You have no items in your shopping cart.
Search
Filters

Privacy Compliance and Litigation in California

Understand best practices in cyber security and data breach protection—and how to avoid penalties and lawsuits. Learn how to collect and protect customer data, health care data, children’s data, and employee data within California, the U.S., and worldwide. Discover practical guidance for business, finance, health care, and employers on California and federal data and security law—and the critical new European Union General Data Protection Regulation (GDPR). 

Understand best practices in cyber security and data breach protection—and how to avoid penalties and lawsuits. Learn how to collect and protect customer data, health care data, children’s data, and employee data within California, the U.S., and worldwide. Discover practical guidance for business, finance, health care, and employers on California and federal data and security law—and the critical new European Union General Data Protection Regulation (GDPR). 

  •       Collecting customer data: statutory requirements; privacy policies, security measures
  •       Implementing strict new GDPR regulations
  •       Online marketing to and collecting children’s data
  •       Sending commercial e-mail and telemarketing
  •       Complex HIPAA regulation compliance
  •       Employee privacy rights and employer obligations
  •       Avoiding identity theft
  •       Class actions for data breach: causes of action, standing, trial issues
OnLAW BU94930

Web access for one user.

 

$ 425.00
Print BU33930

looseleaf, updated August 2022

$ 425.00
Add Forms CD to Print BU23934
$ 99.00

Understand best practices in cyber security and data breach protection—and how to avoid penalties and lawsuits. Learn how to collect and protect customer data, health care data, children’s data, and employee data within California, the U.S., and worldwide. Discover practical guidance for business, finance, health care, and employers on California and federal data and security law—and the critical new European Union General Data Protection Regulation (GDPR). 

  •       Collecting customer data: statutory requirements; privacy policies, security measures
  •       Implementing strict new GDPR regulations
  •       Online marketing to and collecting children’s data
  •       Sending commercial e-mail and telemarketing
  •       Complex HIPAA regulation compliance
  •       Employee privacy rights and employer obligations
  •       Avoiding identity theft
  •       Class actions for data breach: causes of action, standing, trial issues

1

Challenges of Privacy Compliance and Litigation

Denis T. Rice

  • I.  SCOPE OF BOOK AND CHAPTER  1.1
  • II.  CHALLENGES FACING ATTORNEYS
    • A.  Patchwork of Federal and State Laws  1.2
    • B.  Developing Technologies, Trends, and Hot Topics  1.3
    • C.  Expanding Regulation  1.4
    • D.  Emerging Theories of Liability  1.5

2

Common Law and Constitutional Privacy Protection

Roy G. Weatherup

  • I.  SCOPE OF CHAPTER  2.1
  • II.  HISTORICAL BACKGROUND
    • A.  Privacy as a Legal Concept  2.2
    • B.  Common Law Recognition of the Right to Privacy  2.3
  • III.  PRIVACY AS FEDERAL CONSTITUTIONAL RIGHT
    • A.  Development of Federal Right  2.4
    • B.  Development of Right Under Fourth Amendment: Reasonable Expectation of Privacy  2.4A
  • IV.  INVASION OF PRIVACY UNDER CALIFORNIA LAW
    • A.  Development of Invasion of Privacy as a Common Law Tort in California  2.5
    • B.  Establishment of the State Constitutional Right to Privacy  2.6
    • C.  Elements of Invasion of Privacy  2.7
  • V.  TYPES OF INVASION OF PRIVACY CLAIMS  2.8
    • A.  Intrusion Into a Person’s Solitude or Seclusion
      • 1.  Elements of Intrusion Claim  2.9
      • 2.  Examples  2.10
    • B.  Public Disclosure of Private Facts
      • 1.  Elements of Public Disclosure Claim  2.11
      • 2.  Examples  2.12
    • C.  Portraying a Person in a False Light  2.13
    • D.  Unauthorized Appropriation of a Person’s Name or Likeness for Commercial Purposes
      • 1.  Elements of Appropriation Claim  2.14
      • 2.  Examples  2.15
  • VI.  RELATIONSHIP OF INVASION OF PRIVACY TO OTHER TORTS
    • A.  Negligence  2.16
    • B.  Intentional Infliction of Emotional Distress  2.17
    • C.  Defamation  2.18
    • D.  Other Statutory Violations  2.19
  • VII.  DEFENSES TO INVASION OF PRIVACY
    • A.  First Amendment as Defense to Invasion of Privacy  2.20
    • B.  Other Possible Defenses  2.21
  • VIII.  STRATEGIES FOR BUSINESS  2.22
  • IX.  THE INVASION OF PRIVACY LAWSUIT
    • A.  Jury Instructions on Liability  2.23
    • B.  Remedies for Invasion of Privacy  2.24
    • C.  Verdict and Judgment  2.25

3

Information Security and Security Breach

Françoise Gilbert

  • I.  SCOPE OF CHAPTER  3.1
  • II.  PROTECTION OF PERSONAL INFORMATION
    • A.  Understanding the Need to Protect Personal Information  3.2
    • B.  Personal Information
      • 1.  Personal Information in General  3.3
      • 2.  Definitions  3.4
      • 3.  Proprietary Information  3.5
  • III.  SOURCES OF LEGAL OBLIGATION TO KEEP INFORMATION SECURE  3.6
    • A.  California’s Reasonable Security Procedures and Practices Law  3.7
      • 1.  What Information Is Protected Under CC §1798.81.5?  3.8
      • 2.  What Information and Businesses Are Excluded From Coverage Under CC §1798.81.5?  3.9
      • 3.  What Are Reasonable Security Procedures and Practices?  3.10
      • 4.  Effect of California Consumer Privacy Act (CCPA)  3.10A
      • 5.  California IoT Security Law  3.10B
      • 6.  Contracts With Third Party Service Providers Are Required  3.11
      • 7.  Internet of Things Cybersecurity Improvement Act of 2020  3.11A
    • B.  Prohibition of Unfair or Deceptive Business Practices  3.12
      • 1.  FTC Enforcement  3.13
      • 2.  State Unfair Competition Laws  3.14
    • C.  Information Security Laws of Other States  3.15
      • 1.  Massachusetts  3.16
      • 2.  Nevada  3.17
      • 3.  Connecticut  3.18
    • D.  Contracts [Deleted]  3.19
    • E.  Document Disposal Laws and Regulations  3.20
      • 1.  California Document Disposal Law  3.21
      • 2.  FACTA Disposal Rule  3.22
        • a.  Reasonable Measures to Dispose of Information  3.23
        • b.  Disposal Company Services  3.24
        • c.  Third Party Service Providers  3.25
    • F.  Industry-Specific Laws and Regulations
      • 1.  Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act)  3.26
        • a.  HIPAA Privacy Rule  3.27
        • b.  HIPAA Security Standards  3.28
          • (1)  Administrative Safeguards  3.29
          • (2)  Physical Safeguards  3.30
          • (3)  Technical Safeguards  3.31
          • (4)  Organizational Requirements  3.32
          • (5)  Policies and Procedures and Documentation Requirements  3.33
          • (6)  Business Associates  3.34
          • (7)  Guidance on Methods to Secure Health Information  3.34A
        • c.  HITECH Act Notice of Security Breach Requirements  3.35
          • (1)  Breach of Security Affecting a Covered Entity or a Business Associate
            • (a)  Definitions  3.35A
            • (b)  Notice Requirements  3.35B
            • (c)  Content of the Notice and Timing  3.35C
          • (2)  Breach of Security Affecting a PHR Vendor or Service Provider of PHR Vendor  3.35D
            • (a)   Definitions  3.35E
            • (b)   Notice Requirements  3.35F
            • (c)  Content and Timing of the Notice  3.35G
      • 2.  Gramm-Leach-Bliley Act (GLBA)  3.36
        • a.  FTC Safeguards Rule  3.37
        • b.  Requirements for Security Plan Under FTC Safeguards Rule
          • (1)  Elements  3.38
          • (2)  Contracts With Third Party Service Providers [Deleted]  3.39
      • 3.  Red Flags Rule  3.40
      • 4.  Address Discrepancy Rule  3.41
      • 5.  Online Businesses: Children’s Online Privacy Protection Act (COPPA)  3.42
      • 6.  Sarbanes-Oxley Act  3.43
      • 7.  Dodd-Frank Wall Street Reform and Consumer Protection Act  3.43A
      • 8.  Contracts
        • a.  Privacy Statements  3.43B
        • b.  Data Use Agreements  3.43C
  • IV.  SECURITY BREACH
    • A.  California’s Security Breach Disclosure Law  3.44
      • 1.  Who Must Comply?  3.45
      • 2.  What “Personal Information” Is Covered?  3.46
      • 3.  What Is a “Breach”?  3.47
      • 4.  What Notice Is Required?  3.48
      • 5.  When Must Notification Be Made?  3.49
      • 6.  What Information Must the Notice Contain?  3.49A
      • 7.  Form: Model Security Breach Notification  3.49B
      • 8.  Notification to the State Attorney General  3.49C
    • B.  Effect of California Consumer Privacy Act (CCPA) on Security Breaches  3.49D
    • C.  Breach Disclosure Laws in Other Jurisdictions  3.50
    • D.  Addressing Breach Disclosure Issues  3.51
  • V.  THE INFORMATION SECURITY PLAN  3.52
    • A.  Developing a Security Plan  3.53
      • 1.  Identify a Responsible Party  3.54
      • 2.  Assess the Assets to Be Protected  3.55
      • 3.  Assess the Risk to These Assets  3.56
      • 4.  Record the Plan
        • a.  Understand Types of Security Measures  3.57
        • b.  Select Appropriate Security Measures  3.58
        • c.  Additional Characteristics of Plan  3.59
      • 5.  Implement and Train  3.60
      • 6.  Audit, Test, and Monitor Effectiveness  3.61
      • 7.  Conduct Periodic Revisions and Adjustments  3.62
    • B.  Maintaining Security in Relationships With Third Party Service Providers  3.63
    • C.  Monitor Legal Developments  3.64

4

Internet and Electronic Privacy

Denise Olrich

  • I.  SCOPE OF CHAPTER  4.1
  • II.  PRIVACY PROTECTIONS FOR PERSONAL INFORMATION
    • A.  What Is “Personal Information”?  4.2
    • B.  How Do Businesses Collect Personal Information?  4.3
    • C.  Business Obligations to Protect Personal Information  4.4
      • 1.  California Reasonable Security Procedures and Practices Law  4.5
      • 2.  California Social Security Numbers Confidentiality Law  4.6
      • 3.  California Public Safety Officials Home Protection Act  4.7
      • 4.  California Insurance Information and Privacy Protection Act  4.8
      • 5.  Video Rentals
        • a.  Federal Video Privacy Protection Act (VPPA)
          • (1)  Prohibitions, Remedies, and Definitions  4.9
          • (2)  Cases Under the VPPA  4.9A
        • b.  California Law on Nondisclosure of Video Sales or Rentals  4.10
      • 6.  Electronic Surveillance in Rental Cars  4.11
      • 7.  California Consumer Privacy Act of 2018  4.11A
      • 8.  California Privacy Rights Act of 2020  4.11B
      • 9.  Other Consumer Protections  4.12
  • III.  INTERNET AND COMPUTER PRIVACY PROTECTIONS FOR BUSINESSES AND OTHERS
    • A.  California Comprehensive Computer Data Access and Fraud Act  4.13
      • 1.  Criminal Penalties
        • a.  Fines and Imprisonment  4.14
        • b.  Forfeiture  4.15
      • 2.  Civil Actions  4.16
      • 3.  Cases Under Comprehensive Computer Data Access and Fraud Act  4.17
    • B.  Federal Computer Fraud and Abuse Act (CFAA)  4.18
      • 1.  Civil Remedies Under CFAA  4.19
      • 2.  Criminal Penalties Under CFAA  4.20
      • 3.  Cases Under CFAA  4.21
    • C.  Other State Law Protections for Individual Information  4.21A
  • IV.  HOW MAY A BUSINESS MEET ITS OBLIGATIONS?
    • A.  Website Privacy Policies: California’s Online Privacy Protection Act of 2003 (OPPA)  4.22
      • 1.  Who Is an “Operator” Under OPPA?  4.23
      • 2.  What Is “Personally Identifiable Information” Under OPPA?  4.24
      • 3.  Contents of the Privacy Policy Required by OPPA  4.25
      • 4.  Form: Website Privacy Policy [Deleted]  4.26
      • 5.  Display of Privacy Policy  4.27
      • 6.  Failure to Comply With OPPA  4.28
      • 7.  Other Website Privacy Policy Requirements  4.29
    • B.  General Review of Security Procedures  4.30
    • C.  Physical Security Measures  4.31
    • D.  Evaluation of Data Collected and Methods of Collection  4.32
    • E.  Review of Data Maintenance and Destruction Policies  4.33
    • F.  Registration of Data Brokers With Attorney General Required  4.33A
    • G.  Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information  4.34
  • V.  ELECTRONIC COMMUNICATIONS PRIVACY  4.35
    • A.  California Law Governing Electronic Eavesdropping and Wiretapping: Invasion of Privacy Act  4.36
      • 1.  Specific Prohibitions of Act: Pen C §§631–632.01  4.37
      • 2.  Penalties  4.38
      • 3.  Application to Cell Phones and VoIP  4.39
      • 4.  Application to Out-of-State Businesses  4.40
    • B.  California Electronic Communications Privacy Act  4.40A
    • C.  Federal Electronic Communications Privacy Act of 1986 (ECPA)
      • 1.  Components of ECPA: Wiretap Act and Stored Communications Act (SCA)  4.41
      • 2.  Wiretap Act  4.42
      • 3.  SCA  4.43
      • 4.  Consequences of Violating Wiretap Act or SCA   4.44
      • 5.  Cases Under ECPA, Wiretap Act, and SCA  4.45
    • D.  Protections for Cable Subscribers
      • 1.  Federal Cable Communications Policy Act  4.46
      • 2.  California Prohibitions on Disclosures by Cable Providers (Pen C §637.5)  4.47
    • E.  Federal Communications Decency Act (CDA)
      • 1.  Immunity Provisions of CDA  4.48
      • 2.  Cases Under CDA  4.49
    • F.  Federal Telecommunications Act of 1996  4.50
    • G.  Federal Telephone Customer Protection Act (TCPA)  4.51
    • H.  California Telecommunications Customer Privacy Act  4.52
    • I.  Pretexting
      • 1.  California Pretexting Law  4.53
      • 2.  Federal Pretexting Law  4.54
    • J.  Social Networking Sites [Deleted]  4.55
    • K.  Behavioral Marketing  4.55A
    • L.  Mobile Devices and Mobile Applications  4.55B
  • VI.  ENFORCEMENT OF BUSINESS OBLIGATIONS AFFECTING PERSONAL INFORMATION
    • A.  FTC Resources   4.56
    • B.  Cybersecurity Act of 2015  4.56A
    • C.  United States Attorney General Enforcement  4.57
    • D.  California Attorney General Enforcement  4.57A
    • E.  Consumer Finance Protection Bureau Enforcement  4.57B
    • F.  Table: Statutory Remedies for Violations of Internet and Electronic Privacy Provisions  4.58

