Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

To date, despite being effective since 2005, there are no published decisions under the Act. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless.  Many companies who have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses. 

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

New Jersey law, like California law, does restrict the collection of personal information in connection with credit card purchases in some ways. However, New Jersey’s law does not provide for a private right of action. Therefore, the plaintiff in this case attempted to invoke the New Jersey law though the TCCWNA, which does provide for a private right of action. But unfortunately for the plaintiff, her complaint failed to allege the existence of a written contract containing a provision that explicitly violated the applicable New Jersey law on the subject so as to trigger the TCCWNA. Rather, Judge Walls rightly concluded that even assuming that the credit card transaction form constituted a written consumer contract, as plaintiff alleged it did, the “existence of the recorded zip code itself, which consists solely of numbers, does not constitute a contract provision that violates the plaintiff’s rights.” As such, the complaint failed to state a claim under the TCCWNA and required dismissal. The court also denied the plaintiff’s request to file an amended complaint because, in his opinion, the proposed amended complaint failed to either set forth any additional factual support for plaintiff’s allegation that the credit card transaction form constituted a written contract or allege any written provision of such “contract” violated her rights. Thus, according to Judge Walls, the amended complaint would fail for the same reasons as the original complaint.

The district court’s decision in this case supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see this blog post) into other jurisdictions.

As many of our readers know, state data breach notification requirements have spawned a number of private lawsuits, including class actions. The vast majority of courts have found that the injury allegedly associated with the breach is too speculative and have refused to allow these cases to proceed. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007); Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 WL 4116068 (9th Cir. Nov. 20, 2007) (unpublished); Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008); Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn. 2006); Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006); Key v. DSW, Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished); Bell v. Acxiom Corp., No. 4:06CV00485, 2006 WL 2850042 (E.D. Ark. Oct. 3, 2006) (unpublished); Giordano v. Wachovia Sec., LLC, Civil No. 06-476, 2006 WL 2177036 (D.N.J. July 31, 2006) (unpublished).

That is why many took notice when, last year, in Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008), the Northern District of California granted the Gap’s Rule 12(c) motion for judgment on the pleadings on three of five counts asserted by the plaintiff but allowed the plaintiff to proceed with a negligence claim and a statutory claim under state law. In last year's decision, the court found that an allegation of "increased risk of identity theft" from a lost Social Security number was sufficient "injury in fact" to establish standing and survive a motion to dismiss the negligence claim.

In Ruiz, a thief gained entry to the Chicago offices of Gap's job application processing vendor, Vangent, and stole two laptops. At the time of the theft, one of the computers was downloading information about Gap job applicants. The laptop in question contained personal information, including Social Security numbers, of approximately 750,000 Gap job applicants. Gap sent a notification letter to the applicants whose personal information was on the computer 11 days following the theft. Gap offered to provide the applicants with 12 months of credit monitoring with fraud assistance at no cost. Gap also advised job applicants to notify their banks and sign up for a free credit report from one of the three major credit reporting agencies. Ruiz did not enroll for the credit monitoring and did not contact his bank; he did attempt to sign up for a free credit report.

Noting that an essential element of a negligence claim under California law is "appreciable, nonspeculative, present harm", the court found that an increased risk of identity theft "does not rise to the level of . . . harm necessary to assert a negligence claim under California law" (emphasis added). In fact, Ruiz testified that he has never been a victim of identity theft. The court also rejected Ruiz's reliance on medical monitoring cases, expressing doubt that a California court "would view these two types of cases as analogous" given that there is no public health interest at stake in lost-data cases and noting that toxic exposure plaintiffs seeking to recover the costs of future medical monitoring face significant evidentiary burdens. "Ruiz presents no evidence showing there was an actual exposure of his personal information, much less that it was significant and extensive."

Thus, the Northern District of California joins the many other courts that have rejected negligence claims arising from lost data cases in the absence of a showing of actual harm.

In Times Newspapers Ltd (Nos. 1 and 2) v. The United Kingdom, Nos. 3002/03 and 23676/03, the Times appealed a judgment in favor of a plaintiff who recovered for libel based on an article accessible in the Times online archives. In pretrial motions, the Times applied to amend its defense “to contend that as a matter of law the only actionable publication of a newspaper article on the Internet is that which occurs when the article is first posted on the Internet.” Id. at par. 12. The trial court rejected this argument, citing Duke of Brunswick v. Harmer [1849] 14 QB 154, the holding of which was that every delivery of a libelous article, even if arising from the same initial dissemination, gave rise to an additional cause of action. 

The trial court rejected the Times’ further argument that it enjoyed qualified privilege because it was reporting on important matters – in this case, organized crime – because although such a defense might have been available for the original publication, it was not available for archived copies available on the Internet. Times v. U.K. at 14. Notably, the court based its decision in this regard on the “Internet publication rule,” announced in Godfrey v. Demon Internet Ltd. [2001] QB 201. That law provides that each viewing of a defamatory posting constitutes a new publication. Id. at 21.Id. at 21.

The Court of Human Rights held that application of the Internet publication rule to archived materials does not violate Article 10’s guaranteed freedom of expression because while the “primary function of the press in a democracy is to act as a public watchdog,” states have more latitude in regulating archiving of older articles; such archiving is only a secondary role of the press. Times v. U.K. at 45. According to the court, the possibility of endless restarting of the statute of limitations simply did not curtail the sort of expression Article 10 was intended to protect.

The U.K.’s Internet publication rule is at odds with the single publication rule in most U.S. jurisdictions and with the manner in which it has been applied to Internet publications. See, e.g., Firth v. State of New York, 12 A.D.3d 907 (2002), appeal denied, 4 N.Y.3d 709 (2005) (applying single publication rule to Internet reports and granting motion to dismiss on statute of limitations grounds). Nevertheless, Times v. U.K. and the underlying litigation concerning the archived materials is an important consideration for media that may be subject to privacy- and disclosure- related claims involving British law.