Four New State Data Privacy Laws Take Effect In 2023

Data privacy laws take effect during 2023 in California, Virginia, Colorado, Utah, and Connecticut.  Specifically:

    • California Privacy Rights Act, effective January 1, 2023
    • Virginia Consumer Data Protection Act, effective January 1, 2023
    • Colorado Privacy Act, effective July 1, 2023
    • Connecticut Data Privacy Act, effective July 1, 2023
    • Utah Consumer Privacy Act, effective December 31, 2023

Other states are actively considering the implementation of a comprehensive privacy law.

Currently, the United States does not have a federal data privacy law.  In May 2022, a bipartisan group of legislators introduced the American Data Privacy and Protection Act (“ADPPA”), which includes federal preemption of state laws with some exceptions, such as a limited private right of action for certain privacy violations.

As we enter the last quarter of 2022, make preparations to comply with the new state data privacy laws.

“Imminent” Harm Gives Standing to Phishing Attack Victim Against Employer

In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide sensitive personal and financial information to her employer which was then released on the dark web following a phishing attack, despite the employer’s statement that it would take appropriate measures to protect the information.   In Clemens v. ExecuPharm Inc., No. 21-1506 (3d Cir. Sept. 2, 2022), the Third Circuit:

    • overturned the District Court’s dismissal of the action, which rested on the finding that Plaintiff failed to allege that she experienced actual identity theft or fraud
    • rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently “imminent” to establish standing to bring a lawsuit

Plaintiff, a former employee of Defendant, was required as a condition of her employment to provide sensitive personal and financial information, such as her social security number, bank and financial account numbers, tax information, her passport, and information about her husband and child.  Plaintiff’s employment agreement states that Defendant would “take appropriate measures to protect the confidentiality and security” of this information.

After Plaintiff left Defendant’s employment, a hacking group used a phishing attack in March 2020 to install malware on Defendant’s servers, stealing sensitive information about current and former employees including Plaintiff.  Either because Defendant refused to pay or for other reasons, the company’s data – including 123,000 files and 162 gigabytes of data – was released on the dark web, as confirmed by screenshots taken by an intelligence firm.

Plaintiff promptly took actions, including: (1) enrolling in Defendant’s complimentary one-year credit monitoring services, (2) transferring her account to a new bank, and (3) placing fraud alerts on her credit reports.

Plaintiff filed a class action lawsuit asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.  Plaintiff alleged that she sustained injuries as a result of the data breach – primarily the risk of identity theft and fraud – in addition to the investment of time and money to mitigate potential harm.

The District Court dismissed the case, stating that Plaintiff had not yet experienced actual identity theft or fraud, and thus she had no standing to bring this action.

First, the Third Circuit explained that, to have standing to bring a lawsuit, a plaintiff must allege an injury-in-fact that is “actual or imminent,” which means that Plaintiff need not wait until she has actually sustained the feared harm in order to seek judicial redress.  Instead, Plaintiff can file suit when the risk of harm becomes imminent: “meaning it poses a substantial risk of harm – versus hypothetical in the data breach context.”  Id. at 10.  The Third Circuit noted that many factors bear on whether a risk is “imminent,” including whether:

    • the data breach was intentional
    • the data was misused
    • the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft

Second, the Third Circuit cited to U.S. Supreme Court cases which ruled that an intangible injury – which is an injury that does not represent a purely physical or monetary harm to a plaintiff – may be a “concrete” injury.

Third, the Third Circuit analyzed the employment agreement in which Defendant expressly contracted to “take appropriate measures to protect the confidentiality and security” of this information.

Thus, the Third Circuit is permitting the class action to proceed in the District Court.


California Passes Bill for Social Media Protections for Minors

California’s bill would require companies that provide online services or products “likely to be accessed by children” – defined as any individual under the age of 18 – to adhere to heightened privacy and data protection standards.

The California Age-Appropriate Design Code Act, A.B. 2273, passed in the California Legislature.  The bill is expected to be signed by the Governor and go into effect July 1, 2024.