5

Marketing and Sales Regulation

Jonathan D. Avila

Catherine D. Meyer

  • I.  SCOPE OF CHAPTER  5.1
  • II.  OVERVIEW: PERSONAL INFORMATION FOR MARKETING PURPOSES
    • A.  Collection, Use, and Sharing of Information for Marketing  5.2
    • B.  Protection of Personal Information for Marketing  5.2A
  • III.  COLLECTION OF MARKETING INFORMATION
    • A.  How Information Is Collected  5.3
    • B.  Children’s Online Privacy Protection Act (COPPA)
      • 1.  COPPA Statutes, Implementing Rules, Enforcement, and Coverage  5.4
      • 2.  Scope of Covered Activities
        • a.  Use of Site or Service on the Internet; “Operator” Defined  5.5
        • b.  Application to Website or Online Service Operated for Commercial Purposes in Interstate or Foreign Commerce  5.6
        • c.  “Personal Information” Defined  5.7
        • d.  “Collection” Defined  5.8
        • e.  Determining COPPA’s Application to Children
          • (1)  Information From a Child  5.9
          • (2)  The “Actual Knowledge” Standard for General Audience Websites  5.9A
          • (3)  Definition of Websites “Directed to Children”  5.10
          • (4)  Exception for Websites and Online Services That Are “Directed to Children,” but Do Not “Target Children as Their Primary Audience” (“Mixed Audience”)  5.11
          • (5)  Sites and Services Targeted at Teenagers [Deleted]  5.12
        • f.  Substantive Restrictions on Information Collection  5.13
        • g.  “Disclosure” to a “Third Party”  5.14
      • 3.  Compliance Requirements
        • a.  Notice of Data Collection Practices and Parental Rights  5.15
        • b.  Posting a Privacy Notice  5.16
        • c.  Contents of Privacy Notice  5.17
        • d.  Form: Sample Children’s Website Privacy Policy  5.18
        • e.  Providing Notice Directly to a Parent  5.19
        • f.  Verifiable Parental Consent  5.20
        • g.  The “Sliding Scale” of Obtaining Parental Consent
          • (1)  If Child’s Information Will Be Disclosed to Third Parties; High-Level Consent  5.21
          • (2)  If Child’s Information Will Not Be Disclosed to Third Parties; “Email Plus” Method  5.22
        • h.  Exceptions to “Prior Verifiable Parental Consent”  5.23
        • i.  Parental Access, Objection, and Deletion Rights  5.24
        • j.  Information Security Procedures  5.25
        • k.  Obligation to Release Information Only to Capable Third Parties  5.25A
        • l.  Data Retention Limitation and Secure Destruction Obligation  5.25B
        • m.  Safe Harbor Programs  5.26
      • 4.  Enforcement  5.27
      • 5.  Examples of FTC and State Attorney General Enforcement Actions  5.28
      • 6.  FTC’s Proposed COPPA Revisions [Deleted]  5.28A
      • 7.  Checklist: COPPA Compliance  5.29
    • C.  Supermarket Club Cards  5.30
    • D.  Collecting Personal Information at the Cash Register
      • 1.  Payment by Check  5.31
      • 2.  Payment by Credit Card: Song-Beverly Credit Card Act  5.32
        • a.  Personal Information Retailers May Not Collect During Payments by Credit Card  5.33
        • b.  Exceptions: When Retailers May Collect Personal Information During Payments by Credit Card  5.34
        • c.  Online and Other Indirect Transactions  5.34A
        • d.  Penalties for Violation  5.35
    • E.  Radio Frequency Identification Technology (RFID)  5.36
    • F.  Spyware: Consumer Protection Against Spyware Act  5.37
  • IV.  USE OF INFORMATION
    • A.  Unsolicited Commercial Email: Spam  5.38
      • 1.  Federal CAN-SPAM Law: What It Prohibits  5.39
        • a.  Definitions
          • (1)  “Commercial Email”  5.40
          • (2)  “Transactional or Relationship Message” and “Primary Purpose”  5.41
          • (3)  “Sender”  5.42
        • b.  Required Contents of Commercial Email  5.43
        • c.  Opt-Out Requirement  5.44
        • d.  Form: Opt-Out Notice  5.45
        • e.  Advertising Email  5.46
        • f.  Sexually Oriented Email  5.47
        • g.  Prohibited Contents of Commercial Email  5.48
        • h.  Application to Wireless Devices  5.49
        • i.  Enforcement  5.50
        • j.  CAN-SPAM Preemption of State Law  5.51
      • 2.  California’s Anti-Spam Legislation
        • a.  Prohibited Activities  5.52
        • b.  Who May Enforce; Penalties  5.53
    • B.  Unsolicited Telemarketing Phone Calls
      • 1.  FCC Declaratory Ruling on Robocalls  5.53A
      • 2.  Do-Not-Call Registries  5.54
      • 3.  Federal Prohibitions Against Telemarketing: Telephone Consumer Protection Act (TCPA) and Telemarketing and Consumer Fraud Protection Act  5.55
        • a.  Application of TCPA
          • (1)  Prohibitions and Exceptions  5.56
          • (2)  Who Is a Caller  5.56A
          • (3)  What Constitutes the Required “Consent”  5.56B
          • (4)  Established Business Relationship  5.56C
          • (5)  “Dual Purpose” Calls  5.56D
          • (6)  Withdrawal of Consent to Receive Text Messages  5.56E
          • (7)  Do-Not-Call Registry  5.56F
        • b.  Automated Calls  5.56G
        • c.  Compliance Requirements  5.57
        • d.  Enforcement  5.58
        • e.  Effect on State Laws  5.59
      • 4.  California’s Do-Not-Call Law
        • a.  Prohibited Activities  5.60
        • b.  Exceptions  5.61
        • c.  Enforcement  5.62
    • C.  Prerecorded Phone Calls  5.63
    • D.  Do-Not-Fax Laws
      • 1.  TCPA Prohibitions Against Unsolicited Faxes  5.64
      • 2.  California’s Unsolicited Fax Law
        • a.  Prohibited Activities  5.65
        • b.  Exceptions  5.66
    • E.  Marketing to Children
      • 1.  Federal Restrictions on Internet Collection and Use of Information From Children Under Age 13  5.67
      • 2.  California Restrictions on Use of Information From Children Under Age 16  5.68
      • 3.  California’s Privacy Rights for Minors in the Digital World Law  5.68A
      • 4.  Verification of Legal Age for Purchases  5.68B
    • F.  Child Registries in Other States  5.69
  • V.  TRANSFER OF INFORMATION  5.70
    • A.  California’s “Shine the Light” Law  5.71
      • 1.  Intent and Coverage of Law; Compliance Considerations  5.72
      • 2.  California Businesses Subject to Law  5.73
      • 3.  Out-of-State Businesses Subject to Law  5.74
      • 4.  Simplest Means of Compliance: Opt-In/Opt-Out Customer Rights  5.75
      • 5.  Definitions and Application of Law
        • a.  “Personal Information” Defined  5.76
        • b.  “Customer” and “Established Business Relationship” Defined  5.77
        • c.  “Disclosure” to “Third Parties” Defined  5.78
        • d.  “Direct Marketing Purposes” Defined  5.79
      • 6.  Exclusions and Exceptions to Law  5.80
      • 7.  Joint Collection of Personal Information  5.81
      • 8.  Individuals Entitled to Request Information-Sharing Statement  5.82
      • 9.  Making and Responding to Request for Information-Sharing Disclosure  5.83
        • a.  Obligation of Businesses to Designate Means for Making Requests
          • (1)  Designating Contact Points for Customers to Submit Requests  5.84
          • (2)  Publicizing Contact Points; Three Alternatives  5.85
          • (3)  Advantages of Second Alternative for Publicizing Contact Points  5.86
        • b.  Content of Information-Sharing Disclosure  5.87
        • c.  Format of Information-Sharing Disclosure Statement
          • (1)  Two Sets of Data  5.88
          • (2)  Categories of Personal Information  5.89
          • (3)  Information About Third Parties  5.90
        • d.  Form: Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities  5.91
        • e.  Special Rule for Disclosures to Certain Affiliated Entities  5.92
        • f.  Form: Sample Information-Sharing Disclosure Statement; Affiliated Entities  5.93
        • g.  Delivery and Timing of Responses to Customer Requests for Information-Sharing Disclosure Statements  5.94
      • 10.  Penalties  5.95
    • B.  California Insurance Information and Privacy Protection Act  5.96

6

Financial Data Privacy

  • I.  SCOPE OF CHAPTER  6.1
  • II.  GRAMM-LEACH-BLILEY ACT (GLBA)  6.2
    • A.  Explanation of GLBA
      • 1.  Mandates of GLBA  6.3
      • 2.  Definitions Under GLBA  6.4
    • B.  Financial Privacy Rule (Notice to Consumers)  6.5
      • 1.  Safe Harbor Model Privacy Form  6.5A
      • 2.  Financial Institutions Must Give Notice  6.6
      • 3.  Required Contents of Notice  6.7
      • 4.  Sharing Information With Nonaffiliated Third Parties
        • a.  General Rule  6.8
        • b.  Exceptions
          • (1)  When Financial Institutions May Disclose NPI  6.9
          • (2)  Limits on Sharing Account Number  6.10
          • (3)  Limits on Reuse of Information  6.11
      • 5.  Customer Opt-Out Provisions  6.12
    • C.  Safeguards Rule  6.13
    • D.  Consequences of Failure to Comply With GLBA  6.14
  • III.  FAIR CREDIT REPORTING ACT (FCRA) AND FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)
    • A.  Purpose and General Requirements; Applicability  6.15
    • B.  Definitions  6.16
      • 1.  Definition of Consumer  6.17
      • 2.  Consumer Report
        • a.  Definition of “Consumer Report”  6.18
        • b.  Exceptions to Definition  6.19
      • 3.  Definition of Consumer Reporting Agency  6.20
      • 4.  Definition of Furnisher  6.20A
      • 5.  Definition of Accuracy  6.20B
      • 6.  Definition of Integrity  6.20C
      • 7.  Definition of Direct Dispute  6.20D
    • C.  Requirements for Furnishers  6.20E
    • D.  Requirements for Consumer Reporting Agencies
      • 1.  Permissible Purposes for Which Consumer Reporting Agencies May Furnish Consumer Reports  6.21
      • 2.  Restriction on Certain Information in Credit Reports  6.22
      • 3.  Prescreening; Opt-Out  6.23
      • 4.  Notice and Disclosure Requirements  6.24
        • a.  Notice to Furnishers and Users of Information  6.25
        • b.  Free Credit Reports; Required Disclosures to Consumers; Required Summary of Consumer Rights  6.26
        • c.  Disclosures to Government  6.27
      • 5.  Limitations on Medical Information in Consumer Reports  6.28
      • 6.  Additional Requirements for Credit Reporting Agencies  6.29
    • E.  Special Requirements for Investigative Consumer Reports  6.30
      • 1.  Person Requesting Investigative Consumer Report Must Make Disclosure  6.31
      • 2.  Restrictions on Information in Investigative Reports  6.32
    • F.  Identity Theft Prevention Requirements  6.33
    • G.  Use of Consumer Reports for Employment  6.34
    • H.  Limitations on Sharing Consumer Credit Information Among Affiliates  6.35
      • 1.  Sharing With Affiliates for Nonmarketing Purposes (Affiliate Sharing)  6.36
      • 2.  Sharing With Affiliates for Marketing Purposes (Affiliate Marketing)  6.37
    • I.  Requirements for Users of Consumer Reports That Take Adverse Action  6.38
    • J.  Requirements for Resellers of Consumer Reports  6.39
    • K.  Consumer Rights to Dispute Reported Information  6.40
    • L.  Disposal of Records  6.41
    • M.  FCRA Preemption of California Law  6.42
    • N.  Penalties and Remedies for FCRA Violations  6.43
    • O.  How Institutions Are Checked for FCRA Compliance  6.44
  • IV.  FEDERAL AND CALIFORNIA RIGHT TO FINANCIAL PRIVACY ACTS
    • A.  Federal Right to Financial Privacy Act  6.45
    • B.  California Right to Financial Privacy Act  6.46
  • V.  CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT
    • A.  Relation to GLBA; Definition of “Nonpublic Personal Information”  6.47
    • B.  Prohibitions on Disclosing Consumer Information to Nonaffiliates; Notice and Opt-Out Provisions  6.48
    • C.  Enforcement and Remedies  6.49
  • VI.  CONSUMER CREDIT REPORTING AGENCIES ACT (CCRAA) AND INVESTIGATIVE CONSUMER REPORTING AGENCIES ACT (ICRAA)
    • A.  Applicability of CCRAA and ICRAA  6.50
    • B.  Consumer Credit Reporting Agencies Act (CCRAA)  6.51
      • 1.  Summary of Major CCRAA Provisions  6.52
      • 2.  Remedies  6.53
    • C.  Investigative Consumer Reporting Agencies Act (ICRAA)  6.54
  • VII.  AREIAS CREDIT CARD FULL DISCLOSURE ACT OF 1986  6.55
  • VIII.  USA PATRIOT ACT  6.56
  • IX.  BANK SECRECY ACT (BSA) AND ITS ANTI-MONEY-LAUNDERING (AML) LAWS
    • A.  Explanation of BSA  6.57
    • B.  BSA Requirements
      • 1.  Records That Must Be Maintained by Financial Institutions  6.58
      • 2.  Transactions That Must Be Reported  6.59
      • 3.  Individual Reporting Obligations  6.60
      • 4.  Immunity From Liability for Disclosures  6.61
      • 5.  Penalties for Violating BSA Disclosure Rules  6.62
  • X.  BUSINESSES THAT HANDLE CREDIT AND DEBIT CARDS—PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)
    • A.  What Are the PCI DSS?  6.63
    • B.  Checklist: PCI DSS Requirements  6.64
    • C.  Payment Application Data Security Standard (PA-DSS)  6.65
    • D.  Payment Card Industry Forensic Investigator (PFI)  6.66

