California Governor Signs Sweeping New Privacy Legislation
By Thomas R. McMorrow, Chair, California Policy Practice | Donna L. Wilson, Managing Partner-Elect, Chair, Privacy and Data Security | Brandon P. Reilly, Associate, Privacy and Data Security
Governor Brown and California legislators enacted far-reaching consumer privacy and data security protections in a deal to avoid a deeply flawed privacy initiative being placed on the ballot for voters in November.
California Gov. Jerry Brown signed A.B. 375, the California Consumer Privacy Act of 2018 (CCPA), into law. The CCPA is the nation’s strictest consumer privacy and data protection measure. While legislators have promised “technical amendments” before the CCPA takes effect in 2020, there is little doubt that it is a better, more workable option for consumers and businesses than the consumer privacy ballot initiative would have been.
The CCPA will apply to any for-profit entity doing business in California that (1) collects consumers’ personal information (PI) solely or jointly with others, and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.
The law will govern a broad swath of nonpublic information (i.e., personal information) that is more expansive than definitions of personally identifiable information and similar information categories protected under existing state law. As written, PI includes items such as IP address, commercial information, biometrics, Internet activity, geolocation, employment-related information, education information, and “inferences” drawn from any such information to create a profile reflecting consumer characteristics.
The CCPA will require covered businesses to observe an assortment of consumer rights and related notices that, in certain respects, resembles those recently codified in the European Union via its General Data Protection Regulation (GDPR). The CCPA’s new rights include:
- Right of Access. Consumers may request disclosure of the specific PI that a business has collected about the consumer.
- Right of Deletion. Consumers may request that a business delete any PI it has collected from the consumer and direct any service providers to do the same, subject to several exceptions, such as when PI is needed to complete requested transactions or services.
- Right to Know. Consumers may request disclosure of the categories and specific pieces of PI collected about them, the sources from which the PI was collected, the purpose for such collection, and the categories of third parties the PI is shared with or sold to.
- Right to Opt Out or Opt In. Consumers may opt out of any sale of their PI to third parties, and consumers under age 16 must opt in to any such sales.
- Right of Equal Service. Covered businesses must not discriminate against consumers exercising any of the above rights, including through pricing and quality of goods or services, unless different treatment is reasonably related to the value provided to the consumer by his or her data. However, businesses may offer reasonable financial incentives related to PI collection, sale or deletion.
Violations of these provisions are actionable by the California Attorney General (AG) via the state’s Unfair Competition Law (UCL) after a 30-day cure period has passed. In addition to UCL penalties, the law authorizes civil penalties of up to $7,500 per violation.
The CCPA also provides a limited private right of action for data breaches, defined as any instance in which unencrypted PI is subject to unauthorized access and exfiltrated or otherwise disclosed as a result of a violation of the business’s duty to observe reasonable security procedures and practices. The right of action has two major prerequisites: first, 30 days’ written notice to the business identifying the allegations and an opportunity to cure, and second, notification to the AG within 30 days of filing a complaint requiring the AG’s response within 30 days stating whether the AG will prosecute the matter within six months and potentially whether the consumer is not authorized to proceed. Only once these preconditions are met may the consumer proceed with his or her civil claim for the greater of statutory damages between $100 and $750 per incident or actual damages and injunctive or declaratory relief.
The development represents a significant compromise with Alastair Mactaggart, the lead sponsor of a ballot initiative that would have brought similar proposals to California voters in November. As part of the compromise, Mr. Mactaggart has agreed to pull the initiative from the ballot before the deadline for the Secretary of State to certify the initiative for the ballot. Though industry groups had been gearing up for an opposition to the ballot initiative, the Internet Association issued a statement saying it would not impede the bill’s enactment. Indeed, certain industry heads such as Marc Benioff of Salesforce have recently signaled support for such moves at the national level.
back to top
Justices Buck Precedent to Allow Sales Tax Collection From Remote Sellers
By Jesse M. Brody, Partner, Advertising, Marketing and Media
Reversing prior precedent that prevented collecting sales tax from Internet retailers that do not have a physical presence in the state, the 5-4 Supreme Court said the case law didn’t reflect the current reality.