The anticipated law applies to “businesses,” which are for-profit organizations that do business in California and: (1) have revenue of more than $25 million, or (2) derive 50% or more of their annual revenue from selling consumers’ personal information, or (3) buy/receive for commercial purposes the personal information of more than 50,000 consumers/households/devices.  In summary, A.B. 2273 requires:

  • Default privacy settings:  Companies must configure default privacy settings to the highest possible level of privacy and provide privacy information and other policies prominently in terms that children can understand.
  • No use of minor’s personal information:  Companies will be banned from using children’s personal information “for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children,” according to the legislation.
  • Attorney General’s authority:  A.B. 2273 permits the Attorney General to seek an injunction or civil penalty against companies that violate the Act.  Negligent violations could result in a penalty of up to $2,500 per affected child, and intentional violations could result in a penalty of up to $7,500 per affected child, according to the bill.  Currently, the bill does not provide a private right of action.

In sum, the bill: (1) increases technology regulation, (2) aims to provide more online privacy protections for minors, and (3) will cause companies to increase privacy, legal, and engineering resources to meet the bill’s requirements.

TCPA: Health Care Exemption

The U.S. District Court, Northern District of Illinois recently held that a plaintiff’s Telephone Consumer Protection Act (“TCPA”) suit survived a motion to dismiss due to a lack of an established patient-provider relationship, when ruling on the health care exemption in the context of phone calls from an eye care provider.  The consumer had made an inquiry with the eye care provider but did not receive care, and thus, the exemption may not apply.

In Murtoff v. MyEyeDr. LLC, the Plaintiff sent an email to Defendant asking about the cost of a new pair of eyeglasses.  Plaintiff then began receiving automated phone calls from Defendant and its corporate entity regarding scheduling eye exams.  Plaintiff asked that the calls stop, but they continued.

Plaintiff filed a putative class action, alleging violations of the TCPA.  Defendants filed a partial motion to dismiss regarding the part of the claim that relied on the lack of prior express written consent, asserting that the calls were health care messages.

The District Court noted that the Federal Communications Commission (“FCC”) has issued two health care exemptions for the TCPA, one of which was potentially applicable to this case.  Similar to the Federal Trade Commission’s (“FTC”) health care exception to its Telemarketing Sales Rule, the 2012 exemption covers any call that “Delivers a ‘health care’ message made by, or on behalf of, a ‘covered entity’ or its ‘business associate.’”  To determine whether the exemption applies, the District Court then analyzed the factors set forth in Zani v. Rite Aid, which include whether the call: (1) “concerns a product or service that is inarguably health-related”; (2) “was made by or on behalf of a health care provider to a patient with whom she has an established health care treatment relationship”; and (3) “concerns the individual health care needs of the patient recipient.”

Significantly, the District Court noted that: (1) for the second factor, Plaintiff only made an inquiry regarding the cost of eyeglasses and thus never consummated a health care treatment relationship and (2) for the third factor, the calls regarding scheduling an eye exam were generic and not individualized as to Plaintiff.  Thus, the District Court ruled that – for purposes of a motion to dismiss – Plaintiff stated a claim that the calls were made without express prior written consent.

Lessons:  First, merely being a health care business is not, alone, sufficient to invoke the TCPA health care exemption.  Second, the exemption may not apply to a generalized message which is not specific to this patient or to this category of patients.

FTC Explores Rules About Commercial Surveillance and Data Security Practices

By: Sheila Raftery Wiggins

The Federal Trade Commission (“FTC”) announced that it is exploring rules to address commercial surveillance and lax data security. The FTC seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.

Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. The business of commercial surveillance can prompt companies to collect large quantities of consumer information, even though consumers only proactively share a small amount of this information. For example, companies reportedly surveil consumers while they are connected to the internet, including obtaining access to many aspects of the consumer’s online activities and physical movements/location.

