Privacy & Cybersecurity practice area category
Privacy & Cybersecurity practice area categoryPrivacy & Cybersecurity

CCPA v. CPRA – Privacy Laws Compared

Press & Published Articles   |   Wednesday, January 06, 2021

The California Consumer Privacy Act (CCPA) is still relatively new, and now there is another expansive privacy law in California, the California Privacy Rights Act (CPRA).

In November 2020, California voters approved of the CPRA, which expands privacy rights and requirements beyond the CCPA. For example, the CPRA does the following:

  • Redefines covered “businesses” and expands applicability to those “sharing” information.
  • Introduces a new category and rights for “sensitive” personal information.
  • Expands other consumer rights, such as the right to amend inaccurate information.
  • Updates requirements for clearly disclosing information use and retention practices.
  • Updates requirements for service providers and “contractors.”
  • Clarifies regulation of cross-context behavioral advertising.
  • Increases fines for violations of the opt-in right for minors.
  • Outlines that disclosure of an email address and password or security question would be considered a data breach under the law, which provides for statutory damages.

Further, the CPRA establishes a stand-alone privacy regulator, the California Privacy Protection Agency, to implement and enforce the law. Thus, while the California Attorney General guided regulatory enforcement of the CCPA in 2020 (resulting in most companies voluntarily agreeing to make recommended changes to privacy practices), businesses will now need to figure out how to deal with a novel agency and new standards, without a 30-day cure period like the CCPA contains.

Companies meeting the thresholds under the CCPA, CPRA, General Data Protection Regulation (GDPR), or other privacy laws should consult with experienced legal counsel to ensure they are complying with applicable laws and minimizing risks of a legal action. While the CPRA does not become fully operative until January 1, 2023, certain provisions look back, and businesses working on privacy compliance should do so with the CPRA in mind.

Kronenberger Rosenfeld helps clients with privacy compliance and responding to related civil and enforcement actions. If you need guidance with expanding privacy laws, please contact our firm.

Do You Need a Cookie Notice?

Privacy laws are continuing to emerge, including privacy laws necessitating cookie notices. Because laws are often complex even for attorneys, and because inquiries into privacy matters often involve reviewing a variety of factors, it is important to work with experienced legal counsel on privacy compliance, including on cookie issues.

For example, there are different types of cookie notices, including a disappearing or notice-only banner, an opt-out notice, and an opt-in consent. There are also laws in various countries, states, and regions that require different types of disclosures, including laws in the European Union and throughout the United States. Further, companies will want to balance compliance with emerging privacy laws against ongoing business objectives, such as maintaining conversion rates and maintaining the user experience.

As an example of just one state law, the California Consumer Privacy Act or “CCPA” has several requirements for companies that “sell” information, which impact the analysis for cookie disclosures. Because the CCPA defines the term “sell” very broadly (i.e., including any selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating of personal information to a third party for monetary or other valuable consideration), this raises questions about whether third-party marketing or other cookies constitute a “sale” of information under the law. Without definitive guidance, companies have interpreted the law in different ways. To make matters more complex, the CCPA outlines an exception to a “sale” if the consumer directed the business to intentionally disclose the personal information (assuming other requirements for the exception are satisfied). Some have interpreted this to mean that opting into cookies (such as through a cookie opt-in notice) is a direction from consumers to use the cookies and thus the cookies do not constitute a “sale” under the law. Nonetheless, California’s new law, the California Privacy Rights Act or “CPRA,” which becomes fully effective in 2023, has additional requirements for companies “sharing” personal information and specifically addresses “cross-context behavioral advertising.” In other words, laws are still emerging and evolving in this area.

Kronenberger Rosenfeld regularly assists clients with privacy compliance, including advice on whether a cookie notice is needed and, if so, how to balance the scope and type of notice with business objectives. If you need guidance with expanding privacy laws, please contact our firm.

Intellectual Property Considerations for E-Commerce Companies

E-commerce businesses, including online websites, mobile apps, and social media networks, are expanding now more than ever. Whether companies are just starting up or are continuing to review existing practices, there are a variety of legal considerations to keep in mind.

For example, while general contract laws apply to internet agreements, businesses should consider whether tailored terms are appropriate, negotiate provisions with service providers, advertisers, affiliates, influencers, and others, and review how third parties, including any consumers, are agreeing to contract terms. Moreover, depending on how and what form of payment is accepted, companies may need to think about specific terms for payment processors, alternative currencies, such as cryptocurrency, and money transmission laws if applicable.