7

Health Information Privacy

Paul T. Smith

  • I.  SCOPE OF CHAPTER  7.1
  • II.  OVERVIEW: SOURCES OF LEGAL OBLIGATION TO KEEP HEALTH INFORMATION PRIVATE
    • A.  California Constitution  7.2
    • B.  Information Practices Act of 1977  7.3
    • C.  The California Consumer Privacy Act of 2018  7.3A
    • D.  California’s Confidentiality of Medical Information Act (CMIA)
      • 1.  Application of CMIA in General  7.4
      • 2.  Exemptions From CMIA for Certain Health Information  7.5
        • a.  Mental Health and Developmental Disability Information  7.6
        • b.  Public Health Services  7.7
        • c.  Substance Use Disorder Patient Records  7.8
        • d.  Information Concerning Communicable Diseases  7.9
        • e.  Other Information Exempt From the CMIA  7.10
    • E.  HIPAA Privacy Rule  7.11
      • 1.  Application of HIPAA Privacy Rule in General  7.12
      • 2.  HIPAA Preemption Scheme  7.13
      • 3.  The COVID-19 Pandemic  7.13A
    • F.  The Health Information Technology for Economic and Clinical Health Act (HITECH Act)  7.13B
    • G.  The 21st Century Cures Act  7.13C
    • H.  Laws Governing Specific Health Information  7.14
    • I.  Laws Governing the Use of Health Information in Research  7.14A
    • J.  Laws Governing Security of Health Information
      • 1.  HIPAA Security Standards  7.15
      • 2.  The HITECH Act’s Notice of Security Breach Requirements  7.15A
        • a.  Definition of “Breach”  7.15B
        • b.  Timing of Notice of Breach  7.15C
        • c.  Contents of Notice of Breach  7.15D
        • d.  Who Must Be Notified and Manner of Notice  7.15E
        • e.  Preemption  7.15F
      • 3.  FACTA Red Flags Rule  7.15G
      • 4.  California Health Information Security and Breach Notification Laws  7.16
  • III.  COVERED ENTITIES  7.17
    • A.  Entities Covered Under Confidentiality of Medical Information Act (CMIA)
      • 1.  Certain Health Care Professionals and Institutional Health Care Providers  7.18
      • 2.  Certain Health Plans  7.19
      • 3.  Certain Contractors of Health Professionals and Health Plans  7.20
      • 4.  Health Record Providers  7.21
      • 5.  Employers  7.22
      • 6.  Certain Recipients of Health Information  7.23
    • B.  Entities Covered Under HIPAA Privacy Rule
      • 1.  Health Care Providers  7.24
      • 2.  Health Plans  7.25
      • 3.  Health Care Clearinghouses  7.26
      • 4.  Medicare Part D Drug Card Sponsors  7.27
    • C.  Comparison: Covered Entities Under CMIA and HIPAA  7.28
  • IV.  PROTECTED INFORMATION
    • A.  Individually Identifiable Health Information  7.29
    • B.  Deidentified Information  7.30
      • 1.  Deidentified Information Under HIPAA Privacy Rule
        • a.  Deidentification Methods  7.31
        • b.  Contractor May Deidentify Information  7.32
      • 2.  CMIA  7.33
      • 3.  California Consumer Privacy Act of 2018 (CCPA)  7.33A
    • C.  Limited Data Set  7.34
    • D.  No Disclosure or Use of Protected Health Information Unless Required or Permitted  7.35
      • 1.  HIPAA Privacy Rule  7.36
      • 2.  Under the CMIA  7.37
  • V.  REQUIRED DISCLOSURE OF HEALTH INFORMATION  7.38
    • A.  On Individual’s Proper Request  7.39
    • B.  To Ascertain Privacy Rule Compliance  7.40
    • C.  When Required by Law  7.41
    • D.  Information Blocking Under the 21st Century Cures Act  7.41A
    • E.  California Health and Human Services Data Exchange Framework  7.41B
  • VI.  PERMITTED DISCLOSURES OF HEALTH INFORMATION
    • A.  Disclosure Required by Law  7.42
    • B.  Treatment  7.43
    • C.  Facility Directories
      • 1.  HIPAA Privacy Rule  7.44
      • 2.  CMIA  7.45
    • D.  Disclosure to Friends and Family  7.46
    • E.  Notification and Disaster Relief  7.47
    • F.  Payment  7.48
    • G.  Health Care Operations
      • 1.  The Covered Entity’s Operations
        • a.  HIPAA Privacy Rule  7.49
        • b.  CMIA  7.50
      • 2.  The Recipient’s Operations  7.51
    • H.  Marketing  7.52
      • 1.  HIPAA Privacy Rule and Marketing  7.53
      • 2.  CMIA and Marketing  7.54
    • I.  Fundraising
      • 1.  HIPAA Privacy Rule on Fundraising  7.55
      • 2.  CMIA on Fundraising  7.56
    • J.  Research
      • 1.  HIPAA Privacy Rule on Research  7.57
        • a.  Research Defined  7.58
        • b.  When Authorization Not Necessary  7.59
      • 2.  CMIA on Research  7.60
    • K.  Judicial and Administrative Proceedings  7.61
      • 1.  Use by Covered Entity  7.62
      • 2.  Third Party Legal Proceedings
        • a.  Under Court Order  7.63
        • b.  Without Court Order  7.64
          • (1)  HIPAA Privacy Rule  7.65
          • (2)  CMIA: Notice to Consumer  7.66
    • L.  Disclosure for Public Health Activities
      • 1.  HIPAA Privacy Rule on Public Health Activities  7.67
      • 2.  CMIA on Public Health Activities  7.68
    • M.  Victims of Abuse
      • 1.  HIPAA Privacy Rule on Abuse  7.69
      • 2.  California Law on Abuse  7.70
    • N.  Health Oversight Activities
      • 1.  HIPAA Privacy Rule on Oversight Activities  7.71
      • 2.  CMIA on Oversight Activities  7.72
    • O.  Law Enforcement Purposes
      • 1.  HIPAA Privacy Rule on Disclosure for Law Enforcement  7.73
      • 2.  California Law on Disclosure for Law Enforcement  7.74
    • P.  Decedents  7.75
    • Q.  Organ Procurement  7.76
    • R.  Imminent Threat to Health or Safety
      • 1.  HIPAA Privacy Rule on Imminent Threat  7.77
      • 2.  California Law on Imminent Threat  7.78
    • S.  Specialized Government Functions  7.79
  • VII.  PROHIBITION ON SALE OF HEALTH RECORDS OR PROTECTED HEALTH INFORMATION UNDER HIPAA PRIVACY RULE  7.79A
  • VIII.  VERIFICATION REQUIREMENTS UNDER HIPAA PRIVACY RULE  7.80
  • IX.  DISCLOSURES REQUIRING AUTHORIZATION UNDER HIPAA PRIVACY RULE
    • A.  When Authorization Is Required  7.81
      • 1.  Conditioning Benefits on Authorization  7.82
      • 2.  Revoking Authorization  7.83
      • 3.  Keeping Authorization  7.84
    • B.  Authorization Requirements  7.85
      • 1.  Required Elements Under HIPAA Privacy Rule and CMIA  7.86
      • 2.  Additional Considerations  7.87
    • C.  Form: General Authorization for the Use and/or Disclosure of Protected Health Information  7.88
  • X.  SPECIALLY PROTECTED INFORMATION UNDER HIPAA PRIVACY RULE  7.89
    • A.  Mental Health Information  7.90
    • B.  Information on Persons With Developmental Disabilities  7.91
    • C.  Information Concerning HIV/AIDS Testing  7.92
    • D.  Genetic Testing Information
      • 1.  California Law
        • a.  Genetic Information Privacy Act  7.92A
        • b.  Hereditary Disorders Act  7.92B
      • 2.  Federal Law  7.92C
    • E.  Substance Use Disorder Patient Records
      • 1.  Federal Regulations  7.93
        • a.  When Federal Regulations Apply  7.94
        • b.  Information Covered  7.94A
        • c.  Disclosure Requirements  7.95
        • d.  When Disclosure Is Permitted Without Patient’s Written Consent  7.96
        • e.  When Disclosure Requires Patient’s Written Consent  7.96A
        • f.  Preemption  7.97
        • g.  CARES Act Amendments  7.97A
      • 2.  California Law  7.98
    • F.  Psychotherapy Notes and Services
      • 1.  HIPAA Privacy Rule  7.99
      • 2.  California Law  7.100
  • XI.  SPECIAL RULES
    • A.  Personal Representatives
      • 1.  HIPAA Privacy Rule  7.101
      • 2.  California Law  7.102
    • B.  Incidental Disclosures  7.103
    • C.  Minimum Necessary Disclosure  7.104
    • D.  Disclosure to Contractors
      • 1.  CMIA Regulation of Medical Information Recipients  7.105
      • 2.  Business Associates Under HIPAA and HITECH Act  7.106
        • a.  When Business Associate Contract Is Required  7.107
        • b.  Who Are Not Business Associates  7.108
        • c.  Requirements for HIPAA Business Associate Contract  7.109
        • d.  Form: Sample Business Associate Agreement  7.109A
    • E.  Employers and Group Health Plans
      • 1.  Disclosure of Protected Health Information by Covered Entity to Individual’s Employer  7.110
      • 2.  Use and Disclosure of Employment Records Containing Health Information  7.111
    • F.  Health Insurers  7.112
  • XII.  INDIVIDUAL RIGHTS  7.113
    • A.  Notice of Privacy Practices Under HIPAA Privacy Rule  7.114
      • 1.  Provision of Notice
        • a.  When and Where Notice Must Be Provided  7.115
        • b.  Joint Notice  7.116
        • c.  Retention  7.117
      • 2.  Content of Notice  7.118
      • 3.  Revisions to Notice  7.119
    • B.  Right to Access and Copy  7.120
      • 1.  To Which Records Does Right Apply?  7.121
      • 2.  What Must Provider Supply?  7.122
      • 3.  Access to Electronic Health Records  7.122A
      • 4.  Third Party Recipient  7.122B
      • 5.  Attorney’s Access to Client Health Records  7.122C
      • 6.  Denial of Access
        • a.  HIPAA Privacy Rule  7.123
        • b.  California Law  7.124
    • C.  Right to Amend  7.125
      • 1.  HIPAA Privacy Rule  7.126
      • 2.  California Law  7.127
    • D.  Right to Accounting of Disclosures  7.128
    • E.  Right to Request Additional Restrictions  7.129
    • F.  Right to Confidential Communications  7.130
  • XIII.  COMPLEX ORGANIZATIONS  7.130A
    • A.  Affiliated Covered Entities  7.130B
    • B.  Hybrid Entities   7.130C
    • C.  Organized Health Arrangements  7.130D
  • XIV.  ADMINISTRATIVE REQUIREMENTS OF HIPAA PRIVACY RULE  7.131
    • A.  Personnel, Policies, and Training  7.132
    • B.  Safeguards and Protections  7.133
    • C.  Documentation  7.134
  • XV.  ENFORCEMENT
    • A.  HIPAA Privacy Rule Enforcement  7.135
    • B.  CMIA Enforcement  7.136

8

Workplace Privacy

Ronald J. Souza

  • I.  SCOPE OF CHAPTER  8.1
  • II.  BASIC SOURCES OF EMPLOYEE PRIVACY RIGHTS
    • A.  Constitutions
      • 1.  State Constitution  8.2
      • 2.  Federal Constitution  8.3
    • B.  Statutes  8.4
    • C.  Common Law  8.5
    • D.  Contractual Provisions  8.6
  • III.  PRE-EMPLOYMENT AND OTHER INQUIRIES  8.7
    • A.  Inquiries Into Areas Protected by Fair Employment Laws
      • 1.  Statutory Provisions  8.8
      • 2.  Inquiries in General  8.9
      • 3.  Inquiries About Mental or Physical Condition Before Offer Is Made  8.10
    • B.  Inquiries Into Other Protected Areas
      • 1.  Politics  8.11
      • 2.  Union Activity  8.12
    • C.  Inquiries About Criminal History  8.13
      • 1.  Convictions and Arrests  8.14
      • 2.  Specified Marijuana-Related Convictions  8.15
      • 3.  Convictions Older Than 7 Years (CC §1786.18(a)(7))  8.16
      • 4.  Particular Employers
        • a.  Community Care Facilities  8.17
        • b.  Health Care Facilities  8.18
        • c.  Banks  8.18A
  • IV.  BACKGROUND AND CREDIT CHECKS  8.19
    • A.  Federal: Fair Credit Reporting Act  8.20
      • 1.  Notice of Intent to Request Consumer Report  8.21
      • 2.  Notice of Intent to Request “Investigative Consumer Report”  8.22
      • 3.  Notice of Adverse Action  8.23
      • 4.  Exception for Employee Misconduct and Other Investigations  8.24
      • 5.  Consequences of Failure to Comply With Fair Credit Reporting Act  8.25
      • 6.  Protecting Consumer Report Information From Disclosure  8.26
    • B.  State: Consumer Credit Reporting Agencies Act and Investigative Consumer Reporting Agencies Act  8.27
      • 1.  Consumer Credit Report Notice Requirement  8.28
      • 2.  Investigative Consumer Report Notice Requirement  8.29
      • 3.  When Employer (Not Agency) Assembles Public Record Information  8.30
      • 4.  Limits on Information That May Be Reported  8.31
      • 5.  Notice of Adverse Action  8.32
      • 6.  Exception From Notice Requirement for Employee Misconduct Investigations  8.33
      • 7.  Consequences of Violation  8.34
  • V.  MEDICAL INFORMATION
    • A.  Medical Examination Before Employment but After Offer  8.35
    • B.  Fitness-for-Duty Exams  8.36
    • C.  AIDS Testing and Inquiry  8.37
    • D.  Psychological Testing
      • 1.  Pre-Offer  8.38
      • 2.  Post-Offer; Return to Work  8.39
      • 3.  Interplay With Confidentiality of Medical Information Act  8.40
    • E.  Genetic Information  8.41
    • F.  Information About Disabilities
      • 1.  During Application Process  8.42
      • 2.  Reasonable Accommodation  8.43
    • G.  Drug Testing  8.44
      • 1.  Pre-Employment  8.45
      • 2.  After Hiring  8.46
    • H.  Information About Alcohol, Drug, and Tobacco Use
      • 1.  In General  8.47
      • 2.  Accommodation for Rehabilitation Treatment  8.48
    • I.  Serious Health Conditions Under FMLA  8.48A
    • J.  Considerations During COVID-19 Pandemic  8.48B
  • VI.  POLYGRAPHS, FINGERPRINTS, PHOTOGRAPHS, AND OTHER INFORMATION
    • A.  Lie Detector Tests (Polygraphs)  8.49
      • 1.  Federal Law  8.50
      • 2.  State Law  8.51
    • B.  Voice Stress Analysis  8.52
    • C.  Intelligence Tests  8.53
    • D.  Fingerprints and Photographs  8.54
      • 1.  Fingerprints  8.55
      • 2.  Photographs  8.56
      • 3.  Protecting Fingerprints and Photographs From Disclosure  8.57
  • VII.  WORKPLACE MONITORING AND EMPLOYEE SURVEILLANCE
    • A.  Monitoring Electronic Communications  8.58
      • 1.  Federal Eavesdropping Law  8.59
        • a.  Ordinary Course of Business  8.60
        • b.  Express or Implied Consent  8.61
        • c.  Stored E-Mail; Text Messages  8.62
        • d.  Consequence for Violation  8.63
      • 2.  State Eavesdropping Law  8.64
        • a.  Prohibited Forms of Eavesdropping  8.65
        • b.  Consequences for Violation  8.66
      • 3.  Monitoring Internet Use
        • a.  Accessing Websites on Company Computer  8.67
        • b.  Employee Use of Personal E-Mail Account at Work  8.67A
        • c.  Off-Duty Internet Activity  8.67B
        • d.  Social Networking
          • (1)  Employee Use of Social Networks  8.67C
          • (2)  Employer Use of Social Networks for Information on Job Applicants  8.67D
        • e.  Inadvertent Disclosure of Privileged Information  8.67E
    • B.  Workplace Surveillance
      • 1.  Surveillance of Restrooms and Similar Areas  8.68
      • 2.  Surveillance of Public and Work Areas  8.69
      • 3.  Tracking Devices  8.70
    • C.  Off-Duty Surveillance  8.71
    • D.  Undercover Shoppers  8.72
    • E.  Form: Sample Electronic Information Systems Policy  8.73
  • VIII.  WORKPLACE INVESTIGATIONS
    • A.  Employer Obligation to Investigate  8.74
    • B.  Workplace Searches  8.75
      • 1.  Offices and Other Work Spaces  8.76
      • 2.  Physical Searches of Employees  8.77
    • C.  Interrogations  8.78
    • D.  Best Practices When Conducting Workplace Investigations  8.79
  • IX.  LIFESTYLE REGULATION  8.80
    • A.  Workplace Conduct  8.81
    • B.  Family Relationships  8.82
    • C.  Nonfraternization Policies  8.83
    • D.  Personal Appearance  8.84
    • E.  Workplace Discussions  8.85
    • F.  Conflict of Interest  8.86
    • G.  Off-Duty Conduct  8.86A
  • X.  EMPLOYERS’ RESPONSIBILITIES REGARDING HANDLING OF INFORMATION
    • A.  Social Security Numbers  8.87
    • B.  Other Personal Information  8.88
      • 1.  Fingerprints and Photographs  8.89
      • 2.  Employee Entering Rehabilitation for Drug and Alcohol Abuse  8.90
    • C.  Disclosure to Third Parties  8.91
      • 1.  References  8.92
      • 2.  Responding to Subpoenas  8.93
      • 3.  Discussing Employee’s Termination  8.94
    • D.  Medical Information Confidentiality
      • 1.  ADA/FMLA  8.95
      • 2.  California Confidentiality of Medical Information Act (CMIA)  8.96
      • 3.  Health Insurance Portability and Accountability Act (HIPAA)  8.97
    • E.  Personnel Files  8.98
    • F.  Immigration Status and Inspections by Immigration Enforcement Agents  8.98A
  • XI.  LITIGATING WORKPLACE PRIVACY ISSUES  8.99

