Privacy Compliance and Litigation in California

Understand best practices in cyber security and data breach protection—and how to avoid penalties and lawsuits. Learn how to collect and protect customer data, health care data, children’s data, and employee data within California, the U.S., and worldwide. Discover practical guidance for business, finance, health care, and employers on California and federal data and security law—and the critical new European Union General Data Protection Regulation (GDPR). 

  • Collecting customer data: statutory requirements; privacy policies, security measures
  • Implementing strict new GDPR regulations
  • Online marketing to and collecting children’s data
  • Sending commercial e-mail and telemarketing
  • Complex HIPAA regulation compliance
  • Employee privacy rights and employer obligations
  • Avoiding identity theft
  • Class actions for data breach: causes of action, standing, trial issues
Formats available:

  • OnLAW BU94930: web access for one user. $365.00
  • Print BU33930: looseleaf, updated 9/19. $365.00
  • Add Forms CD to Print BU23931: $99.00


1

Challenges of Privacy Compliance and Litigation

Denis T. Rice

  • I.  SCOPE OF BOOK AND CHAPTER  1.1
  • II.  CHALLENGES FACING ATTORNEYS
    • A.  Patchwork of Federal and State Laws  1.2
    • B.  Developing Technologies, Trends, and Hot Topics  1.3
    • C.  Expanding Regulation  1.4
    • D.  Emerging Theories of Liability  1.5

2

Common Law and Constitutional Privacy Protection

Roy G. Weatherup

  • I.  SCOPE OF CHAPTER  2.1
  • II.  HISTORICAL BACKGROUND
    • A.  Privacy as a Legal Concept  2.2
    • B.  Common Law Recognition of the Right to Privacy  2.3
  • III.  PRIVACY AS FEDERAL CONSTITUTIONAL RIGHT
    • A.  Development of Federal Right  2.4
    • B.  Development of Right Under Fourth Amendment: Reasonable Expectation of Privacy  2.4A
  • IV.  INVASION OF PRIVACY UNDER CALIFORNIA LAW
    • A.  Development of Invasion of Privacy as a Common Law Tort in California  2.5
    • B.  Establishment of the State Constitutional Right to Privacy  2.6
    • C.  Elements of Invasion of Privacy  2.7
  • V.  TYPES OF INVASION OF PRIVACY CLAIMS  2.8
    • A.  Intrusion Into a Person’s Solitude or Seclusion
      • 1.  Elements of Intrusion Claim  2.9
      • 2.  Examples  2.10
    • B.  Public Disclosure of Private Facts
      • 1.  Elements of Public Disclosure Claim  2.11
      • 2.  Examples  2.12
    • C.  Portraying a Person in a False Light  2.13
    • D.  Unauthorized Appropriation of a Person’s Name or Likeness for Commercial Purposes
      • 1.  Elements of Appropriation Claim  2.14
      • 2.  Examples  2.15
  • VI.  RELATIONSHIP OF INVASION OF PRIVACY TO OTHER TORTS
    • A.  Negligence  2.16
    • B.  Intentional Infliction of Emotional Distress  2.17
    • C.  Defamation  2.18
    • D.  Other Statutory Violations  2.19
  • VII.  DEFENSES TO INVASION OF PRIVACY
    • A.  First Amendment as Defense to Invasion of Privacy  2.20
    • B.  Other Possible Defenses  2.21
  • VIII.  STRATEGIES FOR BUSINESS  2.22
  • IX.  THE INVASION OF PRIVACY LAWSUIT
    • A.  Jury Instructions on Liability  2.23
    • B.  Remedies for Invasion of Privacy  2.24
    • C.  Verdict and Judgment  2.25

3

Information Security and Security Breach

Françoise Gilbert

  • I.  SCOPE OF CHAPTER  3.1
  • II.  PROTECTION OF PERSONAL INFORMATION
    • A.  Understanding the Need to Protect Personal Information  3.2
    • B.  Personal Information
      • 1.  Personal Information in General  3.3
      • 2.  Definitions  3.4
      • 3.  Proprietary Information  3.5
  • III.  SOURCES OF LEGAL OBLIGATION TO KEEP INFORMATION SECURE  3.6
    • A.  California’s Reasonable Security Procedures and Practices Law  3.7
      • 1.  What Information Is Protected Under CC §1798.81.5?  3.8
      • 2.  What Information and Businesses Are Excluded From Coverage Under CC §1798.81.5?  3.9
      • 3.  What Are Reasonable Security Procedures and Practices?  3.10
      • 4.  Effect of California Consumer Privacy Act (CCPA)  3.10A
      • 5.  California IoT Security Law  3.10B
      • 6.  Contracts With Third Party Service Providers Are Required  3.11
    • B.  Prohibition of Unfair or Deceptive Business Practices  3.12
      • 1.  FTC Enforcement  3.13
      • 2.  State Unfair Competition Laws  3.14
    • C.  Information Security Laws of Other States  3.15
      • 1.  Massachusetts  3.16
      • 2.  Nevada  3.17
      • 3.  Connecticut  3.18
    • D.  Contracts [Deleted]  3.19
    • E.  Document Disposal Laws and Regulations  3.20
      • 1.  California Document Disposal Law  3.21
      • 2.  FACTA Disposal Rule  3.22
        • a.  Reasonable Measures to Dispose of Information  3.23
        • b.  Disposal Company Services  3.24
        • c.  Third Party Service Providers  3.25
    • F.  Industry-Specific Laws and Regulations
      • 1.  Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act)  3.26
        • a.  HIPAA Privacy Rule  3.27
        • b.  HIPAA Security Standards  3.28
          • (1)  Administrative Safeguards  3.29
          • (2)  Physical Safeguards  3.30
          • (3)  Technical Safeguards  3.31
          • (4)  Organizational Requirements  3.32
          • (5)  Policies and Procedures and Documentation Requirements  3.33
          • (6)  Business Associates  3.34
          • (7)  Guidance on Methods to Protect Health Information  3.34A
        • c.  HITECH Act Notice of Security Breach Requirements  3.35
          • (1)  Breach of Security Affecting a Covered Entity or a Business Associate
            • (a)  Definitions  3.35A
            • (b)  Notice requirements  3.35B
            • (c)  Content of the Notice and Timing  3.35C
          • (2)  Breach of Security Affecting a PHR Vendor or Service Provider of PHR Vendor  3.35D
            • (a)  Definitions  3.35E
            • (b)  Notice requirements  3.35F
            • (c)  Content and Timing of the Notice  3.35G
      • 2.  Gramm-Leach-Bliley Act (GLBA)  3.36
        • a.  FTC Safeguards Rule  3.37
        • b.  Requirements for Security Plan Under FTC Safeguards Rule
          • (1)  Elements  3.38
          • (2)  Contracts With Third Party Service Providers  3.39
      • 3.  Red Flags Rule  3.40
      • 4.  Address Discrepancy Rule  3.41
      • 5.  Online Businesses: Children’s Online Privacy Protection Act (COPPA)  3.42
      • 6.  Sarbanes-Oxley Act  3.43
      • 7.  Dodd-Frank Wall Street Reform and Consumer Protection Act  3.43A
      • 8.  Contracts
        • a.  Privacy Statements  3.43B
        • b.  Data Use Agreements  3.43C
  • IV.  OBLIGATION TO DISCLOSE A SECURITY BREACH
    • A.  California’s Security Breach Disclosure Law  3.44
      • 1.  Who Must Comply?  3.45
      • 2.  What “Personal Information” Is Covered?  3.46
      • 3.  What Is a “Breach”?  3.47
      • 4.  What Notice Is Required?  3.48
      • 5.  When Must Notification Be Made?  3.49
      • 6.  What Information Must the Notice Contain?  3.49A
      • 7.  Form: Model Security Breach Notification  3.49B
      • 8.  Notification to the State Attorney General  3.49C
    • B.  Effect of California Consumer Privacy Act (CCPA) on Security Breaches  3.49D
    • C.  Breach Disclosure Laws in Other Jurisdictions  3.50
    • D.  Addressing Breach Disclosure Issues  3.51
  • V.  THE INFORMATION SECURITY PLAN  3.52
    • A.  Developing a Security Plan  3.53
      • 1.  Identify a Responsible Party  3.54
      • 2.  Assess the Assets to Be Protected  3.55
      • 3.  Assess the Risk to These Assets  3.56
      • 4.  Record the Plan
        • a.  Understand Types of Security Measures  3.57
        • b.  Select Appropriate Security Measures  3.58
        • c.  Additional Characteristics of Plan  3.59
      • 5.  Implement and Train  3.60
      • 6.  Audit, Test, and Monitor Effectiveness  3.61
      • 7.  Conduct Periodic Revisions and Adjustments  3.62
    • B.  Maintaining Security in Relationships With Third Party Service Providers  3.63
    • C.  Monitor Legal Developments  3.64

4

Internet and Electronic Privacy

Denise Olrich

  • I.  SCOPE OF CHAPTER  4.1
  • II.  PRIVACY PROTECTIONS FOR PERSONAL INFORMATION
    • A.  What Is “Personal Information”?  4.2
    • B.  How Do Businesses Collect Personal Information?  4.3
    • C.  Business Obligations to Protect Personal Information  4.4
      • 1.  California Reasonable Security Procedures and Practices Law  4.5
      • 2.  California Social Security Numbers Confidentiality Law  4.6
      • 3.  California Public Safety Officials Home Protection Act  4.7
      • 4.  California Insurance Information and Privacy Protection Act  4.8
      • 5.  Video Rentals
        • a.  Federal Video Privacy Protection Act (VPPA)
          • (1)  Prohibitions, Remedies, and Definitions  4.9
          • (2)  Cases Under the VPPA  4.9A
        • b.  California Law on Nondisclosure of Video Sales or Rentals  4.10
      • 6.  Electronic Surveillance in Rental Cars  4.11
      • 7.  California Consumer Privacy Act of 2018  4.11A
      • 8.  Other Consumer Protections  4.12
  • III.  INTERNET AND COMPUTER PRIVACY PROTECTIONS FOR BUSINESSES AND OTHERS
    • A.  California Comprehensive Computer Data Access and Fraud Act  4.13
      • 1.  Criminal Penalties
        • a.  Fines and Imprisonment  4.14
        • b.  Forfeiture  4.15
      • 2.  Civil Actions  4.16
      • 3.  Cases Under Comprehensive Computer Data Access and Fraud Act  4.17
    • B.  Federal Computer Fraud and Abuse Act (CFAA)  4.18
      • 1.  Civil Remedies Under CFAA  4.19
      • 2.  Criminal Penalties Under CFAA  4.20
      • 3.  Cases Under CFAA  4.21
    • C.  Other State Law Protections for Individual Information  4.21A
  • IV.  HOW MAY A BUSINESS MEET ITS OBLIGATIONS?
    • A.  Website Privacy Policies: California’s Online Privacy Protection Act of 2003 (OPPA)  4.22
      • 1.  Who Is an “Operator” Under OPPA?  4.23
      • 2.  What Is “Personally Identifiable Information” Under OPPA?  4.24
      • 3.  Contents of the Privacy Policy Required by OPPA  4.25
      • 4.  Form: Website Privacy Policy [Deleted]  4.26
      • 5.  Display of Privacy Policy  4.27
      • 6.  Failure to Comply With OPPA  4.28
      • 7.  Other Website Privacy Policy Requirements  4.29
    • B.  General Review of Security Procedures  4.30
    • C.  Physical Security Measures  4.31
    • D.  Evaluation of Data Collected and Methods of Collection  4.32
    • E.  Review of Data Maintenance and Destruction Policies  4.33
    • F.  Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information  4.34
  • V.  ELECTRONIC COMMUNICATIONS PRIVACY  4.35
    • A.  California Law Governing Electronic Eavesdropping and Wiretapping: Invasion of Privacy Act  4.36
      • 1.  Specific Prohibitions of Act: Pen C §§631–632.01  4.37
      • 2.  Penalties  4.38
      • 3.  Application to Cell Phones and VoIP  4.39
      • 4.  Application to Out-of-State Businesses  4.40
    • B.  California Electronic Communications Privacy Act  4.40A
    • C.  Federal Electronic Communications Privacy Act of 1986 (ECPA)
      • 1.  Components of ECPA: Wiretap Act and Stored Communications Act (SCA)  4.41
      • 2.  Wiretap Act  4.42
      • 3.  SCA  4.43
      • 4.  Consequences of Violating Wiretap Act or SCA  4.44
      • 5.  Cases Under ECPA, Wiretap Act, and SCA  4.45
    • D.  Protections for Cable Subscribers
      • 1.  Federal Cable Communications Policy Act  4.46
      • 2.  California Prohibitions on Disclosures by Cable Providers (Pen C §637.5)  4.47
    • E.  Federal Communications Decency Act (CDA)
      • 1.  Immunity Provisions of CDA  4.48
      • 2.  Cases Under CDA  4.49
    • F.  Federal Telecommunications Act of 1996  4.50
    • G.  Federal Telephone Customer Protection Act (TCPA)  4.51
    • H.  California Telecommunications Customer Privacy Act  4.52
    • I.  Pretexting
      • 1.  California Pretexting Law  4.53
      • 2.  Federal Pretexting Law  4.54
    • J.  Social Networking Sites [Deleted]  4.55
    • K.  Behavioral Marketing  4.55A
    • L.  Mobile Devices and Mobile Applications  4.55B
  • VI.  ENFORCEMENT OF BUSINESS OBLIGATIONS AFFECTING PERSONAL INFORMATION
    • A.  FTC Resources  4.56
    • B.  Cybersecurity Act of 2015  4.56A
    • C.  United States Attorney General Enforcement  4.57
    • D.  California Attorney General Enforcement  4.57A
    • E.  Consumer Finance Protection Bureau Enforcement  4.57B
    • F.  Table: Statutory Remedies for Violations of Internet and Electronic Privacy Provisions  4.58

