Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

Utah, New Mexico, Arkansas are Latest States to Restrict Access by Employers or Schools to Personal Social Media Accounts

After gaining prominence in 2012, state legislation restricting access to personal social media accounts by employers and schools has remained active.  Three more states have enacted their own restrictions thus far in 2013, and bills are pending in more than two dozen other states, according to the National Conference of State Legislatures. In 2012, Illinois and Maryland  enacted social media privacy laws restricting employers, Delaware and New Jersey enacted laws restricting academic institutions, and California and Michigan enacted both employer- and school-focused restrictions.

So far this year, Utah, New Mexico, and Arkansas have enacted their own restrictions. Utah enacted two laws — the Internet Employment Privacy Act and the Internet Postsecondary Education Privacy Act — as part of one bill, HB100, which was signed into law on March 26 and takes effect May 14. New Mexico enacted two separate bills — SB 371 and SB 422 — focusing on employers and post-secondary schools, respectively. Both bills were signed April 5 and take effect on June 14. In Arkansas, a bill imposing restrictions on public and private post-secondary schools was enacted as Act 998 on April 8.  Below is more information about each.

Proposed California "Right to Know" Act Would Require Broad Disclosures To CA Residents

A bill titled the “Right to Know Act of 2013” (AB 1291), which was first introduced by Assembly Member Bonnie Lowenthal this past February, continues to gather momentum in the California legislature.  The Right to Know Act would repeal and re-write Cal. Civ. Code § 1798.83 (often referred to as the California Shine the Light law) to contain a new requirement.

The new proposed Section 1798.83 would require any business (either online or offline) that retains the personal information of a California resident to provide, upon request by that resident, a copy of all retained personal information pertaining to that resident.  It also would require businesses to provide the categories of the resident’s personal information that were disclosed to third parties over the past twelve months as well as the names and contact information of these third parties.  Disclosures made to third party service providers for purposes of performing a specified service would not be included in this requirement.  Notably, the revisions to the statute would require businesses to produce personal information collected about a California resident in a variety of contexts, including data collected from that resident in the course of “purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.”  Only California residents would be eligible to make a request; and businesses would be required to comply with such requests free of charge and within 30 days.

CA Supreme Court Holds That Song-Beverly Does Not Apply To Online Purchases For Electronic Downloads

On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.

In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction.  Song-Beverly generally prohibits retailers from requesting or requiring, as a condition of accepting credit card payment, that the cardholder provide PII on a credit card transaction form or otherwise.  In Pineda v. Williams Sonoma Stores, decided in early 2011, the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff's ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.

In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud.  It then reasoned that online purchases are different from brick-and-mortar purchases: 

“The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product.  Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer’s photo identification.  Thus, … the key antifraud mechanism in the statutory scheme . . . has no practical application to online transactions involving electronically downloadable products.”

New Jersey Restricts Colleges' Access to Students' Personal Accounts, Considers Similar Protections for Employees

New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts.  Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.

Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account. Schools may not retaliate against students who refuse to provide access to their accounts, and the law voids any agreement to waive the statute’s protections.

Delta Sued for Failure to Provide In-App Privacy Policy

California Attorney General Kamala Harris has made good on her promise to get tough with mobile app makers that fail to provide privacy policies in their apps.  Yesterday, her office sued Delta Airlines for violating the California Online Privacy Protection Act (“CalOPPA”), which requires providers of websites and “online services” to conspicuously post privacy policies that describe the provider’s data practices.  Harris contends that Delta’s “Fly Delta” app does not contain a privacy policy, despite the fact that Delta collects “personally identifiable information” (“PII”), as that term is defined in CalOPPA. 

Interestingly, Harris also alleges that Delta “fail[ed] to comply with the provisions of its privacy policy,” which itself is a violation of CalOPPA.  This allegation is somewhat puzzling given that the core assertion of the suit is that Delta has failed to maintain any privacy policy at all in its app.  But it appears possible that Harris will argue Delta has failed to comply with its website privacy policy, which, the complaint notes, does not disclose certain categories of PII that are being collected through the app (e.g., location information). 

