Safeway To Settle Allegations Of Privacy Breach

On December 31, 2014, the second-largest U.S. grocery chain, Safeway, was ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to the improper dumping of hazardous waste, and the improper disposal of confidential pharmacy records containing protected health information in violation of California’s Confidentiality of Medical Information Act (“CIMA”).

This settlement comes after an investigation revealed that for over seven years hazardous materials, such as medicine and batteries, had been “routinely and systematically” sent to local landfills that were not equipped to receive such waste. Additionally, the investigation revealed that Safeway failed to protect confidential medical and health records of its pharmacy customers by disposing of records containing patients’ names, phone numbers, and addresses without shredding them, putting these customers at risk of identity theft.

Under this settlement agreement, while Safeway admits to no wrongdoing, it will pay (1) a $6.72 million civil penalty, (2) $2 million for supplemental environmental projects, and (3) $1.15 million in attorneys’ fees and costs. In addition, pursuant to the agreement, Safeway must maintain and enhance its customer record disposal program to ensure that customer medical information is disposed of in a manner that preserves the customer’s privacy and complies with CIMA.

“Today’s settlement marks a victory for our state’s environment as well as the security and privacy of confidential patient information throughout California,” said Alameda County District Attorney Nancy O’Malley. Alameda County Assistant District Attorney Kenneth Mifsud says the case against Safeway spotlights the importance of healthcare entities, such as pharmacy chains and hospitals, properly shredding, or otherwise “making indecipherable,” patient and other consumer personal information prior to disposal.

However, despite the settlement, customers whose personal information was improperly disposed of will have a difficult time suing for a “pure” loss of privacy due to Safeway’s violation of CIMA. In Sutter Health v. Superior Court, a California Court of Appeals held that confidential information covered by CIMA must be “actually viewed” for the statutory penalty provisions of the law to apply. So, parties bringing claims under CIMA will now have to allege, and ultimately prove, that their confidential information (1) changed possession in an unauthorized manner, and (2) was actually viewed (or presumably, used) by an unauthorized party.

The takeaway from Safeway’s settlement is to ensure that your customers are not at risk of data breaches and identity theft, and to protect your company from the million-dollar consequences that can result from failing to do so. If you have any questions about complying with privacy and health information laws, please feel free to contact one of our certified privacy attorneys at OlenderFeldman LLP.

By: Aaron Krowne

In 2013, the California Legislature passed AB 370, an addition to California’s path-blazing 2003 online consumer privacy protection law, the California Online Privacy Protection Act (“CalOPPA”). AB 370 took effect January 1, 2014, and adds new requirements to CalOPPA pertaining to consumers’ use of Do-Not-Track (DNT) signals in their web browsers (all major web browsers now include this capability). CalOPPA applies to any website, online service, and mobile application that collects personally identifiable information from consumers residing in California (“Covered Entity”).

While AB 370 does not mandate a particular response to a DNT signal, it does require two new disclosures that must be included in a Covered Entity’s privacy policy: (1) how the site operator responds to a DNT signal (or to other “similar mechanisms”); and (2) whether there are third parties performing online tracking on the Covered Entity’s site or service. As an alternative to the descriptive disclosure listed in (1), the Covered Entity may elect to provide a “clear and conspicuous link” in its privacy policy to a “choice program” which provides consumers a choice about tracking. The Covered Entity must clearly describe the effect of a particular choice (e.g., a web interface which allows users to disable the site’s tracking based on their browser’s DNT).

While this all might seem simple enough, as with many new laws, it has raised many questions about specifics, particularly how to achieve compliance. As a result, on May 21, 2014, the California Attorney General’s Office (the “AG’s Office”) issued a set of new guidelines entitled “Making Your Privacy Practices Public” (the “New Guidelines”).

The New Guidelines

The New Guidelines regarding DNT specifically suggest that a Covered Entity:

  1. Make it easy for a consumer to find the section of the privacy policy in which the online tracking policy is described (e.g., by labeling it “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures”).
  2. Provide a description of how it responds to a browser’s DNT signal (or to other similar mechanisms), rather than merely linking to a “choice program.”
  3. State whether third parties are or may be collecting personally identifiable information of consumers while they are on a Covered Entity’s website or using a Covered Entity’s service.