5

Marketing and Sales Regulation

Jonathan D. Avila

Catherine D. Meyer

  • I.  SCOPE OF CHAPTER  5.1
  • II.  OVERVIEW: PERSONAL INFORMATION FOR MARKETING PURPOSES
    • A.  Collection, Use, and Sharing of Information for Marketing  5.2
    • B.  Protection of Personal Information for Marketing  5.2A
  • III.  COLLECTION OF MARKETING INFORMATION
    • A.  How Information Is Collected  5.3
    • B.  Children’s Online Privacy Protection Act (COPPA)
      • 1.  COPPA Statutes, Implementing Rules, Enforcement, and Coverage  5.4
      • 2.  Scope of Covered Activities
        • a.  Use of Site or Service on the Internet; “Operator” Defined  5.5
        • b.  Application to Website or Online Service Operated for Commercial Purposes in Interstate or Foreign Commerce  5.6
        • c.  “Personal Information” Defined  5.7
        • d.  “Collection” Defined  5.8
        • e.  Determining COPPA’s Application to Children
          • (1)  Information From a Child  5.9
          • (2)  The “Actual Knowledge” Standard for General Audience Websites  5.9A
          • (3)  Definition of Websites “Directed to Children”  5.10
          • (4)  Exception for Websites and Online Services That Are “Directed to Children,” But Do Not “Target Children as Their Primary Audience”  5.11
          • (5)  Sites and Services Targeted at Teenagers [Deleted]  5.12
        • f.  Substantive Restrictions on Information Collection  5.13
        • g.  “Disclosure” to a “Third Party”  5.14
      • 3.  Compliance Requirements
        • a.  Notice of Data Collection Practices and Parental Rights  5.15
        • b.  Posting a Privacy Notice  5.16
        • c.  Contents of Privacy Notice  5.17
        • d.  Form: Sample Children’s Website Privacy Policy  5.18
        • e.  Providing Notice Directly to a Parent  5.19
        • f.  Verifiable Parental Consent  5.20
        • g.  The “Sliding Scale” of Obtaining Parental Consent
          • (1)  If Child’s Information Will Be Disclosed to Third Parties; High-Level Consent  5.21
          • (2)  If Child’s Information Will Not Be Disclosed to Third Parties; “E-mail Plus” Method  5.22
        • h.  Exceptions to “Prior Verifiable Parental Consent”  5.23
        • i.  Parental Access, Objection, and Deletion Rights  5.24
        • j.  Information Security Procedures  5.25
        • k.  Obligation to Release Information Only to Capable Third Parties  5.25A
        • l.  Data Retention Limitation and Secure Destruction Obligation  5.25B
        • m.  Safe Harbor Programs  5.26
      • 4.  Enforcement  5.27
      • 5.  Examples of FTC and State Attorney General Enforcement Actions  5.28
      • 6.  FTC’s Proposed COPPA Revisions [Deleted]  5.28A
      • 7.  Checklist: COPPA Compliance  5.29
    • C.  Supermarket Club Cards  5.30
    • D.  Collecting Personal Information at the Cash Register
      • 1.  Payment by Check  5.31
      • 2.  Payment by Credit Card: Song-Beverly Credit Card Act  5.32
        • a.  Personal Information Retailers May Not Collect During Payments by Credit Card  5.33
        • b.  Exceptions: When Retailers May Collect Personal Information During Payments by Credit Card  5.34
        • c.  Online and Other Indirect Transactions  5.34A
        • d.  Penalties for Violation  5.35
    • E.  Radio Frequency Identification Technology (RFID)  5.36
    • F.  Spyware: Consumer Protection Against Spyware Act  5.37
  • IV.  USE OF INFORMATION
    • A.  Unsolicited Commercial E-mail: Spam  5.38
      • 1.  Federal CAN-SPAM Law: What It Prohibits  5.39
        • a.  Definitions
          • (1)  “Commercial E-mail”  5.40
          • (2)  “Transactional or Relationship Message” and “Primary Purpose”  5.41
          • (3)  “Sender”  5.42
        • b.  Required Contents of Commercial E-mail  5.43
        • c.  Opt-Out Requirement  5.44
        • d.  Form: Opt-Out Notice  5.45
        • e.  Advertising E-mail  5.46
        • f.  Sexually Oriented E-mail  5.47
        • g.  Prohibited Contents of Commercial E-mail  5.48
        • h.  Application to Wireless Devices  5.49
        • i.  Enforcement  5.50
        • j.  CAN-SPAM Preemption of State Law  5.51
      • 2.  California’s Anti-Spam Legislation
        • a.  Prohibited Activities  5.52
        • b.  Who May Enforce; Penalties  5.53
    • B.  Unsolicited Telemarketing Phone Calls
      • 1.  FCC Declaratory Ruling on Robocalls  5.53A
      • 2.  Do-Not-Call Registries  5.54
      • 3.  Federal Prohibitions Against Telemarketing: Telephone Consumer Protection Act (TCPA) and Telemarketing and Consumer Fraud Protection Act  5.55
        • a.  Application of TCPA
          • (1)  Prohibitions and Exceptions  5.56
          • (2)  Who Is a Caller  5.56A
          • (3)  What Constitutes the Required “Consent”  5.56B
          • (4)  Established Business Relationship  5.56C
          • (5)  “Dual Purpose” Calls  5.56D
          • (6)  Withdrawal of Consent to Receive Text Messages  5.56E
          • (7)  Do-Not-Call Registry  5.56F
        • b.  Automated Calls  5.56G
        • c.  Compliance Requirements  5.57
        • d.  Enforcement  5.58
        • e.  Effect on State Laws  5.59
      • 4.  California’s Do-Not-Call Law
        • a.  Prohibited Activities  5.60
        • b.  Exceptions  5.61
        • c.  Enforcement  5.62
    • C.  Prerecorded Phone Calls  5.63
    • D.  Do-Not-Fax Laws
      • 1.  TCPA Prohibitions Against Unsolicited Faxes  5.64
      • 2.  California’s Unsolicited Fax Law
        • a.  Prohibited Activities  5.65
        • b.  Exceptions  5.66
    • E.  Marketing to Children
      • 1.  Federal Restrictions on Internet Collection and Use of Information From Children Under Age 13  5.67
      • 2.  California Restrictions on Use of Information From Children Under Age 16  5.68
      • 3.  California’s Privacy Rights for Minors in the Digital World Law  5.68A
      • 4.  Verification of Legal Age for Purchases  5.68B
    • F.  Child Registries in Other States  5.69
  • V.  TRANSFER OF INFORMATION  5.70
    • A.  California’s “Shine the Light” Law  5.71
      • 1.  Intent and Coverage of Law; Compliance Considerations  5.72
      • 2.  California Businesses Subject to Law  5.73
      • 3.  Out-of-State Businesses Subject to Law  5.74
      • 4.  Simplest Means of Compliance: Opt-In/Opt-Out Customer Rights  5.75
      • 5.  Definitions and Application of Law
        • a.  “Personal Information” Defined  5.76
        • b.  “Customer” and “Established Business Relationship” Defined  5.77
        • c.  “Disclosure” to “Third Parties” Defined  5.78
        • d.  “Direct Marketing Purposes” Defined  5.79
      • 6.  Exclusions and Exceptions to Law  5.80
      • 7.  Joint Collection of Personal Information  5.81
      • 8.  Individuals Entitled to Request Information-Sharing Statement  5.82
      • 9.  Making and Responding to Request for Information-Sharing Disclosure  5.83
        • a.  Obligation of Businesses to Designate Means for Making Requests
          • (1)  Designating Contact Points for Customers to Submit Requests  5.84
          • (2)  Publicizing Contact Points; Three Alternatives  5.85
          • (3)  Advantages of Second Alternative for Publicizing Contact Points  5.86
        • b.  Content of Information-Sharing Disclosure  5.87
        • c.  Format of Information-Sharing Disclosure Statement
          • (1)  Two Sets of Data  5.88
          • (2)  Categories of Personal Information  5.89
          • (3)  Information About Third Parties  5.90
        • d.  Form: Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities  5.91
        • e.  Special Rule for Disclosures to Certain Affiliated Entities  5.92
        • f.  Form: Sample Information-Sharing Disclosure Statement; Affiliated Entities  5.93
        • g.  Delivery and Timing of Responses to Customer Requests for Information-Sharing Disclosure Statements  5.94
      • 10.  Penalties  5.95
    • B.  California Insurance Information and Privacy Protection Act  5.96

6

Financial Data Privacy

  • I.  SCOPE OF CHAPTER  6.1
  • II.  GRAMM-LEACH-BLILEY ACT (GLBA)  6.2
    • A.  Explanation of GLBA
      • 1.  Mandates of GLBA  6.3
      • 2.  Definitions Under GLBA  6.4
    • B.  Financial Privacy Rule (Notice to Consumers)  6.5
      • 1.  Safe Harbor Model Privacy Form  6.5A
      • 2.  “Financial Institutions” Must Give Notice  6.6
      • 3.  Required Contents of Notice  6.7
      • 4.  Sharing Information With Nonaffiliated Third Parties
        • a.  General Rule  6.8
        • b.  Exceptions
          • (1)  When Financial Institutions May Disclose Nonpublic Personal Information  6.9
          • (2)  Limits on Sharing Account Number  6.10
          • (3)  Limits on Reuse of Information  6.11
      • 5.  Customer Opt-Out Provisions  6.12
    • C.  Safeguards Rule  6.13
    • D.  Consequences of Failure to Comply With GLBA  6.14
  • III.  FAIR CREDIT REPORTING ACT (FCRA) AND FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)
    • A.  Purpose and General Requirements; Applicability  6.15
    • B.  Definitions  6.16
      • 1.  Definition of Consumer  6.17
      • 2.  Consumer Report
        • a.  Definition of “Consumer Report”  6.18
        • b.  Exceptions to Definition  6.19
      • 3.  Definition of Consumer Reporting Agency  6.20
      • 4.  Definition of Furnisher  6.20A
      • 5.  Definition of Accuracy  6.20B
      • 6.  Definition of Integrity  6.20C
      • 7.  Definition of Direct Dispute  6.20D
    • C.  Requirements for Furnishers  6.20E
    • D.  Requirements for Consumer Reporting Agencies
      • 1.  Permissible Purposes for Which Consumer Reporting Agencies May Furnish Consumer Reports  6.21
      • 2.  Restriction on Certain Information in Credit Reports  6.22
      • 3.  Prescreening; Opt-Out  6.23
      • 4.  Notice and Disclosure Requirements  6.24
        • a.  Notice to Furnishers and Users of Information  6.25
        • b.  Free Credit Reports; Required Disclosures to Consumers; Required Summary of Consumer Rights  6.26
        • c.  Disclosures to Government  6.27
      • 5.  Limitations on Medical Information in Consumer Reports  6.28
      • 6.  Additional Requirements for Credit Reporting Agencies  6.29
    • E.  Special Requirements for Investigative Consumer Reports  6.30
      • 1.  Person Requesting Investigative Consumer Report Must Make Disclosure  6.31
      • 2.  Restrictions on Information in Investigative Reports  6.32
    • F.  Identity Theft Prevention Requirements  6.33
    • G.  Use of Consumer Reports for Employment  6.34
    • H.  Limitations on Sharing Consumer Credit Information Among Affiliates  6.35
      • 1.  Sharing With Affiliates for Nonmarketing Purposes (Affiliate Sharing)  6.36
      • 2.  Sharing With Affiliates for Marketing Purposes (Affiliate Marketing)  6.37
    • I.  Requirements for Users of Consumer Reports That Take Adverse Action  6.38
    • J.  Requirements for Resellers of Consumer Reports  6.39
    • K.  Consumer Rights to Dispute Reported Information  6.40
    • L.  Disposal of Records  6.41
    • M.  FCRA Preemption of California Law  6.42
    • N.  Penalties and Remedies for FCRA Violations  6.43
    • O.  How Institutions Are Checked for FCRA Compliance  6.44
  • IV.  FEDERAL AND CALIFORNIA RIGHT TO FINANCIAL PRIVACY ACTS
    • A.  Federal Right to Financial Privacy Act  6.45
    • B.  California Right to Financial Privacy Act  6.46
  • V.  CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT
    • A.  Relation to GLBA; Definition of “Nonpublic Personal Information”  6.47
    • B.  Prohibitions on Disclosing Consumer Information to Nonaffiliates; Notice and Opt-Out Provisions  6.48
    • C.  Exceptions to Prohibitions  6.49
  • VI.  CONSUMER CREDIT REPORTING AGENCIES ACT (CCRAA) AND INVESTIGATIVE CONSUMER REPORTING AGENCIES ACT (ICRAA)
    • A.  Applicability of CCRAA and ICRAA  6.50
    • B.  Consumer Credit Reporting Agencies Act (CCRAA)  6.51
      • 1.  Summary of Major CCRAA Provisions  6.52
      • 2.  Remedies  6.53
    • C.  Investigative Consumer Reporting Agencies Act (ICRAA)  6.54
  • VII.  AREIAS CREDIT CARD FULL DISCLOSURE ACT OF 1986  6.55
  • VIII.  USA PATRIOT ACT  6.56
  • IX.  BANK SECRECY ACT (BSA) AND ITS ANTI-MONEY LAUNDERING (AML) LAWS
    • A.  Explanation of BSA  6.57
    • B.  BSA Requirements
      • 1.  Records That Must Be Maintained by Financial Institutions  6.58
      • 2.  Transactions That Must Be Reported  6.59
      • 3.  Individual Reporting Obligations  6.60
      • 4.  Immunity From Liability for Disclosures  6.61
      • 5.  Penalties for Violating BSA  6.62
  • X.  BUSINESSES THAT HANDLE CREDIT AND DEBIT CARDS—PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)
    • A.  What Are the PCI DSS?  6.63
    • B.  Checklist: PCI DSS Requirements  6.64
    • C.  Payment Application Data Security Standard (PA-DSS)  6.65
    • D.  Payment Card Industry Forensic Investigator (PFI)  6.66

