September 2019 Update
The discussion in chap 1 of developing technologies, trends, and hot topics has been updated to reflect developments during the last year, including facial recognition technology, new Illinois biometrics legislation, the biggest data breaches yet, a new “Internet of things” law, research on wearable devices, and the status of federal and state net neutrality rules. See §1.3.
In addition, the California Legislature enacted new “Internet of things” legislation, which defines “connected devices” and requires manufacturers of such devices to equip them with reasonable security features. See §§1.3, 3.10B, 4.21A.
The Eleventh Circuit held that searches of cell phones occurring at the border require neither a warrant nor probable cause; rather, all that is needed is “reasonable suspicion.” U.S. v Vergara (11th Cir 2018) 884 F3d 1309. It also found that a traveler’s privacy interest should not be given much weight in light of the government’s paramount interest in protecting the nation’s territorial integrity. U.S. v Touset (11th Cir 2018) 890 F3d 1227. See §2.4A.
The Seventh Circuit found that a garage door opener does not carry a reasonable expectation of privacy and affirmed the conviction of a defendant for possession of drugs police officers found in a garage which they opened using an opener found on his person when they searched him pursuant to a minor traffic offense. U.S. v Correa (7th Cir 2018) 908 F3d 208. See §2.4A.
The California Legislature amended CC §47(c), which establishes the common interest privilege, to add language extending the privilege to communications about sexual harassment between a former employer and a prospective employer with regard to an applicant for employment. Stats 2018, ch 82. See §§2.21, 4.21A, 8.92.
The U.S. Supreme Court held that it is reasonable to require a person arrested for drunk driving to submit to a breath test, but not to a blood test, which is more intrusive and would violate a driver’s expectation of privacy (Birchfield v North Dakota (2016) __ US __, 136 S Ct 2160), unless the defendant voluntarily consented to a blood test (People v Gutierrez (2018) 27 CA5th 1155). See §2.4A.
The California Legislature amended CC §1939.23 to permit rental car companies to use authorized electronic surveillance technology in circumstances when the rental vehicle has not been returned within 72 hours after the contract return date. Stats 2018, ch 344. See §4.11.
In an exception to the normal rule that personnel records of peace officers are confidential, new California legislation provides that such records must be made public in certain cases including those when a gun was fired, when death or great bodily harm occurred, or when a peace officer assaulted a member of the public. Pen C §832.7. See §4.21.
The FTC has released a resource designed to help small businesses and nonprofits with cybersecurity issues, containing tips on 12 different topics, such as phishing, ransomware, vendor security, cyber insurance, physical security, and tech support scams. See https://www.us-cert.gov/ncas/current-activity/2018/10/25/FTC-Releases-Cyber-Resources-Small-Businesses. See also §4.56.
In one of the largest settlements to date, the FTC imposed civil penalties of $5.7 million on a music app producer for violating the Children’s Online Privacy Protection Act of 1998 (COPPA) by collecting personal information from children without parental consent. U.S. v Musical.ly (CD Cal, Feb. 27, 2019, No. 2:19-cv-01439) FTC File No. 172 3004. See §5.28.
The Attorney General of New York obtained a settlement from Oath, Inc. (formerly known as AOL Inc.) to pay $4.95 million in penalties and to adopt comprehensive reforms to protect children from improper online tracking. See https://ag.ny.gov/press-release/ag-underwood-announces-record-coppa-settlement-oath-formerly-aol-violating-childrens. See also §5.28.
After seeking public comment on possible technical updates to the existing rule under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), the FTC announced that it was retaining the rule without modification. See §5.39.
In June 2019, the FCC issued a declaratory ruling dramatically expanding previous policy and allowing phone carriers to start automatically blocking both illegal robocalls and robocalls that carriers believe customers do not want. FCC Declaratory Ruling and Third Further Notice of Rulemaking (June 6, 2019) CG Docket No. 17–59. See §5.53A.