The dispute can be traced back to 1967, when the Court in National Bellas Hess, Inc. v. Department of Revenue of Illinois held that a mail-order company whose only connection with customers in the state was by mail or common carrier lacked the requisite minimum contacts to collect sales tax. The justices doubled down on the decision in 1992’s Quill Corp. v. North Dakota, reiterating that the mere shipment of goods into the consumer’s state did not satisfy the physical presence requirement to require a retailer to collect sales tax.
In an effort to work around the Bellas Hess and Quill decisions, the state of South Dakota enacted a new law to increase its collection of sales tax. The 2016 law declared an emergency because the inability to collect sales tax from remote sellers was “seriously eroding the sales tax base” and “causing revenue losses and imminent harm.” The state estimated it loses $48 million to $58 million in tax revenue on an annual basis. In response, S.106 requires out-of-state sellers to collect and remit sales tax “as if the seller had a physical presence in the state.”
Pursuant to the law, sellers that deliver more than $100,000 of goods or services into the state or engage in 200 or more separate transactions for the delivery of goods and services into the state must collect the 4.5 percent South Dakota sales tax from purchasers. The South Dakota Act foreclosed the retroactive application of the law and, by its own terms, could be applied only after its validity was judicially upheld.
To test the constitutionality of the act, the state filed a declaratory judgment action against three remote sellers who met the minimum sales or transactions threshold—Newegg, Overstock.com and Wayfair—and asked for a declaration that the requirements of the law are valid and applicable. The defendants moved for summary judgment, arguing the law is unconstitutional.
A trial court sided with the defendants, and the South Dakota Supreme Court affirmed. The Supreme Court granted certiorari and reversed in an opinion authored by Justice Anthony Kennedy.
The physical presence rule has been the target of criticism for many years from many quarters, the Court noted, and each year, the rule “becomes further removed from economic reality and results in significant revenue losses to the States. These critiques underscore that the physical presence rule, both as first formulated and as applied today, is an incorrect interpretation of the Commerce Clause.”
“Quill is flawed on its own terms,” Justice Kennedy explained. “First, the physical presence rule is not a necessary interpretation of the requirement that a state tax must be ‘applied to an activity with a substantial nexus with the taxing State.’ Second, Quill creates rather than resolves market distortions. And third, Quill imposes the sort of arbitrary, formalistic distinction that the Court’s modern Commerce Clause precedents disavow.”
It is an inescapable fact of modern commercial life that a substantial amount of business is transacted without the need for physical presence within a state, and the rule “is a poor proxy” for the compliance costs faced by companies that do business in multiple states, the justices said.
The precedent puts both local businesses and many interstate businesses with physical presences in a state at a competitive disadvantage compared with remote sellers who can offer lower prices because they are not collecting tax. Wayfair advertised this fact, Justice Kennedy wrote; the company stated that “[o]ne of the best things about buying through Wayfair is that we do not have to charge sales tax.”
“In effect, Quill has come to serve as a judicially created tax shelter for businesses that decide to limit their physical presence and still sell their goods and services to a State’s consumers—something that has become easier and more prevalent as technology has advanced.”
Time and the rise of the Internet marketplace also provided support to South Dakota’s law. Modern e-commerce does not align analytically with a test that relies on the sort of physical presence defined in Quill, the majority said. “Between targeted advertising and instant access to most consumers via any internet-enabled device, ‘a business may be present in a State in a meaningful way without’ that presence ‘being physical in the traditional sense of the term.’”
Stare decisis is not an inexorable command, the Court said, and could no longer support the Court’s prohibition of a valid exercise of the states’ sovereign power.
“Quill’s physical presence rule intrudes on States’ reasonable choices in enacting their tax systems,” the Court wrote. “And that it allows remote sellers to escape an obligation to remit a lawful state tax is unfair and unjust. It is unfair and unjust to those competitors, both local and out of State, who must remit the tax; to the consumers who pay the tax; and to the States that seek fair enforcement of the sales tax, a tax many States for many years have considered an indispensable source for raising revenue.”