7

Health Information Privacy

Paul T. Smith

  • I.  SCOPE OF CHAPTER  7.1
  • II.  OVERVIEW: SOURCES OF LEGAL OBLIGATION TO KEEP HEALTH INFORMATION PRIVATE
    • A.  California Constitution  7.2
    • B.  Information Practices Act of 1977  7.3
    • C.  The California Consumer Privacy Act of 2018  7.3A
    • D.  California’s Confidentiality of Medical Information Act (CMIA)
      • 1.  Application of CMIA in General  7.4
      • 2.  Exemptions From CMIA for Certain Health Information  7.5
        • a.  Mental Health and Developmental Disability Information  7.6
        • b.  Public Health Services  7.7
        • c.  Substance Use Disorder Patient Records  7.8
        • d.  Information Concerning Communicable Diseases  7.9
        • e.  Other Information Exempt From the CMIA  7.10
    • E.  HIPAA Privacy Rule  7.11
      • 1.  Application of HIPAA Privacy Rule in General  7.12
      • 2.  HIPAA Preemption Scheme  7.13
    • F.  The Health Information Technology for Economic and Clinical Health Act (HITECH Act)  7.13A
    • G.  Laws Governing Specific Health Information  7.14
    • H.  Laws Governing the Use of Health Information in Research  7.14A
    • I.  Laws Governing Security of Health Information
      • 1.  HIPAA Security Standards  7.15
      • 2.  The HITECH Act’s Notice of Security Breach Requirements  7.15A
        • a.  Definition of “Breach”  7.15B
        • b.  Timing of Notice of Breach  7.15C
        • c.  Contents of Notice of Breach  7.15D
        • d.  Who Must Be Notified and Manner of Notice  7.15E
        • e.  Preemption  7.15F
      • 3.  FACTA Red Flags Rule  7.15G
      • 4.  California Health Information Security and Breach Notification Laws  7.16
  • III.  COVERED ENTITIES  7.17
    • A.  Entities Covered Under Confidentiality of Medical Information Act (CMIA)
      • 1.  Certain Health Care Professionals and Institutional Health Care Providers  7.18
      • 2.  Certain Health Plans  7.19
      • 3.  Certain Contractors of Health Professionals and Health Plans  7.20
      • 4.  Health Record Providers  7.21
      • 5.  Employers  7.22
      • 6.  Certain Recipients of Health Information  7.23
    • B.  Entities Covered Under HIPAA Privacy Rule
      • 1.  Health Care Providers  7.24
      • 2.  Health Plans  7.25
      • 3.  Health Care Clearinghouses  7.26
      • 4.  Medicare Part D Drug Card Sponsors  7.27
    • C.  Comparison: Covered Entities Under CMIA and HIPAA  7.28
  • IV.  PROTECTED INFORMATION
    • A.  Individually Identifiable Health Information  7.29
    • B.  Deidentified Information  7.30
      • 1.  Deidentified Information Under HIPAA Privacy Rule
        • a.  Deidentification Methods  7.31
        • b.  Contractor May Deidentify Information  7.32
      • 2.  CMIA  7.33
    • C.  Limited Data Set  7.34
    • D.  No Disclosure or Use of Protected Health Information Unless Required or Permitted  7.35
      • 1.  HIPAA Privacy Rule  7.36
      • 2.  Under the CMIA  7.37
  • V.  REQUIRED DISCLOSURE OF HEALTH INFORMATION  7.38
    • A.  On Individual’s Proper Request  7.39
    • B.  To Ascertain Privacy Rule Compliance  7.40
    • C.  When Required by Law  7.41
  • VI.  PERMITTED DISCLOSURES OF HEALTH INFORMATION
    • A.  Disclosure Required by Law  7.42
    • B.  Treatment  7.43
    • C.  Facility Directories
      • 1.  HIPAA Privacy Rule  7.44
      • 2.  CMIA  7.45
    • D.  Disclosure to Friends and Family  7.46
    • E.  Notification and Disaster Relief  7.47
    • F.  Payment  7.48
    • G.  Health Care Operations
      • 1.  The Covered Entity’s Operations
        • a.  HIPAA Privacy Rule  7.49
        • b.  CMIA  7.50
      • 2.  The Recipient’s Operations  7.51
    • H.  Marketing  7.52
      • 1.  HIPAA Privacy Rule and Marketing  7.53
      • 2.  CMIA and Marketing  7.54
    • I.  Fundraising
      • 1.  HIPAA Privacy Rule on Fundraising  7.55
      • 2.  CMIA on Fundraising  7.56
    • J.  Research
      • 1.  HIPAA Privacy Rule on Research  7.57
        • a.  Research Defined  7.58
        • b.  When Authorization Not Necessary  7.59
      • 2.  CMIA on Research  7.60
    • K.  Judicial and Administrative Proceedings  7.61
      • 1.  Use by Covered Entity  7.62
      • 2.  Third Party Legal Proceedings
        • a.  Under Court Order  7.63
        • b.  Without Court Order  7.64
          • (1)  HIPAA Privacy Rule  7.65
          • (2)  CMIA: Notice to Consumer  7.66
    • L.  Disclosure for Public Health Activities
      • 1.  HIPAA Privacy Rule on Public Health Activities  7.67
      • 2.  CMIA on Public Health Activities  7.68
    • M.  Victims of Abuse
      • 1.  HIPAA Privacy Rule on Abuse  7.69
      • 2.  California Law on Abuse  7.70
    • N.  Health Oversight Activities
      • 1.  HIPAA Privacy Rule on Oversight Activities  7.71
      • 2.  CMIA on Oversight Activities  7.72
    • O.  Law Enforcement Purposes
      • 1.  HIPAA Privacy Rule on Disclosure for Law Enforcement  7.73
      • 2.  California Law on Disclosure for Law Enforcement  7.74
    • P.  Decedents  7.75
    • Q.  Organ Procurement  7.76
    • R.  Imminent Threat to Health or Safety
      • 1.  HIPAA Privacy Rule on Imminent Threat  7.77
      • 2.  California Law on Imminent Threat  7.78
    • S.  Specialized Government Functions  7.79
  • VII.  PROHIBITION ON SALE OF ELECTRONIC HEALTH RECORDS OR PROTECTED HEALTH INFORMATION UNDER HIPAA PRIVACY RULE  7.79A
  • VIII.  VERIFICATION REQUIREMENTS UNDER HIPAA PRIVACY RULE  7.80
  • IX.  DISCLOSURES REQUIRING AUTHORIZATION UNDER HIPAA PRIVACY RULE
    • A.  When Authorization Is Required  7.81
      • 1.  Conditioning Benefits on Authorization  7.82
      • 2.  Revoking Authorization  7.83
      • 3.  Keeping Authorization  7.84
    • B.  Authorization Requirements  7.85
      • 1.  Required Elements Under HIPAA Privacy Rule and CMIA  7.86
      • 2.  Additional Considerations  7.87
    • C.  Form: General Authorization for the Use and/or Disclosure of Protected Health Information  7.88
  • X.  SPECIALLY PROTECTED INFORMATION UNDER HIPAA PRIVACY RULE  7.89
    • A.  Mental Health Information  7.90
    • B.  Information on Persons With Developmental Disabilities  7.91
    • C.  Information Concerning HIV/AIDS Testing  7.92
    • D.  Genetic Testing Information
      • 1.  California Law  7.92A
      • 2.  Federal Law  7.92B
    • E.  Substance Use Disorder Patient Records
      • 1.  Federal Regulations  7.93
        • a.  When Federal Regulations Apply  7.94
        • b.  Information Covered  7.94A
        • c.  Disclosure Requirements  7.95
        • d.  When Disclosure Is Permitted Without Patient’s Written Consent  7.96
        • e.  When Disclosure Requires Patient’s Written Consent  7.96A
        • f.  Preemption  7.97
      • 2.  California Law  7.98
    • F.  Psychotherapy Notes and Services
      • 1.  HIPAA Privacy Rule  7.99
      • 2.  California Law  7.100
  • XI.  SPECIAL RULES
    • A.  Personal Representatives
      • 1.  HIPAA Privacy Rule  7.101
      • 2.  California Law  7.102
    • B.  Incidental Disclosures  7.103
    • C.  Minimum Necessary Disclosure  7.104
    • D.  Disclosure to Contractors
      • 1.  CMIA Regulation of Medical Information Recipients  7.105
      • 2.  Business Associates Under HIPAA and HITECH Act  7.106
        • a.  When Business Associate Contract Is Required  7.107
        • b.  Who Are Not Business Associates  7.108
        • c.  Requirements for HIPAA Business Associate Contract  7.109
        • d.  Form: Sample Business Associate Agreement  7.109A
    • E.  Employers and Group Health Plans
      • 1.  Disclosure of Protected Health Information by Covered Entity to Individual’s Employer  7.110
      • 2.  Use and Disclosure of Employment Records Containing Health Information  7.111
    • F.  Health Insurers  7.112
  • XII.  INDIVIDUAL RIGHTS  7.113
    • A.  Notice of Privacy Practices Under HIPAA Privacy Rule  7.114
      • 1.  Provision of Notice
        • a.  When and Where Notice Must Be Provided  7.115
        • b.  Joint Notice  7.116
        • c.  Retention  7.117
      • 2.  Content of Notice  7.118
      • 3.  Revisions to Notice  7.119
    • B.  Right to Access and Copy  7.120
      • 1.  To Which Records Does Right Apply?  7.121
      • 2.  What Must Provider Supply?  7.122
      • 3.  Access to Electronic Health Records  7.122A
      • 4.  Third-Party Recipient  7.122B
      • 5.  Denial of Access
        • a.  HIPAA Privacy Rule  7.123
        • b.  California Law  7.124
    • C.  Right to Amend  7.125
      • 1.  HIPAA Privacy Rule  7.126
      • 2.  California Law  7.127
    • D.  Right to Accounting of Disclosures  7.128
    • E.  Right to Request Additional Restrictions  7.129
    • F.  Right to Confidential Communications  7.130
  • XIII.  COMPLEX ORGANIZATIONS  7.130A
    • A.  Affiliated Covered Entities  7.130B
    • B.  Hybrid Entities  7.130C
    • C.  Organized Health Arrangements  7.130D
  • XIV.  ADMINISTRATIVE REQUIREMENTS OF HIPAA PRIVACY RULE  7.131
    • A.  Personnel, Policies, and Training  7.132
    • B.  Safeguards and Protections  7.133
    • C.  Documentation  7.134
  • XV.  ENFORCEMENT
    • A.  HIPAA Privacy Rule Enforcement  7.135
    • B.  CMIA Enforcement  7.136

