The agreement also required Sephora to provide status reports to the Attorney General on its progress on each of these obligations.[3] 

Notices of Non-Compliance with Global Privacy Controls

The Attorney General also announced a “new investigative sweep” focused on compliance with global privacy controls. As part of this “sweep,” the Attorney General sent notices of non-compliance on August 24 to over a dozen businesses relating to their alleged failure to process consumer opt-out requests made through user-enabled global privacy controls, such as the GPC. In 2021 the AG had quietly added an FAQ to its CCPA webpage stating that the GPC “must be honored” as a request to opt out of the sale of personal information; these notices signal an increasingly aggressive enforcement approach. Businesses that receive a notice will have 30 days to cure their noncompliance—but this right to cure will expire when the California Privacy Rights Act becomes effective on January 1, 2023. The new round of notices makes clear the Attorney General’s expectation that businesses will honor user-enabled global privacy controls.
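What “honoring” a user-enabled global privacy control looks like at the web-server layer, as an added illustration (not code from the Attorney General’s office or from any business named in this post): the GPC specification (https://globalprivacycontrol.org/) has participating browsers send the request header `Sec-GPC: 1`, and a site that sells or shares personal information treats that header as an opt-out and stops loading the third-party tags that do the selling. The request shape, the tag list and the audit record below are constructed for the example.

```python
"""Treat the Global Privacy Control (GPC) browser signal as a do-not-sell opt-out.

Added example; assumes only the `Sec-GPC: 1` request header defined by the GPC
specification. The Request type, the tag catalogue and the audit record are
constructed illustrations, not any real site's code.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    headers: dict
    cookies: dict = field(default_factory=dict)


# Constructed catalogue of tags a retail site might embed. The flag records
# whether loading the tag discloses personal information to a third party in
# a way the site has classified as a "sale" or "share".
THIRD_PARTY_TAGS = [
    {"name": "ad-network-pixel", "sells_or_shares_pi": True},
    {"name": "analytics-first-party", "sells_or_shares_pi": False},
    {"name": "retargeting-beacon", "sells_or_shares_pi": True},
]


def gpc_opt_out(request: Request) -> bool:
    """True when the browser sent Sec-GPC: 1 (header names are case-insensitive).

    Any other value, or a missing header, means "no signal", not "consent".
    """
    for name, value in request.headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def sale_opted_out(request: Request) -> bool:
    """Either the GPC signal or the site's own opt-out cookie is sufficient.

    The signal is honored even if the visitor never clicked the site's own
    "Do Not Sell" link; the two mechanisms must not cancel each other out.
    """
    return gpc_opt_out(request) or request.cookies.get("do_not_sell") == "1"


def tags_to_load(request: Request) -> list[str]:
    """Return the names of tags the page may render for this visitor.

    For an opted-out visitor only tags that do not sell or share personal
    information are emitted into the page.
    """
    if sale_opted_out(request):
        return [t["name"] for t in THIRD_PARTY_TAGS if not t["sells_or_shares_pi"]]
    return [t["name"] for t in THIRD_PARTY_TAGS]


def audit_record(request: Request) -> dict:
    """A per-request record a site can retain to show the signal was processed."""
    return {
        "gpc_signal": gpc_opt_out(request),
        "opted_out": sale_opted_out(request),
        "tags_loaded": tags_to_load(request),
    }


if __name__ == "__main__":
    # Constructed requests: one with the GPC signal, one without it.
    print(audit_record(Request(headers={"Sec-GPC": "1"})))
    print(audit_record(Request(headers={"User-Agent": "example"})))
```

The decision is made on the server before any third-party script is written into the response, so the opt-out holds even for visitors who never interact with a cookie banner; keeping the audit record alongside ordinary access logs is what lets a site answer a regulator’s question of whether a given signal was processed.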

Additional Case Examples

The Attorney General also updated the CCPA Enforcement Case Examples webpage for the first time since July 2021 with 13 new case summaries. These include failure to honor consumer opt out requests, failure to appropriately disclose financial incentives in loyalty programs, flaws in responding to consumer requests to access or delete personal information, and non-compliant privacy policies. The businesses involved ranged from telehealth providers to fintech to fitness chains.

In a press statement, Attorney General Bonta emphasized his view that the Sephora settlement would “send a strong message to businesses,” and noted “there are no more excuses” for not complying with CCPA. The settlement, case examples, and new round of notices reflect an increasingly robust focus on enforcing California privacy law, and pose additional compliance challenges as businesses prepare for the California Privacy Rights Act to take effect in 2023.

[1] Press Release, Cal. Dept. of Justice, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement (AG Bonta Press Release)
[2] AG Bonta Press Release
[3] AG Bonta Press Release; California v. Sephora, Inc., Case No. CGC-22-601380 (Cal. Sup. Ct. Aug. 24, 2022), available at https://oag.ca.gov/system/files/attachments/press-docs/Filed Judgment.pdf

CATEGORIES: Privacy Data Security

January 19, 2022 Changes to California Consumer Law Protections on January 1, 2022

By: Wesley M. Griffith and Jenna L. Conwisar (https://jenner.com/people/JennaConwisar)

Effective January 1, 2022, California implemented several important changes to its consumer protection laws, ranging from data privacy to debt collection to updates to the Consumer Legal Remedies Act. This post highlights several notable changes that companies and practitioners may wish to bear in mind as they ring in the new year.

Data Privacy

In the world of data privacy, there has been a lot of buzz around California’s new consumer privacy law, the California Privacy Rights Act (CPRA), which was previously discussed on this blog here.

The CPRA will greatly expand the state’s current data protection infrastructure by, among other things, increasing consumer control over sensitive personal information, adding additional consumer privacy rights, and creating the California Privacy Protection Agency to enforce the CPRA.

While not effective until January 1, 2023, the CPRA will apply to certain data collected in 2022, requiring many businesses to begin updating their data practices now.[1]

Debt Collection

A number of the California consumer law updates that took effect on January 1, 2022 focused on debt collection practices. Perhaps most notable is the implementation of the Debt Collection Licensing Act (DCLA).[2] Aligning California with the majority of states that already have collection agency licensure requirements, the DCLA requires debt collectors and debt buyers operating in California to obtain a license from the Department of Financial Protection and Innovation.

The DCLA generally applies to entities collecting consumer debt in California, including organizations such as law firms and other companies engaged in collection activities who may not consider themselves “debt collectors” in the traditional sense. Critically, under the DCLA, debt collectors who missed the December 31, 2021 application deadline must halt operations in California until they are issued a license.[3]

Other changes to California debt collection laws effective January 1, 2022 include:

  • Health Care Debt and Fair Billing: Among other things, AB 1020 revises the state’s medical billing and debt collection policies, including by prohibiting hospitals from selling patient debt unless certain conditions are met.[4]
  • Identity Theft: AB 430 expands protections for victims of identity theft and requires debt collectors to pause collection activities until certain criteria are met if a consumer submits either a copy of a Federal Trade Commission (FTC) identity theft report or a police report.[5]
  • Fair Debt Settlement Practices Act: Adds new regulatory requirements and prohibitions on debt settlement service providers and payment processor activities. It also creates a consumer private right of action for intentional violations, with available remedies including actual damages, injunctive relief, attorneys’ fees, and/or statutory damages as high as $5,000 per violation.[6]

Consumer Legal Remedies Act

January 1, 2022 also saw revisions to the California Consumer Legal Remedies Act (CLRA).[7] As amended, the CLRA now offers additional protections to senior citizens from unfair and deceptive loan solicitations. Specifically, the CLRA now applies to Property Assessed Clean Energy (PACE) program loans for seniors—such as loans for solar panels or energy-efficient appliances. Violations are subject to $5,000 in statutory damages, on top of any actual or punitive damages, injunctive relief, restitution, and/or attorneys’ fees.[8]

*          *          *

Taken together, California has added significant additional complexity and potential liability to the consumer protection landscape at the outset of 2022, and companies who work in these spaces should be careful to ensure that their existing practices are updated to comply with the new laws.


[1] Cal. Civ. Code § 1798.130.

[2] Cal. Fin. Code § 100000 et seq.

[3] Debt Collection – Licensee, Department of Financial Protection & Innovation.

[4] Cal. Civ. Code §§ 1788.14, 1788.52, 1788.58, 1788.185; Cal. HSC § 127400 et seq.

[5] Cal. Civ. Code §§ 1788.18, 1788.61, 1798.92, 1798.93; Cal. Penal Code § 530.8.

[6] Cal. Civ. Code § 1788.300 et seq.

[7] Cal. Civ. Code § 1770.

[8] Cal. Civ. Code § 1780.

CATEGORIES: Privacy Data Security

PEOPLE: Jenna L. Conwisar

October 19, 2021 Factors to Consider in Disclosing a Cybersecurity Breach to the SEC

In this article published by Westlaw Today, Partners Brian R. Boch and Charles D. Riely and Associate William R. Erlain explain that the US Securities and Exchange Commission has ramped up its enforcement against misleading cybersecurity disclosures and announced plans to consider adopting new disclosure obligations. The authors highlight key factors to consider in determining whether and how a public company should disclose a cybersecurity breach in light of recent SEC guidance, enforcement actions and investigations, and private securities actions.

Click here to read the full article.

CATEGORIES: Privacy Data Security, Securities

March 27, 2020 COVID-19 / Coronavirus

We are closely tracking and providing information on developments facing companies and organizations arising from the COVID-19 pandemic. In the latest alerts, our lawyers offer guidance on financial and tax relief provisions in Illinois; share observations of how landlords and real estate lenders are responding to defaulting tenants and borrowers; consider the effects of the crisis on M&A transactions; explore how social distancing affects ongoing environmental investigations and mediation; analyze how state and federal legislation may combat insurance coverage denials for COVID-19; and examine the Department of Labor’s guidance regarding expanded family and medical leave under the Families First Coronavirus Response Act. These alerts and others are available in the library of our COVID-19 / Coronavirus Resource Center.


CATEGORIES: Decisions of Note, Employment, Privacy Data Security, Securities

March 18, 2020 COVID-19 / Coronavirus Resources

When we read the daily news, we see uncharted waters. Industries are being impacted overnight. We continue to do everything we can to support clients as they navigate these times. Our lawyers have provided practical insight into the legal and strategic challenges companies are facing. Jenner & Block has assembled a multi-disciplinary team, drawn from a variety of our practice areas and sector groups, to support clients as they navigate these uncharted waters. We also continue to update our COVID-19 / Coronavirus Resource Center. It provides helpful and timely information on the legal and strategic challenges companies are facing. Following is a list of some of those pieces.

Evaluating Force Majeure Clauses in Connection with the COVID-19 Outbreak

As governments and businesses take action to mitigate the impact of COVID-19, companies must consider whether and to what extent their existing contractual agreements oblige parties to perform while events related to COVID-19 are impacting the performance under those contracts. Many contracts contain force majeure clauses that may excuse performance in the face of COVID-19. These provisions are not uniform, and the scope of relief they afford may vary considerably based upon the language used, the jurisdictions involved, and the unique facts and circumstances of each case. We provide a brief overview here of how a force majeure clause may excuse performance with respect to COVID-19-related events. To read more, please click here.

SEC Reacts to COVID-19 Crisis and Issues Relief Relevant to Public Companies and Regulated Entities

On Friday, March 13, 2020, and over the subsequent weekend, the Securities and Exchange Commission (SEC) and its staff made announcements with guidance and/or relief for public companies and firms experiencing challenges because of COVID-19 / coronavirus. The SEC and its staff appear to have calibrated the guidance and relief to balance investors’ need for information with the practical realities of an unprecedented public health event. The SEC also emphasized that it is continuing to “assess impacts relating to the coronavirus on investors and market participants, and will consider additional relief from other regulatory requirements.” To read more, please click here.

Cybersecurity Concerns with Regard to Work-From-Home Policies

The COVID-19 outbreak is causing many companies to consider work-from-home programs for many of their employees. Any arrangement where employees are permitted to work from home poses a unique set of cybersecurity risks and challenges, but those risks are heightened when a majority of the work force is away from the controlled office environment. Ensuring that appropriate technical and administrative safeguards are in place prior to launching wide-scale work-from-home programs is critical to ensuring the safety of your network and data. For considerations that businesses should take into account when implementing work-from-home programs, please click here.

To stay abreast of developments through this unprecedented situation, continue to monitor the Consumer Law Round-Up blog and visit the resource library for helpful reference materials.


CATEGORIES: Employment, Privacy Data Security

August 7, 2019 New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.

Expanded Coverage.

Moreover, the SHIELD Act also expanded its data breach notification requirements to mandate compliance by any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York.  It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”  Additionally, while businesses that are already regulated by and comply with data breach notice requirements under certain state and federal cybersecurity laws, such as HIPAA, GLBA and NY DFS Reg. 500, must also notify the state Attorney General, Department of State Division of Consumer Protection and Division of the State Police, they need not further notify affected New York residents.

New “Reasonable” Data Security Requirements.

The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data, and the law itself provides examples of “reasonable practices.”  Again, compliance is presumed for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA.  Notably, there is a limited exemption to the requirement for small businesses, which are defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.

Enforcement and Penalties for Non-Compliance.

The SHIELD Act does not provide consumers with a private right of action, but instead permits an attorney general to bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are neither reckless nor knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For reckless or knowing violations, a court may impose increased penalties of the greater of $5,000 or up to $20 per instance, for a maximum of $250,000. For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation. The time for commencing an action under the law has also been increased from two to three years from the date on which the attorney general became aware of the violation, or the date that the covered entity provided notice of the breach. No action may be brought after six years from the date the breach was discovered unless the company took steps to hide the breach.

The SHIELD Act takes effect on March 21, 2020.

CATEGORIES: Privacy Data Security

April 29, 2019 HUD Brings Housing Discrimination Charge Against Facebook

By Emily A. Bruemmer

On March 28, 2019, the US Department of Housing and Urban Development (HUD) filed a Charge of Discrimination against Facebook, alleging that Facebook violated the Fair Housing Act “by encouraging, enabling, and causing housing discrimination through the company’s advertising platform.” This is an administrative action filed by the Secretary of HUD, on behalf of complainant Assistant Secretary for Fair Housing and Equal Opportunity, before the Office of Administrative Law Judges at HUD. Unless any of the parties chooses to have the case heard in federal district court, an administrative law judge will hear the charge and may award damages, in addition to injunctive or other equitable relief, attorney fees, and fines. HUD previously announced a formal complaint, initiated by the Secretary of HUD, against Facebook in August 2018. The formal complaint was the first step in a process that then moved to a fact-finding investigation. Last month’s charge indicates that the investigation resulted in a determination that there was reasonable cause to believe that Facebook violated the Fair Housing Act.

The Fair Housing Act prohibits making, printing, or publishing (or causing to be made, printed, or published) notices, statements, or advertisements related to the sale or rental of a dwelling that indicate “any preference, limitation, or discrimination based on race, color, religion, sex, handicap, familial status, or national origin, or an intention to make any such preference, limitation, or discrimination.” Here, HUD has alleged that Facebook violated that prohibition by allowing advertisers, not only on its social media platforms but also across the Internet through its advertising services, to select or exclude categories of recipients of housing-related advertising by making distinctions based on race, color, religion, sex, familial status, national origin, disability, and/or zip codes. According to the charge, advertisers could use a map tool to exclude people who lived in specific areas by drawing red lines, evoking historical discrimination through “redlining.”

This enforcement action came just ten days after Facebook settled five lawsuits related to allegedly discriminatory advertising practices, including one by fair housing groups the National Fair Housing Alliance, Fair Housing Council of Greater San Antonio, Fair Housing Justice Center of New York, and Housing Opportunities Project for Excellence, Inc. of Miami related to Facebook’s housing advertisement practices, and one by the ACLU, the Communications Workers of America, and Outten & Golden LLP related to sex discrimination in employment advertisements.

As HUD General Counsel Paul Compton stated in the press release: “Fashioning appropriate remedies and the rules of the road for today’s technology as it impacts housing are a priority for HUD.”  Further, that HUD’s lawsuit follows Facebook’s settlements with private parties provides a reminder that settling lawsuits with private plaintiffs is no guarantee that a federal or state regulator will not bring its own, separate enforcement action.  The case will be an important one to watch.

CATEGORIES: Privacy Data Security

April 26, 2019 Facebook Announces Potential $5 Billion FTC Fine

By Emily A. Bruemmer

On April 24, 2019, Facebook announced in its Q1 earnings release that it had set aside $3 billion and estimates that it may pay up to $5 billion in a fine related to the FTC’s ongoing inquiry into its “platform and user data practices.” Facebook entered into a settlement with the FTC related to its privacy practices in 2011, which has reportedly been re-opened. This would be the largest fine ever imposed by the FTC on a technology company. The possibility of a “multi-billion dollar fine” was first reported this February by The Washington Post.

CATEGORIES: Privacy Data Security

March 20, 2019 Facebook Announces New Privacy Initiative

By Emily A. Bruemmer

On March 6, 2019, Facebook CEO Mark Zuckerberg announced via an interview and a Facebook blog post a planned shift to “building a privacy-focused messaging and social networking platform.” Characterizing this shift as a “privacy-focused vision,” Zuckerberg said that this change in focus meant that Facebook and Instagram would not only function as “the digital equivalent of a town square” but also “the digital equivalent of the living room.” This shift was billed in part as a response to user demand: according to the post, the “fastest growing areas of online communication” were private messaging, “ephemeral stories,” and small group communication.

According to the blog post, Facebook’s “privacy-focused platform” will be based on six principles: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.  “Interoperability” refers to Facebook’s plan to integrate its messaging services across Facebook Messenger, WhatsApp, and Instagram Direct.  The blog post did not provide much detail on what these principles would mean in practice or what changes users would see from an experiential perspective, but rather qualified its efforts as being in the “early stages.”  

The blog post acknowledged Facebook’s reputation for not building “privacy protective services.”  In 2011, Facebook entered into a consent decree with the Federal Trade Commission (FTC) related to its privacy practices and has continued to face criticism for its privacy and data protection practices.  Indeed, just a few days prior to the announcement, news reports circulated regarding the ability to look up individuals on Facebook based on their telephone numbers, despite Facebook’s statements to users when they provided their telephone numbers that the number would be used for two-factor authentication.  Reports last year led to Facebook’s confirmation that the telephone numbers are also used for advertising. 

Some legislators and regulators have expressed concerns about information sharing between Facebook’s services. Last month, the German antitrust regulator issued a decision restricting Facebook from sharing information between services in the absence of users’ voluntary consent.  Facebook announced that it planned to appeal the decision.

CATEGORIES: Privacy Data Security