Having overruled Bellas Hess and Quill, the justices wasted little ink on whether the South Dakota law was constitutional. The act applied to an activity with a substantial nexus with the taxing state, as the quantity of business required by the law to collect sales tax “could not have occurred unless the seller availed itself of the substantial privilege of carrying on business in South Dakota,” the Court held.
Further, the act includes several features designed to prevent discrimination against or undue burdens upon interstate commerce, from its forward-looking application to the safe harbor for those sellers who fail to meet the dollar or transactions thresholds, Justice Kennedy said, and South Dakota is one of more than 20 states to adopt the Streamlined Sales and Use Tax Agreement (which standardizes taxes with uniform definitions and rules and provides software that immunizes sellers from liability).
Justice Clarence Thomas authored a concurring opinion to essentially admit he was wrong to join the majority in Quill, while Justice Neil Gorsuch wrote a separate concurrence praising the majority for “correct[ing] the mistake” of Quill.
In a dissent led by Chief Justice John G. Roberts, Justices Stephen Breyer, Sonia Sotomayor and Elena Kagan expressed concern that the majority’s alteration to the rules could disrupt the economy, noting that e-commerce grew into a “significant and vital part of our national economy” against the backdrop of the physical presence rule. Congress should address the issue, the dissenters said, not the Court.
To read the opinion in South Dakota v. Wayfair, Inc., click here.
Why it matters: A sea change for e-commerce, the decision now permits states to require remote sellers to collect sales tax from purchasers despite not having a physical presence in the state. To take advantage of the decision, states will have to amend existing laws or enact new laws similar to the challenged South Dakota Act, which will buy online retailers some time before they begin collecting. Justice Kennedy also took pains to highlight features of the South Dakota law that protect sellers, such as the lack of retroactive application, the high threshold for dollar amount or sales transactions, and the state’s participation in the Streamlined Sales and Use Tax Agreement. States that neglect to include such provisions could face a legal challenge from sellers.
back to top
Wage Theft Costs California Restaurants Almost $15M
Why it matters
Providing a warning to employers in the industry, the California Labor Commission hit eight restaurants with fines totaling nearly $15 million for wage theft violations in recent weeks. In the San Francisco area, the commission cited one restaurant for violations totaling $5.16 million involving 133 workers, while another restaurant with six different locations was ordered to pay $4.96 million for 298 underpaid workers. The violations and civil penalties included failure to pay minimum wage, overtime and split shift premiums, the commission said. A few days later, the commission found Cheesecake Factory Restaurants liable for wage theft of $4.57 million after underpaying 559 janitorial workers at eight locations in Orange and San Diego counties, even though the restaurant contracted their services through a third party. The workers are due $3.94 million in minimum wages, overtime, liquidated damages, waiting time penalties and rest period premiums, the commission said.
Detailed discussion
Taking a closer look at restaurants in the Bay Area, the California Labor commissioner cited Kome Japanese Seafood & Buffet in Daly City, Burma Ruby Burmese Cuisine in Palo Alto and six locations of Rangoon Ruby Burmese Cuisine for various wage theft violations, totaling more than $10 million.
Kome’s citations involved 133 workers for a total in excess of $5.16 million. Of that amount, workers will receive $4,381,461 in unpaid wages, premiums and liquidated damages, with civil penalties assessed of $780,400.
An investigation and payroll audit by the labor commission determined that 69 cooks, sushi chefs and dishwashers typically worked north of 55 hours per week but were paid a fixed salary that did not include overtime. Those workers are owed almost $3 million in unpaid wages and penalties, the commissioner said, while other staff members—such as hosts, servers and bussers—will receive more than $1.4 million for overtime, split shift premiums and unpaid minimum wage violations (including the illegal counting of tips received as part of the minimum hourly wage).
At the Burmese restaurant chain, 87 cooks were paid a fixed salary but typically clocked more than 10 hours of unpaid overtime each week. For unpaid overtime wages, minimum wages, split shift premiums, liquidated damages, waiting time penalties and failure to provide accurate itemized wage statements, they will receive $3.8 million. The remaining 211 workers were not paid the daily extra hour of minimum wage required when their employer scheduled them to work split shifts, the commissioner said, and are due $590,072.
The Burmese restaurant chain’s total $4.96 million payment includes civil penalties of $574,150.
