Celebrating Data Privacy from A to Z
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
A is for Advance Encryption Standard or AES, approved by NIST. Are you encrypting transmissions of sensitive data and portable storage devices? See more below.
B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations. (Also Behavioral Advertising.)
C is for . . . what to Choose? -- Contracts? Cloud Computing? How about California - the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection
D is for Data Protection Authorities in the European Union
E is for the EU Data Protection Directive. Oh, and Encryption, of course. See above and below.
F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)
G is for the Gramm-Leach-Bliley Act and the new model privacy notice form
H is for HIPAA and the HITECH Act, which impose privacy and data security obligations on health care providers and their business associates
I is for the International Association of Privacy Professionals, IAPP
J is for John and Jane Doe, anonymity - is there any such thing?
K is for Kearney v. Salomon Smith Barney Inc, California Supreme Court (2006), requiring two-party consent for recording or eavesdropping on telephone conversations, even if only one of the participants is in a two-party consent state
L is for Legislation -- will there be a federal breach notification law in 2010 (other than HITECH) that will preempt the state data breach notification laws?
M is for Massachusetts and its new data security regulations, 201 CMR 17.00 et seq., effective March 1, 2010
N is for Nevada and its new encryption law, SB 227, effective January 1, 2010
O is for Outsourcing, and the need for due diligence and contractual provisions to safeguard personally identifiable information (and other kinds of sensitive information) shared with third parties. See, e.g., Massachusetts 201 CMR 17.00 et seq. and California Civil Code section 1798.81.5. Oh yes, and don't forget the Cloud in this context - are you putting data in the cloud? Have you done your due diligence?
P is Personally Identifiable Information or PII -- what IS it anyway? Depends where you live.
Q is for Questions, Q & A, and the Q in FAQ: ASK QUESTIONS early and often about how your organization will use personal information of customers and/or employees in its business operations.
R is for Radio Frequency Identification or RFID and locational privacy issues - should organizations be able to use RFID to track customers/products?
S is for SO many things -- Social Networking, Social Security numbers, Surveillance, Spam, . . .
T is for Telemarketing, Text Messages, and the TCPA -- do you have opt-in for your mobile marketing campaigns?
U is for the UK ICO, which will order companies to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act
V is for the Video Privacy Protection Act or VPPA, the basis for a recent privacy class action filed against Netflix in the Northern District of California
W is for Website Privacy Policies, required under California law for any website that collects information from California residents, Cal. Bus & Prof. Code section 22575 et seq. When was the last time you updated yours? Is it accurate?
X is for XXXXX -- Redact the information!
Y is for Yes, You can implement a successful data protection program in Your organization
Z is for Zango, the adware distributor that settled FTC charges that it used unfair and deceptive methods (FTC Act Section 5) to download adware and block consumer efforts to remove it
Happy Data Privacy Day!
California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes
On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law.
The Song-Beverly Credit Card Act prohibits retailers that accept credit cards from requesting and recording "personal identification information" concerning the cardholder. The statute defines "personal identification information" (sometimes referred to as "pii") as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Cal. Civ. Code § 1747.08(b). As noted above, the Fourth Appellate District held last December that zip codes are not, as a matter of law, pii for purposes of the Act. So, why the need for a new published opinion on the subject?
Here, Pineda alleged that the retailer at issue collected zip codes in order to search databases and gather even more pii about the individual. Specifically, Pineda alleged Williams-Sonoma used "customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, residential telephone numbers and residential addresses, and are indexed in a manner that resembles a reverse telephone book," and that the software matched her name, zip code or other personal information with her previously unknown address. Pineda further alleged that Williams-Sonoma then maintained all this information in a database.
Pineda filed what has become the typical Song-Beverly Credit Card Act putative class action, alleging claims for violation of California's infamous Business & Professions Code section 17200 (California's unfair business practices act) and for invasion of privacy.
The Fourth Appellate District affirmed the trial court's ruling sustaining Williams-Sonoma's demurrers to Pineda's claims.
First, with respect to the Song-Beverly Credit Card Act, the court rejected Pineda's argument that Party City was distinguishable because there was no evidence in that case showing that the defendant used the collected zip codes to obtain its customers' addresses:
. . . the Party City court was well aware of the allegation that the defendant used the collected zip codes to locate individuals before it concluded, as a matter of law, that a zip code did not constitute "personal identification information" within the meaning of the Act.
Simply put, the Act either allows a retailer to ask customers for a zip code or it prohibits this conduct. The Party City court concluded, and we agree, that the Act does not prohibit this conduct. Although Pineda asserts a zip code should be covered by the Act because existing technology allows any company or person to locate an individual based on the individual's name and zip code, this argument is best presented to the Legislature.
(Italics in original; emphasis added.)
Second, the court examined and rejected plaintiff's claim that Williams-Sonoma's conduct constituted an illegal intrusion into her privacy, finding no allegations (a) that her home address was not otherwise publicly available or (b) of any efforts she made to keep her address private:
Without such facts, using a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of her privacy.
. . . Even assuming Pineda had [alleged Williams-Sonoma had sold her home address to third parties for profit], we fail to see how selling an address that is otherwise publicly available amounts to "an egregious breach of the social norms underlying the privacy right." . . .
Additionally, . . . the complaint contains absolutely no facts showing the extent and gravity of the alleged invasion of privacy. Under the facts alleged, the disclosure of Pineda's address amounted to a trivial invasion of her assumed privacy interest.
(Emphasis added.)
Bottom line - it is not surprising that, given the extent of already publicly available information about individuals (including home address, phone number, etc.) available in databases and online, and the difficulty of establishing harm, plaintiffs continue to encounter difficulty in pursuing purported claims for invasion of privacy beyond the demurrer, motion to dismiss, or summary judgment stage.
The more difficult question, and the subject of a future blog post, is the extent to which individuals understand that the information they regularly share online or in other contexts becomes forever public (see, e.g., NPR's recent interview with Professor Viktor Mayer-Schonberger about social media and what he calls the "temporal Panopticon"). Stay tuned for more on that front.