The FTC’s concerns about commercial surveillance include:

  • Children: Some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.
  • Discrimination: There are concerns that the algorithms that underlie commercial surveillance may be prone to errors or bias which results in discrimination against consumers based on legally protected characteristics like race, gender, religion, and age, harming their ability to obtain housing, credit, employment, or other critical needs.
  • Condition for service: Some companies require consumers to sign up for surveillance as a condition for service. After consumers sign up, some companies change their privacy terms going forward to allow for more expansive surveillance.

For nearly 20 years, the FTC used its existing authority to bring many enforcement actions against companies for privacy and data security violations. The FTC is now exploring rules to: (1) establish clear privacy and data security requirements and (2) grant the FTC authority to seek financial penalties for first-time violations.

The public will also have an opportunity to share their input on these topics, including during a virtual public forum on September 8, 2022.

FCC Proposes $116 Million Fine for Scheme Mixing Robocalling, Traffic Pumping, and Attacks on Phone Systems

In its latest salvo to combat illegal robocalling, the FCC proposed a $116 million fine for an alleged scheme mixing robocalling with traffic pumping to fund telephone denial of service attacks (TDoS) against other companies.  In the Matter of Thomas Dorsher, ChariTel Inc., Ontel Inc., and ScammerBlaster Inc., Notice of Apparent Liability, FCC 22-57 (rel. July 14, 2022).  The alleged scheme at issue involved Thomas Dorsher, ChariTel Inc., Ontel Inc., and ScammerBlaster Inc.

As the FCC described it, in a two-month period at the start of 2021, ChariTel made about 10 million prerecorded voice message calls (robocalls) to toll free numbers without the recipients’ consent.  If the recipient did not terminate the call, these robocalls would play the prerecorded message continuously for up to 10 hours, effectively taking a line out of service and costing the toll free service provider an opportunity to talk to actual customers on that line.  Ironically, the robocalls at issue purported to be public service announcements to warn against scam calls, and encouraged recipients to report such calls.


FCC’s New Proposed Rules Would Apply Traffic-Pumping Triggers to VoIP Providers

Access charges are the fees local exchange carriers (LECs) charge long distance carriers (interexchange carriers, or IXCs) to originate or terminate the IXCs’ customers’ calls.  These have been the subject of disputes ever since the breakup of Ma Bell in 1984.  For over a decade now, the disputes have centered on a practice known as access stimulation (also called traffic pumping or access arbitrage).  This arbitrage became possible because, over time, the rates for access charges became disconnected from the costs of providing the service, with rates far exceeding costs.  That mismatch created an incentive for some LECs to make arrangements with entities that offered high-volume calling services (e.g., “free” chat lines, “free” conference calling) to route (“pump”) large volumes of long-distance traffic to their partner LECs’ switches for termination.  That enabled the LEC and service provider to split the profits from the high access charges paid by the IXCs sending all that traffic to be terminated (far more traffic than would ever occur with normal customers and calling patterns).

The FCC found such schemes harm consumers by increasing IXCs’ costs and rates.  It therefore sought to prevent them in a 2011 order and rules (26 FCC Rcd. 17663), and again in an order and rules in 2019 (34 FCC Rcd. 9035).  The 2019 Order adopted certain “traffic ratio triggers,” which classified a LEC as an unlawful traffic pumper if its interstate terminating-to-originating traffic ratio was too high (meaning it was terminating vastly more long-distance traffic than it originated).  A traffic pumper cannot recover terminating access charges.


Franchise Fees and the FCC’s Mixed-Use Rule – Oregon Federal Decision for Comcast May Have Wide Impact

For decades, cities and municipalities have counted on steady revenue from the franchise fees they charge cable companies for use of the public rights-of-way (ROWs). Such fees are imposed by local franchising authorities (LFAs).  Under the federal Cable Act, these fees could be as high as 5% of a cable operator’s gross revenues from providing cable TV service.  47 U.S.C. § 542(b).

As the television industry has migrated toward streaming platforms, cable TV revenues have been affected, leading local governments to seek new sources of income from entities using the public ROW. One effort has been to try to impose local fees on streaming platforms, like Netflix or Hulu, that send video using broadband service provided over wires in the public ROW. That has been largely unsuccessful, as discussed here.