“Our job is to protect working people’s right to a just day’s pay for a hard day’s work, and to stop employers who embrace wage theft as a business model,” Labor Commissioner Julie A. Su said in a statement.
A few days later, the commission announced another significant enforcement action against Cheesecake Factory Restaurants, citing the company for $4.57 million in wage theft—despite the fact it subcontracted its janitorial work to a third party.
The 559 janitorial workers at eight locations in Orange and San Diego counties are due $3.94 million in minimum wages, overtime, liquidated damages, waiting time penalties, and meal and rest period premiums, the commissioner said. The remaining $632,760 was assessed for the failure to provide properly itemized pay stubs and other civil penalties.
An investigation by the commission found that janitorial workers started their shifts around midnight and worked until morning without proper meal or rest break periods. Some workers were not even released after eight hours of work until a kitchen manager conducted a walkthrough, which frequently led to additional tasks that had to be completed before the worker was released, the commission said, resulting in each worker building up 10 hours of unpaid overtime each week.
“This case illustrates common wage theft practices in the janitorial industry, where businesses have contracted and subcontracted to avoid responsibility for ensuring workers are paid what they are owed,” Su said in a statement. “Client businesses can no longer shield themselves from liability for wage theft through multiple layers of contracts. Our enforcement benefits not only the workers who deserve to be paid, but also legitimate janitorial businesses that are underbid by wage thieves.”
back to top
Vermont Enacts First Data Broker Law
By Richard P. Lawson, Partner, Consumer Protection
Vermont became the first state in the country to pass legislation to regulate data brokers, when it mandated that they register with a state regulator and establish minimum security standards. The law broadly defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
“Brokered personal information” includes “one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties: name; address; date of birth; place of birth; mother’s maiden name; unique biometric data, including fingerprints, retina or iris images, or other unique physical or digital representations of biometric data; name or address of a member of the consumer’s immediate family or household; Social Security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
Covered entities must pay a $100 annual fee to register with the Vermont attorney general. In addition, on an annual basis, data brokers must disclose their practices related to the collection, storage and sale of consumers’ personal information, as well as the number of data breaches they experienced during the prior year (and, if known, the total number of consumers affected by the breaches).
All registered data brokers must also “develop, implement and maintain a written comprehensive information security program” that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
Violations of the law constitute an “unfair and deceptive act” under the state’s consumer protection law that provides the attorney general with the power to bring an enforcement action. The new law also eliminates any charge for Vermont residents to freeze and unfreeze their credit reports.
“This new law slashes fees, helps stop fraudsters and promotes transparency,” Vermont Attorney General T.J. Donovan said in a statement. “Vermonters care about their privacy. This bill not only saves them money, but also gives them information and tools to help them keep their personal information secure.”
With the exception of registration and data security obligations, which take effect Jan. 1, 2019, the rest of the law took effect immediately.
To read the new law, click here.
Why it matters: Back in 2014, the Federal Trade Commission conducted a study of nine data brokers and published a report concluding the industry operates with a “fundamental” lack of transparency, recommending that federal legislation be enacted to regulate data brokers. For years, federal lawmakers have debated how to regulate data brokers, but efforts at the federal level repeatedly stalled. In the wake of the massive Equifax data breach, however, lawmakers in Vermont enacted the new law. Whether other states follow suit remains to be seen.
back to top
Time to Renew Compliance With California Auto Renewal Law
By Richard P. Lawson, Partner, Consumer Protection
Companies that offer subscription-based plans should be aware that changes to California’s Automatic Renewal Law took effect on July 1.
The changes—pursuant to the passage of S. 313—provide additional protections to consumers, in some cases beyond the federal Restore Online Shoppers’ Confidence Act requirements.
Originally enacted in 2010, the California Automatic Renewal Law requires companies to clearly disclose the material offer terms before a consumer subscribes to an automatic renewal program, to obtain affirmative consent to the terms before charging a consumer, and to provide a confirmation to the consumer that includes the terms, a description of the cancellation policy, information about how to cancel, and an explanation that consumers may cancel before being charged if they were enrolled in a free trial. Companies must also provide an easy method for cancellation.
