Fair Credit Reporting Act

Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”).  This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020.  California Governor Gavin Newsom has until October 13 to sign the bills into law.  Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

  • Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries.  However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used.  Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
  • Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances.  This language generally creates an exemption for personal information about business customers.  The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted.  The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
  • Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute.  Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household.  Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.  Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
  • Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.  AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address.  If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests.  Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
  • Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.

Continue Reading California Legislature Passes CCPA Amendments and Privacy Bills

The closely watched lawsuit alleging Spokeo, Inc., violated the Fair Credit Reporting Act (“FCRA”) may proceed, after a federal appeals court ruled — on remand from the Supreme Court — that publication of the inaccuracies alleged by the plaintiff would constitute a sufficiently “concrete” harm to give the plaintiff standing to sue in federal court. 

Yesterday the White House released a report discussing how companies are using big data to charge different prices to different customers, a practice known as price discrimination or differential pricing.  The report describes the benefits of big data for sellers and buyers alike, and concludes that many concerns raised by big data and differential pricing can be addressed by existing antidiscrimination and consumer protection laws.

Big Data and Personalized Pricing 

“Big data” refers to the ability to gather large volumes of data, often from multiple sources, and use it to produce new kinds of observations, measurements, and predictions about individual consumers.  Thus, big data has made it easier for sellers to target different populations with customized marketing and pricing plans.

The White House report identifies two trends driving the increased application of big data to marketing and consumer analytics.  The first trend is the widespread adoption of new information technology platforms, most importantly the Internet and the smartphone.  These platforms give businesses access to a wide variety of applications like search engines, maps, blogs, and music or video streaming services.  In turn, these applications create new ways for businesses to interact with consumers, which produce new sources and types of data, including (1) a user’s location via mapping software; (2) their browser and search history; (3) the songs and videos they have streamed; (4) their retail purchase history; and (5) the contents of their online reviews and blog posts.  Sellers can use these new types of information to make educated guesses about consumer characteristics like location, gender, and income.  The second trend is the growth of the ad-supported business model, and the creation of a secondary market in consumer information.  The ability to place ads that are targeted to a specific audience based on their personal characteristics makes information about consumers’ characteristics particularly valuable to businesses.  This, in turn, has fostered a growing industry of data brokers and information intermediaries who buy and sell customer lists and other data used by marketers to assemble digital profiles of individual consumers.
Continue Reading White House Issues Report on Big Data and Differential Pricing

A federal judge on Wednesday reduced a jury’s punitive damages award against Equifax from more than $18 million to $1.62 million, after finding that the jury’s award was unconstitutionally excessive despite Equifax’s “reprehensible” conduct in violating the Fair Credit Reporting Act.

Plaintiff Julie Miller sued Equifax under FCRA for failing to correct mistakes in the

Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act.  As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the