Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.


Veto, Veto, Pass! New Governor Means New Breach Notification Law in California

On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). Interestingly, the bill also marks the third time (in three years) that a bill attempting to beef up the state’s breach notice law has landed on the Governor’s desk. Former Governor Arnold Schwarzenegger vetoed the previous two. SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach.


90210 Gets Personal: California Supreme Court Rules that ZIP Codes are "Personal Identification Information"

Yesterday, the California Supreme Court held that ZIP codes are “personal identification information” within the meaning of the state’s Song Beverly Credit Card Act. The court’s decision in Pineda v. Williams-Sonoma Stores, Inc., No. S178241 slip op. (Cal. Feb. 10, 2011), casts a dark cloud over the established retail practice of asking for ZIP codes when customers make purchases using a credit card in brick-and-mortar stores. In Pineda, the plaintiff sued Williams-Sonoma alleging that when she made a purchase at one of defendant’s stores, the cashier requested her ZIP code and recorded it as part of her credit card transaction. Subsequently, Williams-Sonoma used plaintiff’s ZIP code to perform a “reverse append” and thereby locate plaintiff’s home address.


California Supreme Court: Law Enforcement Officials May Search Cellular Phones Incident To Arrest

On Monday, the California Supreme Court ruled that the Fourth Amendment to the United States Constitution did not prohibit a deputy sheriff from conducting a warrantless, post-arrest search of the text messages of an arrestee. Specifically, the Court affirmed the decision of the Court of Appeal that the cell phone was “immediately associated with [defendant’s] person at the time of his arrest” and was therefore “properly subjected to a delayed warrantless search.” 

In People v. Diaz, filed on January 3, the Court considered whether the trial court properly denied Diaz’s motion to suppress evidence gathered during a search of his cell phone, which occurred approximately 90 minutes after he was arrested for being a coconspirator in the sale of drugs. Diaz denied knowledge of the sales. A deputy sheriff accessed Diaz’s cell phone, which had been seized from Diaz’s person, and found a coded text message that, based on the deputy’s training and experience, indicated Diaz knew of the transaction.

The California Supreme Court’s ruling hinged on its finding that the cell phone “was an item [of personal property] on [defendant’s] person at the time of his arrest and during the administrative processing at the police station.” People v. Diaz, S1666000, slip op. Majority Op. at 8 (Cal. Jan. 1, 2011). As such, the case was controlled by the United States Supreme Court’s holdings in United States v. Edwards, 415 U.S. 800, 802-803 (1974) and United States v. Robinson, 414 U.S. 218, 224 (1973), in which the High Court affirmed seizures of paint chips from clothing and a cigarette package containing heroin from a coat pocket (respectively).


CA Insurance Brokers No Longer Required To Send Opt-Out Notices Prior To Policy Shopping At Renewal

Insurance broker-agents in California no longer are required to send customers annual privacy notice forms permitting them to opt-out of information sharing.  Insurance broker-agents thus may now use customers’ nonpublic personal information to shop around for better policies at renewal.

On November 4, 2010, California’s Office of Administrative Law repealed California Code of Regulations (C.C.R.) § 2689.8(c)(3), upon the recommendation of the California Department of Insurance and Insurance Commissioner (and unsuccessful gubernatorial candidate) Steve Poizner. The move finally harmonizes C.C.R. § 2689.8 with Financial Code § 4056.5(b), effective July 1, 2004, which expressly permits broker-agents to use nonpublic personal information without obtaining prior customer consent to shop for new policies on renewal, and should reduce the paperwork and expense broker-agents previously incurred in mailing annual opt-out notices to all customers.
 

Facebook Simplified Its Privacy Policy, But Has Anyone Noticed?

The blogosphere has been abuzz lately about Facebook’s new privacy settings, but lost amid all the noise is Facebook’s implementation of a new user-friendly privacy policy.


Special Radio Report: Oncidi Talks Privacy in the Workplace

There is an inherent tension between an employee's right to privacy and an employer's right -- and obligation -- to maintain a safe, productive, and hostility-free environment at the office. The California business community is perhaps all too familiar with this conflict. Article I, section 1 of the California Constitution guarantees all California residents a right to privacy, including in some instances in their capacity as employees. A patchwork quilt of statutes, regulations and common law decisions also carves out certain areas to which a right of privacy may attach. But these rights must be balanced against an employer's business needs and legal responsibilities.

