This week Adobe Inc. released some updated software for companies to target customers with advertising and offers using the brands’ own data as opposed to third-party cookies. More and more, third-party cookies are being eliminated from websites due to consumer concerns regarding unwanted tracking across the internet. Many web browsers already block third-party cookies, and soon even Google Chrome will block them. The new Adobe platform, Real-time Customer Data, will let its customers ask consumers for permission to use their information. With this new software, a consumer will likely see clearer information about how a website uses their data and why they are being shown certain personalized experiences.

Another reason the traditional third-party tracking cookies are on their way out is that companies that collect large volumes of data through their own services (e.g., Facebook or Google) do not typically share that data with others who want to use it for their own advertising purposes. Over half of the customers Adobe surveyed about their data use said that they often do not know the type of data collected and stored in disparate systems. The software will use first-party data to get a more complete profile about consumers. It also will allow different companies to share certain non-sensitive data to personalize the products they pitch.

The downside to this software may be that it is more complex than just allowing third-party cookies to collect data and then simply purchasing that data. However, this is a step towards stronger privacy protections for consumers.

At the beginning of April 2021, the U.S. Supreme Court unanimously ruled in favor of Facebook in Facebook, Inc. v. Duguid, reversing the decision of the Ninth Circuit Court of Appeals, holding: “To qualify as an ‘automatic telephone dialing system’ under the Telephone Consumer Protection Act (TCPA), a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.” This is big news. This precedent will likely be relied on by other defendants in TCPA class action litigation to argue that the technology used to send text messages does not constitute an autodialer and, therefore, the TCPA does not apply.

The TCPA prohibits certain telemarketing tactics by restricting a business’ ability to make certain communications using an automatic telephone dialing system. The TCPA defines “autodialers” as equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers. Facebook has a security feature in its platform that allows users to elect to receive text messages when someone attempts to log in to the user’s account from a new device or browser. Plaintiff, Noah Duguid, received these types of text messages from Facebook alerting him to login activity on a Facebook account linked to his telephone number. However, Duguid never created an account on Facebook. Facebook explained in its argument that Duguid may have been assigned a recycled cell phone number that was used by a Facebook user who previously opted into receiving these login notifications. Duguid claimed that he tried to stop the text messages, but he was unsuccessful. Duguid claimed that Facebook violated the TCPA by maintaining a database that stored telephone numbers, and then programming its equipment to send automated text messages. Facebook argued that the TCPA does not apply as the technology used to send those texts to Duguid did not use a “random or sequential number generator.” The Ninth Circuit court held that the TCPA did apply to a notification system that has the capacity to dial automatically-stored numbers.

The Supreme Court’s decision cited the intent of the TCPA when first introduced by Congress, saying that autodialers “threatened public safety by ‘seizing the telephone lines of public emergency services, dangerously preventing those lines from being utilized to receive calls from those needing emergency services.’ Indeed, due to the sequential manner in which they could generate numbers, autodialers could simultaneously tie up all the lines of any business with sequentially numbered phone lines. Nor were individual consumers spared: Auto-dialers could reach cell phones, pagers, and unlisted numbers, inconveniencing consumers and imposing unwanted fees.” [citation omitted.] However, the Supreme Court noted that technology has since changed (including cell phone services and the way we pay for those services), and the nuisance and threat of these autodialers has been lessened.

Neither party disputed the fact that the TCPA prohibits unsolicited text messages without prior express consent, and, therefore, the Supreme Court did not consider or resolve that issue.

The Supreme Court’s decision relies heavily on the literal interpretation of the language and grammar of the TCPA:

This case turns on whether the clause “using a random or sequential number generator” in §227(a)(1)(A) modifies both of the two verbs that precede it (“store” and “produce”), as Facebook contends, or only the closest one (“produce”), as maintained by Duguid. The most natural reading of the text and other aspects of §227(a)(1)(A) confirm Facebook’s view. First, in an ordinary case, the “series-qualifier canon” instructs that a modifier at the end of a series of nouns or verbs applies to the entire series. Here, that canon indicates that the modifying phrase “using a random or sequential number generator” qualifies both antecedent verbs, “store” and “produce.” Second, the modifying phrase immediately follows a concise, integrated clause (“store or produce telephone numbers to be called”), which uses the word “or” to connect two verbs that share a common direct object (“telephone numbers to be called”). Given this structure, it would be odd to apply the modifier to just one part of the cohesive clause. Third, the comma in §227(a)(1)(A) separating the modifying phrase from the antecedents suggests that the qualifier applies to all of the antecedents, instead of just the nearest one.

In the end, the takeaway is that an autodialer (whose use is prohibited by the TCPA) must have the ability to use a random or sequential number generator to either store or produce phone numbers to be called.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt-out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting knowing consent instead of choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt-out.

California Attorney General Xavier Becerra announced this week that the Office of Administrative Law approved additional California Consumer Privacy Act (CCPA) regulations, which became effective March 15, 2021.