It is also advisable to take action to protect website content, logos, and other trademarks and copyrights, including by using appropriate TM, ® or © symbols or other notices, securing enforceable contract provisions that protect and clearly define proprietary content, considering registration of trademarks and copyrights, and monitoring potential infringement of rights. Likewise, contract terms should clearly lay out provisions for confidential and trade secret information and, if applicable, non-disclosure, non-compete, and non-solicitation provisions.

Conversely, companies should ensure that they are not violating third-party rights, including by avoiding use of others’ trademarks, ensuring rights to use any photos, videos, and creative content, reviewing how they are communicating with consumers, including under CAN-SPAM for emails and the Telephone Consumer Protection Act (TCPA) for calls and texts, and satisfying criteria to take advantage of immunity and safe harbor sections of the Communications Decency Act (CDA) and/or Digital Millennium Copyright Act (DMCA) if applicable. Websites allowing user-generated content should also conspicuously identify licenses to display and use consumer content, if appropriate, and define what constitutes prohibited conduct, such as through conspicuous user terms or platform guidelines; and companies may want to consider related defense and indemnification provisions to protect against user violations.

E-commerce businesses should also review data privacy and security compliance under both general laws and any applicable specific statutes and regulations, such as laws relating to medical, financial, or minor/child records. Having privacy and security policies and procedures in place before incidents like data breaches or other law violations, can prevent further costs down the line. Importantly, the Federal Trade Commission (FTC) has been targeting companies for data privacy and security issues and just recently in December 2020 released orders to nine social media and video and streaming services seeking information about how they collect and use information as well as settled cases involving alleged failure to secure sensitive consumer data and claimed failure to ensure a vendor was adequately protecting consumer data.

Kronenberger Rosenfeld regularly assists e-commerce businesses with protecting intellectual property rights, including through routine compliance review, transactional work, and litigation.

Can the FTC Obtain Monetary Relief?

Section 13(b), 15 U.S.C. §53(b), of the Federal Trade Commission (FTC) Act authorizes suit to obtain a temporary injunction where an entity “is violating or is about to violate” a law and a permanent injunction “in proper cases.” There is no mention of restitution, disgorgement, or any other form of monetary or equitable relief. However, the FTC has used Section 13(b) for years to obtain monetary relief, including restitution and disgorgement to remedy past violations.

This FTC practice has come under recent scrutiny. For example, Section 13(b)’s restriction to past violations was highlighted in

FTC v. Shire ViroPharma, Inc., 917 F.3d 147 (3d Cir. 2019), and the Seventh Circuit in FTC v. Credit Bureau Center, LLC, 937 F.3d 764 (7th Cir. 2019) confirmed the FTC’s lack of authority to seek ancillary relief last year. While the FTC has continued to try to rely on Ninth Circuit case law, such as FTC v. AMG Capital Management, LLC, that case included a concurrence stressing that the FTC’s broad interpretation of the FTC Act is “no longer tenable.” See FTC v. AMG Capital Management, LLC, 910 F.3d 417 (9th Cir. 2018) (O'Scannlain, J., specially concurring). To resolve this circuit split, the U.S. Supreme Court recently granted certiorari and consolidated the AMG Capital Management and Credit Bureau Center cases (although later vacating the grant in the Credit Bureau Center case, the issue will still be reviewed in AMG Capital). Moreover, in Liu v. SEC, 140 S. Ct. 1936 (2020), the Supreme Court confirmed that the Securities and Exchange Commission (SEC) may generally only seek net (and not gross) profits as disgorgement where the remedy benefits victims and the authorizing statute expressly provides for “equitable relief” (which the FTC Act does not do).

In fact, the FTC recently issued a prepared statement in which it agreed that its ability to obtain monetary relief “has been threatened or curtailed by recent judicial decisions.” See Prepared Statement of the FTC: Oversight of the FTC at 3-4 (Aug. 5, 2020). Thus, companies facing an FTC federal or administrative lawsuit, investigation, civil investigative demand, subpoena, or even a warning letter should understand the FTC’s powers and potential arguments regarding the FTC’s apparent limitations. For example, businesses may be able to assert that certain requests for relief (such as restitution, disgorgement, or an asset freeze) are not authorized, including where the claimed misconduct has voluntarily stopped, monetary amounts would be going to the FTC or receiver instead of to consumers, and the requested relief would shut down a legitimate business (which the FTC has publicly stated is not its intent).

