Tagging Cars for Labor-Organizing Purposes May Be Subject to Punitive Damages

 The Third Circuit recently ruled that a labor union violated the federal Driver’s Privacy Protection Act (“DPPA”) when it accessed the motor vehicle records of Cintas employees for an improper “labor-organizing” purpose. In Pichler v. UNITE, the divided court affirmed the district court’s grant of summary judgment to the plaintiffs whose home addresses were obtained as part of the Union of Needletrades, Industrial & Textile Employees’ (“UNITE”) drive to organize Cintas employees. In reaching its conclusion, the court held that punitive damages may be awarded for violations of the DPPA. The court also concluded that the union’s assertion that it collected and used personal information from motor vehicle records for litigation -- a permissible purpose under the DPPA -- did not overcome the lower court’s finding that it collected and used the information for impermissible labor-organizing activities.

In 2002, UNITE launched a drive to organize Cintas employees. A major component of the drive consisted of identifying potential legal claims against Cintas. UNITE’s plan included making house calls to Cintas employees who might be reluctant to talk to union organizers at work for fear of retaliation by Cintas management. UNITE compiled lists of names and addresses for Cintas employees using a variety of tactics. One such tactic, known as “tagging,” required union organizers to observe cars entering Cintas parking lots, record license plate numbers and access state motor vehicle records relating to those plate numbers. UNITE tagged between 1,758 and 2,005 Cintas employees.

In 2004, a group of Cintas employees who had been tagged filed a class action lawsuit in the U.S. District Court for the Eastern District of Pennsylvania alleging violations of the DPPA, which provides that a “person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains . . . .” 18 U.S.C. § 2724(a). The district court granted summary judgment in favor of ten plaintiffs and ruled that each of the plaintiffs was entitled to a liquidated damages award of $2,500, but not punitive damages. Both parties appealed.

On appeal, UNITE argued that the district court misapplied the DPPA and failed to realize that the statute allowed it to obtain and use the employees’ motor vehicle record information “in anticipation of litigation” and/or when “acting on behalf of a Federal, State or local agency in carrying out its functions.” The plaintiffs argued that they each should have been awarded punitive damages and liquidated damages in the amount of $5,000; $2,500 for the unauthorized access and $2,500 for the subsequent unauthorized use of their personal information, which they contended constituted separate violations of the DPPA.

The Third Circuit rejected UNITE’s principal argument, finding that “[b]ecause UNITE obtained and used the confidential information for an impermissible purpose – union organizing – it does not matter what other permissible purpose UNITE may have had.” The court similarly rejected UNITE’s other arguments that liquidated damages should not have been awarded absent actual damages and that liability should be contingent on proof that the union knew its actions were impermissible.

Addressing the plaintiffs’ cross-appeal, the Third Circuit agreed that an award of punitive damages may be permissible under the DPPA and remanded the case to the district court for further proceedings on the issue of damages. The court stated that “where there is a genuine issue of material fact regarding the willfulness or recklessness of a defendant’s conduct, we hold that the Seventh Amendment requires a trial by jury on the issue of punitive damages under the DPPA.” The court, however, rejected the plaintiffs’ argument that they should be entitled to $5,000 each in liquidated damages. The court noted that Congress anticipated that “in most cases, a defendant who obtained a motor vehicle record would put it to some use” and enlarging the statute’s liquidated damages award based on such use “would effectively result in a minimum award of $5,000 for every violation of the DPPA . . . .”

Another Court Affirms Narrowed Interpretation of Song-Beverly Credit Card Act

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the court’s other recent decision, on May 22, 2008, in a case involving The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, “TJX”), in which the California Court of Appeal also narrowed the scope of claims available under the Act by ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information. “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

  • Those that are established in a Member State are subject to the national data protection law of the Member State in which the search engine provider is established;
  • Those that are not established in a Member State are subject to the national data protection law of each Member State in whose territory the service provider makes use of equipment for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1) Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2) Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3) Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a) Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b) Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c) Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d) Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e) Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f) Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1) The Working Party sees no basis for a retention period of more than six (6) months in any instance, and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2) Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3) Search engine providers must inform users about the applicable retention policies for all types of user data they process.
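As an added illustration of how the retention findings above might be operationalized (example code written for this post, not part of the Working Party opinion or any provider's system), the following pass deletes records older than an assumed 183-day ceiling, drops the persistent cookie ID and truncates client IPs so that a surviving record maps to a network rather than a person. It also shows why an unkeyed hash of an IPv4 address is pseudonymization, not the "completely irreversible" anonymization the opinion calls for: the candidate address space can simply be hashed and matched.

```python
"""Retention and anonymization pass over constructed search-log records."""
from datetime import datetime, timedelta, timezone
import hashlib
import ipaddress

RETENTION_DAYS = 183  # assumed operationalization of the six-month ceiling


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample records, not real traffic:
# (timestamp, client IP, persistent cookie user ID, query)
SAMPLE_LOG = [
    (_t("2007-12-20T10:00:00"), "203.0.113.77", "uid-4f2a", "flu symptoms"),
    (_t("2008-05-02T18:30:00"), "198.51.100.9", "uid-91bc", "lawyer near me"),
    (_t("2008-06-20T08:05:00"), "2001:db8:abcd:12::7", "uid-4f2a", "train times"),
]
NOW = _t("2008-07-10T00:00:00")  # fixed "current time" for the example


def truncate_ip(ip: str) -> str:
    """Zero the host bits (IPv4 /16, IPv6 /48). Discarding bits cannot be undone,
    so the result identifies a network, not the individual user."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def apply_retention(records, now):
    """Delete records past the retention ceiling; anonymize the rest.
    The cookie ID is dropped entirely rather than transformed."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    kept = []
    for ts, ip, _cookie_id, query in records:
        if ts < cutoff:
            continue  # legitimate purpose expired: delete
        kept.append({"ts": ts, "network": truncate_ip(ip), "query": query})
    return kept


def hash_ip(ip: str) -> str:
    """Unkeyed SHA-256 of an address, as some providers use for 'anonymization'."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_ip_from_hash(digest_hex: str, candidate_network: str):
    """Match a digest against every host in a candidate range. The full IPv4
    space is only 2**32 addresses, so an unkeyed hash is reversible offline; a
    keyed hash is still reversible by whoever holds the key (pseudonymization)."""
    for host in ipaddress.ip_network(candidate_network).hosts():
        if hash_ip(str(host)) == digest_hex:
            return str(host)
    return None
```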

Other Specific Practices

The Working Party found as follows:

(1) Persistent cookies containing a unique user ID are personal data; they should be designed to provide an improved web surfing experience while having a limited duration. Moreover, users must be informed about the use and effect of cookies.

(2) Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3) Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4) Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The Working Party found that users of search engines have the right to inspect and correct, where inaccurate or unnecessary, all their personal data collected by search engine providers.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.