With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here. Continue Reading Navigating Data Privacy Assessments Amid New State Laws

Data privacy litigators are well aware of the critical importance of a motion to dismiss to have meritless data incident claims kicked at the pleadings stage.  A recent decision underscores the importance of choice of law arguments as part of a comprehensive litigation strategy.  Why?  Well in some cases, differences between the laws of two states regarding frequently litigated data incident claims can be dispositive for purposes of a motion to dismiss.  Read on to learn more.

First, some background.  It is well-established that federal courts sitting in diversity apply the forum state’s conflict of laws rules.  For instance, in Greenstate Credit Union v. Hy-Vee, Inc., a data incident litigation recently pending in federal district court in Minnesota, the court noted that:

Under Minnesota law, the first inquiry is whether an actual conflict of laws exists.  Next, the court must determine ‘whether the law of both states can be constitutionally applied.’  If there is an outcome determinative conflict and the law of both states can be constitutionally applied, then the court applies Minnesota’s multifactor test . . .to determine which states’ law should apply.

2021 U.S. Dist. LEXIS 133894 (D. Minn. July 19, 2021).

Many data incident litigations involve common law tort claims (eg, negligence) that have some similarities across the jurisdictions.  As such, the reaction of some data privacy newbies may be reject choice of law considerations in a litigation.  After all, everyone knows a negligence claim always involves application of the same four elements (duty, breach, causation, damage) anyways, right?

Wrong answer.  Choice of law arguments can be dispositive regarding which party prevails in a litigation.  Therefore, making an informed assessment of which forum’s laws can and should apply in a data breach litigation is a mission critical inquiry at the onset of a case.

As an example, Greenstate Credit Union concerned a class action dispute arises out of Hy-Vee’s handling of a data breach that exposed consumers’ credit card data.  Plaintiff GreenState Federal Credit Union is a federally chartered credit union with its principal place of business in Iowa.  Defendant Hy-Vee is incorporated in Iowa and has its principal place of business in Iowa.  However, Hy-Vee operates supermarkets, convenience stores, and gas stations, with 240 retail stores in eight states, including Minnesota.

Why does this matter?  Plaintiff asserted claims under the Minnesota Plastic Card Security Act (PCSA), common law negligence, negligence per se, and for declaratory and injunctive relief.  Defendant argued, however, that instead of Minnesota law, the law of Iowa should govern Plaintiff’s claims.  This was motivated by the fact that unlike Minnesota, Iowa has adopted the economic loss doctrine.  As articulated by the Iowa Supreme Court, this doctrine “bars recovery in negligence when the plaintiff has suffered only economic loss.”

Here, the court found that:

GreenState’s negligence claim would be barred by Iowa’s economic loss doctrine.  GreenState’s alleged injuries – cancelling compromised cards, reissuing new cards, reimbursing members for fraudulent charges, and losing interest and transaction fees because of reduced card use — are all indirect economic losses . . .Because GreenState alleges nothing more than economic losses, Iowa law bars its negligence claims.

(emphasis supplied).

Additionally, based on Minnesota’s choice of law rules, the court found that “[a]ll of Hy-Vee’s relevant information security employees and decision-making are located in Iowa.  It is predictable that Iowa law would apply.”  For these reasons, among others, the court held that Iowa law should apply.  It then promptly dismissed Plaintiff’s claims pursuant to a straightforward application of Iowa’s damages law.

While the economic loss rule is one of the more well-known variations in state law, there are other areas involving even more nuance.  Which in turn makes choice of law considerations (and assessment of if a defendant should strategically advocate for the law of a different forum in which a litigation was filed to apply) absolutely essential.

For more on this developing area of the law, stay tuned.  CPW will be there to keep you in the loop.



In Ducharme v. Madewell Concrete, LLC, No. 6:20-1620-HMH, 2020 U.S. Dist. LEXIS 127615 (D.S.C. July 17, 2020), Defendants Madewell Concrete, LLC and Kevin Johnston’s (“Johnston”) (collectively, “Defendants”) motion to dismiss Plaintiff Robert Ducharme’s (“Plaintiff”) South Carolina Homeland Security Act (“SCHSA”) claim pursuant to Federal Rule of Civil Procedure 12(b)(6) was denied.