If you are seeking an FTC compliance review or faced with responding to an FTC investigation or lawsuit, Kronenberger Rosenfeld can assist. The firm routinely counsels clients in FTC matters, including responses to subpoenas, civil investigative demands, financial disclosures, administrative and federal complaints, settlement offers, and requests for preliminary injunctions.

Tips for Updating Arbitration Agreements

Business contracts, including website terms of service, often purport to require arbitration of claims and waiver of class actions, but how do you know whether you want an arbitration agreement and, if so, how to make your arbitration agreement enforceable and effective?

Should you require arbitration?

There are a number of considerations relating to whether to require arbitration of claims. Critical for many businesses is the ability to mandate waiver of class action lawsuits in arbitration, rather than in court, which can greatly lower risks of class action claims where plaintiffs seek damages on behalf of a much larger group. Arbitration also gives flexibility for choosing the arbitrator(s) and relaxed rules, and it may be cost effective. On the other hand, arbitration can still cost significant time and money, counsel and parties may be less familiar with the procedures, and there may be limitations on appeals, juries, and discovery. Thus, before requiring arbitration, you should consider whether the benefits of arbitration outweigh the potential downsides.

What should you include in your arbitration agreement?

There are several potential clauses to consider for your arbitration agreement. Many of these considerations are centered on trying to create a binding agreement that is not unconscionable. As some examples, companies may want to consider the following in an arbitration agreement:

  • The location of the arbitration, choice of law, and whether to allow remote appearances.
  • The arbitrator(s), such as through the American Arbitration Association (AAA) or JAMS, and related arbitrator requirements.
  • The scope of the provision, for example, to cover all contract, tort, and other claims arising out of or relating to the contract or any services, rather than just claims about the contract.
  • Who is responsible for payment of fees, including the initial filing fee by any consumers, taking any applicable fee-shifting restrictions and fee waivers into consideration.
  • Whether to include any exceptions, such as for small claims cases or injunctive relief.
  • Whether to include an opt-out choice and how to assess related costs and benefits.
  • How to mandate that the arbitrator determine all issues, including the interpretation and enforceability of the arbitration agreement.
  • Whether to try to limit the statute of limitations for claims.
  • Whether to require informal negotiation first.
  • Whether to include third-party beneficiaries of the provision, such as related parties.
How should you prepare your arbitration agreement?

Retaining experienced counsel to prepare legal terms, including an arbitration provision, and to review consent disclosures can lower risks of related issues arising in the future. Given ongoing court decisions regarding arbitration agreements and consent to website terms in particular, it is also important for companies to periodically review their practices. Kronenberger Rosenfeld regularly assists clients with terms of service, privacy policies, and other contracts.

Online Speech Claims and Defenses

Negative online reviews and disparaging social media posts are more prevalent now than ever before. So what constitutes actionable defamation versus mere rhetoric or opinion, and how can you navigate the scope of free speech rights online?

First, while defamation claims apply to both online and traditional forms of speech, there may be special considerations when dealing with internet claims. Further, anyone bringing a defamation or speech-based claim should carefully consider whether it is subject to an anti-Strategic Lawsuit Against Public Participation (SLAPP) motion under state or federal rules, which may entitle the movant to recover attorney’s fees and costs where the conduct was protected speech. Moreover, both plaintiffs and defendants should consider the implications of internet laws, such as the Computer Fraud and Abuse Act (CFAA) and the Communications Decency Act (CDA).

In particular, professionals, including doctors, dentists, professors, lawyers, managers, accountants, real estate agents, brokers, and others, commonly face negative online reviews and attacks. However, they must balance the desire to file a litigation complaint or to publicly respond with potential privacy considerations and statutes restricting disclosure of private information, including the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and other laws regarding client or consumer privilege and confidentiality.

Finally, online speech cases often involve unique discovery issues, such as how to effectively preserve evidence and whether subpoenas to third parties like Google and Facebook are worth the cost and whether they will likely produce helpful information.