9

International Personal Data Protection and Cross-Border Data Transfers

Françoise Gilbert

Jeewon K. Serrato

Nichole L. Sterling

  • I.  SCOPE OF CHAPTER  9.1
  • II.  CHALLENGES OF GLOBAL PRIVACY COMPLIANCE
    • A.  Understanding Data Protection Laws of Other Countries  9.2
    • B.  When Other Country Has No Data Protection Laws  9.3
  • III.  THE EUROPEAN UNION DATA PROTECTION FRAMEWORK
    • A.  Historical Background  9.3A
    • B.  Initial EU Data Protection Framework  9.4
    • C.  EU Data Protection Reform  9.5
    • D.  Other Relevant Developments  9.5A
    • E.  Countries Adhering to EU Directives and Regulations [Deleted]  9.6
    • F.  Purpose of EU 1995 Data Protection Directive [Deleted]  9.7
  • IV.  THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR)
    • A.  Objectives  9.8
    • B.  Material Scope  9.9
    • C.  Territorial Scope
      • 1.  Entities Established in EU  9.10
      • 2.  Entities Established Outside EU  9.11
      • 3.  Main Establishment of Controller or Processor  9.12
      • 4.  EU Representative  9.13
    • D.  Definitions
      • 1.  Data Subject  9.14
      • 2.  Data Controller  9.15
      • 3.  Data Processor  9.16
      • 4.  Data Protection Officer  9.17
      • 5.  Supervisory Authority  9.18
      • 6.  European Data Protection Board (EDPB)  9.19
      • 7.  European Data Protection Supervisor (EDPS)  9.20
    • E.  Principles Relating to the Processing of Personal Data
      • 1.  General Principles   9.21
      • 2.  Lawfulness of Processing
        • a.  Conditions for Lawfulness  9.22
        • b.  Consent as Basis for Lawful Processing  9.23
        • c.  Processing for Performance of a Contract  9.24
        • d.  Processing to Comply With Legal Obligation of Controller  9.25
        • e.  Processing for Legitimate Interest of Controller  9.26
        • f.  Processing of Special Categories of Data  9.27
        • g.  Conditions Applicable to Child’s Consent  9.28
    • F.  Rights of Data Subjects
      • 1.  General Rights  9.29
      • 2.  Right of Erasure or Right to Be Forgotten [Deleted]  9.30
    • G.  Obligations of Data Controllers
      • 1.  General Responsibilities of Data Controllers  9.31
      • 2.  Data Protection by Design  9.32
      • 3.  Data Protection by Default  9.33
      • 4.  Data Controllers’ Obligations Regarding Exercise of Data Subjects’ Rights  9.34
      • 5.  Data Controller’s Obligations Related to Right to Be Forgotten [Deleted]  9.35
      • 6.  Joint Controllers  9.36
      • 7.  Recordkeeping Requirements for Data Controllers  9.37
      • 8.  Cooperation With Supervisory Authority  9.38
    • H.  Obligations of Processors: Recordkeeping Requirements  9.39
    • I.  Engaging a Data Processor or Subprocessor  9.40
      • 1.  Written Contract Required  9.41
      • 2.  No Further Processing Permitted  9.42
      • 3.  Use of Subprocessors; Controller’s Prior Consent Required  9.43
    • J.  Security of Personal Data
      • 1.  Technical and Organizational Measures Required  9.44
      • 2.  Breach of Security  9.45
        • a.  Notification of the Supervisory Authority by the Data Controller  9.45A
        • b.  Breach Affecting Data Processor  9.46
        • c.  Notification to Data Subjects by Data Controller  9.47
    • K.  Data Protection Impact Assessment
      • 1.  When Data Protection Impact Assessment Is Required  9.48
      • 2.  Content of Assessment  9.49
      • 3.  Prior Consultation of Supervisory Authority  9.50
    • L.  Data Protection Officer
      • 1.  Entities Required to Appoint Data Protection Officer  9.51
      • 2.  Qualifications of a Data Protection Officer  9.52
      • 3.  Status of Data Protection Officer  9.53
      • 4.  Tasks of Data Protection Officer  9.54
    • M.  Cross-Border Data Transfers [Deleted]  9.55
      • 1.  Transfers With Adequacy Decision [Deleted]  9.56
      • 2.  Transfers by Way of Appropriate Safeguards [Deleted]  9.57
        • a.  Safeguards That Do Not Require Authorization [Deleted]  9.58
        • b.  Safeguards That Require Authorization [Deleted]  9.59
      • 3.  Transfers by Way of Binding Corporate Rules [Deleted]  9.60
      • 4.  Transfers or Disclosures in Context of Litigation [Deleted]  9.61
      • 5.  Derogations for Specific Situations [Deleted]  9.62
    • N.  Remedies
      • 1.  Right to Lodge Complaint With Supervisory Authority  9.63
      • 2.  Right to Effective Judicial Remedy Against Supervisory Authority  9.64
      • 3.  Right to an Effective Judicial Remedy Against Controller or Processor  9.65
      • 4.  Right of Data Subjects to Mandate Not-for-Profit Organizations to Lodge Complaints on Their Behalf  9.66
      • 5.  Right to Compensation and Liability  9.67
        • a.  Administrative Fines
          • (1)  General Conditions for Imposing Administrative Fines  9.68
          • (2)  Amount of Administrative Fines  9.69
            • (a)  10 Million Euros or 2 Percent Annual Turnover Fines   9.70
            • (b)  20 Million Euros or 4 Percent Annual Turnover Fines  9.71
        • b.  Other Fines and Penalties   9.72
    • O.  Codes of Conduct and Certification   9.73
    • P.  Supervisory Authority  9.74
      • 1.  Tasks of Supervisory Authorities  9.75
      • 2.  Investigative Powers of Supervisory Authorities  9.76
      • 3.  Corrective Powers of Supervisory Authorities  9.77
      • 4.  Authorization and Advisory Powers of Supervisory Authorities  9.78
      • 5.  Cooperation With Other Supervisory Authorities  9.79
      • 6.  Lead Supervisory Authority
        • a.  Designation of Lead Supervisory Authority  9.80
        • b.  Cooperation Between Lead Supervisory Authority and Other Concerned Supervisory Authorities  9.81
    • Q.  Establishment and Duties of EDPB  9.82
    • R.  Do Not Expect Uniformity in GDPR  9.83
  • V.  CROSS-BORDER DATA TRANSFERS
    • A.  Cross-Border Data Transfers Generally  9.83A
    • B.  Transfers With Adequacy Decision  9.83B
    • C.  EU-U.S. Trans-Atlantic Personal Data Transfers
      • 1.  Background  9.83C
      • 2.  Overview  9.84
      • 3.  Self-Certification Process  9.85
      • 4.  Enforcement and Dispute Resolution  9.86
    • D.  Transfers by Way of Appropriate Safeguards  9.86A
      • 1.  Safeguards That Do Not Require Authorization  9.86B
      • 2.  Safeguards That Require Authorization  9.86C
    • E.  Standard Contractual Clauses (SCCs)  9.87
    • F.  Transfers Using Binding Corporate Rules (BCRs)  9.88
      • 1.  Requirements of BCRs  9.89
      • 2.  Supervisory Authority Cooperation Procedure  9.90
      • 3.  Additional Guidance for Preparation of BCRs  9.91
      • 4.  BCRs for Data Processors  9.92
      • 5.  Transfers or Disclosures in Context of Court Orders  9.92A
      • 6.  Derogations for Specific Situations  9.92B
    • G.  Cloud Computing in the EU  9.93
  • VI.  THE EUROPEAN UNION 2002 PRIVACY AND ELECTRONIC COMMUNICATIONS DIRECTIVE
    • A.  Recent Developments   9.94
    • B.  Purpose and Scope of 2002 Privacy and Electronic Communications Directive  9.95
    • C.  Unsolicited Commercial Messages
      • 1.  Automatic Calling Machines, Email, and Text Messages  9.96
      • 2.  Personal Telephone Calls and Other Communications  9.97
      • 3.  Identification of Email Sender and Promotions, Contests, and Games  9.98
      • 4.  Right of Action for Electronic Communications Service Providers  9.99
    • D.  Cookies and Tracking Technologies  9.100
    • E.  Traffic Data  9.101
    • F.  Nonitemized Billing  9.102
    • G.  Blocking Caller Identification  9.103
    • H.  Location Data  9.104
    • I.  Confidentiality and Security
      • 1.  Confidentiality  9.105
      • 2.  Security  9.106
    • J.  Public Directories  9.107
  • VII.  SELECTED INTERNATIONAL DATA PROTECTION LAWS OUTSIDE THE EUROPEAN UNION
    • A.  The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
      • 1.  Overview of APEC  9.108
      • 2.  Purpose and Scope of APEC Privacy Framework
        • a.  Purpose  9.109
        • b.  Scope  9.110
      • 3.  APEC Privacy Framework’s Information Privacy Principles  9.111
        • a.  Preventing Harm  9.112
        • b.  Notice  9.113
        • c.  Limitation on Collection  9.114
        • d.  Limitation on Use  9.115
        • e.  Choice  9.116
          • (1)  When Appropriate  9.117
          • (2)  Special Categories of Personal Information  9.118
        • f.  Integrity of Personal Information  9.119
        • g.  Security Safeguards  9.120
        • h.  Access and Correction  9.121
        • i.  Accountability  9.122
      • 4.  Enforcement  9.123
      • 5.  APEC Data Privacy Pathfinder and Cross-Border Privacy Rules (CBPRs)  9.124
      • 6.  Relationship With Other Countries  9.125
    • B.  Australia’s Privacy Act 1988
      • 1.  Purpose and Scope  9.126
      • 2.  Australian Privacy Principles (APP)
        • a.  Collection  9.127
        • b.  Use and Disclosure of Data  9.128
        • c.  Data Quality and Data Security  9.129
        • d.  Openness  9.130
        • e.  Access and Correction  9.131
        • f.  Identifiers and Anonymity  9.132
        • g.  Transfers out of Australia  9.133
        • h.  Sensitive Information  9.134
      • 3.  Supervision, Enforcement, and Penalties  9.135
      • 4.  Other Provisions  9.136
      • 5.  Security Breach Notification  9.137
    • C.  Brazil  9.137A
    • D.  Canada’s Personal Information Protection and Electronic Documents Act  9.138
      • 1.  Scope of Coverage  9.139
      • 2.  Data Collection and Use  9.140
      • 3.  Rights of the Individual  9.141
      • 4.  Confidentiality, Security, and Third Party Transfer  9.142
      • 5.  Supervision; Enforcement  9.143
    • E.  Canada’s Anti-Spam Law  9.144
    • F.  PIPEDA and Canada’s Security Breach Disclosure Law  9.144A
    • G.  Canada’s Digital Charter Implementation Act, 2020 to Enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act  9.144B
    • H.  China  9.145
      • 1.  Chinese Laws Protecting Personal Information  9.146
      • 2.  Chinese Cybersecurity and Data Security Laws  9.147
    • I.  Hong Kong’s Personal Data Ordinance  9.148
      • 1.  Scope of Coverage  9.149
      • 2.  Data Collection, Accuracy, Retention, and Use  9.150
      • 3.  Security, Availability, and Access  9.151
      • 4.  Transfers of Data to Third Parties  9.152
      • 5.  Supervision and Enforcement  9.153
      • 6.  Use of Personal Data in Direct Marketing  9.154
      • 7.  Offenses  9.155
    • J.  India  9.156
      • 1.  Indian Privacy Rules  9.157
      • 2.  Other Relevant Law  9.158
    • K.  Japan’s Act on the Protection of Personal Information  9.159
      • 1.  Data Collection, Use, and Security  9.160
      • 2.  Rights of the Individual  9.161
      • 3.  Transfers to Third Parties and Transfers Outside Japan  9.162
      • 4.  Supervision and Enforcement  9.163
    • L.  Mexico  9.164
      • 1.  Definitions and Data Collected  9.165
      • 2.  Notice and Security  9.166
      • 3.  International Data Transfers  9.167
      • 4.  Enforcement of Right to Data Protection  9.168
    • M.  Philippines
      • 1.  Data Privacy Act  9.169
        • a.  Principles of Data Privacy Act  9.170
        • b.  Security, Availability, and Access  9.171
      • 2.  Cybercrime Prevention Act  9.172
    • N.  Republic of Korea  9.173
    • O.  Singapore  9.174
      • 1.  Data Collection, Retention, and Use  9.175
      • 2.  Security, Availability, and Access  9.176
      • 3.  Breach of Security  9.176A
        • a.  Requirement to Conduct Assessment of Data Breach  9.176B
        • b.  Notification to the PDPC  9.176C
        • c.  Data Breach Affecting Data Processor  9.176D
        • d.  Notification to Affected Individuals  9.176E
      • 4.  Supervision and Enforcement  9.177
    • P.  Taiwan—Republic of China  9.178
    • Q.  United Kingdom  9.179

