Privacy & Cybersecurity

Navigating digital privacy

Consumer privacy and data security are two of the most vital topics facing California auto dealers and other retailers today. Scali Rasmussen’s Privacy & Cybersecurity blog explores the changing legal landscape, its impact on retailers, and how to take a practical approach to issues when perfection may be unattainable. Count on us for updates on new laws and regulations, enforcement actions by regulators and the plaintiff’s bar, and steps you can take to decrease liability and increase customer confidence.

Federal District Court decides that the CCPA does not limit discovery in Federal Court

2021 case review: Will Kaupelis v. Harbor Freight Tools USA, Inc.

The California Consumer Privacy Act (the “CCPA”) went into effect on January 1, 2020, requiring the provision of certain notices, including that businesses inform consumers of their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right not to be discriminated against for exercising any rights the CCPA provides. In this class action case, plaintiff Kaupelis sought discovery that included the personally identifiable information of persons who complained about defects in the chainsaw that was the subject of the action. The defendant resisted production of this information in reliance on the CCPA, arguing that the CCPA expanded the privacy rights previously provided under California law and that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.” The court noted that courts have historically engaged in a balancing test, weighing the need for the discovery against the privacy interests involved, and that the CCPA did not set aside that body of law. The court granted plaintiff’s motion to compel, stating that “[n]othing in the CCPA presents a bar to civil discovery. Notably, no other case has so held. And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law,” which would include the Federal Code of Civil Procedure provisions concerning discovery.

Plaintiff in this case alleged that because he found his personally identifying information on the dark web, Walmart had suffered a data breach. Walmart argued that Plaintiff’s failure to allege the time the breach occurred was fatal because the CCPA could not apply to any breach occurring before January 1, 2020, the date it took effect. The Court also held that Plaintiff’s CCPA claim failed because Plaintiff did not sufficiently allege disclosure of his personal information. The Court found insufficient the Complaint’s allegation that the breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”

The California Supreme Court reversed the judgment of the court of appeal and preserved the previously understood interpretation of Penal Code section 632.7, that it requires the consent of all parties to a call before the call can be recorded. Section 632.7 makes it a crime when a person, "without consent of all parties to a communication," intercepts or intentionally records a communication transmitted between a cellular or cordless telephone and another telephone. The court of appeal had held that only non-parties were required to obtain consent. The Supreme Court reversed and held that recording a communication without the speaker's consent is unlawful, regardless of whether a party to the call or someone else is recording the call.

The US Supreme Court issued a unanimous decision in Facebook, Inc. v. Duguid, holding that to be considered an “automatic telephone dialing system” (or “autodialer”) for purposes of the Telephone Consumer Protection Act (“TCPA”), the phone number used by the device to make the call must have been created by a random or sequential number generator, so that the number was either stored by the system, or generated by the system prior to dialing. The Supreme Court overturned the Ninth Circuit’s holding that a device was an autodialer if it “store[d] numbers to be called” and “dial[ed] such numbers automatically,” resolving a circuit split on the scope of the term.

In the past decade, several large-scale data breaches have resulted in troves of personal information (PI) and other data falling into the hands of malicious actors. For instance, in 2013, the records of over a billion users were compromised from the email system of Yahoo, including names, birth dates, phone numbers, passwords, backup email addresses, and security question answers. More recently, a massive breach of Facebook's databases compromised the PI of over 533 million users from 106 countries, including over 32 million records on users in the United States. These data included phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.

In previous articles, we have talked about the importance of using strong passwords and multi-factor authentication to protect consumer data. These are important steps, but they only work when a potential user must log in to a physical device or program before accessing consumer data. For this reason, every company should take steps to secure all devices and programs so that the user must log in again after a period of inactivity. This relatively simple step can help prevent a range of types of unauthorized access.

The Federal Trade Commission announced on October 27, 2021 the final updates to the Safeguards Rule under the Gramm–Leach–Bliley Act (“GLB”). These updates are the result of a multi-year process and purport to strengthen security for consumer financial information following an uptick in data breaches. Overall, the updates are more prescriptive than the previous Rule, imposing specific new requirements. For auto dealers who must comply with the new rules when they are fully effective, it means that action is needed now to protect their companies from costly private lawsuits and enforcement actions for failure to comply with the updates.

While it is important for every company to limit access to its data and network with strong passwords, for some sensitive data, traditional passwords aren’t secure enough anymore. Hackers have developed countless tried and tested methods of stealing credentials and gaining unauthorized access to private accounts. But strong passwords are not the only readily available security option. A report published by Microsoft this year revealed that 99.9% of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA) solution. For this reason, your business should adopt MFA solutions to protect its most sensitive data.

On September 21, 2021, U.S. Federal Trade Commissioner Christine Wilson provided keynote remarks at the Duke University Sanford School of Public Policy’s Robert R. Wilson Distinguished Lecture Series regarding some of the major issues lawmakers must confront to pass federal privacy legislation. Commissioner Wilson, a Trump appointee, argued that comprehensive federal privacy legislation is the right approach because there is an information asymmetry between consumers and businesses that results in a market failure and because federal legislation will create a more consistent legal landscape for businesses.