The additional changes to the regulations primarily affect businesses that sell the personal information of California residents. The changes include a uniform Opt-Out Icon for the purpose of promoting consumer awareness of the right to opt-out of the sale of personal information, guidance to businesses regarding opt-out requests, including what not to do, and changes regarding the proof that a business may require for authorized agents and consumer verifications.

New sections of the regulations include a requirement that a business that sells personal information it collects from consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. The new regulations state that the Opt-Out Icon may be used in addition to posting the notice of the right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link. (A link to download the Opt-Out Icon can be found here.)

With respect to authorized agents, a business may require that the consumer’s authorized agent provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following: (1) verify their own identity directly with the business or (2) directly confirm with the business that it provided the authorized agent permission to submit the request.

Other new sections of the regulations state that a business’s methods for submitting requests to opt-out should be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Examples of methods that businesses should not use are specified in the regulations and include:

  • The process for opting out shall not require more steps than the business process for opting in to the sale of personal information;
  • The business should not use confusing language such as double negatives (Don’t Not Sell My Personal Information);
  • The business shall not require consumers to click through or to listen to reasons they should not submit a request to opt-out before confirming their request;
  • The business cannot require the process for submitting a request to opt-out to require the consumer to provide personal information that is not necessary to implement the request; and
  • Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

The bottom line for these additional changes to the CCPA regulations is that the overriding principles remain the same: inform consumers of their right to opt-out of the sale of their personal information and present this information to consumers in a way that is easy to read and understand.

California Governor Gavin Newsom, along with Attorney General Xavier Becerra, Senate President pro Tempore Toni G. Atkins (D-San Diego), and Assembly Speaker Anthony Rendon (D-Lakewood), announced the appointment of the five-member inaugural board for the California Privacy Protection Agency (CPPA) this week.

The Board was established by the California Consumer Privacy Rights Act (CPRA) and will oversee the rulemaking process for various topics relating to the CPRA, including privacy audits, consumer opt-out rights, and compliance relating to the protection of the privacy rights of consumers with regard to their personal information.

According to Attorney General Xavier Becerra, “The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights. The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

The Board members will select an Executive Director and may serve for no more than eight years.

Federal Court Finds the California Consumer Privacy Act (CCPA) Does Not Apply Retroactively, Dismissing Claims Against Walmart Stemming from an Alleged Data Breach | Data Privacy + Cybersecurity Insider

Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on Tuesday, March 2, 2021. Virginia now joins California as the second state to have a data privacy law. The law takes effect on January 1, 2023, so businesses have some time to get ready. In our previous article on the proposed legislation, we described the new consumer rights available, the lack of a private right of action, and detailed which businesses will have to comply with the new law. In addition to providing consumers with their rights regarding their data, the CDPA requires transparent processing of personal data through a privacy notice, which must include the following:

  • The categories of personal data collected by the controller;
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • The rights that consumers may exercise via the new law;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

In addition, if a controller sells personal data to data brokers or processes personal data for targeted advertising, controllers must disclose such processing to consumers and inform them about how a consumer may exercise the right to object to such processing, in a clear and conspicuous manner.

Finally, the new law requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.

This week, Consumer Reports published a Model State Privacy Act. The consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.” Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.

The California Consumer Privacy Act (CCPA) requires businesses covered by the CCPA to notify their employees of the categories of personal information the business collects about employees and the purposes for which the categories of personal information are used. The categories of personal information are broadly defined in the CCPA and include personal information such as medical information, geolocation data, biometric information, and sensory data.

As a result of the COVID-19 pandemic, many businesses are conducting screenings of employees for COVID symptoms. In many states, it is either required or recommended that businesses conduct such screenings of employees prior to entering the workplace. These employee screenings vary across the country but many include documenting an employee’s temperature, whether they have any COVID-related symptoms or exposure to individuals with COVID-19, or documenting travel out of state or out of the country. States vary too, in the method of collection of this information, with employees completing a written questionnaire via email, text, or mobile application. COVID-19 screening and temperature data is recorded and kept daily to demonstrate compliance with state and local public health requirements.

So, what does this mean for CCPA compliance? None of us could have predicted a year ago that employers would be collecting temperature data, lists of symptoms, and travel information from our employees. If you drafted your CCPA employee notice prior to the start of the pandemic, you may want to review the categories of personal information you now collect in light of these COVID-19 data collection requirements and recommendations. For example, depending upon the type of temperature check, this data could be considered biometric information or sensory data. Your employee notice may also need to disclose how such categories of personal information are used by the business, such as to comply with state and local public health requirements.

While the CCPA requires notice to employees of the categories of data collected, in light of the pandemic, businesses may wish to review their employee notice to determine if it needs to be updated to accurately reflect any additional categories of personal information collected and how the business is using that personal information.

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(1) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country as it now includes entirely new classes of personal information such as racial or ethnic origin, religious or philosophical beliefs or union membership, the content of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health or sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.