10

Identity Theft

Matthew J. Cooney

Robert V. Hale II

  • I.  SCOPE OF CHAPTER  10.1
  • II.  IDENTITY THEFT DEFINED
    • A.  Use of Identifying Information of Another  10.2
    • B.  Types of Identity Theft
      • 1.  Financial Identity Theft  10.3
        • a.  Financial Identity Theft That Appears on Credit Reports  10.4
        • b.  Financial Identity Theft That Does Not Appear on Credit Reports  10.5
      • 2.  Criminal Identity Theft  10.6
      • 3.  Identity Cloning  10.7
      • 4.  Cyber Identity Theft  10.8
      • 5.  Business Identity Theft  10.9
      • 6.  Medical Identity Theft  10.9A
  • III.  HOW DOES IDENTITY THEFT OCCUR?  10.10
    • A.  Nonelectronic  10.11
    • B.  Electronic  10.12
  • IV.  FEDERAL IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES
    • A.  Identity Theft Assumption and Deterrence Act  10.13
    • B.  Identity Theft Penalty Enhancement Act  10.14
    • C.  Gramm-Leach-Bliley Act  10.15
    • D.  Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)  10.16
      • 1.  Free Credit Reports  10.17
      • 2.  Fraud Alerts  10.18
      • 3.  Credit Card Truncation  10.19
      • 4.  Blocking Identity Theft-Related Information  10.20
      • 5.  Coordination of Identity Theft Investigations  10.21
      • 6.  Heightened Standard of Accuracy for Furnishers  10.22
      • 7.  Furnisher Obligation to Prevent “Repollution”  10.23
      • 8.  Duty of Furnishers to Provide Transaction Information  10.24
      • 9.  Consumer Right to Dispute Accuracy With Furnisher  10.25
      • 10.  Prohibition on Resale of Identity Theft-Related Debts  10.26
      • 11.  Debt Collector Duty to Notify Creditor of Identity Theft  10.27
      • 12.  Red Flags Rule  10.28
      • 13.  Address Discrepancy Rule  10.29
      • 14.  Card Issuers Rule  10.30
      • 15.  Remedies  10.31
    • E.  Driver’s Privacy Protection Act  10.32
    • F.  Federal Trade Commission Act
      • 1.  FTC Prohibition Against Unfair or Deceptive Business Practices  10.33
      • 2.  FTC Enforcement Actions  10.34
    • G.  Health Insurance Portability and Accountability Act  10.35
  • V.  CALIFORNIA IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES  10.36
    • A.  Criminal Laws
      • 1.  Improper Use of Personal Information  10.37
      • 2.  Impersonation  10.38
      • 3.  Crimes Related to Fraudulent Documentation  10.39
      • 4.  Racketeering  10.40
      • 5.  Criminal Statute of Limitations  10.41
      • 6.  Clearing an Identity Theft Victim’s Name  10.42
    • B.  Civil Laws
      • 1.  Laws Applicable to California Businesses Generally
        • a.  Business Duty to Protect Information  10.43
        • b.  Prohibited Uses of Social Security Numbers
          • (1)  When Businesses May Not Use Social Security Numbers  10.44
          • (2)  Other Prohibitions on Use of Social Security Numbers  10.45
          • (3)  Federal Prohibitions Applicable to California Businesses  10.45A
        • c.  Disposal Law  10.46
        • d.  Anti-Phishing Act  10.47
        • e.  Consumer Protection Against Computer Spyware Act  10.48
        • f.  Security Breach Notification Law  10.49
        • g.  Financial Information Privacy Act  10.50
        • h.  Notification of Disclosures for Business Information Sharing: “Shine the Light” Law  10.51
        • i.  Unfair and Deceptive Practices  10.52
      • 2.  Laws Applicable to Credit Reporting Agencies and Furnishers and Users of Credit Reports: The California Consumer Credit Reporting Agencies Act (CCRAA)  10.53
        • a.  Preemption by Federal Law  10.54
        • b.  Permitted Disclosure of Credit Reports  10.55
        • c.  Credit Information for Transactions Not Initiated by the Consumer  10.56
        • d.  Reasonable Procedures Required Before Releasing Consumer Credit Information  10.57
        • e.  Security Alert  10.58
        • f.  Security Freeze
          • (1)  Placing and Lifting a Security Freeze  10.59
          • (2)  When Security Freeze Does Not Apply  10.60
          • (3)  Credit Reporting Agency’s Obligations When Freeze in Place  10.61
        • g.  Blocking of Credit Information When Identity Theft Shown  10.62
        • h.  Notice of Rights  10.63
        • i.  Free Credit Reports  10.64
        • j.  Businesses’ Sales of Consumer Debt Resulting From Identity Theft  10.65
        • k.  Businesses’ Use of Credit Reports
          • (1)  Matching Credit Application Information With Consumer Credit Information  10.66
          • (2)  Honoring Identity Theft Notices  10.67
          • (3)  Remedies for Failure to Reconcile Credit Application Information or Failure to Honor Identity Theft Notice  10.68
      • 3.  Laws Applicable to Creditors
        • a.  Duty of Creditors to Cooperate With Victims  10.69
        • b.  Declaratory Relief Action  10.70
        • c.  Preapproved Solicitations  10.71
        • d.  Instant Loan Checks  10.72
        • e.  Changes of Address and Credit Cards  10.73
        • f.  Financial Institutions’ Duty to Cooperate With Law Enforcement  10.74
      • 4.  Laws Applicable to Debt Collectors  10.75
      • 5.  Laws Applicable to Merchants
        • a.  Credit Card Transaction Slips  10.76
        • b.  Information That Merchant May Require for Payments by Credit Card  10.77
        • c.  Driver’s Licenses  10.78
        • d.  Payments by Negotiable Instrument  10.79
      • 6.  Other Identity Theft-Related Laws
        • a.  Birth Certificates  10.80
        • b.  Records of Common Interest Developments  10.81
        • c.  Unlawful to Sell or Access Data Obtained Pursuant to Crime  10.81A
  • VI.  CLAIMS AND LIABILITY  10.82
    • A.  Negligence [Deleted]  10.83
      • 1.  California Statutory Duty of Care [Deleted]  10.84
      • 2.  When Duty of Care Applies [Deleted]  10.85
      • 3.  Negligent Enablement of Impostor Fraud [Deleted]  10.86
      • 4.  Assumption of Duty [Deleted]  10.87
      • 5.  Intervening Criminal Conduct [Deleted]  10.88
      • 6.  Negligent Failure to Notify [Deleted]  10.89
    • B.  Misrepresentation [Deleted]  10.90
    • C.  Invasion of Privacy [Deleted]  10.91
    • D.  Breach of Fiduciary Duty [Deleted]  10.92
    • E.  Infliction of Emotional Distress [Deleted]  10.93
    • F.  Defamation [Deleted]  10.94
    • G.  Breach of Contract [Deleted]  10.95
    • H.  Trespass to Chattels [Deleted]  10.96
    • I.  Other Claims and Defenses [Deleted]  10.97
      • 1.  Causation Issues [Deleted]  10.98
      • 2.  Damages [Deleted]  10.99
  • VII.  PROTECTING AGAINST IDENTITY THEFT  10.100
    • A.  FTC Standards for Safeguarding Customer Information  10.101
    • B.  California Business Privacy Handbook  10.102
    • C.  Incident Response Plan  10.103
    • D.  Cyberinsurance  10.104
    • E.  Third Party Contracts  10.105
      • 1.  Exercising Due Diligence in Vendor Selection  10.106
      • 2.  Key Contract Provisions  10.107
  • VIII.  CHECKLISTS AND FORMS
    • A.  Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program  10.108
    • B.  Checklist: Selecting Third Party Service Providers  10.109
    • C.  Form: Model Business Letter Notifying Customer of Theft of Personal Information  10.110

10A

The California Consumer Privacy Act of 2018

Genevieve R. Walser-Jolly

Colin T. Murphy

  • I.  HISTORY OF CCPA AND SCOPE OF CHAPTER
    • A.  Aggregate Consumer Information  10A.1
  • II.  DEFINITIONS UNDER THE CCPA
    • A.  Advertising and Marketing  10A.1A
    • B.  Aggregate Consumer Information  10A.2
    • C.  Authorized Agent  10A.2A
    • D.  Biometric Information  10A.3
    • E.  Business  10A.4
    • F.  Business Controller Information  10A.4A
    • G.  Business Purpose  10A.5
    • H.  Categories of Sources  10A.5A
    • I.  Categories of Third Parties  10A.5B
    • J.  Collects, Collected, or Collection  10A.6
    • K.  Commercial Credit Reporting Agency  10A.6A
    • L.  Commercial Purpose  10A.7
    • M.  Consent  10A.7A
    • N.  Consumer  10A.8
    • O.  Contractor  10A.8A
    • P.  Control or Controlled  10A.9
    • Q.  Cross-Context Behavioral Advertising  10A.9A
    • R.  Dark Pattern  10A.9B
    • S.  Data Broker  10A.9C
    • T.  Deidentified  10A.10
    • U.  Designated Methods for Submitting Requests  10A.11
    • V.  Device  10A.12
    • W.  Director  10A.12A
    • X.  Employment Benefits  10A.12B
    • Y.  Employment-Related Information  10A.12C
    • Z.  Health Insurance Information  10A.13
    • AA.  Homepage  10A.14
    • AB.  Household  10A.14A
    • AC.  Independent Contractor  10A.14B
    • AD.  Infer or Inference  10A.15
    • AE.  Intentionally Interacts  10A.15A
    • AF.  Management Employee  10A.15B
    • AG.  Medical Staff Member  10A.15C
    • AH.  Officer  10A.15D
    • AI.  Owner  10A.15E
    • AJ.  Ownership Information  10A.15F
    • AK.  Person  10A.16
    • AL.  Personal Information  10A.17
    • AM.  Precise Geolocation  10A.17A
    • AN.  Probabilistic Identifier  10A.18
    • AO.  Processing  10A.19
    • AP.  Profiling  10A.19A
    • AQ.  Pseudonymize or Pseudonymization  10A.20
    • AR.  Publicly Available  10A.21
    • AS.  Research  10A.22
    • AT.  Sell, Selling, Sale, or Sold  10A.23
    • AU.  Sensitive Personal Information  10A.23A
    • AV.  Service or Services  10A.24
    • AW.  Service Provider  10A.25
    • AX.  Share, Shared, Sharing  10A.25A
    • AY.  Third Party  10A.26
    • AZ.  Unique Identifier or Unique Personal Identifier  10A.27
    • BA.  Vehicle Information  10A.27A
    • BB.  Verifiable Consumer Request  10A.28
  • III.  CONSUMER RIGHT TO KNOW  10A.29
    • A.  Pre-Collection, Pre-Sale, Pre-Sharing Disclosures  10A.30
    • B.  Privacy Policy  10A.30A
    • C.  Verifiable Consumer Request About Collected Personal Information  10A.31
    • D.  Responding to Requests to Know  10A.31A
    • E.  Notice of Resale of Personal Information by Third Party  10A.31B
    • F.  Single, One-Time Transaction Exception to Data Retention  10A.32
  • IV.  CONSUMER RIGHT TO KNOW PERSONAL INFORMATION SOLD OR DISCLOSED FOR BUSINESS OR COMMERCIAL PURPOSE [Deleted]  10A.33
    • A.  Pre-Sale and Pre-Sharing Disclosure [Deleted]  10A.34
    • B.  What Businesses Must Disclose When Personal Information Is Sold or Shared for Business or Commercial Purpose [Deleted]  10A.35
    • C.  Notice of Resale of Personal Information by Third Party [Deleted]  10A.36
  • V.  CONSUMER RIGHT TO DELETE PERSONAL INFORMATION  10A.37
    • A.  Responding to Requests to Delete  10A.38
    • B.  Deleting Consumer Personal Information  10A.39
  • VI.  CONSUMER RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION  10A.39A
  • VII.  CONSUMER RIGHT TO LIMIT THE USE AND DISCLOSURE OF SENSITIVE PERSONAL INFORMATION  10A.39B
    • A.  Requirement to Inform Consumer of Right to Limit Use and Disclosure of Sensitive Personal Information  10A.39C
    • B.  Handling Limit Use and Disclosure Requests  10A.39D
    • C.  Opt-In Requirement for Consumers Under the Age of 16  10A.39E
    • D.  Consumers May Authorize Third Parties to Opt Out on Their Behalf  10A.39F
  • VIII.  CONSUMER RIGHT TO OPT OUT OF THE SALE OF PERSONAL INFORMATION  10A.40
    • A.  Requirement to Inform Consumer of Right to Opt Out  10A.41
    • B.  Handling Consumer Opt-Outs  10A.42
    • C.  Opt-In Requirement for Consumers Under the Age of 16  10A.43
    • D.  Consumers May Authorize Third Parties to Opt Out on Their Behalf  10A.44
    • E.  Exception to Opt-Out Rights  10A.45
    • F.  Subsequent Opt-In  10A.46
  • IX.  FINANCIAL INCENTIVES  10A.47
    • A.  Notice of Financial Incentives  10A.48
    • B.  Permissible Incentives  10A.49
    • C.  Calculating the Value of Personal Information  10A.50
  • X.  PROHIBITION AGAINST RETALIATORY DISCRIMINATION FOR EXERCISING CONSUMER RIGHTS  10A.51
  • XI.  VENDOR OBLIGATIONS  10A.52
    • A.  Service Providers  10A.52A
    • B.  Contractors  10A.52B
    • C.  Third Parties  10A.52C
  • XII.  EXEMPTIONS TO THE CALIFORNIA CONSUMER PRIVACY ACT
    • A.  Exemptions for Complying With Laws, Cooperating With Law Enforcement, or Defending Legal Claims  10A.53
    • B.  Exemptions for Deidentified, Out-of-State, and Aggregate Consumer Information  10A.54
    • C.  Evidentiary Privilege  10A.55
    • D.  Health Information
      • 1.   HIPAA Exemption  10A.56
        • a.  Limitations to the HIPAA Exemption  10A.57
        • b.  Evaluation of Existing Practices for Deidentification Under HIPAA  10A.58
        • c.  Application of HIPAA Exemption to Research and Clinical Trials  10A.59
      • 2.  ERISA Preemption  10A.60
      • 3.  Non-ERISA Benefits  10A.61
      • 4.  Exemption for Health Care Providers Governed by Confidentiality of Medical Information Act (CMIA)  10A.62
    • E.  Personal Information Used Under Fair Credit Reporting Act  10A.63
    • F.  Personal Information Used Under Gramm-Leach-Bliley Act  10A.64
    • G.  Personal Information Used Under Driver’s Privacy Protection Act of 1994  10A.65
  • XIII.  TRAINING  10A.66
  • XIV.  RECORDKEEPING  10A.67
  • XV.  PRIVATE RIGHT OF ACTION FOR DATA BREACH  10A.68
    • A.  Remedies Available to Consumers  10A.69
    • B.  Prelitigation Requirements for Consumer Actions  10A.70
  • XVI.  ATTORNEY GENERAL ENFORCEMENT
    • A.  Businesses May Seek Guidance From Attorney General on How to Comply With CCPA  10A.71
    • B.  Civil Penalties Attorney General May Seek  10A.72
  • XVII.  REGULATIONS BY THE ATTORNEY GENERAL AND THE CALIFORNIA PRIVACY PROTECTION AGENCY  10A.73
  • XVIII.  RESTRICTIONS ON BUSINESSES CIRCUMVENTING CCPA  10A.74
  • XIX.  FORM: WEBSITE PRIVACY POLICY  10A.75

11

Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims

Denis T. Rice

  • I.  SCOPE OF CHAPTER  11.1
  • II.  UNDERSTANDING THEORIES OF LIABILITY  11.2
    • A.  Privacy- and Security-Oriented Statutes
      • 1.  Federal [Deleted]  11.3
      • 2.  State
        • a.  Security Breach and Breach Notification [Deleted]  11.4
        • b.  Other State Statutes [Deleted]  11.5
    • B.  Copyright, Trademark, and Unfair Competition Statutes [Deleted]  11.6
    • C.  Common Law Contract and Tort Theories [Deleted]  11.7
      • 1.  Examples: Breach of Contract [Deleted]  11.8
      • 2.  Examples: Tort Actions [Deleted]  11.9
  • III.  BASIC PRINCIPLES OF JURISDICTION IN THE UNITED STATES  11.10
    • A.  Personal Jurisdiction in General  11.11
    • B.  Subject Matter Jurisdiction  11.12
    • C.  Personal Jurisdiction and the Internet  11.13
    • D.  State Long-Arm Statutes  11.14
    • E.  Federal Rules of Civil Procedure  11.15
    • F.  Constitution  11.16
  • IV.  DETERMINING WHETHER A U.S. FORUM HAS JURISDICTION OVER A DEFENDANT
    • A.  Is There General Jurisdiction?  11.17
      • 1.  Internet Activity as the Sole Basis for General Jurisdiction  11.18
      • 2.  Internet Activity Plus Other Activity as a Basis for General Jurisdiction  11.19
    • B.  Is There Specific Jurisdiction?  11.20
      • 1.  Constitutional Requirement of Minimum Contacts  11.21
        • a.  Three-Part Minimum Contacts Test  11.22
        • b.  Shifting Burdens and Reasonableness  11.23
      • 2.  Purposeful Direction and the Calder “Effects” Test  11.24
        • a.  The “Effects” Test in Federal Courts
          • (1)  The Ninth Circuit  11.25
          • (2)  “Strict Effects” and “Soft Effects” Test Jurisdictions  11.26
        • b.  The Effects Test in California  11.27
        • c.  Calder and Particular Causes of Action  11.28
      • 3.  “Purposeful Availment”  11.29
      • 4.  Internet Activity as a Basis for Specific Jurisdiction  11.30
        • a.  The Zippo Sliding Scale  11.31
          • (1)  Websites Integral to Business; Interactive Websites  11.32
          • (2)  Passive Websites  11.33
        • b.  Calder Effects Test in Internet Cases  11.34
        • c.  Auction Websites  11.35
    • C.  Foreign Defendants in United States Forums  11.36
      • 1.  Burden of Defending in United States  11.37
      • 2.  Sovereignty  11.38
      • 3.  Foreign Sovereign Immunities Act  11.39
      • 4.  Type of Claim and Test Used by Court  11.40
    • D.  Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security  11.41
  • V.  BASIC PRINCIPLES OF JURISDICTION UNDER INTERNATIONAL LAW  11.42
    • A.  Country’s Authority to Exercise Jurisdiction Over Nonresidents  11.43
      • 1.  Jurisdiction to Prescribe  11.44
      • 2.  Jurisdiction to Adjudicate  11.45
      • 3.  Jurisdiction to Enforce  11.46
    • B.  Choice of Law  11.47
  • VI.  JURISDICTION OVER UNITED STATES RESIDENTS UNDER LAWS OF SELECTED OTHER COUNTRIES
    • A.  European Union  11.48
      • 1.  Brussels Regulation
        • a.  Jurisdiction in Member State Where Defendant Is Domiciled  11.49
        • b.  Jurisdiction Over a Nondomiciliary Defendant  11.50
          • (1)  Contract, Tort, and Maintenance Matters  11.51
          • (2)  Choice of Forum Agreements  11.52
          • (3)  Consumer Contracts  11.53
          • (4)  Individual Employment Contracts  11.54
          • (5)  Insurance  11.55
          • (6)  Exclusive Jurisdiction  11.56
          • (7)  Cross-Border Disputes  11.57
        • c.  Consumer Contracts Via the Internet  11.58
      • 2.  European Union Data Protection Laws and “Safe Harbor” [Deleted]  11.59
    • B.  United Kingdom  11.60
    • C.  Canada  11.61
    • D.  France  11.62
    • E.  Germany  11.63
    • F.  Italy  11.64
    • G.  Australia  11.65
    • H.  Japan  11.66
    • I.  Hong Kong  11.67
    • J.  China  11.68
  • VII.  ENFORCEMENT OF JUDGMENTS
    • A.  Sister State Judgments in the United States: Full Faith and Credit Clause  11.69
    • B.  Foreign Judgments in the United States
      • 1.  Comity  11.70
      • 2.  Uniform Foreign-Country Money Judgments Recognition Act  11.71
      • 3.  Public Policy Considerations  11.72
    • C.  United States Judgments in Foreign Countries
      • 1.  Consider Local Enforcement Requirements  11.73
        • a.  Determine Local Law  11.74
        • b.  Consider Local Enforcement Procedures  11.75
      • 2.  Selected Foreign Countries
        • a.  Canada
          • (1)  “Real and Substantial Connection” Test  11.76
          • (2)  Defenses to Enforcement  11.77
        • b.  France  11.78
        • c.  Germany  11.79
        • d.  United Kingdom  11.80
  • VIII.  PRE-DISPUTE CONSENT TO JURISDICTION OVER INTERNET TRANSACTIONS  11.81
    • A.  United States Approach to Pre-Dispute Contractual Choice of Law and Forum  11.82
      • 1.  Click-Wrap Agreements  11.83
      • 2.  Browse-Wrap Agreements  11.84
    • B.  European Union Approach to Pre-Dispute Contractual Choice of Law and Forum  11.85
    • C.  Checklist: Creating a Website Offering Goods and Services Online to Consumers  11.86