In general, when drafting a privacy policy that complies with CalOPPA the New Guidelines recommend that a Covered Entity:

  • Use plain, straightforward language, avoiding technical or legal jargon.
  • Use a format that makes the policy readable, such as a “layered” format (which first shows users a high-level summary of the full policy).
  • Explain its uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the online service.
  • Whenever possible, provide a link to the privacy policies of third parties with whom it shares personally identifiable information.
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
  • Provide “just in time,” contextual privacy notifications when relevant (e.g., when registering, or when the information is about to be collected).

The above is merely an overview and summary of the New Guidelines and therefore does not represent legal advice for any specific scenario or set of facts. Please feel free to contact one of OlenderFeldman’s Internet privacy attorneys, using the link provided below for information and advice regarding particular circumstances.

The Consequences of Non-Compliance with CalOPPA

While the New Guidelines are just that, mere recommendations, CalOPPA has teeth. The AG’s Office is moving actively on enforcement. For example, it has already sued Delta Airlines for failure to comply with CalOPPA. A Covered Entity’s privacy policy, despite being discretionary within the general bounds of CalOPPA and written by the Covered Entity itself, has the force of law, including penalties, as discussed below. Thus, a Covered Entity should think carefully about the contents of its privacy policy; over-promising could result in completely unnecessary legal liability, but under-disclosing could also result in avoidable litigation. Furthermore, liability under CalOPPA could arise purely because of miscommunication or inadequate communication between a Covered Entity’s engineers and its management or legal departments, or because of failure to keep sufficiently apprised of what information third parties (e.g., advertising networks) are collecting.

CalOPPA provides a Covered Entity with a 30-day grace period to post or correct its privacy policy after being notified by the AG’s Office of a deficiency. However, if the Covered Entity has not remedied the defect at the expiration of the grace period, the Covered Entity can be found to be in violation for failing to comply with: (1) the CalOPPA legal requirements for the policy, or (2) the provisions of the Covered Entity’s own site policy. This failure may be either knowing and willful, or negligent and material. Penalties for failures to comply can amount to $2,500 per violation. As mentioned above, non-California entities may also be subject to CalOPPA, and therefore, it is likely that CalOPPA-based judicial orders will be enforced in any jurisdiction within the United States.

While the broad brushstrokes of CalOPPA and the new DNT requirements are simple, there are many potential pitfalls, and actual, complete real-world compliance is likely to be tricky to achieve. Pre-emptive privacy planning can help avoid the legal pitfalls, and therefore if you have any questions or concerns we recommend you contact one of OlenderFeldman’s certified and experienced privacy attorneys.

JK! LOL! I Did Not Mean to Post That – California Now Requires That Children Be Provided With a “Cyber Eraser”

By Angelina Bruno-Metzger

Of the new cyber laws signed by California Governor Jerry Brown, by far the most publicized and debated has been bill SB568, which provides minors with greater cyber privacy rights. There are two main components of this new law: (1) it requires website operators and mobile application owners to allow minors to remove their postings, and (2) it places stronger restrictions on the type of products website operators can market and advertise to minors. The main sentiment and policy initiative behind this new law is clearly well-intentioned: to allow minors who are prone to posting rash and often emotionally charged content online without any awareness or concern of the future implications of that decision, to remove the harmful and offending content whether the regret comes five minutes later, or years later.

The first part of this law, the “internet eraser,” applies to two main categories of web providers: those that operate web sites, provide online services, or have mobile applications that are directed at minors, and those same providers that have actual knowledge that a minor is using their site, services or mobile application. This eraser, however, does not require the website operator to delete the information from its server. Instead, an operator will be deemed to have complied with this removal requirement by simply ensuring that the content is no longer visible to other users. As with many laws, there are several notable exceptions, and there are multiple scenarios in which a web site operator is not under a removal obligation. Examples of these exceptions include posts made anonymously by minors, as well as any content posted by a minor for which the minor received compensation (or other consideration). In addition, only minors that are registered users of a site, service or application may seek to have their content removed.

