The California legislature has passed AB 1281 to the Governor’s desk for signature and, given the absence of legislative opposition, it appears the bill is now well positioned to be signed into law. AB-1281 extends by one year the expiration date of the business-to-business (“B2B”) and employee-related exemptions provided for under the California Consumer Privacy Act (“CCPA”) (previously discussed here). If signed into law, it will give California businesses at least one more year to work on folding employee and B2B data into their existing CCPA compliance programs, a welcome reprieve for California employers facing a resurgence of coronavirus cases in workplaces around the State. READ MORE
In one of the world’s first test cases regarding the legality of the use of automated facial recognition and biometric technology, on 11 August 2020 the English Court of Appeal handed down judgment in R (Bridges) v CC South Wales. The court found that the use of this technology by the South Wales Police Force violated privacy, equality and data protection laws. READ MORE
Earlier this month, the U.S. Supreme Court agreed to hear a pair of cases that provide it with the opportunity to severely restrict the Federal Trade Commission’s (“FTC’s”) authority to obtain equitable money relief in consumer protection enforcement actions, including privacy and cybersecurity matters. Under Section 13(b) of the FTC Act, in certain circumstances the FTC is empowered to bring actions in federal court to seek temporary restraining orders and injunctions for violations of the Act. In two consolidated cases, FTC v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. FTC, the Supreme Court will now consider whether, as the FTC claims, this provision also authorizes the agency to seek equitable money relief for such violations, even though the provision makes no mention of money relief. The decision will have broad implications because the FTC has relied on Section 13(b) to seek monetary relief in consumer protection enforcement actions, including privacy and cybersecurity matters. A ruling against the FTC could substantially alter the FTC’s approach to privacy and cybersecurity enforcement.
The FTC’s privacy and cybersecurity enforcement actions typically rely on Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC takes the position that a failure to implement “reasonable” cybersecurity or privacy practices can constitute an “unfair” practice, and that making false or misleading statements about such practices can be a “deceptive” trade practice under the statute.
The FTC can enforce Section 5 in two ways. First, it can rely on its traditional administrative enforcement authority, which allows the FTC to initiate an administrative proceeding to issue an order to “cease and desist” violations of Section 5, but only provides for monetary relief in limited circumstances. Second, in certain situations the FTC can sue directly in federal court under Section 13(b) of the FTC Act. Although Section 13(b) authorizes only “injunctions,” the FTC often brings cases under this section in federal court seeking monetary relief under equitable doctrines such as restitution, disgorgement and rescission of contracts.
Until recently, courts universally accepted the FTC’s expansive view that its authority under Section 13(b) to obtain “injunctions” enables it to seek equitable monetary relief. But that has begun to change. In Credit Bureau, the Seventh Circuit rejected the FTC’s position that Section 13(b) authorizes monetary relief on the ground that an implied equitable monetary remedy would be incompatible with the FTC Act’s express remedial scheme. Most notably, the court observed that the FTC Act has two detailed remedial provisions expressly authorizing equitable money relief if the FTC follows certain procedures. The FTC’s broad reading of Section 13(b) would allow the agency to circumvent these conditions on obtaining equitable money relief, contrary to the intent of Congress. And in AMG Capital Management, although the Ninth Circuit considered itself bound to follow its prior precedent allowing the FTC to obtain money relief under Section 13(b), two of the three panel members joined a special concurrence arguing that this position is “no longer tenable.” And a decision from the Third Circuit last year, while not addressing whether the FTC is barred from pursuing money relief under Section 13(b), held that to pursue such relief the FTC must, at a minimum, allege facts plausibly suggesting that the company “is violating, or is about to violate,” the law.
If the Supreme Court restricts or eliminates the FTC’s pursuit of equitable money relief under Section 13(b), its decision would represent a significant setback for the FTC’s recent attempts to expand its remedial authority in privacy and cybersecurity cases, among others. In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning an FTC cybersecurity enforcement action, convincing the Eleventh Circuit that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019.) In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. The FTC has followed through on that promise in the ensuing years, pursuing a wide range of additional remedies, including equitable money relief. An adverse ruling by the Supreme Court could strike a severe blow to the FTC’s efforts on this front.
Such a ruling is entirely possible. Just last month in SEC v. Liu, the Supreme Court recognized limits on the disgorgement power of the Securities and Exchange Commission, determining that it is restricted to situations where the remedy does not exceed a wrongdoer’s net profits and is awarded for victims. However, unlike the FTC Act, the SEC Act specifically authorizes the SEC to seek “equitable relief.” Therefore, the consolidated AMG and Credit Bureau cases afford the Supreme Court an opportunity to recognize even greater restrictions on the FTC’s authority to obtain equitable money relief under Section 13(b) – or, as the Seventh Circuit did in Credit Bureau, to reject such authority altogether.
While in the short term such a ruling may reduce the monetary risks of FTC privacy and cybersecurity enforcement for companies collecting personal information, it could serve as a catalyst for a legislative proposal that would provide the FTC significant new authority to police privacy and security violations and assess civil penalties.
To discuss these cases in more detail, or for advice on the FTC’s privacy and cybersecurity enforcement program more generally, please feel free to contact any member of our privacy & cybersecurity team, which has immense experience in this area.