12

Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial

James G. Snell

Sheila M. Pierce

  • I.  SCOPE OF CHAPTER  12.1
  • II.  LITIGATION IN DATA BREACH AND PRIVACY CASES
    • A.  Class Actions  12.2
      • 1.  Statutory Class Certification
        • a.  California Class Actions   12.3
        • b.   Federal Class Actions  12.4
      • 2.   Constitutional Standing Requirements  12.5
        • a.  Injury in Fact  12.6
          • (1)  Assertion of Violation of Statute  12.6A
          • (2)  Fear of Injury and Threat of Future Harm  12.6B
          • (3)  Mitigation Costs as Injury  12.6C
        • b.  Causation  12.7
      • 3.  Damages
        • a.  Pleading Damages  12.8
        • b.  Mitigation  12.9
      • 4.  Cy Pres Settlements  12.10
    • B.  Causes of Action
      • 1.  Private Rights of Action  12.11
        • a.  Under Federal Law  12.12
        • b.  Under State Law  12.13
      • 2.  Defenses  12.14
      • 3.  Common Law Causes of Action  12.15
        • a.  Negligence  12.16
        • b.  Negligent or Intentional Misrepresentation  12.17
        • c.  Invasion of Privacy  12.18
        • d.  Breach of Fiduciary Duty  12.19
        • e.  Infliction of Emotional Distress  12.20
        • f.  Defamation  12.21
        • g.  Breach of Contract  12.22
        • h.  Trespass to Chattels  12.23
        • i.  Traditional Tort Actions  12.24
        • j.  Unjust Enrichment  12.25
        • k.  Breach of Covenant of Good Faith and Fair Dealing  12.26
      • 4.  Unfair Business Practices  12.27
      • 5.  Shareholder Derivative Action  12.28
  • III.  PRIVACY CONSIDERATIONS DURING INVESTIGATIONS  12.29
    • A.  Public Records  12.30
    • B.  Specific Requests for Government Agency Information  12.31
      • 1.  Freedom of Information Act (FOIA)  12.32
        • a.  Obtaining Information Under the FOIA  12.33
        • b.  FOIA Privacy Exemptions  12.34
      • 2.  California Public Records Act  12.35
        • a.  Obtaining Information Under California Public Records Act  12.36
        • b.  Exemptions From the California Public Records Act  12.37
          • (1)  Specific Exemptions  12.38
          • (2)  “Catchall” Exemption  12.39
    • C.  Other Information  12.40
      • 1.  Personal Medical and Credit Information  12.41
      • 2.  Financial Institution Customer Information  12.42
      • 3.  Prohibitions of Deceptive Acts or Practices  12.43
      • 4.  Obtaining Phone Records Without Consent or by Fraud or Deceit  12.44
      • 5.  “Phishing”  12.45
      • 6.  Eavesdropping  12.46
      • 7.  Accessing Computers  12.47
      • 8.  Adhering to Contractual Obligations  12.48
      • 9.  Contacting Parties and Witnesses
        • a.  Represented Party  12.49
          • (1)  Actual Knowledge of Representation  12.50
          • (2)  Communications With Opposing Party’s Employees, Officers, or Directors  12.51
        • b.  Expert Witnesses  12.52
      • 10.  Government Access to Information; Sharing Information With Government  12.52A
    • D.  Document Preservation  12.53
      • 1.  Duty to Preserve Under Federal Law
        • a.  Spoliation  12.54
        • b.  Spoliation and Electronic Documents  12.55
        • c.  Preservation Orders  12.56
      • 2.  Duty to Preserve Under California Law  12.57
      • 3.  Privacy and Metadata  12.58
  • IV.  PRIVACY CONSIDERATIONS WHEN LAWSUIT IS FILED
    • A.  Protecting the Name of the Plaintiff  12.59
      • 1.  Federal Practice  12.60
      • 2.  California  12.61
    • B.  Social Security and Other Numbers  12.62
    • C.  Privacy in Electronic Court Documents  12.63
      • 1.  California  12.64
      • 2.  Federal  12.65
  • V.  PRIVACY CONSIDERATIONS WHEN RESPONDING TO DISCOVERY REQUESTS
    • A.  Producing Metadata  12.66
    • B.  Inadvertent Disclosure  12.67
    • C.  Work Product Doctrine, Specific Privileges, and Other Protections  12.68
      • 1.  Work Product Doctrine
        • a.  California  12.69
        • b.  Federal  12.70
      • 2.  Attorney-Client Privilege
        • a.  California  12.71
        • b.  Federal  12.72
      • 3.  Personal Financial Privilege
        • a.  California  12.73
        • b.  Federal  12.74
      • 4.  Marital Privileges
        • a.  California  12.75
          • (1)  Testimonial Privilege  12.76
          • (2)  Spousal Communications Privilege  12.77
        • b.  Federal  12.78
          • (1)  Adverse Spousal Testimonial Privilege  12.79
          • (2)  Marital Communications Privilege  12.80
      • 5.  Physician-Patient Privilege
        • a.  California
          • (1)  Nature of Privilege  12.81
          • (2)  Exceptions  12.82
        • b.  Federal  12.83
      • 6.  Psychotherapist-Patient Privilege
        • a.  California  12.84
        • b.  Federal  12.85
      • 7.  Clergyperson-Penitent Privilege
        • a.  California  12.86
        • b.  Federal  12.87
      • 8.  Privilege Against Self-Incrimination
      • 9.  California  12.88
      • 10.  Federal  12.89
    • D.  Sexual Assault Victim-Counselor Privilege
      • 1.  California  12.90
      • 2.  Federal  12.91
    • E.  Domestic Violence Victim-Counselor Privilege
      • 1.  California  12.92
      • 2.  Federal  12.93
    • F.  Self-Critical Analysis Privilege
      • 1.  California  12.94
      • 2.  Federal  12.95
    • G.  Official Information Privilege
      • 1.  California  12.96
      • 2.  Federal  12.97
    • H.  State Secrets Privilege  12.98
    • I.  Settlement/Mediation Privilege
      • 1.  California  12.99
      • 2.  Federal  12.100
    • J.  Trade Secrets  12.101
      • 1.  California  12.102
      • 2.  Federal  12.103
    • K.  Voter Privilege  12.104
    • L.  Common Interest Privilege or Joint Defense Privilege
      • 1.  California  12.105
      • 2.  Federal  12.106
    • M.  Free Speech Privileges
      • 1.  Free Association  12.107
      • 2.  Anonymous Speech  12.108
      • 3.  Journalist’s Privilege
        • a.  Federal Law  12.109
        • b.  California Law  12.110
    • N.  Traditional Privacy Rights  12.111
      • 1.  California Constitution  12.112
      • 2.  Federal Privacy Act of 1974  12.113
      • 3.  Personal Financial Information Privacy  12.114
      • 4.  Consumer and Employment Records Subpoenas  12.115
      • 5.  Consumer Records Subpoenas in Class Actions  12.116
      • 6.  Overbroad Subpoenas  12.117
    • O.  Discovery in Specific Types of Cases
      • 1.  Marital Dissolution  12.118
      • 2.  Sexual Harassment Lawsuits  12.119
    • P.  Discovery When One Party Is a Corporation  12.120
    • Q.  International Considerations  12.121
  • VI.  MOTIONS TO SEAL  12.122
    • A.  Federal Court Motions to Seal
      • 1.  General Principles  12.123
      • 2.  Local Court Rules  12.124
    • B.  California Court Motions to Seal  12.125
      • 1.  Procedure  12.126
      • 2.  Cases Concerning Interest to Seal Versus Public’s Right to Access  12.127
  • VII.  PRIVACY AT TRIAL  12.128
    • A.  Gag Orders  12.129
    • B.  Privilege Against Self-Incrimination  12.130
    • C.  Media Access to Courtroom  12.131
    • D.  Sixth Amendment Right to Confront Witnesses  12.132
    • E.  Request for Private Trial  12.133

PRIVACY COMPLIANCE AND LITIGATION IN CALIFORNIA

(1st Edition)

August 2022

TABLE OF CONTENTS

 

File Name

Book Section

Title

CH03

Chapter 3

Information Security and Security Breach

03-049B

§3.49B

Model Security Breach Notification

CH04

Chapter 4

Internet and Electronic Privacy

04-034

§4.34

Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information

CH05

Chapter 5

Marketing and Sales Regulation

05-018

§5.18

Sample Children’s Website Privacy Policy

05-029

§5.29

Checklist: COPPA Compliance

05-045

§5.45

Opt-Out Notice

05-091

§5.91

Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities

05-093

§5.93

Sample Information-Sharing Disclosure Statement; Affiliated Entities

CH06

Chapter 6

Financial Data Privacy

06-064

§6.64

Checklist: PCI DSS Requirements

CH07

Chapter 7

Health Information Privacy

07-088

§7.88

General Authorization for the Use and/or Disclosure of Protected Health Information

07-109A

§7.109A

Sample Business Associate Agreement

CH08

Chapter 8

Workplace Privacy

08-073

§8.73

Sample Electronic Information Systems Policy

CH10

Chapter 10

Identity Theft

10-108

§10.108

Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program

10-109

§10.109

Checklist: Selecting Third Party Service Providers

10-110

§10.110

Model Business Letter Notifying Customer of Theft of Personal Information

CH10A

Chapter 10A

The California Consumer Privacy Act of 2018

10A-075

§10A.75

Form: Website Privacy Policy

CH11

Chapter 11

Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims

11-041

§11.41

Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security

11-086

§11.86

Checklist: Creating a Website Offering Goods and Services Online to Consumers

 

Selected Developments

August 2022 Update

Challenges of Privacy Compliance and Litigation (Chapter 1)

  • New or amended state privacy laws were recently enacted in Nevada, Colorado, and Utah. In addition, New York City recently adopted its own regulations on biometric identifying information, prohibiting all selling, leasing, trading, and sharing of such information for anything of value or profit, including allowing for a private right of action for violations of the regulation. See §1.3.

  • Several decisions have also addressed personal jurisdiction under the Illinois Biometric Information Privacy Act (BIPA), particularly whether defendant companies had sufficient minimum contacts and purposely directed any activities at the forum state to properly bring a BIPA claim. See §1.3.

  • The Eighth Circuit held that a system that selects telephone numbers randomly from a nonrandom customer database does not constitute an “automatic telephone dialing system” under the Telephone Consumer Protection Act (TCPA). See Beal v Outfield Brew House, LLC (8th Cir 2022) 29 F4th 391, 394, in §1.3.

Common Law and Constitutional Privacy Protection (Chapter 2)

  • In U.S. v Tuggle (7th Cir 2021) 4 F4th 505, the Seventh Circuit confronted the question of whether a police department’s warrantless use of video cameras affixed to utility poles on public property to observe a home amounted to a search under the Fourth Amendment. See discussion in §2.4A.

  • The court in People v Roberts (2021) 68 CA5th 64, 97, held that the use of a DNA sample taken from the defendant who was validly arrested for a felony based on probable cause but never formally charged did not violate his federal or state constitutional rights against unreasonable search and seizure or his state constitutional right to privacy. See §2.4A.

Information Security and Security Breach (Chapter 3)

  • Civil Code §§1798.81.5 and 1798.82 were amended effective January 1, 2022, to include as protected information an individual’s genetic data. See §§3.8, 3.46, 4.2.

  • The FTC issued a statement in September 2021 signaling its commitment to enforce the FTC Rule and clarifying that the rule applies to most health apps and similar technologies, e.g., apps and other technologies that help consumers track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, and diet. In addition, the FTC has issued two publications to help explain the FTC Rule and the steps that covered businesses need to take in the event of a breach. See §§3.35, 3.35D.

  • On October 27, 2021, the FTC announced significant amendments to the agency’s Safeguards Rule. See §§3.37–3.38.

Internet and Electronic Privacy (Chapter 4)

  • The U.S. Supreme Court held that a person “exceeds authorized access” only when they access a computer with authorization but then obtain information located in particular areas of the computer (such as files, folders, or databases) that are off-limits to them. See Van Buren v U.S. (2021) ___ US ___, 141 S Ct 1648, 1662, in §4.21.

  • Civil Code §1724, which became effective January 1, 2022, makes it unlawful for a person to sell data, or sell access to it, that the person obtained or accessed as the result of a criminal act. It also prohibits an unauthorized person to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed the data as a result of the commission of a crime. See §§4.21A, 4.58.

  • In Lee v Amazon.com, Inc. (2022) 76 CA5th 200, 250, the court held that the Communications Decency Act did not shield Amazon from its own, independent obligation under Proposition 65 to warn consumers about harmful products listed for sale on its website. See §4.49.

Marketing and Sales Regulation (Chapter 5)

  • In Greenberg v Digital Media Solutions, LLC (2021) 65 CA5th 909, 919, the court held that a recipient of a commercial email advertisement sent by a third party is not precluded as a matter of law from stating a claim under Bus & P C §17529.5 against the advertiser based on the third party’s failure to provide sufficient information disclosing or making traceable the third party’s own identity, even if the email sufficiently identifies the advertiser. See §5.52.

  • The Eighth Circuit held that a system that selects telephone numbers randomly from a nonrandom customer database does not constitute an “automatic telephone dialing system” under the Telephone Consumer Protection Act (TCPA). See Beal v Outfield Brew House, LLC (8th Cir 2022) 29 F4th 391, 394, in §5.56.

  • The court in Lyngaas v Curaden AG (6th Cir 2021) 992 F3d 412, 424, confirmed that the “TCPA does not impose strict liability on a manufacturer simply because its products wind up on the face of an unsolicited fax advertisement; the manufacturer must independently fit the role of a ‘sender.’” The court also held that faxes received by computers fall within the scope of the TCPA, but noted that a fax sent as an attachment to an email message or pasted directly into an email message does not. See §5.64.

Financial Data Privacy (Chapter 6)

  • In 2021, the FTC, together with the Department of Justice, reached a $20 million settlement—the largest then to date—with a defendant for its FCRA violations, including illegally obtaining consumer credit reports without the consumers’ knowledge or consent and using them to establish credit profiles for uncreditworthy customers. See U.S. v Vivint Smart Home, Inc. (D Utah, Apr. 29, 2021, No. 2:21-cv-00267-TS) FTC File No. 192 3060, in §6.43.