Franchise Fees – Georgia Joins Other States in Rejecting Attempts to Recover Franchise Fees From Streaming TV Providers Under State Video Franchise Law

In a decision by a state trial court, Georgia has joined California and Texas in holding that local governments cannot impose franchise fees on over-the-top (“OTT”) streaming TV services like Netflix, Hulu, or Amazon Prime.  Gwinnett County, Georgia, et al. v. Netflix, Inc., et al., Civil Action File No. 20-A-07909-10, Gwinnett County Superior Court, Feb. 18, 2022. Like those other states, the Georgia court held that the state video franchising statute (here, the Georgia Consumer Choice for Television Act) did not give local governments an express or implied private cause of action against the streaming TV providers.  While the local governments cited provisions allowing actions for disputes over franchise fee payments or for discrimination by franchise holders, the court noted that the provisions applied only to franchise holders, and that the streaming TV providers did not hold state-issued franchises.

In addition, the court explained that the Television Act does not apply to streaming TV providers because they do not construct and operate facilities in the public rights-of-way, and therefore cannot be required to obtain franchises or pay franchise fees to local governments.  As the court put it, “[a]pplying the Television Act – which contemplates fees for providers that offer facilities-based service – to non-facilities-based streaming services would be akin to applying a tax on horses to cars simply because cars have horsepower.”  In fact, the decision said, if the Television Act applied to non-facilities-based video providers, local governments could seek franchise fees from an extremely broad range of entities that could not reasonably be covered by the Television Act, such as newspapers that provide online video or churches that stream their services online.  And like other courts, the Georgia court held that streaming TV providers do not “use” the public right-of-way simply because they send video content over the wires of internet service providers in the public right-of-way.  Finally, and again like other courts, the Georgia court held that streaming TV providers’ service falls within the exception in the Television Act for video provided via a service “offered over the public internet.”

This is the latest in a line of decisions in cases across the country where local governments seek to recover franchise fees from streaming video providers.  For an overview of the issues, arguments, and other cases, see this blog post.

Franchise Fees and Streaming TV – Municipalities Across the Country Seek to Subject Netflix, Hulu, Amazon and Others to Franchise Fees to Offset Declining Revenue From Cable TV Providers

A billion-dollar battle continues to play out in lawsuits pitting municipalities against providers of over-the-top (“OTT”) video streaming services, like Netflix or Hulu.  For decades, municipalities have raised revenues by collecting “franchise fees” from cable TV providers that needed to construct, install, or operate their facilities in public rights-of-way.  More recently, however, many consumers have “cut the cord” on traditional cable TV service in favor of streaming services.  That reduces cable companies’ revenues, thus reducing the franchise fees they pay based on a percentage of revenues.  And that hits municipalities in the bottom line.  In at least 14 states, municipalities have reacted by suing OTT streaming companies, asserting that they owe franchise fees under the statewide video franchising statutes passed in many states in the 2000s to reduce entry barriers and boost video competition with cable.  The stakes are high, as municipalities seek both back payments and to impose the fees going forward.

Threshold Question – Jurisdiction and Comity Abstention.  A threshold issue in many of these cases is whether they can be removed to federal court.  The Seventh Circuit sent one case back to Indiana state court by relying on the doctrine of comity abstention under Levin v. Commerce Energy, Inc., 560 U.S. 413 (2010), reasoning that state courts were better positioned to address claims regarding local revenue collection and taxation, even when federal-law defenses were raised.  City of Fishers, Indiana v. DirecTV, 5 F.4th 750 (7th Cir. 2021).  A district court judge in Missouri remanded another case to state court on the same basis. City of Creve Coeur, Missouri v. DirecTV, LLC, 2019 WL 3604631 (E.D. Mo. Aug. 6, 2019).  And the same kind of jurisdictional issue is currently pending at the Eleventh Circuit, where OTT streaming providers are challenging a Georgia district court’s remand order.  No. 21-13111 (11th Cir.), appealing Gwinnett County, Georgia v. Netflix, Inc., 2021 WL 3418083 (N.D. Ga. Aug. 5, 2021).


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