The second part of this law involves the limitation of marketing and advertising of specified products to minors on websites and mobile devices. Predictably, those specified products include certain dietary supplements, permanent tattoos, alcohol, firearms, fireworks, lottery tickets and e-cigarettes. A website operator will be deemed to be in compliance with this new law if it has properly notified its advertising services that its site, service or application is directed towards minors. Essentially, if a company could not sell a product face-to-face to a minor, under this new law a company cannot solicit or sell that same product to a minor online.

This law will become effective on January 1, 2015, and already legal experts from around the country are debating whether or not this is a direct collision of privacy law and the First Amendment. Additionally, as with all cyber laws, there remains an enormous amount of ambiguity to address. For example, does the person need to be a minor when they request removal, or can an adult retroactively ask for removal of a posting made while a minor? Will this law apply to all websites in the country or just to those based in California? As currently written, this new law does not include a time frame in which the operator needs to delete the requested content. Moreover, the scope of the content to be deleted remains unclear, and there is no penalty for an operator that does not comply with a request.

Stay tuned to see how the implementation and enforcement of this law plays out. For now, review our prior postings about the best ways to navigate social media and the workplace, as well as understand the limitations of privacy on Facebook.

 

WARNING: Your Account Has Been Compromised – California Expands Existing Data Privacy Breach Law

By Angelina Bruno-Metzger

Governor Jerry Brown recently signed bill SB46 into law, which amends California’s data breach notification law by expanding the definition of “personal information.” The current law requires alerts to be sent to consumers when a database has been breached in a way that could expose a consumer’s social security number, driver license number, credit card number(s), or medical/health insurance information. Under this new amendment, website operators will be obligated to send out privacy notifications after the breach of a “user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Additionally, this law requires notifications, even when no other personal information has been breached, in cases when a breach of a user name or email address used in combination with a password or security question could permit access to an online account. Currently, as with the new “Do Not Track” law, California is the only state whose breach notification statute incorporates breaches solely by the loss of a user name or email address.

This law will go into effect on January 1, 2014, and a company’s notification obligations under this new law differ depending on the type of personal data that has been breached. When the security breach does not involve login credentials for an email account, the operator is allowed to notify affected customers through the use of a “security breach electronic form.” This form would direct the person whose personal information has been compromised to immediately change his/her password and security question(s) or answer(s), as well as direct the user to take appropriate precautionary measures with all other virtual accounts that use the same user name or email address and password. However, when the security breach does involve login credentials for an email account, the operator, logically, may not provide notification to that email address. Alternatively, the operator may provide “clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the person or business knows the resident customarily accesses the account.”

As with the other recently passed cyber laws, the implications of this new data privacy breach law will likely be felt nationally and internationally, as almost every company that offers online personalized services requires a consumer to create a username and password. While there remains some uncertainty about exactly what businesses must abide by this new regulation, as not all companies can readily, if at all, confirm affected users are California residents, since sharing of home addresses is often optional, it is best for businesses to abide by the old “better safe than sorry” adage. The two best ways companies can come into compliance with this regulation are to: (1) ensure that all usernames, passwords, security questions and answers are stored in an encrypted form, and (2) update existing protocols, or create new internal protocols that are consistent with this law’s reporting requirements.

See OlenderFeldman LLP’s predictions for what should happen in 2013 within the data privacy field and compare it with this new data privacy breach law in California.

The proposed bill prohibits an employer from requiring a current or prospective employee to provide access to a personal account or even asking if they have an account or profile on a social networking website.

By Alice Cheng

Last month, a New Jersey Assembly committee approved a measure that would prohibit an employer from requiring a current or prospective employee to disclose user names or passwords to allow access to personal accounts. The employer is also prohibited from asking a current or prospective employee whether she has an account or profile on a social networking website. Additionally, an employer may not retaliate or discriminate against an individual who accordingly exercises her rights under the bill.

This bill came in light of the multitude of stories of employers and schools requesting such information, or performing “shoulder surfing,” during interviews and at school/work. Although this may be only an urban legend at best, the ACLU and Facebook itself have demanded that the privacy-violating practice come to an end, and legislators across the nation have nevertheless responded promptly. For example, Maryland, California, and even the U.S. Senate have all proposed similar legislation banning such password requests to protect employee privacy.

