First CAN-SPAM Jury Conviction

On January 12, 2007, Jeffrey Brett Goodin became the first person convicted by a jury of violating the CAN-SPAM Act of 2003. Using several compromised Earthlink accounts, Goodin perpetrated a phishing scheme by sending thousands of e-mails to America Online users and requesting personal and credit card information. He and others then used that information to make unauthorized charges on his victims’ credit cards. Goodin is scheduled to be sentenced in the Central District on June 11. He faces up to 101 years in prison.

California Office of Privacy Protection to Become Office of Information Security and Protection

According to Governor Schwarzenegger’s proposed budget, the Office of Privacy Protection (“OPP”) will become the Office of Information Security and Protection (“OISP”). OISP would be under the auspices of the Department of Finance, where its budget would increase from $521,000 to $1.7M, and its staff would climb from 11 to 14.

OPP Chief Joanne McNabb explained that the purpose of the merger is to combine the consumer privacy emphasis of OPP with the technology and security expertise of the Department of Finance. OISP also would be the lead agency responsible for securing state government information and for investigating breaches of state government information.

California was the first state to create an agency devoted exclusively to the privacy rights of consumers. OPP was created in 2000 and opened in 2001.


California Supreme Court Overturns Restrictive Court of Appeals Ruling on Privacy in Discovery


On January 25, 2007, the California Supreme Court held that, under the privacy provision of the California Constitution, a representative plaintiff in a class action may obtain from defendant company the personal identifying information of other complaining consumers, even when those consumers do not affirmatively grant permission for their personal identifying information to be used.

Patrick Olmstead, the plaintiff in Olmstead v. Pioneer Electronics (USA), Inc., and respondent in Pioneer Electronics (USA), Inc. v. Superior Court of Los Angeles County, purchased a DVD player from Pioneer Electronics. Claiming it was defective, he brought suit against Pioneer on behalf of himself and all persons who purchased the same model DVD player. In response to Olmstead’s discovery request, Pioneer produced redacted documents pertaining to the complaints it had received about the DVD player from 700 to 800 customers. Olmstead sought to compel disclosure of the redacted information, which included the addresses and telephone numbers of the complainants. Pioneer refused, citing Cal. Const., art. I § 1.

The trial court noted that, because the California Constitution protected the redacted information, Olmstead would have to seek permission to use the personal identifying information of potential class members by sending Colonial Life letters requesting their permission to use the information. In Colonial Life Ins. Co. v. Superior Court, 31 Cal. 3d 785 (1982), the Supreme Court upheld the trial court’s order allowing disclosure of the names and addresses of insured claimants who were parties to a bad faith settlement action, so long as those claimants specifically authorized such disclosure by signing and dating a form. Olmstead and Pioneer submitted two different proposed letters.

The Pioneer trial court approved the following text concerning the effect of disclosure:

If you do not agree to the disclosure of this information to the plaintiff’s counsel, please check the box on the enclosed form and return it to the address shown on the form. Not responding to this letter will be treated as agreeing to contact by Plaintiff’s counsel.

(Italics in Supreme Court opinion).

The trial judge’s rationale for not requiring an affirmative response was that “[i]t seems to me that this information, just the names, addresses and contact information is not particularly sensitive. It’s not medical information. It’s not personal finances. It’s merely the name, and if the people don’t want to be contacted, they can say so.”

The Court of Appeals reversed on the grounds that the California Constitution requires that the court know consumers were aware of the right they were waiving, and that such knowledge cannot be inferred from silence:

A consumer cannot be deemed to have intended to waive his or her right of privacy unless and until the consumer has notice of the need and opportunity to assert it . . . . Absent an affirmative response from the consumer, there is no adequate basis to infer that the consumer has consented to the release of personal information.

The Supreme Court found the Court of Appeals’ reasoning unpersuasive. It agreed with Olmstead’s argument that consumers had essentially waived their right to privacy by filing complaints in the first place. In this sense, the Court treated personal identifying information in the same manner as it treats other evidentiary privileges, such as attorney-client privilege in malpractice cases or physician-patient privilege in personal injury cases. If, in the course of filing a complaint with a company, a plaintiff makes initial contact and provides his or her identifying information, he or she cannot retreat behind a wall of privacy. As the Court acknowledged, the privacy provision of the California Constitution is a codification of “the right to be left alone.” According to the Court, the use in discovery of information voluntarily provided does not violate that right, so long as that use is reasonable.


Proskauer associate Cliff Davidson contributed to this post.