Starting July 1, the amendment mandates that if a consumer accepted an automatic renewal offer online, the company must allow consumers to terminate the renewal online as well (and not just by phone or mail).
A second change requires companies to provide a “clear and conspicuous explanation” of the price that will be charged after the trial ends “or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial.”
In addition, consumer consent is necessary before an advertiser can charge for a time-limited automatic renewal program or one that offers a discounted price, and the company must disclose how consumers can cancel an automatic renewal program prior to paying for the goods and services after a free trial period has ended.
To read S. 313, click here.
Why it matters: Particularly in light of recent enforcement efforts by regulators in California—such as a $2.2 million deal between eHarmony and California city and district attorneys challenging eHarmony’s auto renewal practices—companies that use automatic renewal programs should ensure compliance with the additional statutory requirements.
back to top
Accountability Program Emphasizes Transparency in New Decisions
By Jesse M. Brody, Partner, Advertising, Marketing and Media
Marking its 89th decision, the Online Interest-Based Advertising Accountability Program released two decisions addressing the issue of transparency.
According to the self-regulatory body, both Purple Innovation LLC’s and x19 Limited’s online consumer advertising required more transparency to achieve compliance with the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles.
To fully comply, a website operator that allows third parties to collect visitors’ web browsing data for interest-based advertising (IBA) must comply with the enhanced notice requirement of the DAA Principles, the Accountability Program explained. Specifically, first parties must post a clear, meaningful and prominent link to a disclosure on any web page through which IBA data is collected. This disclosure must explain the IBA activity that occurs on the first party’s site, provide consumers with a means to opt out of IBA and state the website’s adherence to the DAA Principles.
In the case of Purple Innovation, a consumer complained that the online mattress retailer failed to provide the requisite notice. Unable to find the enhanced notice link or disclosure of third-party IBA activity, the Accountability Program sent an inquiry letter to Purple Innovation.
To achieve compliance, Purple Innovation added an enhanced notice link labeled “Interest-based Ads,” separate from its “Terms & Privacy” link, on each web page through which third parties collect information for IBA. The link takes users directly to an updated section of the site’s privacy policy, which now includes a disclosure of third-party IBA activity occurring on the website, a link to the DAA’s page and a statement of adherence to the DAA Principles. “These changes brought Purple into full compliance with the DAA Principles,” according to the decision.
United Kingdom-based company x19, which offers a URL shortening service known as Adf.ly, faced a similar inquiry from the Accountability Program. In 2014, the self-regulatory body released a compliance warning regarding non-cookie identification technologies (such as statistical identification techniques, canvas fingerprinting or font enumeration) that are used alongside or instead of traditional cookies to identify users as they browse the Internet. The warning reminded companies that the DAA Principles apply equally to whatever methods are used to facilitate IBA.
The Accountability Program then conducted a systematic review of the technology and encountered Adf.ly during a survey of websites using what appeared to be canvas fingerprinting on third-party websites. In addition, a review of Adf.ly’s own website revealed it lacked IBA disclosures with regard to third parties, a compliant opt-out mechanism from IBA activity and a statement of adherence to the DAA Principles.
In response, Adf.ly told the self-regulatory body that it did not engage in canvas fingerprinting for IBA purposes (instead using the technology for fraud prevention). Finding “no reason to question this assertion,” the Accountability Program determined the company was in compliance with regard to third-party duties.
Adf.ly did make tweaks to achieve compliance with regard to its own website by adding an enhanced notice link titled “AdChoices,” separate from its privacy policy link on the footer of each page of its website where third parties collect data for IBA. The link takes users directly to a new section of the website’s privacy policy that addresses the IBA taking place and provides a link to the DAA’s page and a statement of adherence with the DAA Principles.
Why it matters: “It is vital that consumers be given up-front notice of this background data collection for IBA,” Jon Brescia, director of adjudications and technology for the Accountability Program, said in a statement. “We take this opportunity to again entreat website owners and operators to ensure that consumers are given the notice and choice owed them under the DAA Principles.”
back to top
NARB Wrinkles Its Nose at Deodorant Claims
By Jeffrey S. Edelstein, Partner, Advertising, Marketing and Media
The National Advertising Review Board wrinkled its nose at claims made by Schmidt’s Deodorant Co. that its products absorb or help absorb moisture or wetness and provide protection against wetness, and recommended they be discontinued.