Not only are password requests problematic for employees, but they may also land employers in legal hot water. Social media profiles may contain information that employers legally cannot ask about (such as race or religion), and may potentially open employers up to discrimination suits.

Under the New Jersey bill, civil penalties are available in an amount not to exceed $1,000 for the first violation, or $2,500 for each subsequent violation.

Recently, in Ehling v. Monmouth Ocean Hospital Service Corp., 11-cv-3305 (WJM) (D.N.J.; May 30, 2012), a New Jersey court found that accessing an employee’s Facebook posts by “shoulder surfing” a coworker’s page states a privacy claim. See Venkat Balasubramani’s excellent writeup at the Technology & Marketing Law Blog.

The Limits of Privacy on Facebook

Zip Codes Can Reveal Customer Information, Leading To Privacy Concerns

By Michael Feldman

A February 2011 ruling against Williams-Sonoma by the California Supreme Court held that a consumer’s ZIP code was “personal identification information” that merchants are not permitted to demand from customers under a California consumer privacy law. The result was a rash of lawsuits against businesses such as Wal-Mart Stores Inc., Bed Bath & Beyond Inc., Crate & Barrel and Victoria’s Secret. Though some stores claim to use the ZIP code information to protect against credit card fraud (i.e., if the card was stolen, the user is less likely to know the ZIP code of the true owner), most businesses use the information for marketing purposes. Ultimately, the California Supreme Court held that merchants can still collect customers’ ZIP codes under limited circumstances, such as at gas station pumps where the information is requested for security reasons, and in transactions involving shipping. Retailers may also ask customers to produce a valid driver’s license for security reasons, but may not record the personal information contained on the license.

The California Supreme Court’s decision was premised upon California’s strict consumer privacy laws. However, the theory of ZIP codes representing personal or protected information has now spread to New Jersey. Superior Court Judge Stephan Hansbury refused to dismiss a lawsuit against Harmon Stores, Inc. for collecting ZIP code information from its credit card customers. The Court held that New Jersey’s Truth in Consumer Contract, Warranty and Notice Act allowed the plaintiffs to assert a claim for violation of N.J.S.A. 56:11-17, which provides:

No person which accepts a credit card for a consumer transaction shall require the credit card holder, as a condition of using a credit card in completing the consumer transaction, to provide for recordation on the credit card transaction form or any other form, any personal identification information that is not required by the issuer to complete the credit card transaction, including, but not limited to, the credit card holder’s address or telephone number, or both; provided, however, that the credit card holder’s telephone number may be required on a credit card transaction form if the credit card transaction is one for which the credit card issuer does not require authorization. (emphasis added)

It appears that the New Jersey Superior Court, like the California Supreme Court, considers ZIP code information to represent protected “personal identification information.” As a general matter, the ZIP code information is not required by the credit card company. As the New Jersey case is in its infancy, we do not yet know the results or full repercussions.

While it is likely that the Harmon Stores case will be appealed at some point (if it does not settle), its very existence creates new uncertainty amongst New Jersey consumers and merchants alike. For consumers, Judge Hansbury’s opinion suggests that the consumer can refuse to provide his or her ZIP code information when engaging in a live transaction (as opposed to online transactions or, as in California, when using an automated machine to charge a transaction). Of course, it is also possible that refusing to provide ZIP code information could simply result in the merchant demanding that you produce a driver’s license.

Merchants, on the other hand, should be sure to have a valid justification for seeking a customer’s ZIP code information in connection with any credit card transaction. Merely seeking it for marketing purposes will not suffice. Alternatively, merchants can be clear in seeking the ZIP code information that providing the information is completely voluntary. However, engaging in such a practice presents its own pitfalls and could create new confusion or a public relations nightmare.

As privacy-related litigation and consumers’ concerns about their privacy rights increase, one thing is becoming abundantly clear: now is the time for businesses to proactively use consumer privacy protection as a marketing tool to distinguish the business from its competitors.