September 2018 Update
As of March 28, 2018, when Alabama enacted its own data breach notification law, all the states now have such laws. See §1.2.
California enacted the California Consumer Privacy Act of 2018 (CC §§1798.100–1798.198), operative January 1, 2020, to give customers of specified businesses in California expanded control over personal information that businesses collect about them and to expand the ability to bring lawsuits for data breatch. See §§1.3, 4.11A, 12.6.
In a medical privacy case, the California Supreme Court held that the state’s interest overcomes the privacy interests of patients for whom certain drugs were prescribed. Lewis v Superior Court (2017) 3 C5th 561. See §§1.3, 7.2.
The United States Supreme Court held that, generally speaking, someone in otherwise lawful possession and control of a rental car has a Fourth Amendment reasonable expectation of privacy in it even if the rental agreement did not list him or her as an authorized driver. Byrd v U.S. (May 14, 2018, No. 16–1371) 2018 US Lexis 2803. See §§1.3, 2.4A.
The U.S. Supreme Court held that the government’s accessing of a defendant’s cell-site location information was a search under the Fourth Amendment requiring a warrant supported by probable cause. Furthermore, an order under 18 USC §2703(d) is insufficent to obtain the location information from a wireless carrier. Carpenter v U.S. (June 22, 2018, No. 16–402) 2018 US Lexis 3844. See §§1.3, 2.4A, 4.43, 8.70.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was enacted on March 23, 2018, as part of the Consolidated Appropriations Act, 2018 (Pub L 115–141, 132 Stat 348). It amends the Stored Communications Act (SCA) (18 USC §§2701–2713) to establish processes and procedures for law enforcement requests for data in other countries. See §§1.4, 4.43, 12.52A.
An unanimous California Supreme Court held that the identity of various members of a statewide class did not constitute private information. Williams v Superior Court (2017) 3 C5th 531. See §§2.7, 12.116.
The Ninth Circuit Court of Appeals held that a unique IP address is not protected “personally identifiable information” under the Video Privacy Protection Act of 1988 (VPPA) (18 USC §2710). Eichenberger v ESPN (9th Cir 2017) 876 F3d 979. See §§4.9A, 12.6A.
In another Ninth Circuit case, the court rejected a challenge to a cy pres settlement fund as invalid due to potential conflicts of interest resulting from connections between Google and some of the cy pres fund recipients. Gaos v Holyoak (In re Google Referrer Header Privacy Litig.) (9th Cir 2017) 869 F3d 737, cert granted sub nom Frank v Gaos (Apr. 30, 2018) 2018 US Lexis 2658. See §4.9A.
The California Legislature amended provisions governing when a rental car company may use electronic surveillance technology to permit its use when a rental car company’s vehicle is the subject of an AMBER Alert. Stats 2017, ch 163. See §4.11.
The U.S. District Court for the Northern District of California granted a motion for summary judgment and permanently enjoined the State of California from enforcing CC §1798.83.5 on the grounds that it violates the First Amendment. IMDb.com, Inc. v Becerra (ND Cal, Feb. 20, 2018, No. 16-cv-06535-VC) 2018 US Dist Lexis 27898. See §4.12.
The Ninth Circuit affirmed the conviction of a company IT manager under the Computer Fraud and Abuse Act (CFAA) (18 USC §1030) when he had taken several actions designed to damage the company’s computer network, even though he argued on appeal that because he had authority over the network as part of his job he did not exceed his authority to access the system as required for a conviction under the CFAA. U.S. v Thomas (5th Cir 2017) 871 F3d 591. See §4.21.
In October 2017, the U.S. Department of Justice revised its policy regarding the use of so-called gag orders for subpoenas and search warrants issued pursuant to the Stored Communications Act (SCA) (18 USC §§2701–2713) to permit service providers to alert users when their data has been provided to the government. See §4.43.
The U.S. District Court for the Northern District of California dismissed a plaintiffs’ cause of action under Bus & P C §17529.5 against a defendant who allegedly sent the plaintiff 1300 false or misleading commercial e-mails on the grounds that §17529.5 only prohibits advertisers (but not senders) from engaging in these practices and the the sender of the e-mails involved did not advertise in the e-mails. Blanchard v Fluent, Inc. (ND Cal, Sept. 22, 2017, No. 17-CV-04497-MMC) 2017 US Dist Lexis 155535. See §5.52.
