This week the Third Circuit Court of Appeals upheld a federal criminal law passed in 2013 regarding cyberstalking, holding that it passes constitutional muster.  U.S. v. Yung, Case No. 19-1640 (3d Cir.).  The case arose in the context of a criminal matter involving a student who was rejected from Georgetown University Law Center after interviewing with an alumni representative.  The decision issued by a three-judge panel is precedential and will impact other federal cyber litigations.  Read on to learn more.

The student applied for admission to Georgetown Law, but his application was rejected after he interviewed with an alumni representative and it went poorly.  Although the student was admitted to other law schools, he subsequently executed a cyber harassment campaign directed at his Georgetown interviewer.  This included, among other things, “creat[ing] fake obituaries for the interviewer’s wife and son; social-media profiles littered with Ku Klux Klan content in the interviewer’s name; and blog posts as the interviewer,” bragging about purported sexual crimes the interviewer had committed against women and children.

Needless to say, the FBI became involved and the student was subsequently charged with cyberstalking under 18 U.S.C. Sections 2261A(2)(B) and 2261(b).  He ultimately pleaded guilty to the charges after initially challenging the law under which he was charged as overbroad.  After he was sentenced to four years in prison, the student filed an appeal, which in part concerned his previously asserted overbreadth challenge.

By way of background, Congress enacted a cyberstalking law in 2006 and substantially expanded its scope in 2013.  Following the 2013 amendments, and as observed by the Third Circuit, “[n]ow the law punishes not only those who intend to harass, but also those who intend to intimidate.”  It provides that a defendant is a cyber-stalker if three criteria are met, as summarized by the Court:

  • An act. The defendant must “use[] the mail, any interactive computer service or electronic communication service or … system …, or any other facility of interstate or foreign commerce” at least twice.  18 U.S.C. § 2261A(2); see also § 2266(2).
  • An intent. The defendant must have acted “with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person.”  § 2261A(2).
  • A result. Finally, the defendant’s actions must cause some emotional response. They must either put the target “in reasonable fear of … death … or serious bodily injury,” or “cause[], attempt[] to cause, or … be reasonably expected to cause substantial emotional distress.”  § 2261A(2)(A), (B).

In this instance, the law student had pled guilty to the emotional distress element of the statute—which the Third Circuit focused upon for purposes of the appeal.

The Court ultimately held that narrowly construing the intent component of the law saved the statute from the student’s overbreadth challenge.  This was because, the Court explained:

The broader definitions of “harass” and “intimidate” can describe nonviolent, nonthreatening speech . . . But criminalizing that speech would collide with the First Amendment. The First Amendment protects at least some speech that persistently annoys someone and makes him fearful or timid.  As then-Judge Alito observed: “There is no categorical ‘harassment exception’ to the First Amendment’s free speech clause.”  Though “non-expressive, physically harassing conduct is entirely outside [its] ambit,” “deeply offensive” speech is not.

Based on this reasoning, the Court acknowledged that “the free speech clause protects a wide variety of speech that listeners may consider deeply offensive.”  As such, broad harassment laws that punish offensive speech “steer[] into the territory of the First Amendment.”

Relying on the doctrine of constitutional avoidance, the Third Circuit adopted a narrow reading of the cyberstalking statute as follows:

To “intimidate,” we hold, a defendant must put the victim in fear of death or bodily injury.  And to “harass,” he must distress the victim by threatening, intimidating, or the like.  That reading limits intent to harass to “criminal harassment, which is unprotected because it constitutes true threats or speech that is integral to proscribable criminal conduct.”

This confined interpretation of the federal cyberstalking statute is a mixed bag for victims of online harassment and cyberbullying.  On one hand, law enforcement retains an important lever in prosecuting and deterring conduct that in many instances is directed against racial minorities or those holding certain political or religious beliefs.  On the other, the Third Circuit’s ruling excludes conduct from the scope of the federal statute that may be personally distressing to those targeted in online cyberbullying incidents.  Suffice to say, given the current environment, this decision will likely impact other federal criminal cases going forward.  Stay tuned, CPW will be there to keep you in the loop.

The Fourth Circuit recently affirmed the Middle District of North Carolina’s grant of summary judgment in favor of the Defendants in a Driver’s Privacy Protection Act (“DPPA”) case, Garey v. Farrin, Case Nos. 21-1478, 21-1480.  In its opinion, the Fourth Circuit agreed with the district court’s ruling that the Plaintiffs had standing to assert their damages claims.  However, the Court held that summary judgment in favor of the Defendants was appropriate because the Plaintiffs’ personal information was not obtained from drivers’ licenses or DMV databases—putting it outside the scope of the DPPA.

The Defendants—a number of personal injury lawyers—obtained car accident reports from North Carolina law enforcement agencies and private data brokers.  The reports included the names and addresses of the drivers involved in those accidents.  The Defendants then purportedly used that information to mail unsolicited attorney advertising materials to some of the drivers.  The Plaintiffs—the drivers who received advertising materials from the Defendants—filed suit and asserted violations of the DPPA.  The district court held that the Plaintiffs had standing to bring suit for damages, but rejected the Plaintiffs’ claims on the merits, granting summary judgment to the Defendants.  On appeal, the Fourth Circuit affirmed, albeit on narrower grounds than those on which the district court relied.

The Fourth Circuit agreed with the district court’s assessment that the Plaintiffs lacked standing to assert claims for injunctive relief.  The Plaintiffs alleged that the Defendants had obtained their driver’s information in violation of the DPPA.  They did not, however, plead that the Defendants continued to wrongfully obtain their driver’s license information after the filing of the lawsuit or otherwise allege that any wrongful conduct by the Defendants was ongoing or imminent.  Thus, the Plaintiffs lacked standing to assert claims for injunctive relief because they did not allege any non-speculative, imminent danger.  The Court noted this outcome was consistent with the Supreme Court’s ruling in Ramirez last year (which the Fourth Circuit was previously instructed to use as a basis for reconsidering another Article III decision, as covered by CPW).  [Note: the Court found Article III satisfied on other grounds]

The parties also sought to present several issues of first impression in the Fourth Circuit including whether a driver’s license is a “motor vehicle record,” whether the DPPA applies to records outside the possession of a state DMV, and whether the DPPA’s restrictions on the obtaining, use, and dissemination of records impinge on the First Amendment.  Instead, the Fourth Circuit affirmed the district court on a much narrower ground.

The Fourth Circuit determined that, under the DPPA’s private right of action, the plaintiff must allege and prove that the defendant obtained the plaintiff’s personal information from a motor vehicle record.  As you may recall, to fall within the DPPA’s narrow private right of action, a defendant must have obtained a plaintiff’s personal information “from a motor vehicle record.”  18 U.S.C. § 2724(a) (emphasis supplied).  In this case, the Plaintiffs did not dispute that none of the Defendants obtained any information “from” a motor vehicle record.  Rather, the Plaintiffs alleged that the Defendants obtained their personal information that was derived from a motor vehicle record—which the Fourth Circuit explained was insufficient to prove a DPPA claim.

In reaching this conclusion, the Fourth Circuit analyzed the legislative history of the DPPA, and noted that the words “derived from” were intentionally removed by Congress in the process of drafting the language of the DPPA.  Thus, the legislative history clarified the plain text: the DPPA imposes civil liability only on a defendant who obtains personal information from a motor vehicle record, but not on a defendant who merely obtains personal information that can be linked back to (i.e., derived from) such a record.  Accordingly, the Fourth Circuit expressly disagreed with courts in other circuits that have found violations of the DPPA so long as the personal information at issue could be traced back to a motor vehicle record.

The Fourth Circuit’s holding was narrow and straightforward: a DPPA plaintiff must allege and prove that the defendant obtained the plaintiff’s personal information from a motor vehicle record.  Because the Defendants obtained the Plaintiffs’ personal information from accident reports—and not expressly from motor vehicle records—the Defendants were entitled to summary judgment on the Plaintiffs’ DPPA claims.

CPW’s Kristin Bryan is quoted in today’s featured articles from GDR (Global Data Review). The article, “Bipartisan data privacy bill faces uphill struggle despite compromises,” discusses the draft legislation before Congress that is intended to create a national privacy bill regulating the use of consumer data. The bipartisan bill, the American Data Privacy and Protection Act, is at an integral point in the process, with the recent release of the draft legislation and a hearing to discuss the draft set for June 14. Kristin shares their perspectives on the bill and how it has taken a step forward in finding a compromise on preemption and providing citizens with a private right of action.

Read on for insights from two of CPW’s key authors.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

New Webinar: Employee and Other HR Data Under the California Privacy Rights Act

ABA Webinar featuring CPW’s Kristin Bryan

Updates to Automatic Renewal Laws with New Consent, Notice, and Cancellation Requirements in the United States and Germany

Federal Court Stays BIPA Litigation While Applicable Statute of Limitations is Still in Question

SEC Cyber Regulation Efforts: A Mid-Year Review

Congress Proposes Federal Privacy Legislation to Preempt Certain State Privacy Laws, Hearing Scheduled for Next Week

CPPA Holds First Public Meeting Following Publication of First Draft of Proposed Regulations and Initial Statement of Reasons

STILL TIME TO REGISTER FOR JUNE 14 CLE WEBINAR: Employee and Other HR Data Under the California Privacy Rights Act

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

Start Vetting Your Data Processors! Key Takeaways From the Forum Case

Webinar TOMORROW: CPW’s Kristin Bryan and Kyle Fath to Discuss Artificial Intelligence and Biometrics in New IAPP Virtual Event

Ninth Circuit Revives Session Replay Software Litigation, Finding Plaintiff Sufficiently Alleged His Online Communications Were Tracked Without His Express Prior Consent

The ASA’s Top Tips on Advertising “Free Trials”

FCC Announces Nine More State Robocall Investigation Partnerships

FTC Targets Children’s Privacy and Stealth Advertising Directed at Children

In Case You Missed Our Webinar “Navigating Opportunities and Challenges: Cross-border Data, the Cookiepocalypse and Standard Contractual Clauses”

Two More Nails in the Coffin for Opportunistic Data Breach Claims

Agency to Reveal Timing on First Draft of CPRA Regs at May 26 Meeting

CPW’s Kyle Dull to Chair Panel on AI and Data Governance at the International Institute of Communications’ Telecom & Media Forum on May 20

Fresh From the Oven: The CNIL’s Criteria for Allowing Cookie Walls in France

FTC to Discuss Children’s Privacy, Endorsement Guides at Next (Virtual) Open Commission Meeting: May 19, 2022, 1PM ET

Even for companies that are currently California Consumer Privacy Act (CCPA) compliant, the California Privacy Rights Act (CPRA) will present significant new challenges. This is due, in part, to the CPRA’s regulation of the collection, use and disclosure of employee, applicant, independent contractor and other “HR Data” that is currently largely exempt from the CCPA. Starting on January 1, 2023, organizations will have to apply various obligations to otherwise common and routine HR data processing. Importantly, businesses should be aware that the scope of application will likely extend beyond California-based employers to those outside of the state, such as in the case of remote workers and California-based job applicants.

In a virtual CLE event on June 14 at 2:00 pm EST, our panel of thought leaders will help you anticipate and plan for the coming changes. Join Annette Demmel, Alan Friel and Kyle Fath as they explore:

  • The “consumer” rights and business obligations that apply to HR data under the CPRA
  • Completing a data inventory for HR Data and otherwise preparing for compliance in view of delayed regulations
  • Balancing the obligations under the CPRA with a tangled web of California employment laws and regulations
  • Preparing for the notoriously litigious employment plaintiffs’ bar to use CPRA rights as an alternative, pre-litigation discovery mechanism
  • Lessons learned from GDPR employee data subject access requests, including regarding emails and unstructured data
  • The scope of privilege, trade secrets and protection of another person’s privacy rights
  • Status of pending legislation that would extend HR and B-to-B Data exemptions
  • The potential distinction between business data and personal information
  • How new purpose and retention limitations will help minimize access
  • The use of self-serve access and focusing of requests to limit search parameters, and of Section .145(h)(3) (formerly (g)(3)) to limit access
  • Application of deletion exception retention purposes to HR data

This program is pending 1.00 hour of general CLE in Arizona, California, New York and New Jersey. If you require another jurisdiction, please contact Robin Hallagan, our legal training manager.

If you would like to attend, or know someone who would, please click here to register.

The California Privacy Protection Agency (“CPPA” or “Agency”) hosted its first public meeting yesterday following publication of the first draft of proposed regulations (“Regs”) (on May 27) and the initial statement of reasons (“ISOR”) on June 3. Immediately below, we summarize highlights of the meeting held by the CPPA, including taking a further step towards formal rulemaking. Further below, we provide our initial but detailed insights on the first draft of proposed regulations (initially published here last week), including, among other things, on the controversial opt-out preference signal (“OOPS”).

June 8, 2022 Meeting Highlights

Not a Surprise, the CPPA and OAG Co-Wrote the Regs. During the meeting, representatives from the California Department of Justice, Office of the Attorney General (“OAG”) provided a high-level summary of the proposed Regs, confirming that the CPPA worked closely with the OAG to draft the proposed Regs. This is not surprising given that prior to the CPPA’s formation, the OAG was responsible for adopting and publishing the initial set of the California Consumer Privacy Act’s (“CCPA”) regulations. Rulemaking authority under the CCPA, as amended by the California Privacy Rights Act (“CPRA”), formally transferred to the CPPA on April 21, 2022. The California Office of Administrative Law (“OAL”) approved the transfer on May 5, 2022. The text of the current CCPA regulations (the “Regs”) is now available at Title 11, new Division 6, beginning with section 7000 of the California Code of Regulations. Although this formal transfer marks a step in the CPPA’s rulemaking, it is important to note that the CPPA has not begun formal rulemaking activities. The OAG emphasized that the proposed Regs do the following:  (1) update the CCPA regs to harmonize requirements with the CPRA amendments and to address any confusion; (2) operationalize new rights and concepts introduced by the CPRA amendments, including, among others, requirements for and limits on the use of sensitive personal information; and (3) reorganize and restate the requirements of the law, where appropriate, to maximize readability and understanding of legal obligations.

Global Opt-Out, Not Optional. The OAG confirmed its position that it interprets the provisions of the CCPA regarding opt-out preference signals (aka Global Privacy Controls) (see Section 1798.135(b)(3) of the statute (“A business that complies with subdivision (a) [i.e., by including opt-out links] … is not required to comply with subdivision (b) [i.e., honoring OOPS]”) and Section 1798.185(a)(20)(referring to an election to comply with (b)) as mandatory.  Thus, if the Regs are approved, businesses must develop a process for honoring such signals.

One Step Closer to Commencing Formal Rulemaking. The CPPA approved a motion to delegate authority to Ashkan Soltani, Executive Director of the CPPA, for rulemaking functions. Again, the CPPA has not commenced formal rulemaking activities yet. They are currently in the staff production phase of the pre-rulemaking stage, whereby staff prepares the rulemaking file. The CPPA will then approve the rulemaking file and file a Notice of Proposed Rulemaking Action (“NOPA”) together with the rulemaking file to the OAL. The NOPA will be posted on the CPPA’s website and published in the California Regulatory Notice Register. This will mark the first day of formal rulemaking.  Afterwards, a 45-day public comment period begins. The CPPA will also hold a public hearing during this time as scheduled or by request. At the conclusion of the public comment period, the CPPA must address public comments and may notice changes. A subsequent 15-day comment period will open if the CPPA proposes material changes to the Regs following the initial comment period. This process may be repeated. The CPPA is required to summarize and respond to every public comment in its Final Statement of Reasons (“FSOR”). Once the CPPA finalizes the regulations, it will submit the final version together with the FSOR in a final rule package to the OAL. Once approved, the Agency will formally adopt the regulations and the rulemaking record will close.

Stakeholders Continue to Press for Transparency and Compliance Timeline Extension. During the public comment portion of the meeting, representatives from business organizations, including the California Hispanic Chambers of Commerce, opined that there is much concern over the uncertainty of privacy regulations and the potential consequences of the same on the business community, especially among small businesses. The representatives collectively expressed that the lack of complete regulations and uncertainty over the scope and timing of compliance and enforcement pursuant to the same create hardships for businesses who are concerned about the cost and timing of compliance. The representatives requested greater transparency from the CPPA and at least a 6-month extension of the current compliance deadline, reasoning that an extension is fair in light of the delay in regulations.

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

While the draft Regs do provide an indication of what the Agency’s priorities may be, they certainly are incomplete. The document purposely omits regulations on key topics, including automated decision-making and profiling, cybersecurity audits, and risk assessments (which the Agency announced would not be included in the first draft during its May 26 meeting), so we can expect the Regs to expand far beyond their current 66-page length.

Opt-Out Preference Signal; Do Not Sell / Share. The CPRA includes a Global Privacy Control concept referred to as the “opt-out preference signal” (or “OOPS”). Though the statute makes honoring OOPS optional (see Section 1798.135(b)(3) of the statute (“A business that complies with subdivision (a) [i.e., by including opt-out links] … is not required to comply with subdivision (b) [i.e., honoring OOPS]”) and Section 1798.185(a)(20) (referring to an election to comply with (b))), the Agency has decidedly taken the position that honoring OOPS is mandatory. Sections 7025(e) and 7026(a)(1). The Agency appears to be hanging its hat on its new concept of processing OOPS signals in a “frictionless manner”—i.e., if your business processes OOPS in a frictionless manner it can forgo the opt-out links and mechanism, but if it does not then it must have both the opt-out links and mechanism and have a process for honoring OOPS, though that may involve certain steps and conditions, as discussed in further detail in the next paragraph. Regs. Sections 7013(d), 7025 (but compare to Section 7026(a)(1), which requires, at minimum, two methods, in conflict with Sections 7013(d) and 7025(e)). This approach is certain to receive a lot of comments and, should it become final, likely judicial challenge.

WTF is a “Frictionless Manner”? To be considered to have honored an OOPS signal in a frictionless manner, the business must not: (1) charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal; (2) change the consumer’s experience with the product or service offered by the business; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal (however, the business is permitted to present a pop-up or other notification asking for consent to ignore the OOPS). Therefore, for example, publishers will still have the opportunity to monetize content and present pop-ups in the way that is currently done when they detect a pop-up blocker. Section 7025(f).

The criteria for a “frictionless manner” come from what the statute tasks the Agency to determine as part of the specification for the OOPS at 1798.185(a)(20), so there is a basis for requiring the OOPS to be “frictionless.” However, that does not necessarily mean that Section 1798.135 does not permit publishers to elect between links or frictionless OOPS. In addition, to qualify under Section 7025(g) to avoid having to post the DNSale / DNShare link and mechanism, the frictionless OOPS must also act as a consumer opt-out of offline sales and sharing if the business has the ability to link the signal to offline consumer data (e.g., the website visitor is logged in and thereby tied to their profile). It is not clear what is meant by “offline,” as it is not defined in the Regs or the statute. Finally, it is proposed that third party controllers (e.g., cookie operators) collecting personal information on a first party business’ website are also required to look for and honor OOPS. Section 7052(c).

What can the opt-out link(s) say? In terms of what links may be used, the Regs provide that they can either state: (1) “Do Not Sell or Share My Personal Information” and, if applicable, “Limit the Use of My Sensitive Information;” (2) Your Privacy Choices; or (3) Your California Privacy Choices; however, “this alternative opt-out link is to provide businesses the option of providing consumers with a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of selling/sharing, and the right to limit, instead of posting the two separate [links] ” (emphasis added). That begs the question: can a company that does not use or disclose sensitive personal data in a manner that is subject to limitation still take advantage of the alternative link to address sale/share? Given that some sort of conspicuous opt-out link will be required for the other 2023 state privacy laws (e.g., Colorado, Virginia), option 2 would seem to present a clean and consumer friendly way of pointing consumers to their various opt-in and opt-out options. To emphasize, however, if the proposed OOPS provision is not reworked the processing of opt-out preference signals would still be required, they would just seemingly not have to be in a “frictionless manner.” See Sections 7013(b) and 7015(b).

Combined DNSell / DNShare Requests? The Agency appears to treat the separate opt-out from sale and sharing rights as a single, combined obligation of a business. In other words, if a business receives a “Do Not Sell” request it must also treat it as a “Do Not Share” request, and vice versa. A number of sections, including the new definition of “Opt-Out of Sale/Sharing,” indicate that the Agency is not bifurcating the concepts and will seemingly require businesses to treat one as both. See, e.g., Sections 7001(z) (“neither sell nor share”), 7025(c) and 7026, among others. While the statute speaks in terms of a combined DNSale or DNShare link, it provides that such link be “to an internet webpage that enables a consumer … to opt-out of a sale or sharing…” (emphasis added). It is conceivable that some consumers may want to opt-out of sale, but not sharing for cross-context behavioral advertising, or vice versa, and the conflation of these rights in the Regs would prevent that. This, too, is likely to receive comments, assuming the full Agency Board even votes the provision forward. Furthermore, the Regs require DNSell / DNShare opt-outs to be flowed down to third party sale / share recipients, who must honor the opt-out in the same manner as the business. Section 7052(a). There is no express authority in the statute for such a pass-through of opt-outs.

No OOPS Technical Details. Setting aside the controversy of the requirement (or lack thereof) of processing OOPS signals, the Agency provided no technical requirements on the opt-out preference signal or regulations touching on the statute’s requirement that the signal must be sent with a consumer’s consent, which would likely require it to be a user-enabled rather than a default setting. In addition, the Regs provide no details on how a business can and should determine residency with respect to an OOPS signal. While we need significantly more detail on this, and as the debate regarding the optional nature of OOPS rages on, a few other interesting aspects of the OOPS-related Regs worth raising include: (1) effectively requiring businesses to tie an OOPS opt-out to non-cookie and other non-online information where a consumer is signed into the business’ account online (but not if the consumer is not signed in) (Section 7025(c)(7)(A)-(B)); and (2) displaying an online message as to whether the business has “Honored” the OOPS opt-out for a particular device/consumer (Section 7025(c)(6)). In addition, the Regs not applying the OOPS to limitation of sensitive information, as the statute provides, alone arguably causes the current proposal on OOPS to fall short of the statutory requirements.
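To make the preceding paragraphs on OOPS concrete for an engineering team, here is an added example of a server-side handler that honors the signal the way the draft Regs describe it: one signal is treated as a combined Do Not Sell / Do Not Share opt-out, it is tied to the consumer’s account only when they are signed in, it is flowed down to third-party recipients, an “Honored” status is recorded for display, and the only notification allowed in a frictionless flow is a request for consent to ignore the signal. This is illustrative code written for this post, not code from the CPPA, the draft Regs or any browser vendor. Because the draft Regs give no technical specification for the signal, the example assumes the `Sec-GPC: 1` request header defined by the separate Global Privacy Control specification; the request and session shapes, the in-memory stores, the third-party names and the account id are all constructed for the example.

```javascript
// Added example, not from the draft Regs or the post. Assumption: the signal
// arrives as the Global Privacy Control header "Sec-GPC: 1" (from the GPC
// specification, not from the Regs, which give no technical detail).
const SIGNAL_HEADER = "sec-gpc";

// Constructed in-memory stores standing in for a profile database and a
// notification queue for downstream sale/share recipients (Reg. 7052(a)).
const profileOptOuts = new Map(); // accountId -> true once the opt-out is applied offline
const downstreamNotices = [];     // flow-down notices sent to third parties

function hasOptOutSignal(headers) {
  const value = headers[SIGNAL_HEADER];
  return typeof value === "string" && value.trim() === "1";
}

// Processes one request. `request` = { headers, session, thirdParties } (constructed
// shape). `options.askConsentToIgnore` models the one pop-up Reg. 7025(f) still permits.
function processOptOutSignal(request, options = {}) {
  const { headers = {}, session = {}, thirdParties = [] } = request;
  const decision = {
    signalDetected: false,
    optOutOfSale: false,
    optOutOfSharing: false,
    appliedToAccount: null,     // account id when the opt-out reached offline data
    status: "Not honored",      // message shown per Reg. 7025(c)(6)
    interstitial: null,         // anything displayed in response to the signal
    flowDownTo: [],
  };
  if (!hasOptOutSignal(headers)) return decision;
  decision.signalDetected = true;

  // The Regs conflate sale and sharing: one signal opts out of both (7001(z), 7025(c)).
  decision.optOutOfSale = true;
  decision.optOutOfSharing = true;

  // Tie the opt-out to non-online profile data only when signed in (7025(c)(7)(A)-(B)).
  if (session.accountId) {
    profileOptOuts.set(session.accountId, true);
    decision.appliedToAccount = session.accountId;
  }

  // Flow the opt-out down to recipients of sold or shared data (7052(a)).
  for (const recipient of thirdParties) {
    downstreamNotices.push({ recipient, optOut: "sale/sharing" });
    decision.flowDownTo.push(recipient);
  }

  decision.status = "Honored";
  if (options.askConsentToIgnore) {
    decision.interstitial = "consent-to-ignore-signal"; // the only permitted pop-up, 7025(f)(3)
  }
  return decision;
}

// Check a planned response against the three "frictionless" conditions of Reg. 7025(f):
// no fee, no changed experience, no interstitial other than a consent-to-ignore request.
function isFrictionless(response) {
  const { feeCharged = false, experienceChanged = false, interstitial = null } = response;
  if (feeCharged || experienceChanged) return false;
  return interstitial === null || interstitial === "consent-to-ignore-signal";
}

// Links a business must still post when its OOPS handling is not frictionless
// (7013(d), 7025(e)); the wording follows the options quoted from the Regs above.
function requiredOptOutLinks(frictionlessOops, limitsSensitiveInfo) {
  if (frictionlessOops) return []; // 7025(g): also requires the offline linkage done above
  const links = ["Do Not Sell or Share My Personal Information"];
  if (limitsSensitiveInfo) links.push("Limit the Use of My Sensitive Information");
  return links;
}

module.exports = { processOptOutSignal, isFrictionless, requiredOptOutLinks, profileOptOuts, downstreamNotices };
```

Run as a module: a request with `{ "sec-gpc": "1" }` and a signed-in session yields `status: "Honored"`, the account id in `appliedToAccount`, and one notice per third party; a request without the header leaves the consumer opted in and `status: "Not honored"`. The `isFrictionless` check is the piece a team would wire in front of any pop-up or paywall logic, since a single unrelated interstitial forfeits the frictionless treatment and brings the opt-out links back.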

Principles Regarding Consumer Requests and Consent. In addition to the specific requirements regarding the various consumer request types discussed below, the Agency outlined several overarching requirements applicable to all types of consumer requests. Among these general requirements, businesses must:

  1. Ensure the consumer request methods and accompanying instructions are easy to understand;
  2. Offer symmetry in choice. In other words, “[t]he path for a consumer to exercise a more privacy protective option shall not be longer than the path to exercise a less privacy-protective option”;
  3. Avoid confusing language (including double negatives);
  4. “Avoid manipulative language or choice architecture”; and
  5. Be easy to execute.

Section 7004(a). Failure to comply with the requirements above may be considered a “dark pattern” under the CPRA. Additionally, the Regs clarify that “[a] user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decisionmaking [sic], or choice, regardless of a business’s intent.” Section 7004(b) and (c).

Right to Delete. The draft Regs make explicit businesses’ obligations to flow down requests to delete to service providers, contractors, and third parties. Specifically, the Regs instruct businesses to notify contractors and service providers to delete PI on request from an eligible consumer, and also require service providers and contractors to comply with those requests and pass the request down to subprocessors. Section 7022(b)(2) and (c). Additionally, third parties to whom a business has shared or sold PI must be instructed to delete the PI (Section 7022(b)(3)), and the Regs add that they must comply (Section 7052(a)). The former is required by the statute, but the latter is not explicitly stated.

Right to Correct. The Regs’ provisions regarding requests to correct primarily revolve around issues of contested data, as well as how businesses are expected to effectuate correction requests. On the former point, the Agency instructs businesses to consider the “totality of the circumstances” when determining whether to accept new PI presented by a consumer, or to reject the request. Factors to consider include:

(A) The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).

(B) How the business obtained the contested information.

(C) Documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source. Requirements regarding documentation are set forth in subsection (d).

Section 7023(b)(1). Helpfully, the Regs add that “[i]f the business is not the source of the personal information and has no documentation to support the accuracy of the information, the consumer’s assertion of inaccuracy may be sufficient to establish that the personal information is inaccurate.” Section 7023(b)(2).

With respect to the implementation of correction requests, the Regs advise that businesses should update the PI on existing systems, and also take measures to ensure that the information stays accurate. Essentially, the CPPA is telling businesses to make sure that corrected information is not subsequently overwritten by incorrect information. Additionally, businesses are obligated to pass along correction requests to contractors and service providers. Section 7023(c).

Limit the Use of My Sensitive Personal Information. In a regulatory scheme rife with difficult acronyms, we have to compliment the Agency here for coining the phrase “right to limit” to refer to a consumer’s right to limit the use or disclosure of sensitive personal information. As promised by the statute, the Regs provide the purposes for which a business can use or disclose sensitive PI without offering the right to limit, including performing services reasonably expected by an average consumer, fraud prevention, ensuring physical safety of natural persons, short term transient use for nonpersonalized advertising, and other routine business purposes. In addition to enumerating such business purposes, the Agency provides helpful examples within each one. See Section 7027.  The Regs also require that the privacy notice and retention schedule break out disclosure of sensitive personal information collected into the nine subcategories set forth in the statute.

Right to Know (access). Consistent with the statute’s expansion of the lookback period for access requests beyond 12 months after January 1, 2022, the Regs do so, but clarify that businesses may limit such requests where compliance would involve disproportionate effort, measured by a balancing test of the time and resources required against the benefit to the consumer. Sections 7001(h) and 7024(h). “For example, responding to a consumer request to know may require disproportionate effort when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner.” Section 7001(h) (emphasis added). However, failure to put appropriate systems in place to reasonably fulfill requests will negate a claim of disproportionate effort. Id.

Verification. Interestingly, these regulations provide few revisions to the sections relating to verification of requests.

Purpose Limitation. “Reasonably Necessary and Proportionate” Defined. The Regs provide helpful guidance on the purpose limitation requirements in the statute, namely, by defining “reasonably necessary and proportionate.” The Regs provide that this limitation means that collection, use, retention, and sharing of PI must be “consistent with what an average consumer would expect when the personal information was collected” or “for other disclosed purpose(s) if they are compatible with what is reasonably expected by the average consumer.” Section 7002(a). This section also provides examples of what may or may not be reasonably necessary and proportionate. However, the examples suggest that certain advertising and marketing practices, particularly regarding geolocation and third party marketing, would not be permissible without specific notice and express consent.

Notice at Collection. Along with the statutory additions to the notice at collection requirements—most notably, retention details on a category basis (and for sensitive personal information, subcategories)—the Regs have added significant substance, particularly as it relates to third parties controlling the collection on a first party’s website or premises. See Section 7012. In particular, the Regs require, among other things:

  • The first party business to include in its notice at collection names of all such third parties, or in the alternative, information about the third parties’ business practices. Section 7012(g)(2).
  • The third party businesses that control the collection on another business’s website or physical premises, such as in a retail store or in a vehicle, must still provide a notice at collection in a conspicuous manner, though it can do so as part of the first party’s notice (e.g., the first party provides notice at collection of where the third party’s notice can be found online). Section 7012(g)(1)-(4).
  • However, these provisions explicitly do not relieve the first party of its obligations “to comply with a consumer’s right to opt-out of sale/sharing. If a consumer makes a request to opt-out of sale/sharing with the first party, both the first party and third parties controlling the collection of personal information shall comply with sections 7026, subdivision (f) (honoring opt-outs) and 7052, subdivision (a) (passing opt-outs down to the sale/share recipient).” Section 7012(g)(1)(A).

There is no discussion on how this relates to the broadening of the exemption to sale / sharing under the statute where the consumer “uses or directs the business to: (1) intentionally disclose personal information; or (2) intentionally interact with one or more third parties,” Section 1798.140(ad)(2)(A) and (ah)(2)(A), and the Regs do not provide any guidance on this type of disclosure.

Notice of Financial Incentive. While few changes and details are provided in relation to financial incentives (such as loyalty programs, discounts in exchange for email sign-ups, etc., which have been a focus of CCPA enforcement), the Regs remove the requirements of personal information valuation and explaining how that value is reasonably related to the program benefits, unless the program requires waiver of consumer rights to avoid a price or service difference. Sections 7016(d)(5), 7080 and 7081.

Human Resources. The Regs include amendments that take into account the January 1, 2023 sun-setting of the current exceptions applied to applicants, current and former employees and contractors.  They also add a specific requirement that the business include in its privacy notice a statement that the business will not retaliate against applicants, employees or contractors that exercise their CCPA rights.

Service Provider, Contractor, and Third Party Management. This first draft of the Regs perhaps hints at one of the Agency’s potentially greatest areas of focus, namely the management of data relationships. In short, the practice of papering relationships with a one-size-fits-all template will not be sufficient in the eyes of the Agency. In addition, the Agency is clearly focused on the “sale/share” issue on a vendor-by-vendor (or other recipient) basis.

  • New Expanded Requirements.
    • Service Providers/Contractors. The Regs require very prescriptive contractual terms to designate a data recipient as a service provider or contractor, including identification of the specific business purposes and services for which the service provider or contractor is processing information. Further, the Regs specify that “[t]he description shall be specific” and “shall not be described in generic terms.” As a result, businesses would not be able to apply generic provisions across what is sometimes thousands of vendors. On the flip side, vendors will have to be specific in contract templates about the business purposes and services involved. See Section 7051. Importantly, the Regs state that failure to meet these prescriptive requirements means that the recipient is not a service provider or contractor, and thus, a sale / sharing is occurring. Section 7051. In addition, the Regs, in keeping with the statute, require at least eleven specific contractual obligations for the contract to be valid. Beyond that, the Regs add non-contractual obligations that apply to service providers / contractors and their subprocessors.
    • Third Parties (sale or sharing recipients). The agreement with statutorily-defined third parties must identify “the limited and specified purposes for which the personal information is sold or disclosed” and “must not be described in generic terms”, but rather “shall be specific.” The contractual requirement is very strict; any third party is restricted from collecting, using, processing, retaining, selling, or sharing personal information from a business in the absence of a compliant contract. Section 7053. In addition, although not expressly provided for under the statute, the Regs add affirmative obligations on third parties, including the obligation to honor deletion and DNSale / DNShare requests made to a first party and passed down, and to look for and honor opt-out preference signals (OOPS) sent to a first party website on which they operate. Section 7052.
  • Diligence and Audits of Data Recipients. The Regs certainly incentivize businesses to audit their vendors and other data recipients (a right which must be in contracts with service providers, contractors, and third parties): “[D]epending on the circumstances, a business that never enforces the terms of the contract nor exercise its rights to audit or test the [recipient’s] systems might not be able to rely on the defense that it did not have reason to believe that the [recipient] intends to use the personal information in violation of the CCPA and these regulations….” Sections 7051 and 7053.
  • Notice at Collection Requirements. As discussed above, both first parties and third parties controlling the collection of personal information on a first party website or premises have notice at collection obligations with respect to the third parties’ collection.

Enforcement. The Regs contain a procedure for consumers to submit requests to the Agency, including the information that must be submitted in connection with a complaint. In its Regs, the Agency commits to notifying complainants “in writing of the action, if any, the Agency has taken or plans to take on the complaint,” as well as the Agency’s rationale for action or inaction. When the Agency initiates an enforcement action, it will issue a probable cause notice to the alleged violator. The Agency will conduct a Probable Cause Proceeding in a closed hearing (unless a public hearing is requested by the alleged violator at least 10 days prior to the proceeding), in which it will evaluate evidence presented by the alleged violator (with counsel) and the CPPA Enforcement Division. The Agency will issue a written Probable Cause Determination based on evidence presented, which will not be a public document. The decision “is final and not subject to appeal.” Section 7302. Alternatively, the Enforcement Division and the subject of the complaint may enter into a stipulated order, prior to the entry of a Probable Cause Determination, which will be a public document. Section 7303. Finally, the Regs also empower the Agency to conduct audits, “to investigate possible violations of the CCPA” and also where “the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law.” Section 7304. Presumably this means entities which have been subject to significant enforcement actions (for example, by EU supervisory authorities) may expect to be audited by the CPPA.

Notable Regs–Cookies and AdTech.

  • Non-First Party Cookies are deemed a sale or sharing if not qualified as service providers / contractors. The Regs do not specifically state that the collection of personal information by third-party cookies on a first party site constitutes a sale/sharing by the first party site. However, the statute changed the definition of third party to exclude service providers and contractors. The Regs provide that “[a] third party shall comply with a consumer’s request to delete or request to opt-out of sale/sharing forwarded to them from a business that provided, made available, or authorized the collection of the consumer’s personal information.” Section 7052(a). Further, the Regs make clear that a first party that allows third-party businesses to collect personal information is not thereby relieved from passing DNSale / DNShare opt-outs to those third parties. Combined, this implies that, absent an exception from sale / share such as an express direction / interaction (i.e., opt-in), opt-outs apply to third party controllers such as third party cookie operators.
  • Cookie Banners alone are not sufficient for Do Not Sell/Share Opt-Outs. While this point seems obvious given the growing reliance on cookieless technology and identifiers to target advertisements, it underscores a potential enforcement priority for the Agency of looking beyond facial compliance. The Agency emphasizes that cookie controls like cookie banners only address the “collection” and not the sale or sharing of personal information.
  • Turning off Cookies Will Not Be Sufficient for Honoring a Do Not Sell / Do Not Share Request. In addition to its statements regarding cookie banners, the Regs require businesses to notify sale/sharing recipients of the request, require such sale/sharing recipients to notify other downstream recipients, Section 7026(f)(3), and require third parties to do so, Section 7052(a). In effect, the Regs require a signal-based opt-out system, much like the one that was developed by the Interactive Advertising Bureau (IAB) for the CCPA, and require that such a signal also trigger a downstream opt-out and not just a termination of ongoing sales / shares. It remains to be seen how organizations outside of the AdTech ecosystem will pass such signals or otherwise provide notifications in relation to DNSale / DNShare requests for more traditional types of PI.
  • Any use cases involving cross-contextual behavioral advertising will prevent a vendor from being considered a service provider or contractor. In addition, routine activities that are able to fit under the service provider role under the current CCPA, such as custom audiences or email matching for advertising purposes, are stated explicitly in the Regs to fall outside of service provider permitted purposes (and thus would constitute a sale/sharing). Section 7050(c)(1).

CONCLUSION

While the Agency kicked some of the more difficult issues down the road for further consideration, its first draft of proposed Regs is quite comprehensive with respect to the issues addressed. The authority for some of what is proposed is questionable and will likely be challenged in comments, if not in judicial action should such provisions become final. Interested businesses are encouraged to submit public comments. In addition to assisting specific clients and their trade organizations in making comments, SPB plans on making comments on behalf of unnamed clients that wish to remain anonymous. While we will make it clear that such comments do not necessarily reflect the opinions or concerns of all of our clients, we found during the CCPA rulemaking that this is a useful way for clients to get their views across when they are not comfortable doing so directly and lack a trade group that they can work through to get their views in front of the regulator.

For more information, contact the authors or your SPB relationship partner.

On Friday, three of the four leaders of the Congressional committees with principal jurisdiction over privacy provided for review draft privacy legislation (the American Data Privacy and Protection Act) that, if adopted, would preempt certain recently-passed state privacy laws.  The bill, sponsored by House Energy and Commerce Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.), ranking member of the Senate Commerce Committee, shares features of California’s privacy legislation, as well as the GDPR.  However, the legislation departs from these existing laws in important ways.  In this post, we analyze some of the most important features of the legislation from both a compliance and litigation risk perspective, as well as what is on the horizon going forward.

Background

There were a number of privacy bills introduced in the House and Senate in 2021-2022.  As one recent example, in February the Algorithmic Accountability Act of 2022 was introduced in the U.S. Senate by Sen. Ron Wyden to direct the Federal Trade Commission (“FTC”) to promulgate regulations that require any “covered entity” to perform impact assessments and meet other requirements regarding automated decision-making processes.  The bill would have required the promulgation of regulations on automated decision-making processes that implicate an “augmented critical decision process” – essentially, any process that results in legal or other material effects on a consumer.

Data privacy has also been a top of mind issue at the state level, with comprehensive privacy laws recently enacted in California, Colorado, Connecticut, Virginia and Utah.  Over 100 privacy bills were introduced in state legislatures in 2022 alone.  This wave of activity included other states seeking to adopt broad privacy regimes (such as Florida’s twice failed efforts) while others focused on privacy bills that were narrowly tailored to specific areas such as biometric privacy, AI and facial recognition.  This proliferation of state laws and their diverging regulatory requirements has led to increasing calls for passage of a federal privacy law.  A uniform federal law, if enacted, would provide business interests much needed clarity while also ideally stemming the tide of putative class actions and other data privacy claims brought under various state laws.

Compliance Requirements

If passed, the American Data Privacy and Protection Act (the “Act”) would codify several privacy best practices into federal law.  Under the draft, businesses would be required to limit the collection, processing, and transfer of “covered data” to that which is “reasonably necessary, proportionate, and limited to” provide products or services to the individual, communicate with the individual, or perform another purpose permitted by the legislation.  Sec. 101(a).

Prohibited Practices

The Act would place an outright prohibition on certain data processing activities if very limited exceptions—like the consent of the individual, exigent circumstances, or a search warrant—are not satisfied.  Under the Act, the following activities would be prohibited:

  • Processing of Social Security numbers, except where necessary for the extension of credit, authentication of the individual, or payment and collection of taxes.
  • Transferring precise geolocation information to a third party, except to another device or service of the individual, with the individual’s affirmative express consent, “through a conspicuous notice explaining the manner in which the precise geolocation information will be transferred with such a notice provided for in each instance in which such transfer is to occur absent a search warrant or exigent circumstances.”
  • Collecting, processing, or transferring biometric information, “except for data security, authentication, to comply with a legal obligation, to exercise or defend a legal claim, for law-enforcement purposes, or with the affirmative express consent of the individual through a standalone conspicuous notice explaining the manner in which the biometric information will be collected, processed, or transferred with such a notice provided for each instance in which such collection, processing, or transferring is to occur.”
  • Transferring passwords, except to a password manager or a covered entity whose job it is to identify passwords being re-used across sites or accounts, absent a search warrant or exigent circumstances.
  • Collecting, processing, or transferring “known nonconsensual intimate images” (what is sometimes referred to as “revenge porn”), “except for law enforcement purposes.”
  • Transferring “an individual’s aggregate internet search or browsing history, except with the affirmative express consent of the individual through a standalone conspicuous notice,” like that described above for biometric or precise geolocation information.
  • Transferring an individual’s physical activity information from a smart phone or wearable device, other than to another device or service of that individual with the affirmative express consent of the individual, as described above.

Sec. 102(a).

Individual Rights

Like existing privacy laws, the Act would provide individuals rights like the right to access (in human and machine-readable, portable formats), correction (including for completeness), and deletion. Sec. 203(a). The Act also includes the right to opt out of targeted advertising (Sec. 204(d)), and also requires covered entities to obtain consent before processing “sensitive covered data.” Sec. 204(a). Notably, the Act construes “sensitive” broadly, including the following categories not previously included in other privacy laws:

  1. Clickstream data.
  2. “Calendar and address book information, phone or text logs, photos, audio recordings, or videos maintained for private use on an individual’s device.”
  3. Photos and videos showing “the naked or undergarment-clad private area of an individual.”
  4. Television, cable, or streaming content viewing information.
  5. Information regarding individuals under 17.
  6. “Any other covered data collected, processed, or transferred for the purpose of identifying the” sensitive data types.

In a more novel turn, the Act also includes the right to opt out of data transfers to third parties. Sec. 204(c).

Privacy by Design

If passed, the Act would mandate that covered entities develop and implement a privacy program that accounts for applicable Federal, State, or local laws, rules or regulations, mitigation of privacy risks to children, reduction of privacy risks arising from the products or services of the covered entity, and training for employees and staff.  Sec. 103(a).

Privacy Notices

Many of the Act’s requirements for privacy policies under the draft legislation mirror other laws. Departing from existing privacy laws, the Act also requires the privacy policy to include “the name of each third-party collecting entity to which the covered entity transfers covered data, and the purposes for which such data is transferred to such categories of service providers and third parties or third-party collecting entities[.]”  Sec. 202(b)(4).  Additionally, “large data holders” would be obligated to provide a short form notice that is, “concise, clear, and conspicuous,” “readily accessible, based on the way an individual interacts with the large data holder,” and include an overview of the individual rights provided under the legislation.  Sec. 202(e).

Preemption

In a welcome move for many businesses, the Act would preempt most state privacy laws.  It provides that “[n]o State or political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.”

However, the Act would not preempt various targeted state statutes, including “consumer protection laws of general applicability such as laws regulating deceptive, unfair, or unconscionable practices”, laws regarding the privacy rights of employees or students, data breach notification laws, the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act (except its provisions concerning security breaches) and the California Privacy Rights Act, and laws governing facial recognition, unsolicited email, telephone solicitations, and caller ID, among other matters.  In practice, this means that the Act, if enacted, would explicitly preempt the new comprehensive privacy legislation enacted by Connecticut, Virginia, Utah and Colorado.

Private Right of Action

The Act also contains a complex private right of action that allows “any person or class of persons who suffers an injury” due to a violation of the bill that could be addressed by its civil remedies to file suit in federal court.  The Act’s civil remedies, however, are limited to compensatory damages, injunctive and/or declaratory relief, and reasonable attorney’s fees and litigation costs.  Additionally, presumably in an effort to give the business community time to adjust to any new regulatory requirements, the Act includes a four-year delay on the availability of the private right of action.  The Act also prohibits mandatory arbitration clauses, albeit for minors only.

Path Forward

On June 7, it was announced that a hearing on the Act has been scheduled for Tuesday, June 14, at 10:30 a.m. (EDT).  However, it remains to be seen whether Senator Cantwell, the Chair of the Senate Commerce Committee, will lend her support to the Act (and what the Act’s path forward will look like if Senator Cantwell’s endorsement is not forthcoming).  Senator Cantwell had previously supported other privacy bills (including one in 2019 that included a private right of action and would have established a “duty of loyalty” for companies handling consumer data).  For more on this, stay tuned.  CPW will be there to keep you in the loop.

2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for the SEC’s efforts to shape cybersecurity policy.  This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.

January: Chair Gensler Sets out Cyber Regulation Roadmap

To kick off the year of SEC’s emphasis on cybersecurity policy, on January 24, SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute.  Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations.  These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

February: Proposal for Advisers and Funds

On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, and (3) keep related cybersecurity books and records.  Additionally, advisers would be required to file a confidential report to the SEC within 48 hours of significant cybersecurity incidents.

March: Proposal Requiring Public Company Cyber Incident and Risk Disclosures

The SEC followed its proposal with another; on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures.  Most notably, the proposal would require companies to file a public disclosure form when the company suffers a “material cybersecurity incident” within four business days after the company has determined the incident is material.  The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”

April: Chair Gensler Reiterates Roadmap

On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council.  His April remarks mentioned the same areas for potential regulation that he mentioned in his February address.  By April, however, the SEC had followed through and announced two proposals covering topics mentioned by Chair Gensler.

The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

May: Increased Enforcement Capabilities

Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit—formerly just the Cyber Unit—would be nearly doubled in size, from 30 dedicated enforcement positions to 50.  Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.”  With the cybersecurity regulations which have been proposed, and ones likely to be imposed in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.

While Illinois’ Biometric Information Privacy Act remains one of the most-litigated privacy statutes, several aspects of the law remain unsettled, including the applicable statute of limitations for BIPA claims. CPW has previously covered several key decisions addressing whether BIPA claims are subject to a one-, two-, or five-year statute of limitations, as well as whether BIPA claims accrue only once (at the time an individual’s biometric data is first collected) or every time an individual’s biometric data is collected. In Gibbs v. ABT Elecs., Inc., No. 21 C 6277, 2022 U.S. Dist. LEXIS 92903 (N.D. Ill. May 24, 2022), another federal court stayed a plaintiff’s remaining BIPA claims pending the resolution of two appeals before the Illinois Supreme Court, Cothron v. White Castle System, Inc. and Tims v. Black Horse Carriers, Inc., which are poised to clarify the statute of limitations applicable to BIPA claims.

The Plaintiff in Gibbs brought ten separate claims against the Defendants, his former employer and an individual supervisor, one of which was a claim for violations of several sections of BIPA. Defendants moved to dismiss Plaintiff’s claims under Section 15(a)[1], claiming that Plaintiff lacked standing to bring such claims; as Plaintiff failed to respond to this argument, the Court deemed it waived and dismissed these claims. Defendants sought to stay the remaining claims pending the Illinois Supreme Court’s resolution of the appeals in Cothron and Tims on two grounds: first, that a finding for a one-year statute of limitations for BIPA claims would bar Plaintiff’s remaining claims entirely, and second, that a finding that BIPA claims only accrue once (at the first collection of biometric data) would impact the size of a putative class, the scope of discovery, and potential liability in the matter.

Recognizing that it was a “close call,” the Gibbs court nevertheless found that Defendants had met their burden of demonstrating that a stay was warranted. The Court found it “significant” that the Seventh Circuit had stayed proceedings in Cothron pending the resolution of the appeal and opted to “follow its lead” to wait for further guidance from the Illinois Supreme Court. The Court concluded that, while other courts had declined to stay similar matters, “it cannot be denied that the Illinois Supreme Court’s decisions in these cases will have a considerable impact on a very rapidly evolving area of law, as well as on how this case proceeds.”

We will continue to keep an eye on this case and the appeals in Cothron and Tims for you.

[1] Section 15(a) contains requirements for private entities possessing biometric data to develop, disclose, and comply with a retention schedule and guidelines to permanently destroy the data.

Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal laws (ARLs). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that automatically renews at the end of the term for a subsequent term, until the subscribing consumer cancels. Many US states and the US Federal Trade Commission (FTC) require businesses offering subscription plans to obtain from the consumer affirmative consent to subscription plan terms, send confirmation emails with the subscription terms, send renewal notices within a set number of days prior to the plan automatically renewing, and allow consumers to easily cancel their subscriptions, among other requirements. The FTC’s enforcement power for automatic renewals rests in several laws and rules, such as Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), and the Telemarketing Sales Rule. Although most state ARLs target business-to-consumer contracts, some states have ARLs that regulate business-to-business contracts (e.g., New York and Wisconsin). We take a look at the varying requirements of the more stringent state ARLs regulating business-to-consumer contracts below. New or updated ARLs have taken effect in Colorado, Delaware, New York, and Illinois. Notably, California’s new, more stringent requirements for businesses that offer consumers automatic renewals take effect July 1, 2022.

In Europe, the EU has had several Directives relating to consumer contracts, including the Unfair Contract Terms Directive, the Consumer Rights Directive, and most recently, the Digital Content Directive and the Sale of Goods Directive. However, in addition to these Directives, Germany passed the Fair Consumer Contracts Act, which will place stricter regulations on automatic renewals in e-commerce. An important new practical requirement is the cancellation button, the design of which is subject to detailed requirements. Non-compliant businesses will be subject to injunctive relief from both competitors and consumer protection associations. Further, consumers can cancel contracts at any time if the business is non-compliant. Some of the provisions of the Fair Consumer Contracts Act entered into force on October 1, 2021; however, implementation of the cancellation button is mandatory as of July 1, 2022, the same effective date as California’s updated ARL.

Updates to Laws

United States

Last year, New York strengthened its business-to-consumer ARL to include additional consent, disclosure, and cancellation requirements. In addition to this updated business-to-consumer ARL, New York’s original ARL covers business-to-business contracts “for service, maintenance or repair to or for any real or personal property” where the renewal period is longer than a month. New York’s enhanced ARL, which went into effect in 2021, has some notable new requirements for businesses that we have seen in other state consumer protection laws, including omnibus privacy laws:

  1. Obtain “affirmative consent” to the terms, including the cancellation policy (which must be clearly and conspicuously disclosed in “visual” or “temporal” proximity to the consent mechanism), prior to charging a consumer for an automatic renewal. Failure to obtain this consent will deem the “goods, wares, merchandise, or products” to be “unconditional gifts to the consumer, who may dispose of the [gift] in any manner he or she sees fit without any obligation whatsoever on the consumer’s part to the business.” §527-a(6).
  2. “Clear[ly] and conspicuous[ly]” disclose the “terms, cancellation policy, and information regarding how to cancel in a manner that is capable of being retained by the consumer.” §527-a(1)(c). Think of this as a requirement to send a confirmation email or letter to the subscribing consumer. If the subscription includes a free gift, the business should provide the ability and include instructions in the confirmation for the consumer to cancel before being charged for the good or service.
  3. Allow online cancellation of subscriptions purchased online, as well as a “cost-effective, timely, and easy-to-use mechanism for cancellation” for subscriptions not purchased online. §527-a(2)-(3).

Indicating that automatic renewals are an enforcement priority, New York Attorney General Letitia James issued a consumer alert in November 2021, reminding consumers and businesses that New York has updated its ARL for business-to-consumer contracts.

In October 2021, the FTC issued an enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.” The enforcement policy states that sellers should obtain a consumer’s unambiguous affirmative consent for the automatic renewal. You can read our other coverage of dark patterns here.

Also in October 2021, California enacted its enhanced ARL that has an operative date of July 1, 2022. In the enhanced ARL, California has required additional consent, disclosure, and cancellation requirements on businesses that offer automatic renewals. Notably, California’s ARL will soon require:

  1. Businesses must provide a notice (i.e., an email or letter to the consumer stating that the subscription will automatically renew) that clearly and conspicuously discloses (a) that the renewal will occur “unless the consumer cancels,” (b) the length of the additional term, (c) how the consumer may cancel, (d) if sent electronically, a link that directs the consumer to the cancellation process or another electronic method to cancel, and (e) the contact information for the business. §17602(a)(4).
  2. Notice timing.
    1. Notice must be provided 3 to 21 days before the expiration of a free gift or trial period lasting more than 31 days. §17602(b)(1).
    2. Notice must be provided 15 to 45 days prior to the renewal for automatic renewals with subscriptions one year or longer, under certain conditions. §17602(b)(2).
  3. Easy-to-use cancellation. Consumers subscribing online must be allowed to cancel online, “at will, and without engaging in any further steps that obstruct or delay the consumer’s ability to terminate” the subscription immediately. Businesses shall provide either (a) “a prominently located direct link or button” located in the account profile, or in device or user settings; or (b) a preformatted termination email that the “consumer can send to the business without additional information.” §17602(d)(1). Businesses can require account authentication prior to cancelling the account online, but consumers can still cancel through the other methods outlined elsewhere in California’s ARL.

Many other states and Washington, D.C. have similar consent, disclosure, and cancellation requirements in their existing or recently updated automatic renewal laws. For instance, Colorado’s ARL became effective January 1, 2022, and requires notices be sent to consumers 25 to 45 days prior to the “first automatic renewal that would extend the contract beyond a continuous twelve-month period,” as well as any subsequent renewal that would extend the contract past the additional twelve-month period. Delaware also enacted an ARL which has specific notice and disclosure requirements. Illinois’ enhanced ARL, which became effective January 1, 2022, now includes a requirement for cancellation instructions and mechanisms in the renewal notice, and requires an online cancellation option for consumers that subscribe online.

Germany

With the passage of the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), the German Civil Code (Bürgerliches Gesetzbuch – “BGB”) was amended to include stricter rules on tacit contract renewals (automatic renewals) for certain businesses. Sect. 309 No. 9 lit. b BGB. Notably, as of July 1, 2022, businesses offering subscriptions must provide a cancellation button on their websites. There are specific requirements including:

  • The button must be legibly labeled with a phrase like “Cancel contract here.”
  • The button must lead the consumer to a confirmation page that meets specific requirements, such as allowing the consumer to provide identifying information, cancellation reason, and subscription end date.
  • The button and confirmation page must be permanently available, and immediately and easily accessible (i.e., clear and conspicuous).
  • The business must allow the consumer to document the request for termination (e.g., by means of a downloadable summary of the date and time the cancellation button was pressed) and provide the consumer with an electronic receipt of the request, including the date of the cancellation request and the date on which the subscription is to be cancelled.
  • If the consumer does not specify a time for cancellation, the termination date must be the earliest date possible.

If a business fails to follow these cancellation requirements, a German consumer may terminate a contract at any time and without observing a notice period.

Enforcement and Class Action Threat

Violations of automatic renewal laws are typically addressed by government enforcement actions. However, there have been a number of large class action settlements over the past few years alleging illegal automatic renewal programs in newspaper and magazine subscription programs. Recently, a lawsuit alleging violations of state consumer protection laws, as well as California’s ARL, based on a wellness company’s deceptive trial periods and consumers’ difficulty in cancelling and getting a refund, settled for over $50m. Although this class action alleged a violation of California’s ARL, several courts have found that there is no independent private right of action under the California ARL. See Johnson v. Pluralsight, LLC, 728 F. App’x 674, 676 (9th Cir. 2018); Lopez v. YP Holdings, LLC, 2019 WL 7905748, *4 (C.D. Cal. Jan. 23, 2019); Mayron v. Google LLC, No. H044592, 2020 WL 5494245 (Cal. Ct. App. Sept. 11, 2020). Private litigants may instead attempt to bring automatic renewal lawsuits under different consumer protection statutes, such as California’s Unfair Competition Law. See Morrell v. WW Int’l, Inc., 551 F. Supp. 3d 173, 182 (2nd Cir. 2021).

As to state government enforcement, the state attorney general usually enforces the ARL. In California, the state Attorney General, District Attorneys, County Attorneys, City Prosecutors, and City Attorneys can enforce the state’s ARL. But as noted above, private litigants may still try to bring an ARL claim under another consumer protection statute, such as a law prohibiting unfair or deceptive trade practices. Some states explicitly allow private rights of action in their ARL (e.g., Virginia).

The ramifications for failing to comply with a state ARL vary by state. Some states, such as New York and Connecticut, have clauses in their ARLs providing that failure to comply with certain requirements means that the good or service is an unconditional gift, which prevents the non-complying business from collecting from the consumer for non-payment. Florida, for example, states that a violation of the ARL “renders the automatic renewal provision void and unenforceable.”

In addition to state enforcement, it is likely that the FTC will be looking more closely at automatic renewal programs in 2022 based on the October 2021 enforcement statement. For example, on March 8, 2022, the FTC announced a settlement with an online investment site for more than $2.4m based on allegations of bogus stock earnings claims and hard-to-cancel subscription plans, in violation of Section 5(a) of the FTC Act and Section 4 of ROSCA. The FTC’s press release notes that the settlement “continues the FTC’s crackdown on false earnings claims, returning millions to consumers and requiring click-to-cancel online subscriptions,” signaling that more enforcement actions may be on the horizon and that online cancellation is an FTC requirement for online subscriptions.

Recommendations

The consent, disclosure, and cancellation requirements vary by state, and businesses should be vigilant in complying with the state-specific requirements. Businesses that offer subscription plans should ensure that customers are notified of the automatic renewal provision prior to beginning the transaction. Businesses should obtain a subscribing customer’s affirmative consent to the automatic renewal provision and send the subscriber a descriptive confirmation email after the initial purchase. Consumers should also receive a renewal notice prior to the subscription automatically renewing. Finally, businesses must be cautious of the difference between clever marketing and dark patterns in the subscription process.

These enhanced ARL requirements are already the law in certain states, and will soon be required of businesses selling automatic renewals to Californians. Businesses should implement the best practices outlined above as soon as possible, and prior to July 1, 2022, if subject to California’s law.

In Germany, we recommend that businesses review their subscription terms and conditions to ensure that no stipulations can be construed to bar consumers from using the cancellation button, and ensure that the cancellation flow complies with Germany’s specific requirements, prior to July 1, 2022.

For more information, please contact the authors or your usual point of contact at Squire Patton Boggs.