Also noteworthy are allegations that the “Fly Delta app is not the primary commercial activity of Delta,” and that “CalOPPA does not relate to rates, routes or services of any air carrier.”  These allegations anticipate a preemption challenge by Delta pursuant to the Airline Deregulation Act.  Delta would appear to have a strong argument that the suit is, indeed, preempted.  As noted in the complaint, the app enables people to search for and book flights.  Thus, the Attorney General’s argument that the app is not related to the “routes and services” of Delta would seem to face an uphill battle.

The one-count complaint seeks recovery under Cal. Bus. & Prof. Code § 17200, alleging that the violations of CalOPPA are “unfair” acts.  In addition to injunctive relief, Harris seeks a $2,500 per-violation civil penalty.

New California Laws Restrict Employer, College Access to Personal Social-Media Content

California is the latest state to enact legislation restricting the circumstances under which employers or schools can demand access to employees’ or students’ personal social media accounts.

California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose personal social media usernames or passwords, access personal social media accounts in the employer’s presence, or otherwise “[d]ivulge any personal social media.” Employers are barred from firing or otherwise retaliating against anyone who refuses to comply with a request that is prohibited under the law. Employers may require employees to disclose information needed to access employer-issued devices and may request access to personal social media the employer reasonably believes is relevant to a misconduct investigation.

S.B. 1349 creates parallel protections for students, prospective students and student groups at public and private colleges and universities.

Texas Data Breach Amendment Takes Effect; Connecticut On Deck

This week, the much talked-about amendments to Texas’s breach notice statute took effect.  We previously blogged about these amendments, which are unprecedented in scope.  With the amendments, the Texas statute now requires entities doing business in Texas to notify “any individual” whose “sensitive personal information” is acquired in a breach (unless the information is encrypted).  The statute makes clear that the “individuals” who must be notified include not only Texas residents but also “residents . . . [of] another state that does not require [the breached entity] to notify the individual of a breach.”  This provision appears intended to require notice to be provided to affected residents of the four states without breach notice laws: Alabama, Kentucky, New Mexico and South Dakota.

No other state breach notice statute purports to require notice to non-state residents.  So this feature of the amendments alone renders them unprecedented, but as our previous post noted, the statute might be construed to require notice to non-residents even in states that have breach notice laws.

Connecticut also recently amended its breach notice law.  Under the amended version of the statute (which takes effect on October 1, 2012), entities that are required to notify Connecticut residents of a data breach must also notify the Connecticut Attorney General.  Notably, the Attorney General must be notified “not later than the time when notice is provided to the resident.”  Connecticut joins more than a dozen other states that have regulator notice requirements.

California Legislature Bans Warrantless Location Tracking

Last week, the California legislature passed one of the nation’s most restrictive bills governing law enforcement’s ability to access location information.  Under the California Location Privacy Act, state and local government agencies would be required to secure search warrants before obtaining historical or current location information for any electronic device.  The California bill would curtail some of the law enforcement practices described in this New York Times article, which noted that cellphone carriers responded to 1.3 million law enforcement demands in 2011 — many of which came in the form of subpoenas, emergency requests, or other demands that can be less legally burdensome to secure than warrants.  

The California bill contains only a few narrow exceptions to the warrant requirement, such as responding to a user’s 911 call; with a user’s informed, affirmative consent; or in emergencies involving immediate danger of death or serious physical injury.  In the final round of amendments, the bill’s sponsors added an immunity provision for providers of location information: the Act is not to be construed “to create a cause of action against any foreign or California corporation, its officers, employees, agents, or other specified persons, for providing location information.”

Illinois Prohibits Employers from Requesting Employees' Social Networking Passwords

On August 1, Illinois became the second state in the country to prohibit employers from requesting or requiring employees to provide their passwords for social networking accounts.  As reported in this blog, Maryland adopted similar legislation in April.  The bill (HB 3782) was signed into law by Illinois Governor Pat Quinn and will become effective on January 1, 2013. 

The legislation amends the Illinois Right to Privacy in the Workplace Act to make unlawful an employer’s request or requirement that an employee or prospective employee provide “any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website….”  The term “social networking website” means an Internet-based service that allows individuals to (1) construct a public or semi-public profile within a bounded system, created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.  The legislation makes clear that emails are not included in the term “social networking website.” 

Legislation to prohibit employer access to employee social networking information currently is being considered in several states, including Washington, New Jersey, California, and Colorado.