8

Workplace Privacy

Ronald J. Souza

  • I.  SCOPE OF CHAPTER  8.1
  • II.  BASIC SOURCES OF EMPLOYEE PRIVACY RIGHTS
    • A.  Constitutions
      • 1.  State Constitution  8.2
      • 2.  Federal Constitution  8.3
    • B.  Statutes  8.4
    • C.  Common Law  8.5
    • D.  Contractual Provisions  8.6
  • III.  PRE-EMPLOYMENT AND OTHER INQUIRIES  8.7
    • A.  Inquiries Into Areas Protected by Fair Employment Laws
      • 1.  Statutory Provisions  8.8
      • 2.  Inquiries in General  8.9
      • 3.  Inquiries About Mental or Physical Condition Before Offer Is Made  8.10
    • B.  Inquiries Into Other Protected Areas
      • 1.  Politics  8.11
      • 2.  Union Activity  8.12
    • C.  Inquiries About Criminal History  8.13
      • 1.  Convictions and Arrests  8.14
      • 2.  Specified Marijuana-Related Convictions  8.15
      • 3.  Convictions Older Than 7 Years (CC §1786.18(a)(7))  8.16
      • 4.  Particular Employers
        • a.  Community Care Facilities  8.17
        • b.  Health Care Facilities  8.18
        • c.  Banks  8.18A
  • IV.  BACKGROUND AND CREDIT CHECKS  8.19
    • A.  Federal: Fair Credit Reporting Act  8.20
      • 1.  Notice of Intent to Request Consumer Report  8.21
      • 2.  Notice of Intent to Request “Investigative Consumer Report”  8.22
      • 3.  Notice of Adverse Action  8.23
      • 4.  Exception for Employee Misconduct and Other Investigations  8.24
      • 5.  Consequences of Failure to Comply With Fair Credit Reporting Act  8.25
      • 6.  Protecting Consumer Report Information From Disclosure  8.26
    • B.  State: Consumer Credit Reporting Agencies Act and Investigative Consumer Reporting Agencies Act  8.27
      • 1.  Consumer Credit Report Notice Requirement  8.28
      • 2.  Investigative Consumer Report Notice Requirement  8.29
      • 3.  When Employer (Not Agency) Assembles Public Record Information  8.30
      • 4.  Limits on Information That May Be Reported  8.31
      • 5.  Notice of Adverse Action  8.32
      • 6.  Exception From Notice Requirement for Employee Misconduct Investigations  8.33
      • 7.  Consequences of Violation  8.34
  • V.  MEDICAL INFORMATION
    • A.  Medical Examination Before Employment but After Offer  8.35
    • B.  Fitness-for-Duty Exams  8.36
    • C.  AIDS Testing and Inquiry  8.37
    • D.  Psychological Testing
      • 1.  Pre-Offer  8.38
      • 2.  Post-Offer; Return to Work  8.39
      • 3.  Interplay With Confidentiality of Medical Information Act  8.40
    • E.  Genetic Information  8.41
    • F.  Information About Disabilities
      • 1.  During Application Process  8.42
      • 2.  Reasonable Accommodation  8.43
    • G.  Drug Testing  8.44
      • 1.  Pre-Employment  8.45
      • 2.  After Hiring  8.46
    • H.  Information About Alcohol, Drug, and Tobacco Use
      • 1.  In General  8.47
      • 2.  Accommodation for Rehabilitation Treatment  8.48
    • I.  Serious Health Conditions Under FMLA  8.48A
  • VI.  POLYGRAPHS, FINGERPRINTS, PHOTOGRAPHS, AND OTHER INFORMATION
    • A.  Lie Detector Tests (Polygraphs)  8.49
      • 1.  Federal Law  8.50
      • 2.  State Law  8.51
    • B.  Voice Stress Analysis  8.52
    • C.  Intelligence Tests  8.53
    • D.  Fingerprints and Photographs  8.54
      • 1.  Fingerprints  8.55
      • 2.  Photographs  8.56
      • 3.  Protecting Fingerprints and Photographs From Disclosure  8.57
  • VII.  WORKPLACE MONITORING AND EMPLOYEE SURVEILLANCE
    • A.  Monitoring Electronic Communications  8.58
      • 1.  Federal Eavesdropping Law  8.59
        • a.  Ordinary Course of Business  8.60
        • b.  Express or Implied Consent  8.61
        • c.  Stored E-Mail; Text Messages  8.62
        • d.  Consequence for Violation  8.63
      • 2.  State Eavesdropping Law  8.64
        • a.  Prohibited Forms of Eavesdropping  8.65
        • b.  Consequences for Violation  8.66
      • 3.  Monitoring Internet Use
        • a.  Accessing Websites on Company Computer  8.67
        • b.  Employee Use of Personal E-Mail Account at Work  8.67A
        • c.  Off-Duty Internet Activity  8.67B
        • d.  Social Networking
          • (1)  Employee Use of Social Networks  8.67C
          • (2)  Employer Use of Social Networks for Information on Job Applicants  8.67D
        • e.  Inadvertent Disclosure of Privileged Information  8.67E
    • B.  Workplace Surveillance
      • 1.  Surveillance of Restrooms and Similar Areas  8.68
      • 2.  Surveillance of Public and Work Areas  8.69
      • 3.  Tracking Devices  8.70
    • C.  Off-Duty Surveillance  8.71
    • D.  Undercover Shoppers  8.72
    • E.  Form: Sample Electronic Information Systems Policy  8.73
  • VIII.  WORKPLACE INVESTIGATIONS
    • A.  Employer Obligation to Investigate  8.74
    • B.  Workplace Searches  8.75
      • 1.  Offices and Other Work Spaces  8.76
      • 2.  Physical Searches of Employees  8.77
    • C.  Interrogations  8.78
    • D.  Best Practices When Conducting Workplace Investigations  8.79
  • IX.  LIFESTYLE REGULATION  8.80
    • A.  Workplace Conduct  8.81
    • B.  Family Relationships  8.82
    • C.  Nonfraternization Policies  8.83
    • D.  Personal Appearance  8.84
    • E.  Workplace Discussions  8.85
    • F.  Conflict of Interest  8.86
    • G.  Off-Duty Conduct  8.86A
  • X.  EMPLOYERS’ RESPONSIBILITIES REGARDING HANDLING OF INFORMATION
    • A.  Social Security Numbers  8.87
    • B.  Other Personal Information  8.88
      • 1.  Fingerprints and Photographs  8.89
      • 2.  Employee Entering Rehabilitation for Drug and Alcohol Abuse  8.90
    • C.  Disclosure to Third Parties  8.91
      • 1.  References  8.92
      • 2.  Responding to Subpoenas  8.93
      • 3.  Discussing Employee’s Termination  8.94
    • D.  Medical Information Confidentiality
      • 1.  ADA/FMLA  8.95
      • 2.  California Confidentiality of Medical Information Act (CMIA)  8.96
      • 3.  Health Insurance Portability and Accountability Act (HIPAA)  8.97
    • E.  Personnel Files  8.98
    • F.  Immigration Status and Inspections by Immigration Enforcement Agents  8.98A
  • XI.  LITIGATING WORKPLACE PRIVACY ISSUES  8.99

9

International Personal Data Protection and Cross-Border Data Transfers

Françoise Gilbert

  • I.  SCOPE OF CHAPTER  9.1
  • II.  CHALLENGES OF GLOBAL PRIVACY COMPLIANCE
    • A.  Understanding Data Protection Laws of Other Countries  9.2
    • B.  When Other Country Has No Data Protection Laws  9.3
  • III.  THE EUROPEAN UNION DATA PROTECTION FRAMEWORK
    • A.  Historical Background  9.3A
    • B.  Initial EU Data Protection Framework  9.4
    • C.  EU Data Protection Reform  9.5
    • D.  Other Relevant Developments  9.5A
    • E.  Countries Adhering to EU Directives and Regulations [DELETED]  9.6
    • F.  Purpose of EU 1995 Data Protection Directive [DELETED]  9.7
  • IV.  THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR)
    • A.  Objectives  9.8
    • B.  Material Scope  9.9
    • C.  Territorial Scope
      • 1.  Entities Established in EU  9.10
      • 2.  Entities Established Outside EU  9.11
      • 3.  Main Establishment of Controller or Processor  9.12
      • 4.  EU Representative  9.13
    • D.  Definitions
      • 1.  Data Subject  9.14
      • 2.  Data Controller  9.15
      • 3.  Data Processor  9.16
      • 4.  Data Protection Officer  9.17
      • 5.  Supervisory Authority  9.18
      • 6.  European Data Protection Board  9.19
      • 7.  European Data Protection Supervisor  9.20
    • E.  Principles Relating to the Processing of Personal Data
      • 1.  General Principles  9.21
      • 2.  Lawfulness of Processing
        • a.  Conditions for Lawfulness  9.22
        • b.  Consent as Basis for Lawful Processing  9.23
        • c.  Processing for Performance of a Contract  9.24
        • d.  Processing to Comply With Legal Obligation of Controller  9.25
        • e.  Processing for Legitimate Interest of Controller  9.26
        • f.  Processing of Special Categories of Data  9.27
        • g.  Conditions Applicable to Child’s Consent  9.28
    • F.  Rights of Data Subjects
      • 1.  General Rights  9.29
      • 2.  Right of Erasure or Right to Be Forgotten  9.30
    • G.  Obligations of Data Controllers
      • 1.  General Responsibilities of Data Controllers  9.31
      • 2.  Data Protection by Design  9.32
      • 3.  Data Protection by Default  9.33
      • 4.  Data Controllers’ Obligations Regarding Exercise of Data Subjects’ Rights  9.34
      • 5.  Data Controller’s Obligations Related to Right to Be Forgotten  9.35
      • 6.  Joint Controllers  9.36
      • 7.  Recordkeeping Requirements for Data Controllers  9.37
      • 8.  Cooperation With Supervisory Authority  9.38
    • H.  Obligations of Processors: Recordkeeping Requirements  9.39
    • I.  Engaging a Data Processor or Subprocessor  9.40
      • 1.  Written Contract Required  9.41
      • 2.  No Further Processing Permitted  9.42
      • 3.  Use of Subprocessors; Controller’s Prior Consent Required  9.43
    • J.  Security of Personal Data
      • 1.  Technical and Organizational Measures Required  9.44
      • 2.  Breach of Security  9.45
        • a.  Notification of the Supervisory Authority by the Data Controller  9.45A
        • b.  Breach Affecting Data Processor  9.46
        • c.  Notification to Data Subjects by Data Controller  9.47
    • K.  Data Protection Impact Assessment
      • 1.  When Data Protection Impact Assessment Is Required  9.48
      • 2.  Content of Assessment  9.49
      • 3.  Prior Consultation of Supervisory Authority  9.50
    • L.  Data Protection Officer
      • 1.  Entities Required to Appoint Data Protection Officer  9.51
      • 2.  Qualifications of a Data Protection Officer  9.52
      • 3.  Status of Data Protection Officer  9.53
      • 4.  Tasks of Data Protection Officer  9.54
    • M.  Cross-Border Data Transfers  9.55
      • 1.  Transfers With Adequacy Decision  9.56
      • 2.  Transfers by Way of Appropriate Safeguards  9.57
        • a.  Safeguards That Do Not Require Authorization  9.58
        • b.  Safeguards That Require Authorization  9.59
      • 3.  Transfers by Way of Binding Corporate Rules  9.60
      • 4.  Transfers or Disclosures in Context of Litigation  9.61
      • 5.  Derogations for Specific Situations  9.62
    • N.  Remedies
      • 1.  Right to Lodge Complaint With Supervisory Authority  9.63
      • 2.  Right to Effective Judicial Remedy Against Supervisory Authority  9.64
      • 3.  Right to an Effective Judicial Remedy Against Controller or Processor  9.65
      • 4.  Right of Data Subjects to Mandate Not-for-Profit Organizations to Lodge Complaint on Their Behalf  9.66
      • 5.  Right to Compensation and Liability  9.67
        • a.  Administrative Fines
          • (1)  General Conditions for Imposing Administrative Fines  9.68
          • (2)  Amount of Administrative Fines  9.69
            • (a)  10 Million Euros or 2 Percent Annual Turnover Fines  9.70
            • (b)  20 Million Euros or 4 Percent Annual Turnover Fines  9.71
        • b.  Other Fines and Penalties  9.72
    • O.  Codes of Conduct and Certification  9.73
    • P.  Supervisory Authority  9.74
      • 1.  Tasks of Supervisory Authorities  9.75
      • 2.  Investigative Powers of Supervisory Authorities  9.76
      • 3.  Corrective Powers of Supervisory Authorities  9.77
      • 4.  Authorization and Advisory Powers of Supervisory Authorities  9.78
      • 5.  Cooperation With Other Supervisory Authorities  9.79
      • 6.  Lead Supervisory Authority
        • a.  Designation of Lead Supervisory Authority  9.80
        • b.  Cooperation Between Lead Authority and Other Concerned Supervisory Authorities  9.81
    • Q.  Establishment and Duties of European Data Protection Board  9.82
    • R.  Do Not Expect Uniformity in GDPR  9.83
  • V.  TRANSFERRING DATA OUT OF THE EUROPEAN UNION AND THE EUROPEAN ECONOMIC AREA
    • A.  The EU-U.S. Privacy Shield
      • 1.  Historical Background  9.83A
      • 2.  Overview of Privacy Shield  9.84
      • 3.  Self-Certification Process  9.85
      • 4.  Enforcement and Dispute Resolution  9.86
    • B.  Standard Contractual Clauses  9.87
    • C.  Binding Corporate Rules (BCRs) for International Data Transfers  9.88
      • 1.  Content of BCRs  9.89
      • 2.  DPA Cooperation Procedure  9.90
      • 3.  Additional Guidance for Preparation of BCRs  9.91
      • 4.  BCRs for Data Processors  9.92
    • D.  Cloud Computing in the European Economic Area  9.93
  • VI.  THE EUROPEAN UNION 2002 PRIVACY AND ELECTRONIC COMMUNICATIONS DIRECTIVE
    • A.  Recent Developments  9.94
    • B.  Purpose and Scope of 2002 Privacy and Electronic Communications Directive  9.95
    • C.  Unsolicited Commercial Messages
      • 1.  Automatic Calling Machines, Fax, E-mail, and Text Messages  9.96
      • 2.  Personal Telephone Calls  9.97
      • 3.  Identification of E-mail Sender Required  9.98
      • 4.  Right of Action for Electronic Communications Service Providers  9.99
    • D.  Cookies, Spyware, and Similar Devices  9.100
    • E.  Traffic Data  9.101
    • F.  Nonitemized Billing  9.102
    • G.  Blocking Caller Identification  9.103
    • H.  Location Data  9.104
    • I.  Confidentiality and Security
      • 1.  Confidentiality  9.105
      • 2.  Security  9.106
    • J.  Public Directories  9.107
  • VII.  DATA PROTECTION IN THE AMERICAS AND ASIA-PACIFIC
    • A.  The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
      • 1.  Overview of APEC  9.108
      • 2.  Purpose and Scope of APEC Privacy Framework
        • a.  Purpose  9.109
        • b.  Scope  9.110
      • 3.  APEC Privacy Framework’s Information Privacy Principles  9.111
        • a.  Preventing Harm  9.112
        • b.  Notice  9.113
        • c.  Limitation on Collection  9.114
        • d.  Limitation on Use  9.115
        • e.  Choice  9.116
          • (1)  When Appropriate  9.117
          • (2)  Special Categories of Personal Information  9.118
        • f.  Integrity of Personal Information  9.119
        • g.  Security Safeguards  9.120
        • h.  Access and Correction  9.121
        • i.  Accountability  9.122
      • 4.  Enforcement  9.123
      • 5.  APEC Data Privacy Pathfinder and Cross-Border Privacy Rules (CBPR)  9.124
      • 6.  Relationship With Other Countries  9.125
    • B.  Australia’s Privacy Act 1988
      • 1.  Purpose and Scope  9.126
      • 2.  Australian Privacy Principles
        • a.  Collection  9.127
        • b.  Use and Disclosure of Data  9.128
        • c.  Data Quality and Data Security  9.129
        • d.  Openness  9.130
        • e.  Access and Correction  9.131
        • f.  Identifiers and Anonymity  9.132
        • g.  Transfers out of Australia  9.133
        • h.  Sensitive Information  9.134
      • 3.  Supervision, Enforcement, and Penalties  9.135
      • 4.  Other Provisions  9.136
      • 5.  Security Breach Notification  9.137
    • C.  Brazil  9.137A
    • D.  Canada’s Personal Information Protection and Electronic Documents Act  9.138
      • 1.  Scope of Coverage  9.139
      • 2.  Data Collection and Use  9.140
      • 3.  Rights of the Individual  9.141
      • 4.  Confidentiality, Security, and Third Party Transfer  9.142
      • 5.  Supervision; Enforcement  9.143
    • E.  Canada’s Anti-Spam Law  9.144
    • F.  Canada’s Security Breach Disclosure Law  9.144A
    • G.  China  9.145
      • 1.  Chinese Laws Protecting Personal Information  9.146
      • 2.  Chinese Cybersecurity Law  9.147
    • H.  Hong Kong’s Personal Data Ordinance  9.148
      • 1.  Scope of Coverage  9.149
      • 2.  Data Collection, Accuracy, Retention, and Use  9.150
      • 3.  Security, Availability, and Access  9.151
      • 4.  Transfers of Data to Third Parties  9.152
      • 5.  Supervision and Enforcement  9.153
      • 6.  Use of Personal Data in Direct Marketing  9.154
      • 7.  Offenses  9.155
    • I.  India  9.156
      • 1.  General Requirements for Collection and Use of Personal Information  9.157
      • 2.  Requirements for Collection and Use of Sensitive Data  9.158
    • J.  Japan’s Act on the Protection of Personal Information  9.159
      • 1.  Data Collection, Use, and Security  9.160
      • 2.  Rights of the Individual  9.161
      • 3.  Transfers to Third Parties and Transfers Outside Japan  9.162
      • 4.  Supervision and Enforcement  9.163
    • K.  Mexico  9.164
      • 1.  Definitions and Data Collected  9.165
      • 2.  Notice and Security  9.166
      • 3.  International Data Transfers  9.167
      • 4.  Enforcement of Right to Data Protection  9.168
    • L.  South Korea  9.169
    • M.  Malaysia  9.170
    • N.  Philippines
      • 1.  Data Privacy Act  9.171
        • a.  Principles of Data Privacy Act  9.172
        • b.  Security, Availability, and Access  9.173
      • 2.  Cybercrime Prevention Act  9.174
    • O.  Singapore  9.175
      • 1.  Data Collection, Retention, and Use  9.176
      • 2.  Security, Availability, and Access  9.177
      • 3.  Supervision and Enforcement  9.178
    • P.  Taiwan  9.179