Health Information Privacy (Chapter 7)

  • In County of Los Angeles v Superior Court (2021) 65 CA5th 621, 641, the court held that the trial court’s discovery order violated state constitutional privacy rights when it granted the defendant’s motion to compel detailed data on over 1 million dispensed medications, along with pharmacy and prescriber identifiers and other clinical, patient-level information. See §7.2.

  • On July 1, 2021, the California Department of Public Health issued a final rulemaking implementing the breach reporting requirements of Health & S C §1280.15(b). See 22 Cal Code Regs §§79900–79905 in §7.16.

  • Assembly Bill 133, which added Health & S C §130290, effective July 27, 2021, requires the California Health and Human Services Agency to establish, on or before July 1, 2022, the California Health and Human Services Data Exchange Framework. See discussion in §7.41B.

  • In 2021, §123114(e) was added to the Health and Safety Code to clarify that “a health care provider may honor a request to disclose a patient record ... that contains the written or electronic signature of the patient or the patient’s personal representative.” See §7.86.

  • The Genetic Information Privacy Act (CC §§56.18–56.186), effective January 1, 2022, seeks to ensure the “privacy, confidentiality, and integrity of a consumer’s genetic data” when that data is handled by direct-to-consumer genetic testing companies. See §7.92A.

Workplace Privacy (Chapter 8)

  • In Lozano v City of Los Angeles (2022) 73 CA5th 711, 727, the court held that the use in police officers’ termination proceedings of a digital in-car video system (DICVS) recording did not violate Pen C §632 because the city did not intend for the DICVS to record the officers’ confidential communication that demonstrated their misconduct, but rather the DICVS merely happened to record it. See §8.65.

International Personal Data Protection and Cross-Border Data Transfers (Chapter 9)

  • There have been many significant developments in international personal data protection and cross-border data transfers. See discussions throughout chap 9.

Identity Theft (Chapter 10)

  • Civil Code §1788.185, effective January 1, 2022, adds new requirements for the contents of a complaint brought by a debt collector for debt that originated with a general acute care hospital licensed under Health & S C §1250(a). See §10.75.

  • Civil Code §1724, effective January 1, 2022, provides that it is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime. Similarly, it is unlawful for an unauthorized person to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime. See §10.81A.

The California Consumer Privacy Act of 2018 (Chapter 10A)

  • The federal district court in Karter v Epiq Sys., Inc. (CD Cal, July 16, 2021, No. SACV 20-01385-CJC (KESx)) 2021 US Dist Lexis 189258, *5, found that the defendant was not a service provider because it collects consumers’ personal information from consumers rather than from another business and also determines the purposes and means of processing that personal information. See §10A.4.

  • The California Attorney General has opined that a consumer is entitled to “inferences,” regardless of whether those inferences were internally generated or obtained from another source. See 2022 Ops Cal Atty Gen No. 20–303, in §10A.31A.

  • The CCPA is not retroactive and the private right of action does not apply to breaches that occurred before January 1, 2022. See Gardiner v Walmart, Inc. (ND Cal, July 28, 2021, No. 20-cv-04618-JSW) 2021 US Dist Lexis 211251, *3, in §10A.68.

  • The continued access and disclosure of a consumer’s personal information after termination of a relationship does not equate to a defendant’s failure “to implement and maintain reasonable security measures,” and thus such a claim “falls entirely outside of the reach of the CCPA.” Danfer-Klaben v JPMorgan Chase Bank, N.A. (CD Cal, Jan. 24, 2022, No. SACV 21-262 PSG (JDEx)) 2022 US Dist Lexis 25553, *17. See §10A.68.

  • On October 6, 2021, Governor Newsom signed AB 1391 into law, adding CC §1724 to make it unlawful for anyone to sell or sell access to data that were obtained pursuant to the commission of a crime. It also makes it unlawful for anyone to buy or use data that they know, or should know, were obtained through the commission of a crime. See §10A.69.

  • On October 6, 2021, Governor Newsom signed AB 694 into law. Among other things, it extended the timeline for the California Privacy Protection Agency (CalPPA) to take over enforcement responsibilities from July 1, 2021, to the later of either July 1, 2021, or within 6 months of CalPPA notifying the Attorney General that is ready to assume rulemaking responsibilities. See §10A.73.

Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial

  • In Ramirez v TransUnion LLC (2021) ___ US ___, 141 S Ct 2190, 2208, the U.S. Supreme Court held that only a portion of the class for which TransUnion provided misleading credit reports to third party businesses had demonstrated concrete reputational harm and had art III standing needed for damages relief; the other portion of the class that had only experienced unrealized risk due to alleged statutory violation did not have art III standing needed for damages relief. See §12.6A.

  • Claims under the federal Driver’s Privacy Protection Act and California statutory and common law were dismissed for lack of standing in Greenstein v Noblr Reciprocal Exch. (ND Cal, Feb. 15, 2022, No. 21-cv-04537-JSW) 2022 US Dist Lexis 30228, *9. See §12.6B.

  • In In re Google Inc. Streetview Electronic Communications Litig. (9th Cir 2021) 21 F4th 1102, the Ninth Circuit affirmed the district court’s approval of a cy pres settlement when the district court found that it was not feasible to distribute settlement funds to class members and the settlement provided for injunctive relief, payments to nine internet privacy advocacy groups, attorney fees, and service awards to class representatives. See §12.10.

  • Even when the information is continuously available to the public online after initial publication, only one cause of action exists under the Privacy Act. See Doe v Garland (9th Cir 2021) 17 F4th 941, 945, in §12.113.

About the Authors

JONATHAN D. AVILA is Vice President, Chief Privacy Officer of Wal-Mart Stores, Inc., where he supervises data privacy law counseling and compliance for the domestic and international operations of Walmart Stores. He was formerly Vice President—Chief Privacy Officer of the Walt Disney Company. Before joining Disney, he was General Counsel and Chief Privacy Officer of Mvalue.com, Inc., and also served as Litigation Counsel to CBS Broadcasting, Inc., where he represented CBS in privacy litigation. Mr. Avila is a past President of the International Association of Privacy Professionals (IAPP) and was a member of the Advisory Group to the California Office of Privacy Protection with respect to its Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements (SB 27). Mr. Avila received a B.A. degree from Yale University (cum laude) and a J.D. degree from Harvard Law School as well as a diploma from the University of Salamanca (Spain). He is a co-author of chapter 5 (Marketing and Sales Regulation).

MATTHEW J. COONEY is Senior Counsel at California State Automobile Association of Northern California, Nevada, and Utah, where he leads the technology and procurement practice areas. Mr. Cooney is an active member of the San Francisco Bar Association and the State Bar of California, where he is also a member of the Cyberspace Law Committee of the Business Law Section. He received a B.S. degree from the University of California, Berkeley, and a J.D. degree from Golden Gate University School of Law (cum laude). Mr. Cooney is a co-author of chapter 10 (Identity Theft).

FRANÇOISE GILBERT is the CEO of DataMinding Legal Services, Palo Alto, California. She advises clients on developing and implementing information privacy and security strategies and compliance programs at the domestic and global levels. A significant portion of her time is dedicated to the creation of data governance and protection programs that comply with applicable laws, such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR). She assists clients in their efforts to implement data privacy and security safeguards in the design of products and services that rely on artificial intelligence, big data analytics, or internet of things (IoT) technologies, such as smart cities, autonomous vehicles, wearables, and other connected objects and devices. She is the author of Global Privacy and Security Law (Aspen Publishers/Wolters Kluwer Law and Business). She holds CIPP/US, CIPP/EU, and CIPM certifications from the International Association of Privacy Professionals. Her work in the information privacy and cybersecurity areas has been consistently recommended by Chambers Global (2009–present), Best Lawyers in America (2008–present), and Who’s Who in Internet, ECommerce and Telecommunication Laws (1998–present). Ms. Gilbert holds undergraduate and graduate degrees in mathematics from the Universities of Paris and Montpellier (France) and J.D. degrees from the University of Paris (France) and Loyola University School of Law in Chicago, Illinois. She is the author of chapter 3 (Information Security and Security Breach) and chapter 9 (International Personal Data Protection and Cross-Border Data Transfers).

ROBERT V. HALE II is in-house counsel at Apollo Group, Inc., where he handles consumer, transactional, and regulatory matters. Before joining Apollo in 2010, he served as Vice President and Senior Counsel at HSBC North America, and in similar roles at other financial institutions. He is the author of Wi-Fi Access and Operation Liability, published in The SciTech Lawyer. Mr. Hale serves as an Advisor to the Financial Institutions Committee and the Cyberspace Committee of the Business Law Section of the State Bar of California. He is Executive Managing Editor of the Journal of Internet Law (Aspen Publishers). Mr. Hale received his B.A. degree from Sarah Lawrence College and his J.D. degree from the University of San Francisco School of Law. He is a co-author of chapter 10 (Identity Theft).

CATHERINE D. MEYER is Counsel with Pillsbury Winthrop Shaw Pittman LLP, Los Angeles. She was a partner with the firm for 20 years, practicing in the areas of finance and privacy regulation and compliance. Ms. Meyer advises financial institutions and other companies on privacy, including rights to financial privacy and protection of customers’ privacy rights under state, federal, and international statutes and regulations. She regularly counsels commercial clients on compliance with regulations affecting the collection, use, sale, transfer, and sharing of customer and employee information on a local to global scale. She assists with marketing issues, such as unsolicited commercial email, fax, and telephone communications, marketing to children, and issues specific to credit card and check transactions and data security breaches. She has served as co-chair of the Business Department of the Los Angeles Office and of the firm-wide Privacy and Data Protection Practice Team. Ms. Meyer is a frequent speaker and writer on data protection and privacy issues, and sits on the Board of Editors of the Privacy & Data Security Law Journal and the Privacy & Data Security Review. Ms. Meyer received an A.B. degree from Bryn Mawr College and a J.D. degree from Northwestern University School of Law. She is a co-author of chapter 5 (Marketing and Sales Regulation).

COLIN T. MURPHY, an attorney in the San Francisco and Orange County offices of Severson & Werson, APC, has particular experience representing international and domestic clients in the defense and trial of construction defects, cybersecurity and data protection, products liability, professional liability, sports, and leisure and entertainment. Mr. Murphy represents national and international insureds and insurers. In 2019, he was recognized as a Distinguished Lawyer by the international organization Lawyers of Distinction. He is a member of the San Francisco and Orange County Bar Associations, the International Association of Privacy Professionals (IAPP), and the Professional Liability Underwriting Society. He received a B.A. from the University of California, Santa Cruz, and a J.D. from Santa Clara University, and is a co-author of chapter 10A (The California Consumer Privacy Act of 2018).

DENISE OLRICH, of the Law Office of Denise Olrich, in Santa Rosa, is a business attorney specializing in the legal needs of the entrepreneur, including e-commerce, privacy and cyberlaw matters, intellectual property matters, trademark registration, business formation, corporations and partnerships, business transactions, bankruptcy and bankruptcy litigation, as well as business litigation in the state courts. Ms. Olrich regularly lectures to attorneys, business groups, and students regarding business and cyberspace law matters. She served on the committee that drafted California’s new revised limited partnership law. She is an Advisor to the Executive Committee of the Business Law Section of the State Bar of California and has chaired the Cyberspace Law Committee, as well as the Partnerships and Limited Liability Companies Committee of the Business Law Section. Ms. Olrich received a B.A. degree from Michigan State University and a J.D. degree from Thomas M. Cooley Law School in Lansing, Michigan. She is the author of chapter 4 (Internet and Electronic Privacy).

SHEILA M. PIERCE is an associate in the Silicon Valley office of Bingham McCutchen LLP, where she represents clients on issues such as breach of contract, patent infringement, securities violations, privacy matters, civil rights matters, and product liability. She has also advised clients on issues related to internet privacy and data security laws. Ms. Pierce has a J.D. degree from the University of San Francisco School of Law and a B.A. degree from San Francisco State University (summa cum laude). She is a co-author of chapter 12 (Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial).

DENIS T. RICE, of Arnold & Porter, LLP, San Francisco, practices in a broad range of areas, including corporate and securities matters, and internet and e-commerce law. Mr. Rice was a founding director of Howard Rice Nemerovski Canady Falk & Rabkin PC. He is chair of the Committee on Developments in Business Financing of the American Bar Association and a Board Member of the International Technology Law Association. He has litigated complex cases, including class actions, in state and federal courts involving securities fraud, fiduciary duties, corporate governance, antitrust, trademarks, and trade secrets. Mr. Rice has lectured on information technology, privacy, securities, electronic commerce, and litigation in cities around the world. He serves as a panel arbitrator and mediator for both the American Arbitration Association and the World Intellectual Property Organization. Mr. Rice holds an undergraduate degree from Princeton University, Woodrow Wilson School of Public and International Affairs (Phi Beta Kappa), and a law degree from the University of Michigan Law School (Order of the Coif; Associate Editor, Michigan Law Review). He is the author of chapter 1 (Challenges of Privacy Compliance and Litigation) and chapter 11 (Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims).

JEEWON K. SERRATO is a partner in the San Francisco office of BakerHostetler, where she is co-lead of the Digital Transformation and Data Economy team. Ms. Serrato counsels clients in the areas of consumer privacy, cybersecurity, data monetization, and data science. Before joining BakerHostetler, she served as chief privacy officer for two public companies. Ms. Serrato has led initiatives to design and execute compliance programs for international corporations, as well as negotiate cross-border M&A deals, and advise on high-stakes investigation, data breach, and dispute matters. She formerly served on the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee and currently serves as Chair for the California Lawyers Association’s Privacy Law Section Executive Committee. Ms. Serrato received a B.A. degree from the University of California, Berkeley, and a J.D. degree from the University of California, Berkeley, School of Law. She is a co-author of chapter 9 (International Personal Data Protection and Cross-Border Data Transfers). She wishes to acknowledge the contributions of her colleagues R. Bisi Adeyemo, Jerel Pacis Agatep, Carolina A. Alonso, Foram Dave, Seungjae Lee, Marshall J. Mattera, Veronica Reynolds, and Catrina W. Wang to the chapter.

PAUL T. SMITH is a partner with Hooper, Lundy & Bookman, PC, San Francisco, where he advises clients in health care and other industries on corporate formation and governance, joint ventures, financing, reimbursement, and regulatory compliance, and also represents technology companies in transaction, financing, and licensing matters, and data privacy and security. Mr. Smith has practiced in the U.S. health care industry since 1982, representing hospitals, hospital associations, medical groups, and provider network organizations. He has been named as one of “America’s Leading Lawyers for business” in health care by Chambers USA, 2005–2010, and was selected to the “Northern California Super Lawyers” in health care law and business/corporate law in 2010. He has spoken on health-care-related topics at numerous conferences, including the American Bar Association, the California Society of Healthcare Attorneys, the IBM/Modern Healthcare National HIPAA Conferences, and the HIPAA Summits. He holds B.A. and LL.B. (cum laude) degrees from the University of Natal School of Law (South Africa). Mr. Smith is the author of chapter 7 (Health Information Privacy).

JAMES G. SNELL is a partner in the Silicon Valley office of Bingham McCutchen LLP, where he is co-chair of the firm’s Privacy and Security Group and former co-chair of the firm’s Intellectual Property Group. He has particular experience in privacy, internet, and marketing issues, and represents clients in a broad range of complex commercial matters, including internet, privacy, and trade secret matters, false advertising, and class actions. Mr. Snell is a frequent speaker at bar association and firm events and in-house seminars regarding electronic discovery issues, patent litigation, unfair competition, trade secret law, electronic communications and privacy, among other topics. He was recognized as a Northern California “Super Lawyer” by Law & Politics and San Francisco magazine in 2005. He has a J.D. degree from the University of California, Hastings College of the Law, and a B.A. degree from the University of California, Santa Barbara. Mr. Snell is a co-author of chapter 12 (Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial).