Regulations governing the federal Telephone Consumer Protection Act (TCPA) (47 USC §227), which are at 47 CFR §64.1200, were amended on January 12, 2018, to allow voice service providers to block certain calls. 83 Fed Reg 1577 (Jan. 12, 2018). See §5.55.
In February 2018, the SEC adopted “interpretive guidance” to assist public companies on disclosing cybersecurity risks and incidents. 83 Fed Reg 8166 (Feb. 26, 2018). See §6.2.
Allegations that the defendant published a consumer credit report that falsely stated the plaintiff’s age, marital status, wealth, education level, and profession, which prevented plaintiff from finding employment, were sufficiently concrete to establish US Const art III standing. Robins v Spokeo, Inc. (9th Cir 2017) 867 F3d 1108 (Spokeo III). See §§6.29, 12.6A.
The Bureau of Real Estate has no mandatory duty to remove evidence of previous criminal convictions of a real estate salesperson from its website. See Skulason v California Bureau of Real Estate (2017) 14 CA5th 562. See §8.14.
To be an actionable offense, an employer illegally recording or eavesdropping on employee phone calls must be acting intentionally. Rojas v HSBC Card Servs. (2017) 20 CA5th 427. See §8.65.
The California Code of Regulations was amended to permit employees to perform job duties that correspond to their gender identity or gender expression. 2 Cal Code Regs 11031(e). See §8.84.
Effective January 1, 2018, the Immigrant Worker Protection Act imposes various prohibitions and requirements on private and public employers regarding employment eligibility verification forms and workplace inspections by immigration enforcement agents. A new section has been added in chap 8 discussing the Act. Stats 2017, ch 492. See §8.98A.
The Social Security Number Fraud Prevention Act of 2017 (Pub L 115–59, 131 Stat 1152) amends the Social Security Act to require federal agencies to issue regulations specifying when inclusion of a Social Security number on a document sent by mail is necessary. See §10.45A.
A federal district court in New York held that a plaintiff was entitled to insurance coverage for an e-mail–based “spoofing” fraud that resulted in the company transferring over $4.7 million to the spoofer. Medidata Solutions v Federal Ins. Co. (SDNY 2017) 268 F Supp 3d 471. See §10.104.
A violation of the Fair Credit Reporting Act (FCRA) (15 USC §§1681–1681x) gives rise to an injury sufficient for US const art III standing even without evidence that the plaintiffs’ information was used improperly. In re Horizon Healthcare Servs. Data Breach Litig. (3d Cir 2017) 846 F3d 625. However, although a plaintiff received a credit card receipt displaying the card’s full expiration date, his mere allegation of violation of FCRA was insufficient to confer art III standing. Bassett v ABM Parking Servs., Inc. (9th Cir 2018) 883 F3d 776. See §12.6A.
Law enforcement training manuals need not be linked to enforcement of a more specific statute to be exempt from disclosure under the exemption of 5 USC §552 for materials compiled for law enforcement purposes. ACLU of N. Cal. v FBI (9th Cir 2017) 881 F3d 776. See §§12.34, 12.38.
The California Legislature amended CC §1708.85 to provide more protections throughout the proceedings for plaintiffs suing for relief from “revenge porn” and using pseudonyms to protect their identities from the public. Stats 2017, ch 233. See §12.61.
A California state court held that the psychotherapist-patient privilege does not prevent disclosure of a patient’s records to the state. Cross v Superior Court (2017) 11 CA5th 305. See §12.84.
A California appellate court found that Yelp could be compelled to produce documents that might reveal the identity of a reviewer who posted on its website because the plaintiff had demonstrate a sufficient prima facie case of defamation. Yelp, Inc. v Superior Court (2017) 17 CA5th 1. See §12.108.
In an issue of first impression, the Sixth Circuit developed a test for whether and under what circumstances a court can properly protect the identity of an anonymous online speaker after entry of judgment against him or her. Signature Mgmt. Team, LLC v Does (6th Cir 2017) 876 F3d 831. See §12.108.