10

Identity Theft

Matthew J. Cooney

Robert V. Hale II

  • I.  SCOPE OF CHAPTER  10.1
  • II.  IDENTITY THEFT DEFINED
    • A.  Use of Identifying Information of Another  10.2
    • B.  Types of Identity Theft
      • 1.  Financial Identity Theft  10.3
        • a.  Financial Identity Theft That Appears on Credit Reports  10.4
        • b.  Financial Identity Theft That Does Not Appear on Credit Reports  10.5
      • 2.  Criminal Identity Theft  10.6
      • 3.  Identity Cloning  10.7
      • 4.  Cyber Identity Theft  10.8
      • 5.  Business Identity Theft  10.9
      • 6.  Medical Identity Theft  10.9A
  • III.  HOW DOES IDENTITY THEFT OCCUR?  10.10
    • A.  Non-Electronic  10.11
    • B.  Electronic  10.12
  • IV.  FEDERAL IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES
    • A.  Identity Theft Assumption and Deterrence Act  10.13
    • B.  Identity Theft Penalty Enhancement Act  10.14
    • C.  Gramm-Leach-Bliley Act  10.15
    • D.  Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)  10.16
      • 1.  Free Credit Reports  10.17
      • 2.  Fraud Alerts  10.18
      • 3.  Credit Card Truncation  10.19
      • 4.  Blocking Identity Theft-Related Information  10.20
      • 5.  Coordination of Identity Theft Investigations  10.21
      • 6.  Heightened Standard of Accuracy for Furnishers  10.22
      • 7.  Furnisher Obligation to Prevent “Repollution”  10.23
      • 8.  Duty of Furnishers to Provide Transaction Information  10.24
      • 9.  Consumer Right to Dispute Accuracy With Furnisher  10.25
      • 10.  Prohibition on Resale of Identity Theft-Related Debts  10.26
      • 11.  Debt Collector Duty to Notify Creditor of Identity Theft  10.27
      • 12.  Red Flags Rule  10.28
      • 13.  Address Discrepancy Rule  10.29
      • 14.  Card Issuers Rule  10.30
      • 15.  Remedies  10.31
    • E.  Driver’s Privacy Protection Act  10.32
    • F.  Federal Trade Commission Act
      • 1.  FTC Prohibition Against Unfair or Deceptive Business Practices  10.33
      • 2.  FTC Enforcement Actions  10.34
    • G.  Health Insurance Portability and Accountability Act  10.35
  • V.  CALIFORNIA IDENTITY THEFT LAWS APPLICABLE TO BUSINESSES  10.36
    • A.  Criminal Laws
      • 1.  Improper Use of Personal Information  10.37
      • 2.  Impersonation  10.38
      • 3.  Crimes Related to Fraudulent Documentation  10.39
      • 4.  Racketeering  10.40
      • 5.  Criminal Statute of Limitations  10.41
      • 6.  Clearing an Identity Theft Victim’s Name  10.42
    • B.  Civil Laws
      • 1.  Laws Applicable to California Businesses Generally
        • a.  Business Duty to Protect Information  10.43
        • b.  Prohibited Uses of Social Security Numbers
          • (1)  When Businesses May Not Use Social Security Numbers  10.44
          • (2)  Other Prohibitions on Use of Social Security Numbers  10.45
          • (3)  Federal Prohibitions Applicable to California Businesses  10.45A
        • c.  Disposal Law  10.46
        • d.  Anti-Phishing Act  10.47
        • e.  Consumer Protection Against Computer Spyware Act  10.48
        • f.  Security Breach Notification Law  10.49
        • g.  Financial Information Privacy Act  10.50
        • h.  Notification of Disclosures for Business Information Sharing: “Shine the Light” Law  10.51
        • i.  Unfair and Deceptive Practices  10.52
      • 2.  Laws Applicable to Credit Reporting Agencies and Furnishers and Users of Credit Reports: The California Consumer Credit Reporting Agencies Act (CCRAA)  10.53
        • a.  Preemption by Federal Law  10.54
        • b.  Permitted Disclosure of Credit Reports  10.55
        • c.  Credit Information for Transactions Not Initiated by the Consumer  10.56
        • d.  Reasonable Procedures Required Before Releasing Consumer Credit Information  10.57
        • e.  Security Alert  10.58
        • f.  Security Freeze
          • (1)  Placing and Lifting a Security Freeze  10.59
          • (2)  When Security Freeze Does Not Apply  10.60
          • (3)  Credit Reporting Agency’s Obligations When Freeze in Place  10.61
        • g.  Blocking of Credit Information When Identity Theft Shown  10.62
        • h.  Notice of Rights  10.63
        • i.  Free Credit Reports  10.64
        • j.  Businesses’ Sales of Consumer Debt Resulting From Identity Theft  10.65
        • k.  Businesses’ Use of Credit Reports
          • (1)  Matching Credit Application Information With Consumer Credit Information  10.66
          • (2)  Honoring Identity Theft Notices  10.67
          • (3)  Remedies for Failure to Reconcile Credit Application Information or Failure to Honor Identity Theft Notice  10.68
      • 3.  Laws Applicable to Creditors
        • a.  Duty of Creditors to Cooperate With Victims  10.69
        • b.  Declaratory Relief Action  10.70
        • c.  Preapproved Solicitations  10.71
        • d.  Instant Loan Checks  10.72
        • e.  Changes of Address and Credit Cards  10.73
        • f.  Financial Institutions’ Duty to Cooperate With Law Enforcement  10.74
      • 4.  Laws Applicable to Debt Collectors  10.75
      • 5.  Laws Applicable to Merchants
        • a.  Credit Card Transaction Slips  10.76
        • b.  Information That Merchant May Require for Payments by Credit Card  10.77
        • c.  Driver’s Licenses  10.78
        • d.  Payments by Negotiable Instrument  10.79
      • 6.  Other Identity Theft-Related Laws
        • a.  Birth Certificates  10.80
        • b.  Records of Common Interest Developments  10.81
  • VI.  CLAIMS AND LIABILITY  10.82
    • A.  Negligence [Deleted]  10.83
      • 1.  California Statutory Duty of Care [Deleted]  10.84
      • 2.  When Duty of Care Applies [Deleted]  10.85
      • 3.  Negligent Enablement of Impostor Fraud [Deleted]  10.86
      • 4.  Assumption of Duty [Deleted]  10.87
      • 5.  Intervening Criminal Conduct [Deleted]  10.88
      • 6.  Negligent Failure to Notify [Deleted]  10.89
    • B.  Misrepresentation [Deleted]  10.90
    • C.  Invasion of Privacy [Deleted]  10.91
    • D.  Breach of Fiduciary Duty [Deleted]  10.92
    • E.  Infliction of Emotional Distress [Deleted]  10.93
    • F.  Defamation [Deleted]  10.94
    • G.  Breach of Contract [Deleted]  10.95
    • H.  Trespass to Chattels [Deleted]  10.96
    • I.  Other Claims and Defenses [Deleted]  10.97
      • 1.  Causation Issues [Deleted]  10.98
      • 2.  Damages [Deleted]  10.99
  • VII.  PROTECTING AGAINST IDENTITY THEFT  10.100
    • A.  FTC Standards for Safeguarding Customer Information  10.101
    • B.  California Business Privacy Handbook  10.102
    • C.  Incident Response Plan  10.103
    • D.  Cyberinsurance  10.104
    • E.  Third Party Contracts  10.105
      • 1.  Exercising Due Diligence in Vendor Selection  10.106
      • 2.  Key Contract Provisions  10.107
  • VIII.  CHECKLISTS AND FORMS
    • A.  Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program  10.108
    • B.  Checklist: Selecting Third Party Service Providers  10.109
    • C.  Form: Model Business Letter Notifying Customer of Theft of Personal Information  10.110