Competitor Tom’s of Maine challenged a long list of express claims made by Schmidt’s on product packaging (“Effectively neutralizes odors and absorbs wetness” and “Long lasting protection against odor and wetness”) as well as other claims such as “Help avoid wetness,” “Help[s] to keep you dry” and “Absorbs wetness with plant and mineral derived ingredients.”
After reviewing the claims, the National Advertising Division (NAD) found that Schmidt’s testing was not sufficiently reliable to support the wetness protection claims and recommended the advertiser discontinue the challenged claims.
Schmidt’s appealed. The advertiser provided four pieces of evidence to support the claims: articles with respect to the absorption capabilities of ingredients in Schmidt’s deodorants; in vitro testing of Schmidt’s deodorant by an independent laboratory showing a moisture absorption rate between 9.27 percent and 11.35 percent; customer reviews by Schmidt’s deodorant users reporting effective reduction in visible and sensory signs of sweating; and an independently administered three-day product test of Schmidt’s deodorant line, followed by an online survey that showed a significant majority of Schmidt’s deodorant users experienced wetness protection benefits.
Collectively, this support established a reasonable basis for its wetness protection claims, Schmidt’s told the NARB.
But the panel did not find the articles—which were nonscientific and not based on clinical testing, and did not relate to absorbency in the context of a deodorant—to be probative. Testing on individual ingredients will generally not provide support for a claim that a product including those ingredients performs in the same manner—which is particularly true in the case of deodorant with multiple ingredients that could impact the claimed efficacy of the end product—the NARB said.
A majority of the panel similarly rejected the persuasive value of the in vitro testing, which “was not performed under conditions that even remotely represent the human armpit,” the NARB wrote, with nothing to show that the distilled water measured for absorption was an acceptable substitute for human perspiration.
“At best, Schmidt’s in vitro testing suggests the possibility that its deodorant could absorb perspiration, but it falls far short of reliably showing that the product actually absorbs perspiration in actual use,” according to the decision.
Turning to the customer reviews, the NARB agreed with the NAD that anecdotal evidence based solely on the perception of individual consumers was not sufficient to support product efficacy claims.
“The panel also notes that [Federal Trade Commission] guidelines make it clear that an advertiser may not make claims through consumer testimonials that could not be substantiated if made directly by the advertiser; to the extent that Schmidt’s reposts or links to consumer reviews, it would need to have substantiation for any efficacy claims included in those reviews,” the self-regulatory body added.
As for the product test relied upon by Schmidt’s, the panel expressed concern about the use of a consumer survey to measure subjective reactions to support objective wetness protection claims.
“A majority of the panel agrees with the NAD that the challenged objective efficacy claims (e.g., ‘absorbs wetness’) should be supported by objective testing demonstrating the product works as claimed rather than by surveys seeking subjective consumer opinions with respect to the product’s performance,” the NARB wrote.
A majority of the panel also found problems with the reliability of the consumer survey because it was not placebo-controlled and consumers were given the actual Schmidt’s product with a front-label claim that it “[e]ffectively neutralizes odor and absorbs wetness.” Telling consumers what the product is designed to do before they try it can introduce bias in favor of positive results when consumers provide their opinions as to product performance, the NARB said.
The panel recommended that the advertiser discontinue claims, supported either directly or through consumer testimonials, that Schmidt’s deodorants absorb or help absorb moisture or wetness and provide protection against wetness. However, the NARB noted that its decision “does not preclude Schmidt’s from making truthful non-misleading claims—provided it has proper substantiation—with respect to subjective consumer opinions as to the extent that Schmidt’s deodorants help them feel dry.”
To read the NARB’s press release about the decision, click here.
Why it matters: Advertisers can find important lessons in the NARB’s decision, including that anecdotal evidence based solely on the perception of individual consumers is not sufficient to support product efficacy claims, that testing on individual ingredients will generally not provide support for a claim that a product including those ingredients performs in the same manner, and that the persuasive value of in vitro testing that was not performed under conditions that are consumer-relevant is limited.
back to top