Plaintiff alleges that Defendants deliberately misclassified him as a salaried employee, which exempted him from the overtime requirements of the Fair Labor Standards Act (“FLSA”). Accordingly, Plaintiff contends that he was not compensated for his overtime work. Plaintiff also alleges that Defendant Johnston illegally and without authorization accessed Plaintiff’s personal email account.

Plaintiff’s lawsuit alleges three claims: violations of (1) the Stored Communications Act, (2) the SCHSA, and (3) the FLSA.

Defendants argue that Plaintiff’s SCHSA claim is preempted by the Electronic Communications Privacy Act (“ECPA”) because in 18 U.S.C. § 2518(10)(c), “Congress expressed clear intent that any alleged interception of any ‘electronic communications’ falls under the exclusive remedy of the [ECPA].” Accordingly, the Court describes the dispute as whether “the interception of electronic communications provisions of the ECPA preempt a claim based on the interception of electronic communications provisions of the SCHSA.”

In holding that § 2518(10)(c) does not expressly preempt state law claims, the Court noted that  “Congress could have easily and explicitly stated that the remedies in the ECPA are the exclusive remedies for all interceptions of electronic communications or that the ECPA preempts state law claims, but it did not do so.” The Court went on to find that the legislative history of § 2518(10)(c) indicates that “the interceptions of electronic communications were not subject to the exclusionary rule absent a Fourth Amendment violation.” Thus, state law remedies are permissible for certain intercepts of electronic communications (such as personal emails) and “the ECPA does not preempt Plaintiff’s claim under the SCHSA. This case is a good reminder that employers should be mindful to ensure compliance with applicable state privacy laws, in addition to the well-known federal ones.

Privacy teams have more to do with Gov. Abbot signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is not a minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies who do business in the state and who process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context. Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

As U.S. privacy pros know, the past few years have seen many state privacy bills proposed but, as of January 1st, only five states had comprehensive privacy laws in effect. So far in 2023, Iowa approved its “Act relating to consumer data protection” (which we reported on here) and late last week, the Indiana Legislature passed the Indiana Consumer Data Privacy Act which is pending the governor’s signature (discussed here). Continue Reading Montana, Tennessee or ____________?: Which State Will Pass the Next Privacy Law?

On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the notified purposes at the time of collection. Continue Reading 2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements

We are pleased to announce that Alan Friel will be speaking in an upcoming Strafford live video webinar, “New State Data Privacy Laws in California and Other States: Corporate Counsel Compliance Guidance” scheduled for Thursday, March 30, 1:00pm-2:30pm EDT.

The panel will brief corporate counsel on the compliance challenges and key differences with California’s and other states’ new privacy laws. The panel will also discuss effective strategies for managing the widening corporate data privacy risk landscape across territories.

After the presentation, there will be a live question and answer session with participants to answer any questions about these important issues.

Read more information and register using this link.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates their industry level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27. Continue Reading Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws

We head into the fourth quarter on the heels of the first public California Consumer Privacy Act (CCPA) civil penalty, while also looking ahead to the new state privacy laws in Virginia, Colorado, Connecticut, and Utah and the significant updates that the California Privacy Rights Act (CPRA) will bring to the CCPA. Considering that regulations are yet to be finalized in both California and Colorado, it is no surprise that some businesses are uncertain regarding how to proceed. To help businesses address both current risks, as demonstrated by recent enforcement, as well as the “new” 2023 privacy requirements, we have developed guidance materials, including high-level workstreams, covering the following topics:

  1. Preparing for the 2023 State Privacy Laws
  2. HR and B-to-B Data CCPA/CPRA Compliance Primer
  3. Lessons from the First CCPA Civil Penalty Case
  4. Takeaways from the First Draft of Revised CCPA/CPRA Regulations

Click here to download the guidance. More detailed guidance and workstreams, as well as model materials with customization support, are available to clients. Contact your SPB relationship partner for more information.

CPW’s Kristin Bryan and Glenn Brown recently jointed James Lee, Chief Operating Officer of the Identity Theft Resource Center (“ITRC”) and Eva Velasquez, Chief Executive Officer of the ITRC to discuss recent developments in privacy laws and privacy litigation.  Their podcast, which addresses recently enacted privacy laws, litigation trends, and what may be on the horizon in this space, is available here.  Be sure to check it out.  And for more on data privacy, security and innovation, stay tuned.  CPW will be there to keep you in the loop.