10A

The California Consumer Privacy Act of 2018

Genevieve R. Walser-Jolly

Colin T. Murphy

  • I.  HISTORY OF CCPA AND SCOPE OF CHAPTER  10A.1
  • II.  DEFINITIONS UNDER THE CCPA
    • A.  Aggregate Consumer Information  10A.2
    • B.  Biometric Information  10A.3
    • C.  Business  10A.4
    • D.  Business Purpose  10A.5
    • E.  Collects, Collected, or Collection  10A.6
    • F.  Commercial Purpose  10A.7
    • G.  Consumer  10A.8
    • H.  Control or Controlled  10A.9
    • I.  Deidentified  10A.10
    • J.  Designated Methods for Submitting Requests  10A.11
    • K.  Device  10A.12
    • L.  Health Insurance Information  10A.13
    • M.  Homepage  10A.14
    • N.  Infer or Inference  10A.15
    • O.  Person  10A.16
    • P.  Personal Information  10A.17
    • Q.  Probabilistic Identifier  10A.18
    • R.  Processing  10A.19
    • S.  Pseudonymize or Pseudonymization  10A.20
    • T.  Publicly Available  10A.21
    • U.  Research  10A.22
    • V.  Sell, Selling, Sale, or Sold  10A.23
    • W.  Service or Services  10A.24
    • X.  Service Provider  10A.25
    • Y.  Third Party  10A.26
    • Z.  Unique Identifier or Unique Personal Identifier  10A.27
    • AA.  Verifiable Consumer Request  10A.28
  • III.  CONSUMER RIGHTS TO DISCLOSURE AND ACCESS TO COLLECTED PERSONAL INFORMATION  10A.29
    • A.  Pre-Collection Disclosure  10A.30
    • B.  Verifiable Consumer Request About Collected Personal Information  10A.31
    • C.  Single, One-time Transaction Exception to Data Retention  10A.32
  • IV.  CONSUMER RIGHTS TO DISCLOSURE OF PERSONAL INFORMATION SOLD OR DISCLOSED FOR BUSINESS PURPOSE  10A.33
    • A.  Pre-Sale and Pre-Sharing Disclosure  10A.34
    • B.  What Businesses Must Disclose When Personal Information Is Sold or Disclosed for a Business Purpose  10A.35
    • C.  Notice of Resale of Personal Information by Third Party  10A.36
  • V.  CONSUMER RIGHT TO OPT-OUT OF THE SALE OF PERSONAL INFORMATION  10A.37
    • A.  Requirement to Inform Consumer of Right to Opt-Out  10A.38
    • B.  Handling Consumer Opt-Outs  10A.39
    • C.  Opt-In Requirement for Consumers Under the Age of 16  10A.40
    • D.  Consumers May Authorize Third Parties to Opt-Out on Their Behalf  10A.41
  • VI.  CONSUMER RIGHT TO REQUEST DELETION OF PERSONAL INFORMATION  10A.42
    • A.  Deleting Consumer Personal Information  10A.43
  • VII.  PROHIBITION AGAINST RETALIATORY DISCRIMINATION FOR EXERCISING CONSUMER RIGHTS  10A.44
    • A.  Permissible Incentives  10A.45
    • B.  Disclosure of Incentives  10A.46
  • VIII.  BUSINESS LIABILITY FOR SERVICE PROVIDER’S MISUSE OF PERSONAL INFORMATION  10A.47
  • IX.  EXEMPTIONS TO THE CALIFORNIA CONSUMER PRIVACY ACT
    • A.  Exemptions for Complying With Laws, Cooperating with Law Enforcement, or Defending Legal Claims  10A.48
    • B.  Exemptions for Deidentified, Out-of-State, and Aggregate Consumer Information  10A.49
    • C.  Evidentiary Privilege  10A.50
    • D.  Health Information
      • 1.  HIPAA Exemption  10A.51
        • a.  Limitations to the HIPAA Exemption  10A.52
        • b.  Evaluation of Existing Practices for Deidentification Under HIPAA  10A.53
        • c.  Application of HIPAA Exemption to Research and Clinical Trials  10A.54
      • 2.  ERISA Preemption  10A.55
      • 3.  Non-ERISA Benefits  10A.56
      • 4.  Exemption for Health Care Providers Governed by Confidentiality of Medical Information Act (CMIA)  10A.57
    • E.  Personal Information Used by Consumer Reporting Agencies  10A.58
    • F.  Personal Information Used Under Gramm-Leach-Bliley Act  10A.59
    • G.  Personal Information Used Under Driver’s Privacy Protection Act of 1994  10A.60
  • X.  PRIVATE RIGHT OF ACTION FOR DATA BREACH  10A.61
    • A.  Remedies Available to Consumers  10A.62
    • B.  Prelitigation Requirements for Consumer Actions  10A.63
  • XI.  ATTORNEY GENERAL ENFORCEMENT
    • A.  Businesses May Seek Guidance From Attorney General on How to Comply With CCPA  10A.64
    • B.  Civil Penalties Attorney General May Seek  10A.65
  • XII.  REGULATIONS BY THE ATTORNEY GENERAL  10A.66
  • XIII.   RESTRICTIONS ON BUSINESSES FROM CIRCUMVENTING CCPA   10A.67
  • XIV.  FORM: WEBSITE PRIVACY POLICY  10A.68

11

Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims

Denis T. Rice

  • I.  SCOPE OF CHAPTER  11.1
  • II.  UNDERSTANDING THEORIES OF LIABILITY  11.2
    • A.  Privacy- and Security-Oriented Statutes
      • 1.  Federal [Deleted]  11.3
      • 2.  State
        • a.  Security Breach and Breach Notification [Deleted]  11.4
        • b.  Other State Statutes [Deleted]  11.5
    • B.  Copyright, Trademark, and Unfair Competition Statutes [Deleted]  11.6
    • C.  Common Law Contract and Tort Theories [Deleted]  11.7
      • 1.  Examples: Breach of Contract [Deleted]  11.8
      • 2.  Examples: Tort Actions [Deleted]  11.9
  • III.  BASIC PRINCIPLES OF JURISDICTION IN THE UNITED STATES  11.10
    • A.  Personal Jurisdiction in General  11.11
    • B.  Subject Matter Jurisdiction  11.12
    • C.  Personal Jurisdiction and the Internet  11.13
    • D.  State Long-Arm Statutes  11.14
    • E.  Federal Rules of Civil Procedure  11.15
    • F.  Constitution  11.16
  • IV.  DETERMINING WHETHER A U.S. FORUM HAS JURISDICTION OVER A DEFENDANT
    • A.  Is There General Jurisdiction?  11.17
      • 1.  Internet Activity as the Sole Basis for General Jurisdiction  11.18
      • 2.  Internet Activity Plus Other Activity as a Basis for General Jurisdiction  11.19
    • B.  Is There Specific Jurisdiction?  11.20
      • 1.  Constitutional Requirement of Minimum Contacts  11.21
        • a.  Three-Part Minimum Contacts Test  11.22
        • b.  Shifting Burdens and Reasonableness  11.23
      • 2.  Purposeful Direction and the Calder “Effects” Test  11.24
        • a.  The “Effects” Test in Federal Courts
          • (1)  The Ninth Circuit  11.25
          • (2)  “Strict Effects” and “Soft Effects” Test Jurisdictions  11.26
        • b.  The Effects Test in California  11.27
        • c.  Calder and Particular Causes of Action  11.28
      • 3.  “Purposeful Availment”  11.29
      • 4.  Internet Activity as a Basis for Specific Jurisdiction  11.30
        • a.  The Zippo Sliding Scale  11.31
          • (1)  Websites Integral to Business; Interactive Websites  11.32
          • (2)  Passive Websites  11.33
        • b.  Calder Effects Test in Internet Cases  11.34
        • c.  Auction Websites  11.35
    • C.  Foreign Defendants in United States Forums  11.36
      • 1.  Burden of Defending in United States  11.37
      • 2.  Sovereignty  11.38
      • 3.  Foreign Sovereign Immunities Act  11.39
      • 4.  Type of Claim and Test Used by Court  11.40
    • D.  Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security  11.41
  • V.  BASIC PRINCIPLES OF JURISDICTION UNDER INTERNATIONAL LAW  11.42
    • A.  Country’s Authority to Exercise Jurisdiction Over Nonresidents  11.43
      • 1.  Jurisdiction to Prescribe  11.44
      • 2.  Jurisdiction to Adjudicate  11.45
      • 3.  Jurisdiction to Enforce  11.46
    • B.  Choice of Law  11.47
  • VI.  JURISDICTION OVER UNITED STATES RESIDENTS UNDER LAWS OF SELECTED OTHER COUNTRIES
    • A.  European Union  11.48
      • 1.  Brussels Regulation
        • a.  Jurisdiction in Member State Where Defendant Is Domiciled  11.49
        • b.  Jurisdiction Over a Non-Domiciliary Defendant  11.50
          • (1)  Contract, Tort, and Maintenance Matters  11.51
          • (2)  Choice of Forum Agreements  11.52
          • (3)  Consumer Contracts  11.53
          • (4)  Individual Employment Contracts  11.54
          • (5)  Insurance  11.55
          • (6)  Exclusive Jurisdiction  11.56
          • (7)  Cross-Border Disputes  11.57
        • c.  Consumer Contracts Via the Internet  11.58
      • 2.  European Union Data Protection Laws and “Safe Harbor” [Deleted]  11.59
    • B.  United Kingdom  11.60
    • C.  Canada  11.61
    • D.  France  11.62
    • E.  Germany  11.63
    • F.  Italy  11.64
    • G.  Australia  11.65
    • H.  Japan  11.66
    • I.  Hong Kong  11.67
    • J.  China  11.68
  • VII.  ENFORCEMENT OF JUDGMENTS
    • A.  Sister State Judgments in the United States: Full Faith and Credit Clause  11.69
    • B.  Foreign Judgments in the United States
      • 1.  Comity  11.70
      • 2.  Uniform Foreign-Country Money Judgments Recognition Act  11.71
      • 3.  Public Policy Considerations  11.72
    • C.  United States Judgments in Foreign Countries
      • 1.  Consider Local Enforcement Requirements  11.73
        • a.  Determine Local Law  11.74
        • b.  Consider Local Enforcement Procedures  11.75
      • 2.  Selected Foreign Countries
        • a.  Canada
          • (1)  “Real and Substantial Connection” Test  11.76
          • (2)  Defenses to Enforcement  11.77
        • b.  France  11.78
        • c.  Germany  11.79
        • d.  United Kingdom  11.80
  • VIII.  PRE-DISPUTE CONSENT TO JURISDICTION OVER INTERNET TRANSACTIONS  11.81
    • A.  United States Approach to Pre-Dispute Contractual Choice of Law and Forum  11.82
      • 1.  Click-Wrap Agreements  11.83
      • 2.  Browse-Wrap Agreements  11.84
    • B.  European Union Approach to Pre-Dispute Contractual Choice of Law and Forum  11.85
    • C.  Checklist: Creating a Website Offering Goods and Services Online to Consumers  11.86

