People file lawsuits to test boundaries of California’s privacy law
“It’s kind of like throwing spaghetti at the wall.” That’s how Jessica Lee, partner and co-chair of the privacy, security and data innovation practice group at law firm Loeb and Loeb, described the approach people have taken when filing lawsuits against companies under the California Consumer Privacy Act.
California’s privacy law — which allows California residents to restrict companies’ ability to sell their personal information — has been notoriously ambiguous, so people have turned to the courts for clarity.
Many of the suits filed since the law went into effect Jan. 1, 2020, allege companies have failed to allow people to opt out from sale of their personal information or failed to disclose that the companies share people’s personal information with third parties, according to lawyers tracking CCPA lawsuits. Meanwhile, a spokesperson for California attorney general Xavier Becerra said the AG’s office has sent dozens of notices to companies demanding that they fix problems leading to noncompliance with the law.
A lawsuit testing phase is common when new laws are passed, said Alysa Hutnik, partner and chair of the privacy and security practice at law firm Kelley Drye and Warren. “Plaintiffs are trying to pressure-test all possible avenues.”
So far, because few of the cases related to these lawsuits have been concluded, the parameters for how the law can be applied remain murky. Lawyers interviewed for this story suggested no precedents have been set at this early stage.
Testing legal boundaries
The CCPA includes a private right of action that allows an individual or group to sue a company for data breaches that violate the law. However, in some cases, the individuals and groups of people filing these lawsuits are pushing the boundaries to test just what sorts of alleged violations they have the right to sue over according to the law, said lawyers tracking CCPA lawsuits.
In some cases, the lawsuits attempt to circumvent the CCPA’s private right of action limits by alleging companies have violated other California laws, such as the state’s Unfair Competition Law, according to data privacy and security lawyers. Some suits allege, for instance, that companies have made untrue statements if they claim they do not sell personal information when they actually pass it along to third-parties.
“The strategy seems to be to try boot-strapping CCPA onto some of the existing California privacy laws,” said Lee. Law firm Morrison Foerster reported this same trend.
Exactly how many CCPA-related lawsuits have been filed is unclear. Law firm Perkins Coie told Digiday that 101 lawsuits have been filed. Morrison Foerster, said in January, “Nearly 50 cases have been filed seeking damages under the CCPA, either in connection with data breaches or based on alleged violations of the Act’s other consumer rights (with even more using the CCPA to add context to other privacy-related claims).”
Dozens of notices to publishers from the California AG
Then there are the warnings. In addition to lawsuits, the California AG’s office has sent notices to firms such as retail, financial and health-related website publishers to inform them that they are not compliant with the law. These violations include failing to respond appropriately to people requesting their data be deleted or not sold or failing to update company privacy policies, according to Dominique Shelton Leipzig, partner and co-chair of ad tech privacy and data management practice at law firm Perkins Coie.
The “notices to cure” sent by the AG’s office give companies 30 days to make changes to comply with the law. The notices are not publicly available, and the number of notices sent is confidential, according to the California AG’s office spokesperson, who described the figure as being in the “dozens.”
Shelton Leipzig said some website publishers have received notices if their websites state only that they share data with “advertising partners” rather than listing specific partner companies by name.
Other enforcement notices have plucked at low-hanging fruit, said Dan Jaffe, group evp of government relations for the Association of National Advertisers. “It was often, ‘Where’s your opt-out button?’” he said.
A temporary cure
Firms that do not make adjustments to satisfy the AG’s demands within the 30-day remedy window may go into a negotiation period, said Lee. Then, if negotiations don’t lead to a satisfactory fix, she said, “That’s when we’ll start to see public enforcement by the attorney general.” That could come in the form of civil penalties of $7,500 for each post-notice violation.
The 30-day compliance leeway afforded companies that receive these types of notices will go away, though. California’s updated privacy law, the California Privacy Rights Act passed last year, which will replace the CCPA when it goes into effect Jan. 1, 2023, does not have that provision.
“The CPRA does not have the 30-day cure,” said Jaffe. “So things may become a little bit more intense.”
How publishers are handling the Juneteenth holiday this year
A number of publishers are observing Juneteenth this year, but not in the same way, with some making it an official holiday and others encouraging employees to use their PTO to take the day off.
Member ExclusiveMedia Briefing: How media companies’ DE&I efforts, office return statuses are affecting hiring
This week's Media Briefing looks at how issues like diversity, equity and inclusion and office return statuses are factoring into media companies' ability to hire people.
Cheat Sheet: How new antitrust bills could force more data access from Facebook and Google (and stop them from favoring their own services)
A set of bills proposed recently could force platforms to stop favoring their own services and give more data access and tech connectivity to others.
SponsoredIdentity solution fatigue is setting in: How to keep moving
By Kristina Prokop, CEO and co-founder, Eyeota As we move deeper into 2021, the desperate search for identity solutions that can smooth marketing organizations’ transitions to a cookieless world is reaching a fever pitch. There’s no shortage of new identifiers and identity technologies vying for attention — and that’s a big part of the problem. […]
Single-source panel measurement is key to optimizing social media planning, says DISQO report
New study is based on responses from 166,000 U.S. consumers in February and March, each of whom voluntarily allowed to have their digital behaviors observed.
BuzzFeed will finally monetarily reward its Community users for their viral quizzes, lists
BuzzFeed is testing to see if user-generated content could identify new areas of coverage for its staff, and bring in niche audiences, with a new summer program that could pay a contributor up to $10,000 for a viral post.