Privacy at a cost? Recent smart meter litigation in Maine

By Nigel Howard, Jessica Milner and Mark Johnson

Interesting questions are arising in relation to how to implement an “opt out” for smart meters.  In many states, customer unease about the privacy and safety concerns associated with smart meters has resulted in new legislation or regulations that give customers the ability to decline the installation of a smart meter.  However, smart meters enable energy efficiency and cost savings, so should customers that opt out have to pay more?

This question arose last month in the Maine Supreme Court in the case of Friedman v. Maine Public Utilities Commission and Central Maine Power Company. The court heard an appeal from the Maine Public Utilities Commission’s dismissal of a complaint raising concerns over smart meter technology, including privacy and security issues.

NY Legislature Introduces Bills to Curtail Anonymous Online Commenting

Two bills have been proposed in the New York State Legislature that aim to de-anonymize online commenting.

The proposed Internet Protection Act, introduced in the identical bills S.6779 and A.8688, would amend New York civil rights law to require a website administrator upon request to “remove any comments posted on his or her web site by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post and confirms that his or her IP address, legal name, and home address are accurate.”

An anonymous poster is defined as one who “posts a message on a web site . . . where people can hold conversations in the form of posted messages.”  As drafted, “anonymous poster” would include all commenters, regardless of whether they are logged into an account or whether they have already posted under a first and last name. 

Assemblyman Jim Conte, a sponsor of the legislation, has explained that it “seeks to combat cyber-bullying by allowing the victim of an anonymous Website posting to request that the post be removed if the anonymous source is unwilling to attach his or her name to it.”

Tim Wu, a Columbia law professor, has called the legislation “an obvious first amendment violation.”  Critics cite a 1960 Supreme Court case, Talley v. California, that struck down a Los Angeles ordinance requiring handbill distributors to print the author and distributor of a handbill on its cover.   The Talley Court observed that “there are times and circumstances when States may not compel members of groups engaged in the dissemination of ideas to be publicly identified,” explaining that “identification and fear of reprisal might deter perfectly peaceful discussions of public matters of importance.”

Senator Thomas O’Mara, sponsor of the Senate version, has responded to criticisms of the legislation’s constitutionality.  “I certainly didn’t introduce the legislation with the thought that it was violative of the First Amendment.  We’re certainly looking forward to any and all input.”

Maryland Legislation Bans Employers From Requesting Social Media Passwords

Yesterday, Maryland became the first state to pass legislation banning employers from asking employees or job applicants to provide their passwords to social media sites.  The legislation also prohibits employers from taking, or threatening to take, disciplinary action against employees or applicants who refuse to disclose such information. The bill now has to be signed into law by Maryland Governor Martin O’Malley.

The Maryland legislation was spurred by an incident in which, during a recertification interview, a Director of Corrections officer reportedly was asked to provide his Facebook account information so that his interviewer could log into his account and review activity.

Beyond Maryland, this issue has gained widespread attention recently at both the federal and state levels, as we’ve written previously.  Lawmakers in multiple other states, including Washington, New Jersey, California, Illinois, and Colorado, have introduced, or indicated they plan to introduce, similar legislation.  Additionally, Senators Charles Schumer (NY) and Richard Blumenthal (CT) have asked the Equal Employment Opportunity Commission and Department of Justice to investigate whether employers violate any privacy, fraud, or anti-discrimination laws by demanding access to job applicants' social networking accounts for hiring purposes.

Maryland and Illinois Introduce Bills to Limit Employer Access to Employees' Social Networking Accounts

Lawmakers in Maryland and Illinois have introduced bills that would prohibit employers from requiring job applicants or employees to grant access to their social networking accounts.  The bills arose from reports that employers have impliedly or explicitly required access to social networking accounts as a condition of hiring or employment.

A few bills have been proposed in Maryland that would protect the privacy of individuals’ social networking accounts.  Bills in the House and Senate have been introduced that would restrict all employers’ access to employee and job applicant accounts.  Two separate bills have also been introduced that would prevent university officials from accessing student accounts.

In Illinois, similar legislation has been introduced that would make it illegal for an employer to request access to an employee’s or job applicant’s account.  The legislation has bipartisan support.

In both states, lawmakers who back the bills believe that because of the pressure exerted on job applicants and employees to comply with requests for access to social networking accounts, these individuals have no real choice but to grant it.  To the lawmakers, this constitutes a violation of privacy.  