12

Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial

James G. Snell

Sheila M. Pierce

  • I.  SCOPE OF CHAPTER  12.1
  • II.  LITIGATION IN DATA BREACH AND PRIVACY CASES
    • A.  Class Actions  12.2
      • 1.  Statutory Class Certification
        • a.  California Class Actions   12.3
        • b.   Federal Class Actions  12.4
      • 2.   Constitutional Standing Requirements  12.5
        • a.  Injury in Fact  12.6
          • (1)  Assertion of Violation of Statute  12.6A
          • (2)  Fear of Injury and Threat of Future Harm  12.6B
          • (3)  Mitigation Costs as Injury  12.6C
        • b.  Causation  12.7
      • 3.  Damages
        • a.  Pleading Damages  12.8
        • b.  Mitigation  12.9
      • 4.  Cy Pres Settlements  12.10
    • B.  Causes of Action
      • 1.  Private Rights of Action  12.11
        • a.  Under Federal Law  12.12
        • b.  Under State Law  12.13
      • 2.  Defenses  12.14
      • 3.  Common Law Causes of Action  12.15
        • a.  Negligence  12.16
        • b.  Negligent or Intentional Misrepresentation  12.17
        • c.  Invasion of Privacy  12.18
        • d.  Breach of Fiduciary Duty  12.19
        • e.  Infliction of Emotional Distress  12.20
        • f.  Defamation  12.21
        • g.  Breach of Contract  12.22
        • h.  Trespass to Chattels  12.23
        • i.  Traditional Tort Actions  12.24
        • j.  Unjust Enrichment  12.25
        • k.  Breach of Covenant of Good Faith and Fair Dealing  12.26
      • 4.  Unfair Business Practices  12.27
      • 5.  Shareholder Derivative Action  12.28
  • III.  PRIVACY CONSIDERATIONS DURING INVESTIGATIONS  12.29
    • A.  Public Records  12.30
    • B.  Specific Requests for Government Agency Information  12.31
      • 1.  Freedom of Information Act (FOIA)  12.32
        • a.  Obtaining Information Under the FOIA  12.33
        • b.  FOIA Privacy Exemptions  12.34
      • 2.  California Public Records Act  12.35
        • a.  Obtaining Information Under California Public Records Act  12.36
        • b.  Exemptions From the California Public Records Act  12.37
          • (1)  Specific Exemptions  12.38
          • (2)  “Catchall” Exemption  12.39
    • C.  Other Information  12.40
      • 1.  Personal Medical and Credit Information  12.41
      • 2.  Financial Institution Customer Information  12.42
      • 3.  Prohibitions of Deceptive Acts or Practices  12.43
      • 4.  Obtaining Phone Records Without Consent or by Fraud or Deceit  12.44
      • 5.  “Phishing”  12.45
      • 6.  Eavesdropping  12.46
      • 7.  Accessing Computers  12.47
      • 8.  Adhering to Contractual Obligations  12.48
      • 9.  Contacting Parties and Witnesses
        • a.  Represented Party  12.49
          • (1)  Actual Knowledge of Representation  12.50
          • (2)  Communications With Opposing Party’s Employees, Officers, or Directors  12.51
        • b.  Expert Witnesses  12.52
      • 10.  Government Access to Information; Sharing Information With Government  12.52A
    • D.  Document Preservation  12.53
      • 1.  Duty to Preserve Under Federal Law
        • a.  Spoliation  12.54
        • b.  Spoliation and Electronic Documents  12.55
        • c.  Preservation Orders  12.56
      • 2.  Duty to Preserve Under California Law  12.57
      • 3.  Privacy and Metadata  12.58
  • IV.  PRIVACY CONSIDERATIONS WHEN LAWSUIT IS FILED
    • A.  Protecting the Name of the Plaintiff  12.59
      • 1.  Federal Practice  12.60
      • 2.  California  12.61
    • B.  Social Security and Other Numbers  12.62
    • C.  Privacy in Electronic Court Documents  12.63
      • 1.  California  12.64
      • 2.  Federal  12.65
  • V.  PRIVACY CONSIDERATIONS WHEN RESPONDING TO DISCOVERY REQUESTS
    • A.  Producing Metadata  12.66
    • B.  Inadvertent Disclosure  12.67
    • C.  Work Product Doctrine, Specific Privileges, and Other Protections  12.68
      • 1.  Work Product Doctrine
        • a.  California  12.69
        • b.  Federal  12.70
      • 2.  Attorney-Client Privilege
        • a.  California  12.71
        • b.  Federal  12.72
      • 3.  Personal Financial Privilege
        • a.  California  12.73
        • b.  Federal  12.74
      • 4.  Marital Privileges
        • a.  California  12.75
          • (1)  Testimonial Privilege  12.76
          • (2)  Spousal Communications Privilege  12.77
        • b.  Federal  12.78
          • (1)  Adverse Spousal Testimonial Privilege  12.79
          • (2)  Marital Communications Privilege  12.80
      • 5.  Physician-Patient Privilege
        • a.  California
          • (1)  Nature of Privilege  12.81
          • (2)  Exceptions  12.82
        • b.  Federal  12.83
      • 6.  Psychotherapist-Patient Privilege
        • a.  California  12.84
        • b.  Federal  12.85
      • 7.  Clergyperson-Penitent Privilege
        • a.  California  12.86
        • b.  Federal  12.87
      • 8.  Privilege Against Self-Incrimination
      • 9.  California  12.88
      • 10.  Federal  12.89
    • D.  Sexual Assault Victim-Counselor Privilege
      • 1.  California  12.90
      • 2.  Federal  12.91
    • E.  Domestic Violence Victim-Counselor Privilege
      • 1.  California  12.92
      • 2.  Federal  12.93
    • F.  Self-Critical Analysis Privilege
      • 1.  California  12.94
      • 2.  Federal  12.95
    • G.  Official Information Privilege
      • 1.  California  12.96
      • 2.  Federal  12.97
    • H.  State Secrets Privilege  12.98
    • I.  Settlement/Mediation Privilege
      • 1.  California  12.99
      • 2.  Federal  12.100
    • J.  Trade Secrets  12.101
      • 1.  California  12.102
      • 2.  Federal  12.103
    • K.  Voter Privilege  12.104
    • L.  Common Interest Privilege or Joint Defense Privilege
      • 1.  California  12.105
      • 2.  Federal  12.106
    • M.  Free Speech Privileges
      • 1.  Free Association  12.107
      • 2.  Anonymous Speech  12.108
      • 3.  Journalist’s Privilege
        • a.  Federal Law  12.109
        • b.  California Law  12.110
    • N.  Traditional Privacy Rights  12.111
      • 1.  California Constitution  12.112
      • 2.  Federal Privacy Act of 1974  12.113
      • 3.  Personal Financial Information Privacy  12.114
      • 4.  Consumer and Employment Records Subpoenas  12.115
      • 5.  Consumer Records Subpoenas in Class Actions  12.116
      • 6.  Overbroad Subpoenas  12.117
    • O.  Discovery in Specific Types of Cases
      • 1.  Marital Dissolution  12.118
      • 2.  Sexual Harassment Lawsuits  12.119
    • P.  Discovery When One Party Is a Corporation  12.120
    • Q.  International Considerations  12.121
  • VI.  MOTIONS TO SEAL  12.122
    • A.  Federal Court Motions to Seal
      • 1.  General Principles  12.123
      • 2.  Local Court Rules  12.124
    • B.  California Court Motions to Seal  12.125
      • 1.  Procedure  12.126
      • 2.  Cases Concerning Interest to Seal Versus Public’s Right to Access  12.127
  • VII.  PRIVACY AT TRIAL  12.128
    • A.  Gag Orders  12.129
    • B.  Privilege Against Self-Incrimination  12.130
    • C.  Media Access to Courtroom  12.131
    • D.  Sixth Amendment Right to Confront Witnesses  12.132
    • E.  Request for Private Trial  12.133

PRIVACY COMPLIANCE AND LITIGATION IN CALIFORNIA

(1st Edition)

September 2019

TABLE OF CONTENTS

File Name  Book Section  Title

CH03  Chapter 3  Information Security and Security Breach
03-049B  §3.49B  Model Security Breach Notification

CH04  Chapter 4  Internet and Electronic Privacy
04-034  §4.34  Checklist: Steps for California Businesses to Meet Obligation to Protect Personal Customer Information

CH05  Chapter 5  Marketing and Sales Regulation
05-018  §5.18  Sample Children’s Website Privacy Policy
05-029  §5.29  Checklist: COPPA Compliance
05-045  §5.45  Opt-Out Notice
05-091  §5.91  Sample Information-Sharing Disclosure Statement; Nonaffiliated Entities
05-093  §5.93  Sample Information-Sharing Disclosure Statement; Affiliated Entities

CH06  Chapter 6  Financial Data Privacy
06-064  §6.64  Checklist: PCI DSS Requirements

CH07  Chapter 7  Health Information Privacy
07-088  §7.88  General Authorization for the Use and/or Disclosure of Protected Health Information
07-109A  §7.109A  Sample Business Associate Agreement

CH08  Chapter 8  Workplace Privacy
08-073  §8.73  Sample Electronic Information Systems Policy

CH10  Chapter 10  Identity Theft
10-108  §10.108  Checklist: Implementing and Maintaining a Business Identity Theft Prevention Program
10-109  §10.109  Checklist: Selecting Third Party Service Providers
10-110  §10.110  Model Business Letter Notifying Customer of Theft of Personal Information

CH10A  Chapter 10A  The California Consumer Privacy Act of 2018
10A-068  §10A.68  Form: Website Privacy Policy

CH11  Chapter 11  Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims
11-041  §11.41  Checklist: Jurisdictional Facts in Civil Action for Breach of Privacy or Security
11-086  §11.86  Checklist: Creating a Website Offering Goods and Services Online to Consumers

Selected Developments

September 2019 Update

The discussion in chap 1 of developing technologies, trends, and hot topics has been updated to reflect developments during the last year, including facial recognition technology, new Illinois biometrics legislation, the biggest data breaches yet, a new “Internet of things” law, research on wearable devices, and the status of federal and state net neutrality rules. See §1.3.

Among other important developments, California enacted the California Consumer Privacy Act of 2018 (CCPA) (CC §§1798.100–1798.198), operative January 1, 2020, to give customers of specified businesses in California expanded control over personal information that businesses collect about them and to expand the ability to bring lawsuits for data breach. See §§1.3, 3.4, 3.10A, 3.49D, 4.11A, 5.1, 5.68, 7.3A, 12.6. A completely new chapter has been added to the book discussing the CCPA in detail and including a website privacy policy that is compliant with the Act. See chap 10A.

In addition, the California Legislature enacted new “Internet of things” legislation, which defines “connected devices” and requires that a manufacturer of such devices must equip them with reasonable security features. See §§1.3, 3.10B, 4.21A.

The Eleventh Circuit held that searches of cell phones occurring at the border require neither a warrant nor probable cause; rather, all that is needed is “reasonable suspicion.” U.S. v Vergara (11th Cir 2018) 884 F3d 1309. It also found that a traveler’s privacy interest should not be given much weight in light of the government’s paramount interest in protecting the nation’s territorial integrity. U.S. v Touset (11th Cir 2018) 890 F3d 1227. See §2.4A.

The Seventh Circuit found that a garage door opener does not carry a reasonable expectation of privacy and affirmed the conviction of a defendant for possession of drugs police officers found in a garage which they opened using an opener found on his person when they searched him pursuant to a minor traffic offense. U.S. v Correa (7th Cir 2018) 908 F3d 208. See §2.4A.

The California Legislature amended CC §47(c), which establishes the common interest privilege, to add language extending the privilege to communications about sexual harassment between a former employer and a prospective employer with regard to an applicant for employment. Stats 2018, ch 82. See §§2.21, 4.21A, 8.92.

The U.S. Supreme Court held that it is reasonable to require a person arrested for drunk driving to submit to a breath test, but not to a blood test, which is more intrusive and would violate a driver’s expectation of privacy (Birchfield v North Dakota (2016) __ US __, 136 S Ct 2160), unless the defendant voluntarily consented to a blood test (People v Gutierrez (2018) 27 CA5th 1155). See §2.4A.

The California Legislature amended CC §1939.23 to permit rental car companies to use authorized electronic surveillance technology in circumstances when the rental vehicle has not been returned within 72 hours after the contract return date. Stats 2018, ch 344. See §4.11.

In an exception to the normal rule that personnel records of peace officers are confidential, new California legislation provides that such records must be made public in certain cases including those when a gun was fired, when death or great bodily harm occurred, or when a peace officer assaulted a member of the public. Pen C §832.7. See §4.21.

The FTC has released a resource designed to help small businesses and nonprofits with cybersecurity issues, containing tips on 12 different topics, such as phishing, ransomware, vendor security, cyber insurance, physical security, and tech support scams. See https://www.us-cert.gov/ncas/current-activity/2018/10/25/FTC-Releases-Cyber-Resources-Small-Businesses. See also §4.56.

In one of the largest settlements to date, the FTC imposed civil penalties of $5.7 million on a music app producer for violating the Children’s Online Privacy Protection Act of 1998 (COPPA) by collecting personal information from children without parental consent. U.S. v Musical.ly (CD Cal, Feb. 27, 2019, No. 2:19-cv-01439) FTC File No. 172 3004. See §5.28.

The Attorney General of New York obtained a settlement from Oath, Inc. (formerly known as AOL Inc.) to pay $4.95 million in penalties and to adopt comprehensive reforms to protect children from improper online tracking. See https://ag.ny.gov/press-release/ag-underwood-announces-record-coppa-settlement-oath-formerly-aol-violating-childrens. See also §5.28.

After seeking public comment on possible technical updates to the existing rule under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), the FTC announced that it was retaining the rule without modification. See §5.39.

In June 2019, the FCC issued a declaratory ruling dramatically expanding previous policy and allowing phone carriers to start automatically blocking both illegal robocalls and robocalls that carriers believe customers do not want. FCC Declaratory Ruling and Third Further Notice of Rulemaking (June 6, 2019) CG Docket No. 17–59. See §5.53A.

In reviewing the issue of whether a business engaging a vendor is liable for the vendor’s violation of the Telephone Consumer Protection Act (TCPA), the Ninth Circuit held that calls placed by an agent of an advertiser are treated as if the advertiser itself had placed the call. Kristensen v Credit Payment Servs. (9th Cir 2018) 879 F3d 1010. The court reached a similar conclusion in Jones v Royal Admins. Servs. (9th Cir 2018) 887 F3d 443. See §5.56A.

In 2019, California enacted the Parent’s Accountability and Child Protection Act, operative January 1, 2020, requiring businesses to take “reasonable steps” (as defined) to verify a purchaser’s age when selling products that are illegal to sell to minors, and permitting businesses to retain or use any information collected to verify age only when necessary to comply with the statute. CC §1798.99.1. A section has been added in chap 5 discussing this new law. See §5.68B.

When the California medical board sought to subpoena records of a pain management physician suspected of over-prescribing controlled substances, it was required to show good cause to overcome the patients’ constitutional rights to privacy, but it failed the test by showing merely that the physician occasionally prescribed more than the usual dose because that did not suggest that the physician was negligent in treating patients or prescribed controlled substances without meeting the relevant standard of care. Grafilo v Cohanshohet (2019) 32 CA5th 428; see Grafilo v Wolfsohn (2019) 33 CA5th 1024. See also §§7.2, 7.66.

A new discussion of laws governing the use of health information in research and the Federal Policy for the Protection of Human Subjects has been added to chap 7. See §7.14A.

On October 19, 2018, the California Department of Public Health issued proposed regulations to implement Health & S C §1280.15, which requires clinics, health facilities, and hospices to prevent unauthorized access to or disclosure of patients’ medical information. See https://www.cdph.ca.gov/Programs/OLS/Pages/DPH-11-009.aspx. See also §7.16.

An entirely new discussion of complex organizations, which may be covered by the HIPAA Privacy Rule, has been added to chap 7. The discussion covers affiliated covered entities, hybrid entities, and organized health care arrangements. See §§7.130A–7.130D.

The country of Brazil has adopted a comprehensive new data protection law, effective February 14, 2020, and a complete discussion of it has been added in chap 9. Law No. 13,709 (Aug. 14, 2018), “Lei Geral de Proteção de Dados Pessoais” (LGPD). See §9.137A.

Canada’s new security breach disclosure regulations require organizations to notify the Canadian Privacy Commissioner and affected individuals of any breach of security involving personal information in the control of the organization if it is reasonable to believe that a breach poses a risk of significant harm. Breach of Security Safeguards Regulations (SOR/2018-64). See §9.144A.