Click here to listen to Proskauer partner Anthony Oncidi talk about privacy in the workplace with Mari Frank, the host of KUCI's Privacy Piracy radio show.

Cal. Supreme Court Has a Look at Cameras in the Workplace

In Hernandez v. Hillsides, Inc., S147552 (Aug. 3, 2009), the California Supreme Court unanimously held that the mere placement of a hidden video camera in an employee's office could constitute an invasion of privacy, even if the camera was never actually used to record the employee. Under the specific facts of the case, however, the Court ultimately found no liability because the intrusion was relatively minor, limited and justified, but California employers should be aware that the use of hidden surveillance cameras without notice or warning in "semi-private" office space is likely to produce an actionable claim for invasion of privacy in many cases.


California District Court Closes the Gap Left by Ruiz

On Monday, the Northern District of California granted Gap, Inc.'s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz's allegations of an increased risk of identity theft "do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law."


Zip Codes not "Personal Identification Information" under California's Song-Beverly Act

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not "personal identification information" under California's Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the "Act"). The Act prohibits a retailer that accepts credit cards from, among other things, "request[ing], or requir[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Id. at § 1748.08(a)(2). Under the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Id. at § 1747.08(b). Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."


Prying Eyes Make Headlines

 

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential. 

 

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.


Another Court Affirms Narrowed Interpretation of Song-Beverly Credit Card Act

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.


Wrath of Quon?

The June 18, 2008 Ninth Circuit panel decision in Quon et al. v. Arch Wireless et al., No. 07-55282 (9th Cir. June 18, 2008) has sparked a flurry of news reports and speculation regarding employers’ ability to monitor employees’ e-mails and text messages. In fact, the decision appears to change very little for private employers who wish to review employee communications stored on, or sent through, their own servers and computers. However, Quon does limit employers’ ability to request from third-party providers the contents of employees’ electronic communications.

No Shopping Spree for Plaintiffs Under California's Song-Beverly Credit Card Act

On May 22, 2008, the California Court of Appeal narrowed the scope of claims available under California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08, ruling that the statute is subject to the one-year statute of limitations of Code of Civil Procedure section 340 and does not apply to merchandise returns.


Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).


More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).


Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_

 

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.


California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  


New Year, New Laws

The new year brings with it many new California privacy laws. Included are the following:

S.B. 202 – Telephone Record Pretexting

As previously reported, S.B. 202 amends Penal Code § 638 to prohibit the purchase or sale of any telephone pattern record or list without the written consent of the subscriber.

A.B. 424 – Identity Theft: Personal Information

A.B. 424 expands the definition of identity theft victim, for purposes of Penal Code §§ 530.5, 530.6 and 530.8, to include firms, associations, organizations, partnerships, businesses, trusts, companies, corporations, limited liability companies or public entities.

A.B. 618 – Financial Crime

Upon request from law enforcement agencies, banks, credit unions and savings associations must provide surveillance photos and videos of anyone accessing the financial account of a crime victim, whether such access occurred at an ATM or inside the financial institution. Government Code § 7480.

A.B. 2043 – Identity Theft and Debt Collection

This law amends Civil Code §§ 1788.2 and 1788.18 to extend to firms, associations, organizations, partnerships, business trusts, companies, corporations, and limited liability companies protections previously available to consumers to contest debts where they are victims of identity theft.

A.B. 2886 – Identity Theft Penalties

This law amends Penal Code §§ 530.5 and 530.55 to define new crimes, enhance penalties and create court procedures concerning crimes of identity theft, including: 1) penalty enhancements for repeat offenders and for those stealing the identities of ten or more people; 2) a requirement that court records reflect that the person whose identity was stolen was not responsible for the crime committed; 3) penalties for selling, transferring or conveying personal information with the knowledge that it will be used to commit identity theft or with the intent to defraud; 4) state penalty for mail theft and 5) the addition of professional or occupational number to the definition of "personal identifying information."