In reviewing the issue of whether a business engaging a vendor is liable for the vendor’s violation of the Telephone Consumer Protection Act (TCPA), the Ninth Circuit held that calls placed by an agent of an advertiser are treated as if the advertiser itself had placed the call. Kristensen v Credit Payment Servs. (9th Cir 2018) 879 F3d 1010. The court reached a similar conclusion in Jones v Royal Admins. Servs. (9th Cir 2018) 887 F3d 443. See §5.56A.
In 2019, California enacted the Parent’s Accountability and Child Protection Act, operative January 1, 2020, requiring businesses to take “reasonable steps” (as defined) to verify a purchaser’s age when selling products that are illegal to sell to minors, and permitting businesses to retain or use any information collected to verify age only when necessary to comply with the statute. CC §1798.99.1. A section has been added in chap 5 discussing this new law. See §5.68B.
When the California medical board sought to subpoena records of a pain management physician suspected of over-prescribing controlled substances, it was required to show good cause to overcome the patients’ constitutional rights to privacy, but it failed the test by showing merely that the physician occasionally prescribed more than the usual dose because that did not suggest that the physician was negligent in treating patients or prescribed controlled substances without meeting the relevant standard of care. Grafilo v Cohanshohet (2019) 32 CA5th 428; see Grafilo v Wolfsohn (2019) 33 CA5th 1024. See also §§7.2, 7.66.
A new discussion of laws governing the use of health information in research and the Federal Policy for the Protection of Human Subjects has been added to chap 7. See §7.14A.
On October 19, 2018, the California Department of Public Health issued proposed regulations to implement Health & S C §1280.15, which requires clinics, health facilities, and hospices to prevent unauthorized access to or disclosure of patients’ medical information. See https://www.cdph.ca.gov/Programs/OLS/Pages/DPH-11-009.aspx. See also §7.16.
An entirely new discussion of complex organizations, which may be covered by the HIPAA Privacy Rule, has been added to chap 7. The discussion covers affiliated covered entities, hybrid entities, and organized health care arrangements. See §§7.130A–7.130D.
The country of Brazil has adopted a comprehensive new data protection law, effective February 14, 2020, and a complete discussion of it has been added in chap 9. Law No. 13,709 (Aug. 14, 2018), “Lei Geral de Proteção de Dados Pessoais” (LGPD). See §9.137A.
Canada’s new security breach disclosure regulations require organizations to notify the Canadian Privacy Commissioner and affected individuals of any breach of security involving personal information in the control of the organization if it is reasonable to believe that a breach poses a risk of significant harm. Breach of Security Safeguards Regulations (SOR/2018-64). See §9.144A.
In a data breach case involving the question of US Const art III standing to bring a class action, the Ninth Circuit found that the data breach victims sufficiently alleged injury in fact to confer standing based on the substantial risk that the hackers would commit identity theft. Ree v Zappos.com (In re Zappos.com) (9th Cir 2018) 888 F3d 1020. See §§12.6A–12.6B.
In a case in which the parties negotiated a cy pres settlement, the U.S. Supreme Court found that, despite the settlement, substantial questions remained about whether any of the named plaintiffs had suffered sufficiently concrete injury to give them standing to sue, so the Court vacated and remanded the Ninth Circuit decision so that the lower court could determine standing. Frank v Gaos (2019) ___ US ___, 139 S Ct 1041. See §12.10.
The U.S. Supreme Court found that the exemption in the Freedom of Information Act (FOIA) (5 USC §522) for “confidential” commercial or financial information applies to all information treated as private by the owner. Food Mktg. Inst. v Argus Leader Media (Jan. 11, 2019, No. 18–481) 2019 US Lexis 577. See §12.34.
The Legislature has amended the Government Code to provide that certain video or audio recordings related to a critical incident cannot be withheld more than 45 days, even if they were otherwise confidential under the California Public Records Act. Stats 2018, ch 960. See §12.38.