In a data breach case involving the question of US Const art III standing to bring a class action, the Ninth Circuit found that the data breach victims sufficiently alleged injury in fact to confer standing based on the substantial risk that the hackers would commit identity theft. Ree v Zappos.com (In re Zappos.com) (9th Cir 2018) 888 F3d 1020. See §§12.6A–12.6B.

In a case in which the parties negotiated a cy pres settlement, the U.S. Supreme Court found that, despite the settlement, substantial questions remained about whether any of the named plaintiffs had suffered sufficiently concrete injury to give them standing to sue, so the Court vacated and remanded the Ninth Circuit decision so that the lower court could determine standing. Frank v Gaos (2019) ___ US ___, 139 S Ct 1041. See §12.10.

The U.S. Supreme Court found that the exemption in the Freedom of Information Act (FOIA) (5 USC §522) for “confidential” commercial or financial information applies to all information treated as private by the owner. Food Mktg. Inst. v Argus Leader Media (Jan. 11, 2019, No. 18–481) 2019 US Lexis 577. See §12.34.

The Legislature has amended the Government Code to provide that certain video or audio recordings related to a critical incident cannot be withheld more than 45 days, even if they were otherwise confidential under the California Public Records Act. Stats 2018, ch 960. See §12.38.

About the Authors

JONATHAN D. AVILA is Vice President, Chief Privacy Officer of Wal-Mart Stores, Inc., where he supervises data privacy law counseling and compliance for the domestic and international operations of Walmart Stores. He was formerly Vice President—Chief Privacy Officer of the Walt Disney Company. Before joining Disney, he was General Counsel and Chief Privacy Officer of Mvalue.com, Inc., and also served as Litigation Counsel to CBS Broadcasting, Inc., where he represented CBS in privacy litigation. Mr. Avila is a past President of the International Association of Privacy Professionals (IAPP) and was a member of the Advisory Group to the California Office of Privacy Protection with respect to its Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements (SB 27). Mr. Avila received a B.A. degree from Yale University (cum laude) and a J.D. degree from Harvard Law School as well as a diploma from the University of Salamanca (Spain). He is a co-author of chapter 5 (Marketing and Sales Regulation).

MATTHEW J. COONEY is Senior Counsel at California State Automobile Association of Northern California, Nevada, and Utah, where he leads the technology and procurement practice areas. Mr. Cooney is an active member of the San Francisco Bar Association and the State Bar of California, where he is also a member of the Cyberspace Law Committee of the Business Law Section. He received a B.S. degree from the University of California, Berkeley, and a J.D. degree from Golden Gate University School of Law (cum laude). Mr. Cooney is a co-author of chapter 10 (Identity Theft).

FRANÇOISE GILBERT is the CEO of DataMinding Legal Services, Palo Alto, California. She advises clients on developing and implementing information privacy and security strategies and compliance programs at the domestic and global levels. A significant portion of her time is dedicated to the creation of data governance and protection programs that comply with applicable laws, such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR). She assists clients in their efforts to implement data privacy and security safeguards in the design of products and services that rely on artificial intelligence, big data analytics, or Internet of things technologies, such as smart cities, autonomous vehicles, wearables, and other connected objects and devices. She is the author of Global Privacy and Security Law (Aspen Publishers/Wolters Kluwer Law and Business). She holds CIPP/US, CIPP/EU, and CIPM certifications from the International Association of Privacy Professionals. Her work in the information privacy and cybersecurity areas has been consistently recommended by Chambers Global (2009–present), Best Lawyers in America (2008–present), and Who’s Who in Internet, ECommerce and Telecommunication Laws (1998–present). Ms. Gilbert holds undergraduate and graduate degrees in mathematics from the Universities of Paris and Montpellier (France) and J.D. degrees from the University of Paris (France) and Loyola University School of Law in Chicago, Illinois. She is the author of chapter 3 (Information Security and Security Breach) and chapter 9 (International Personal Data Protection and Cross-Border Data Transfers).

ROBERT V. HALE II is in-house counsel at Apollo Group, Inc., where he handles consumer, transactional, and regulatory matters. Before joining Apollo in 2010, he served as Vice President and Senior Counsel at HSBC North America, and in similar roles at other financial institutions. He is the author of Wi-Fi Access and Operation Liability, published in The SciTech Lawyer. Mr. Hale serves as an Advisor to the Financial Institutions Committee and the Cyberspace Committee of the Business Law Section of the State Bar of California. He is Executive Managing Editor of the Journal of Internet Law (Aspen Publishers). Mr. Hale received his B.A. degree from Sarah Lawrence College and his J.D. degree from the University of San Francisco School of Law. He is a co-author of chapter 10 (Identity Theft).

CATHERINE D. MEYER is Counsel with Pillsbury Winthrop Shaw Pittman LLP. She was a partner with the firm for 20 years, practicing in the areas of finance and privacy regulation and compliance. Ms. Meyer advises financial institutions and other companies on privacy, including rights to financial privacy and protection of customers’ privacy rights under state, federal, and international statutes and regulations. She regularly counsels commercial clients on compliance with regulations affecting the collection, use, sale, transfer, and sharing of customer and employee information on a local to global scale. She assists with marketing issues, such as unsolicited commercial e-mail, fax, and telephone communications, marketing to children, and issues specific to credit card and check transactions and data security breaches. She has served as co-chair of the Business Department of the Los Angeles Office and of the firm-wide Privacy and Data Protection Practice Team. Ms. Meyer is a frequent speaker and writer on data protection and privacy issues, and sits on the Board of Editors of the Privacy & Data Security Law Journal and the Privacy & Data Security Review. Ms. Meyer received an A.B. degree from Bryn Mawr College and a J.D. degree from Northwestern University School of Law. She is a co-author of chapter 5 (Marketing and Sales Regulation).

COLIN T. MURPHY, an attorney in the San Francisco and Orange County offices of Severson & Werson, APC, has particular experience representing international and domestic clients in the defense and trial of construction defects, cybersecurity and data protection, products liability, professional liability, sports, and leisure and entertainment. Mr. Murphy represents national and international insureds and insurers. In 2019, he was recognized as a Distinguished Lawyer by the international organization Lawyers of Distinction. He is a member of the San Francisco and Orange County Bar Associations, the International Association of Privacy Professionals (IAPP), and the Professional Liability Underwriting Society. He received a B.A. from the University of California, Santa Cruz, and a J.D. from Santa Clara University, and is a co-author of chapter 10A (The California Consumer Privacy Act of 2018).

DENISE OLRICH, of the Law Office of Denise Olrich, is a business attorney specializing in the legal needs of the entrepreneur, including e-commerce, privacy and cyberlaw matters, intellectual property matters, trademark registration, business formation, corporations and partnerships, business transactions, bankruptcy and bankruptcy litigation, as well as business litigation in the state courts. Ms. Olrich regularly lectures to attorneys, business groups, and students regarding business and cyberspace law matters. She served on the committee that drafted California’s new revised limited partnership law. She is an Advisor to the Executive Committee of the Business Law Section of the State Bar of California and has chaired the Cyberspace Law Committee, as well as the Partnerships and Limited Liability Companies Committee of the Business Law Section. Ms. Olrich received a B.A. degree from Michigan State University and a J.D. degree from Thomas M. Cooley Law School in Lansing, Michigan. She is the author of chapter 4 (Internet and Electronic Privacy).

SHEILA M. PIERCE is an associate in the Silicon Valley office of Bingham McCutchen LLP, where she represents clients on issues such as breach of contract, patent infringement, securities violations, privacy matters, civil rights matters, and product liability. She has also advised clients on issues related to Internet privacy and data security laws. Ms. Pierce has a J.D. degree from the University of San Francisco School of Law and a B.A. degree from San Francisco State University (summa cum laude). She is a co-author of chapter 12 (Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial).

DENIS T. RICE, of Arnold & Porter, LLP, San Francisco, practices in a broad range of areas, including corporate and securities matters, and Internet and e-commerce law. Mr. Rice was a founding director of Howard Rice Nemerovski Canady Falk & Rabkin PC. He is chair of the Committee on Developments in Business Financing of the American Bar Association and a Board Member of the International Technology Law Association. He has litigated complex cases, including class actions, in state and federal courts involving securities fraud, fiduciary duties, corporate governance, antitrust, trademarks, and trade secrets. Mr. Rice has lectured on information technology, privacy, securities, electronic commerce, and litigation in cities around the world. He serves as a panel arbitrator and mediator for both the American Arbitration Association and the World Intellectual Property Organization. Mr. Rice holds an undergraduate degree from Princeton University, Woodrow Wilson School of Public and International Affairs (Phi Beta Kappa), and a law degree from the University of Michigan Law School (Order of the Coif; Associate Editor, Michigan Law Review). He is the author of chapters 1 (Challenges of Privacy Compliance and Litigation) and 11 (Global Jurisdiction Over Privacy, Breach of Security, and Internet Activity Claims).

PAUL T. SMITH is a partner with Hooper, Lundy & Bookman, PC, San Francisco, where he advises clients in health care and other industries on corporate formation and governance, joint ventures, financing, reimbursement, and regulatory compliance, and also represents technology companies in transaction, financing, and licensing matters, and data privacy and security. Mr. Smith has practiced in the U.S. health care industry since 1982, representing hospitals, hospital associations, medical groups, and provider network organizations. He has been named as one of “America’s Leading Lawyers for business” in health care by Chambers USA, 2005–2010, and was selected to the “Northern California Super Lawyers” in health care law and business/corporate law in 2010. He has spoken on health-care-related topics at numerous conferences, including the American Bar Association, the California Society of Healthcare Attorneys, the IBM/Modern Healthcare National HIPAA Conferences, and the HIPAA Summits. He holds B.A. and LL.B. (cum laude) degrees from the University of Natal School of Law (South Africa). Mr. Smith is the author of chapter 7 (Health Information Privacy).

JAMES G. SNELL is a partner in the Silicon Valley office of Bingham McCutchen LLP, where he is co-chair of the firm’s Privacy and Security Group and former co-chair of the firm’s Intellectual Property Group. He has particular experience in privacy, Internet, and marketing issues, and represents clients in a broad range of complex commercial matters, including Internet, privacy, and trade secret matters, false advertising, and class actions. Mr. Snell is a frequent speaker at bar association and firm events and in-house seminars regarding electronic discovery issues, patent litigation, unfair competition, trade secret law, electronic communications and privacy, among other topics. He was recognized as a Northern California “Super Lawyer” by Law & Politics and San Francisco magazine in 2005. He has a J.D. degree from the University of California, Hastings College of the Law, and a B.A. degree from the University of California, Santa Barbara. Mr. Snell is a co-author of chapter 12 (Class Actions, Data Breach Litigation, and Privacy Concerns Before and During Trial).

RONALD J. SOUZA is a partner in the law firm of Lynch, Gilardi & Grummer PC, in San Francisco, where he practices in the area of labor and employment litigation. He has been an employment law specialist for the last 15 years. A frequent presenter, speaker, and panelist, Mr. Souza regularly addresses professional groups and corporate executives on employment-related topics, including employment privacy, sexual harassment, and employment litigation practices. Mr. Souza is a member of the American Board of Trial Advocates (ABOTA). He also serves as Judge pro tem for the San Francisco Superior Court. He is a founding member of a chapter of the American Inns of Court, an organization of lawyers and judges dedicated to civility and ethics in law practice. Mr. Souza graduated with academic and athletic honors from Washington State University in 1969 and earned his J.D. (cum laude) degree from Santa Clara University School of Law in 1974. He is the author of chapter 8 (Workplace Privacy).

GENEVIEVE R. WALSER-JOLLY is a member of Severson & Werson, APC, where she is managing partner of the Orange County office. Ms. Walser-Jolly’s practice includes developing data privacy programs, complex litigation representing auto finance companies, and defending individual and class action consumer cases under the Telephone Consumer Protection Act (TCPA). She is active in the American Bar Association’s Consumer Financial Services Committee and is a member of the International Association of Privacy Professionals (IAPP), the National and California Mortgage Bankers Associations, and the Orange County Bar Association. Ms. Walser-Jolly regularly speaks on the latest developments in TCPA litigation and how businesses can comply with the California Consumer Privacy Act of 2018. She received her B.A., cum laude, from Northwest Christian College; her M.A. from Pepperdine University, magna cum laude; and her J.D. from Loyola Law School. She is a co-author of chapter 10A (The California Consumer Privacy Act of 2018).

ROY G. WEATHERUP is a partner of Lewis Brisbois Bisgaard & Smith LLP, where he heads the Appellate Practice Group in the firm’s Los Angeles office. He specializes in appellate practice, about which he has lectured extensively. Mr. Weatherup is a member of the California Academy of Appellate Lawyers and the committee that produces the Book of Approved Jury Instructions (BAJI). He has been responsible for more than 1200 appellate briefs in over 800 cases, resulting in about 200 published opinions. He holds a law degree from Stanford University School of Law and an undergraduate degree from Stanford University. He is the author of chapter 2 (Common Law and Constitutional Privacy Protection).

OnLAW System Requirements:
Desktop: Windows XP, 7 or 8, Mac OS 10.8
Mobile: iOS6, iOS7, Android 4.2
Firefox, Chrome, IE and Safari browsers

Note: OnLAW may work with some devices running older versions of these Operating Systems or Windows RT; however, functionality is not guaranteed.

Please see FAQs for more details.
Products specifications
PRODUCT GROUP Publication
PRACTICE AREA Business Law