Kronenberger Rosenfeld helps a wide variety of clients with online speech claims. Attorneys Jeff Rosenfeld and Liana Chen presented the Continuing Legal Education course Free Speech in the Digital Age: Your Guide to Litigating Online Speech Claims for the Bar Association of San Francisco, Litigation and Intellectual Property and Internet Law Sections of the Barristers Club.

Key Provisions for Internet Contracts

Internet businesses needing contracts, including a Master Services Agreement (MSA) or website terms of service (also called terms of use or terms and conditions), should make sure to invest in solid terms upfront and periodically review the terms to keep up with constantly changing laws. While experienced counsel should assist with preparing terms that are tailored to specific business needs, the below outlines common contract provisions that are often considered.

  • Introduction to obtain agreement to the terms and any incorporated documents
  • Dispute resolution to set standards for how claims are resolved, such as through binding arbitration on an individual basis in a certain location
  • Payments and refunds to outline any material terms and restrictions, including regarding any subscription billing, membership plans, and limitations on returns
  • Accounts to cover how users can create and maintain accounts
  • User content to describe rights and prohibitions relating to user content, and relatedly, a disclaimer under the Communications Decency Act if the website is solely a platform as well as a policy under the Digital Millennium Copyright Act to add protections against copyright infringement claims if the website is acting as a service provider
  • Prohibited conduct to providing warnings to users and others
  • Disclaimers and limits of liability to protect rights as much as possible
  • Intellectual property to identify who owns certain property and to outline any licenses
  • Representations and warranties to outline what is being promised or disclaimed
  • Indemnification to identify any defense and indemnification rights
  • Assumption of risk and releases to obtain user agreement to those issues
  • Third-party content to establish whether the website is responsible for third parties
  • Consent to communications and opt-outs to confirm consent and provide notice
  • Termination and modification to confirm how the terms, and any accounts or features, may be terminated or modified
  • Miscellaneous terms, such as a severability clause, force majeure provision, assignment and transfer restrictions, waiver limitations, and other provisions
  • Contact section to outline how to contact the different parties

While there are many templates online, attorney-prepared terms and other contracts can help tailor provisions to a particular business model, reduce risks, and ensure that terms are protective while at the same not too one-sided, which could risk terms being disregarded as unconscionable.

Kronenberger Rosenfeld regularly assists businesses with preparing and reviewing website terms and other internet-related contracts, such as platform contracts, social media terms, software-as-a-service (SaaS) agreements, advertising network contracts, and lead generation agreements.

Defending Website ADA Claims

The Americans with Disabilities Act (ADA) historically applied to physical businesses open to the public. However, the ADA’s requirements have now been routinely enforced against online businesses and all different types of websites. With the rise of e-commerce and remote ventures, including during the COVID-19 pandemic, and with the increasing number of lawsuits claiming that websites violate the ADA, businesses should review their practices for compliance.

In particular, many plaintiffs’ firms have been filing lawsuits claiming that business websites are places of public accommodation under the ADA and that those websites are not adequately accessible to persons with disabilities, such as the blind or hearing impaired. These cases often seek injunctive relief, monetary damages, and attorney’s fees under the ADA and related state statutes regarding unfair business practices, which may provide for statutory damages.

Securing experienced counsel at the outset can help companies get compliant before legal issues arise. Further, if companies become targeted, knowledgeable attorneys can help raise appropriate defenses and try to obtain early dismissal or settlement of the case. For example, there may be arguments that a defendant actually complied with the relevant standard, that free speech rights are impeded, that a particular court lacks personal jurisdiction over the defendant, or that claims are moot or frivolous. Counsel can also assist with ensuring ongoing website compliance, working with technical ADA vendors, and filing any pertinent motions.

Kronenberger Rosenfeld has counseled many clients with ADA matters, both to increase compliance to prevent claims from arising and to respond to legal demands and complaints. Don’t hesitate to contact our firm if you have an ADA legal matter.

This entry was posted on Wednesday, January 06, 2021 and is filed under Press & Published Articles, Internet Law News.






Related articles

Privacy & Cybersecurity
Privacy & Cybersecurity practice area category
CCPA v. CPRA – Privacy Laws Compared

The California Consumer Privacy Act (CCPA) is still relatively new, and now there is another expansive privacy law in California, the California Privacy Rights Act...

Read More

Open Newsletter Signup Popup