NICHOLE L. STERLING is an associate in the New York office of BakerHostetler. Ms. Sterling focuses her practice on privacy and data protection, information governance, and emerging technology. She assists clients with practical solutions to a wide range of domestic and cross-border regulatory and compliance matters related to information governance, technology, and negotiating the everchanging privacy and data protection landscape. Ms. Sterling is active in pro bono work and has counseled global nonprofits on privacy and data protection issues. She received a B.A. degree from Gustavus Adolphus College, a Ph.D. degree from the University of California, Berkeley, and a J.D. degree from the University of Michigan Law School. She is a co-author of chapter 9 (International Personal Data Protection and Cross-Border Transfers). Ms. Sterling wishes to acknowledge the contributions of her colleagues R. Bisi Adeyemo, Jerel Pacis Agatep, Carolina A. Alonso, Foram Dave, Seungjae Lee, Marshall J. Mattera, Veronica Reynolds, and Catrina W. Wang to the chapter.

RONALD J. SOUZA is a partner in the law firm of Lynch, Gilardi & Grummer PC, in San Francisco, where he practices in the area of labor and employment litigation. He has been an employment law specialist for the last 15 years. A frequent presenter, speaker, and panelist, Mr. Souza regularly addresses professional groups and corporate executives on employment-related topics, including employment privacy, sexual harassment, and employment litigation practices. Mr. Souza is a member of the American Board of Trial Advocates (ABOTA). He also serves as Judge pro tem for the San Francisco Superior Court. He is a founding member of a chapter of the American Inns of Court, an organization of lawyers and judges dedicated to civility and ethics in law practice. Mr. Souza graduated with academic and athletic honors from Washington State University in 1969 and earned his J.D. (cum laude) degree from Santa Clara University School of Law in 1974. He is the author of chapter 8 (Workplace Privacy).

GENEVIEVE R. WALSER-JOLLY is a member of Severson & Werson, APC, where she is managing partner of the Orange County office. Ms. Walser-Jolly’s practice includes developing data privacy programs, complex litigation representing finance companies, and defending individual and class action consumer cases under the Telephone Consumer Protection Act (TCPA). She is active in the American Bar Association’s Consumer Financial Services Committee and is a member of the International Association of Privacy Professionals (IAPP), the Orange County Bar Association, and the Governing Committee for the Conference on Consumer Finance Law. Ms. Walser-Jolly regularly speaks on the latest developments in TCPA litigation and how businesses can comply with the California Consumer Privacy Act of 2018. She authors chapter 10A (The California Consumer Privacy Act of 2018).

ROY G. WEATHERUP is a partner of Lewis Brisbois Bisgaard & Smith LLP and is a member of the firm’s Appellate Practice Group. He is a Certified Specialist in Appellate Law, certified by the Board of Legal Specialization of the State Bar of California. He specializes in appellate practice, about which he has lectured extensively. Mr. Weatherup is a member of the Los Angeles County Bar Association, the California Academy of Appellate Lawyers, the Stanford Law Society, the Supreme Court Historical Society, the California Supreme Court Historical Society, and a sustaining member of the Product Liability Advisory Council. He is listed in The Best Lawyers in America, in Super Lawyers, in Who’s Who in America, and in Who’s Who in American Law. He has been responsible for more than 1,800 appellate briefs in over 1,000 cases, resulting in about 200 published opinions. He holds a law degree from Stanford University School of Law and an undergraduate degree from Stanford University. He is the author of chapter 2 (Common Law and Constitutional Privacy Protection).

About the 2022 Update Authors

MICHAEL D. ABRAHAM is the update author of chapter 12 (Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial). He is a shareholder in Bartko Zankel Bunzel & Miller, in San Francisco, where he is the head of the firm’s privacy practice group and its award-winning eDiscovery practice group, with experience in multi-terabyte events. Mr. Abraham’s practice focuses on privacy litigation, antitrust, commercial litigation, real estate litigation, and contractual disputes. His expansive trial experience includes favorable jury verdicts and judgments involving privacy breaches, security breaches, breach of contract, real estate transactions, tort claims, unfair business practices, fraud, security violations, medical information claims, officer and director liability, premises liability, franchise law violations, employment claims, FEHA, environmental claims, partnership disputes, Proposition 65, and breach of fiduciary duty. Mr. Abraham has a J.D. degree from the University of California, Hastings College of the Law, and a M.C.P. in City and County Regional Planning and a B.S. in Conservation and Natural Resources from the University of California, Berkeley.

JONATHAN D. AVILA is an update author of chapter 5 (Marketing and Sales Regulation). He was Vice President, Chief Privacy Officer of Wal-Mart Stores, Inc., where he supervised data privacy law counseling and compliance for the domestic and international operations of Walmart Stores. He was formerly Vice President—Chief Privacy Officer of the Walt Disney Company. Before joining Disney, he was General Counsel and Chief Privacy Officer of Mvalue.com, Inc., and also served as Litigation Counsel to CBS Broadcasting, Inc., where he represented CBS in privacy litigation. Mr. Avila is a past President of the International Association of Privacy Professionals (IAPP) and was a member of the Advisory Group to the California Office of Privacy Protection with respect to its Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements (SB 27). Mr. Avila received a B.A. degree from Yale University (cum laude) and a J.D. degree from Harvard Law School as well as a diploma from the University of Salamanca (Spain).

ANDREA L. FREY is an update co-author of chapter 1 (Challenges of Privacy Compliance and Litigation) and chapter 3 (Information Security and Security Breach). She is an associate with Hooper, Lundy & Bookman, PC, San Francisco, and the co-chair of the firm’s Digital Health Task Force. Ms. Frey’s practice focuses on transactional and health care regulatory matters, with an emphasis on health privacy, digital health, licensure and certification, scope of practice, and medical staff issues. She is a member of the American Health Lawyers Association, California Society of Healthcare Attorneys, and Women in Health Care Executives. Ms. Frey holds a B.A. degree from Tufts University and a J.D. degree and a M.P.H. degree from the University of Washington.

JON P. KARDASSAKIS is the update author of chapter 10 (Identity Theft). He is a partner in the Los Angeles office of Lewis Brisbois Bisgaard & Smith LLP and a chair of the Class Action & Mass Tort Practice. Mr. Kardassakis has more than 40 years’ experience as a trial attorney and holds the rank of Associate in the American Board of Trial Advocates (ABOTA). He has tried more than 35 cases to conclusion in state and federal courts, including complex fraud, business, products liability, and employment litigation. Mr. Kardassakis holds a B.S. degree from University of California, Davis, and a J.D. degree from University of California, Davis, School of Law.

AUSTIN B. KENNEY is the update author of chapter 6 (Financial Data Privacy). He is a member in Severson & Werson, APC’s Financial Services Practice Group in Orange County, where he counsels and defends financial institutions in business matters and state and federal litigation involving banking operations and consumer finance, including consumer privacy, auto finance, mortgage, and unsecured credit lending. Mr. Kenney is an active member of the International Association of Privacy Professionals (IAPP) and the Consumer Financial Services Committee of the American Bar Association’s Business Law Section, and an Advisor to the Association of Consumer Vehicle Lessors and the California Creditors Bar Association. He holds a B.A. degree from the University of California, San Diego (Earl Warren College), and a J.D. degree from the University of Colorado School of Law.

CATHERINE D. MEYER is an update author of chapter 5 (Marketing and Sales Regulation). Ms. Meyer is Counsel with Pillsbury Winthrop Shaw Pittman LLP, Los Angeles. She was a partner with the firm for 20 years, practicing in the areas of finance and privacy regulation and compliance. Ms. Meyer advises financial institutions and other companies on privacy, including rights to financial privacy and protection of customers' privacy rights under state, federal, and international statutes and regulations. She regularly counsels commercial clients on compliance with regulations affecting the collection, use, sale, transfer, and sharing of customer and employee information on a local to global scale. She assists with marketing issues, such as unsolicited commercial email, fax, and telephone communications; marketing to children; and issues specific to credit card and check transactions and data security breaches. She has served as co-chair of the Business Department of the Los Angeles Office and of the firm-wide Privacy and Data Protection Practice Team. Ms. Meyer is a frequent speaker and writer on data protection and privacy issues, and sits on the Board of Editors of the Privacy & Data Security Law Journal and the Privacy & Data Security Review. Ms. Meyer received an A.B. degree from Bryn Mawr College and a J.D. degree from Northwestern University School of Law.

TARA MOHSENI is an update co-author of chapter 8 (Workplace Privacy). She is an associate in the Orange County office of Severson & Werson, APC. Ms. Mohseni is a member of the Employment and Financial Services Practice Groups. She provides strategic employment counsel to the firm’s broader array of clients in the context of the CARES Act legislation and related discrimination, disability accommodation, retaliation, and wage and hour compliance issues. Ms. Mohseni is skillful in all stages of litigation, and has defended numerous cases to settlement, received positive rulings on dispositive motions, and obtained a successful complete defense verdict in a jury trial representing a national loan servicer. She has a B.A. degree from the University of California, Santa Barbara, and a J.D. degree from the University of California, Hastings College of Law.

DENISE OLRICH is the update author of chapter 4 (Internet and Electronic Privacy). Ms. Olrich, of the Law Office of Denise Olrich, in Santa Rosa, is a business attorney specializing in the legal needs of the entrepreneur, including e-commerce, privacy and cyberlaw matters, intellectual property matters, trademark registration, business formation, corporations and partnerships, and business transactions. Ms. Olrich regularly lectures to attorneys, business groups, and students regarding business and cyberspace law matters. She served on the committee that drafted California’s new revised limited partnership law. She has served as an Advisor to the Executive Committee of the Business Law Section of the State Bar of California and has chaired the Cyberspace Law Committee, as well as the Partnerships and Limited Liability Companies Committee of the Business Law Section. Ms. Olrich received a B.A. degree from Michigan State University and a J.D. degree from Western Michigan University Thomas M. Cooley Law School in Lansing, Michigan.

KERRY K. SAKIMOTO is an update author of chapter 1. He is an associate in Hooper, Lundy & Bookman, PC’s Los Angeles office. His practice focuses on transactional and health care regulatory matters, including digital health and health technologies, privacy, and the corporate practice of medicine. He is also passionate about diversity, equity, and inclusion, and serves on the firm’s DEI Committee, bringing previous experience leading initiatives to diversify both the health care and legal communities. Mr. Sakimoto holds a B.A. degree from Occidental College and a J.D. degree from the University of California, Los Angeles, School of Law, where he served on the UCLA Law Review and the UCLA Journal on Law and Technology.

JEEWON K. SERRATO is an update co-author of chapter 9 (International Personal Data Protection and Cross-Border Transfers). She is a partner in the San Francisco office of BakerHostetler, where she is co-lead of the Digital Transformation and Data Economy team. Ms. Serrato counsels clients in the areas of consumer privacy, cybersecurity, data monetization, and data science. Before joining BakerHostetler, she served as chief privacy officer for two public companies. Ms. Serrato has led initiatives to design and execute compliance programs for international corporations, as well as negotiate cross-border M&A deals, and advise on high-stakes investigation, data breach, and dispute matters. She formerly served on the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee and currently serves as Chair for the California Lawyers Association’s Privacy Law Section Executive Committee. Ms. Serrato received a B.A. degree from the University of California, Berkeley, and a J.D. degree from the University of California, Berkeley, School of Law. She wishes to acknowledge the contributions of her colleagues R. Bisi Adeyemo, Jerel Pacis Agatep, Carolina A. Alonso, Foram Dave, Seungjae Lee, Marshall J. Mattera, Veronica Reynolds, and Catrina W. Wang to the chapter.

PAUL T. SMITH is the update co-author of chapter 3 (Information Security and Security Breach) and update author of chapter 7 (Health Information Privacy). He is a partner with Hooper, Lundy & Bookman, PC, San Francisco, where he advises clients in health care and other industries on corporate formation and governance, joint ventures, financing, reimbursement, and regulatory compliance, and also represents technology companies in transaction, financing, and licensing matters, and data privacy and security. Mr. Smith has practiced in the U.S. health care industry since 1982, representing hospitals, hospital associations, medical groups, and provider network organizations. He has been named one of “America’s Leading Lawyers for Business” in health care by Chambers USA, 2005–2010, and was selected to the Northern California Super Lawyers in health care law and business/corporate law in 2010. Mr. Smith has spoken on health-care-related topics at numerous conferences, including the American Bar Association, the California Society of Healthcare Attorneys, the IBM/Modern Healthcare National HIPAA Conferences, and the HIPAA Summits. He holds B.A. and LL.B. (cum laude) degrees from the University of Natal School of Law (South Africa).

NICHOLE L. STERLING is an update co-author of chapter 9 (International Personal Data Protection and Cross-Border Transfers). She is an associate in the New York office of BakerHostetler. Ms. Sterling focuses her practice on privacy and data protection, information governance, and emerging technology. She assists clients with practical solutions to a wide range of domestic and cross-border regulatory and compliance matters related to information governance, technology, and negotiating the everchanging privacy and data protection landscape. Ms. Sterling is active in pro bono work and has counseled global nonprofits on privacy and data protection issues. She received a B.A. degree from Gustavus Adolphus College, a Ph.D. degree from the University of California, Berkeley, and a J.D. degree from the University of Michigan Law School. Ms. Sterling wishes to acknowledge the contributions of her colleagues R. Bisi Adeyemo, Jerel Pacis Agatep, Carolina A. Alonso, Foram Dave, Seungjae Lee, Marshall J. Mattera, Veronica Reynolds, and Catrina W. Wang to the chapter.

GENEVIEVE R. WALSER-JOLLY is the update author of chapter 10A (The California Consumer Privacy Act of 2018). Ms. Walser-Jolly is a member of Severson & Werson, APC, where she is managing partner of the Orange County office. Ms. Walser-Jolly’s practice includes developing data privacy programs, complex litigation representing finance companies, and defending individual and class action consumer cases under the Telephone Consumer Protection Act (TCPA). She is active in the American Bar Association’s Consumer Financial Services Committee and is a member of the International Association of Privacy Professionals (IAPP), the Orange County Bar Association, and the Governing Committee for the Conference on Consumer Finance Law. Ms. Walser-Jolly regularly speaks on the latest developments in TCPA litigation and how businesses can comply with the California Consumer Privacy Act of 2018.

ROY G. WEATHERUP is the update author of chapter 2 (Common Law and Constitutional Privacy Protection) and chapter 11 (Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims). Mr. Weatherup is a partner of Lewis Brisbois Bisgaard & Smith LLPand is a member of the firm’s Appellate Practice Group. He is a Certified Specialist in Appellate Law, certified by the Board of Legal Specialization of the State Bar of California. He specializes in appellate practice, about which he has lectured extensively. Mr. Weatherup is a member of the Los Angeles County Bar Association, the California Academy of Appellate Lawyers, the Stanford Law Society, the Supreme Court Historical Society, the California Supreme Court Historical Society, and a sustaining member of the Product Liability Advisory Council. He is listed in The Best Lawyers in America, in Super Lawyers, in Who’s Who in America, and in Who’s Who in American Law. He has been responsible for more than 1,800 appellate briefs in over 1,000 cases, resulting in about 200 published opinions. He holds a law degree from Stanford University School of Law and an undergraduate degree from Stanford University.

OnLAW System Requirements:
Desktop: Windows XP, 7 or 8, Mac OS 10.8
Mobile: iOS6, iOS7, Android 4.2
Firefox, Chrome, IE and Safari browsers

Note: OnLAW may work with some devices running older versions of these Operating Systems or Windows RT; however, functionality is not guaranteed.

Please see FAQs for more details.
Products specifications
PRODUCT GROUP Publication
PRACTICE AREA Business Law
Products specifications
PRODUCT GROUP Publication
PRACTICE AREA Business Law