On July 6, 2020, the United States Supreme Court issued its ruling in Barr v. American Ass’n of Political Consultants, a case in which the plaintiffs challenged a government-debt collection exception to the Telephone Consumer Protection Act’s (“TCPA”) ban on “robocalls” to cell phones on First Amendment grounds, and sought to have the entire robocall-regulating statute invalidated. The Court agreed with the plaintiffs—political and nonprofit organizations that wanted to make political robocalls to cell phones—that the exception unconstitutionally favors government-debt collection speech over political and other speech in violation of the First Amendment. However, instead of nullifying the entire set of robocall restrictions found at 47 U.S.C. § 227(b)(1)(A)(iii), as plaintiffs sought, the Court found the government-debt collection exception severable and invalidated only that portion of the statute, leaving the general robocall restrictions in place.
In its July 6 decision, the Supreme Court seemed to endorse the need for a broad ban on “robocalls.” The Court referred back to the context in which the TCPA was enacted in 1991, characterizing it as a time when “more than 300,000 solicitors called more than 18 million Americans every day.” According to the Court, “[t]he Act responded to a torrent of vociferous consumer complaints about intrusive robocalls.” The Court’s July 6 decision shifts the universe of acceptable practices back to a pre-2015 framework, prior to the enactment of the government-debt-collection exception.
Later in the same week, on July 9, the Supreme Court granted certiorari in another case, taking issue with the TCPA’s robocall provision, Facebook, Inc v. Duguid. In that case, the Supreme Court will address what qualifies as an automatic telephone dialing system (“ATDS”) —an issue that has been brewing in the courts with materially different interpretations across several circuits. The Facebook decision should have significant implications on the scope of the robocall restrictions.
Passed in 1991, 47 U.S.C. § 227(b)(1)(A)(iii) of the TCPA prohibits a caller from using an ATDS to call a cell phone and prohibits calls using an artificial or prerecorded voice, unless the caller has obtained prior express consent. The TCPA defines an ATDS as “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.” This definition, and the FCC’s expansive interpretation of it, has been the subject of intense litigation. The proper scope of the ATDS definition is a high-stakes question. This TCPA provision imposes strict liability with statutory damages of $500 per violation—trebled to $1,500 per violation if the violation is deemed willful or knowing. A company found to have used a telephone system that qualifies as an ATDS to call cell phones without prior consent can find itself subject to millions (or even billions) of dollars in damages.
In 2015, the FCC issued a Declaratory Ruling setting forth its interpretation of the ATDS definition. According to the FCC, an ATDS includes “dialing equipment [that] has the capacity to store or produce, and dial random or sequential numbers [without human intervention] … even if it is not presently used for that purpose, including when the caller is calling a set list of consumers.” The Declaratory Ruling explicitly stated that “the capacity of an autodialer is not limited to its current configuration but also includes its potential functionalities.” This interpretation drastically broadened the scope of equipment implicated by the Act to potentially include almost all technology that is capable of being upgraded with software to permit automated dialing.
In 2018, the D.C. Circuit in ACA International v. Federal Communications Commission struck down the FCC’s 2015 interpretation of an ATDS, holding that it “offered no meaningful guidance to affected parties” on whether their equipment was covered by the TCPA restrictions. The Court noted that the FCC’s interpretation was so expansive that it could lead to unreasonable outcomes such as conventional smartphones being considered covered equipment. The opinion was most critical of the potential future capacity aspect of the FCC’s interpretation, explaining that “[i]t cannot be the case that every uninvited communication from a smartphone infringes federal law, and that nearly every American is a TCPA-violator-in-waiting, if not a violator-in-fact.” With the D.C. Circuit’s invalidation of the FCC’s 2015 interpretation, the courts have been left to interpret the provision based on the plain language of the statute.
Courts have disagreed on the critical issue of the functions a device must have the capacity to perform in order to qualify as an ATDS. In its 2018 decision in Marks v. Crunch, the Ninth Circuit succinctly stated that “[t]he question is whether, in order to be an ATDS, a device must dial numbers generated by a random or sequential number generator or if a device can be an ATDS if it merely dials numbers from a stored list.”  The Ninth Circuit answered that question with an expansive interpretation, holding that “the statutory definition of ATDS includes a device that stores telephone numbers to be called, whether or not those numbers have been generated by a random or sequential number generator.” The Ninth Circuit’s interpretation potentially means that any telephone system with the capacity to automatically dial a stored list of telephone numbers without human intervention qualifies as an ATDS. The Second Circuit recently adopted an interpretation similar to that of the Ninth Circuit in Marks.
The Third, Seventh and Eleventh Circuits adopted starkly different interpretations of the ATDS definition based on a plain reading of the statutory language. In Gadelhak v. AT&T, for example, the Seventh Circuit held that “the capacity to generate random or sequential numbers is necessary to the statutory definition,” expressly rejecting the Ninth Circuit’s reading of the statute in Marks. The Third and Eleventh Circuits adopted a similar approach in Dominguez v. Yahoo and Glasser v. Hilton, respectively.
The Supreme Court’s decision in Facebook v. Duguid will likely once and for all resolve this circuit split and provide litigants with a uniform interpretation of what constitutes an ATDS under the Act. The adoption of a narrow interpretation will likely result in a dramatic decrease in TCPA litigation where fewer dialing systems would qualify as an ATDS—most modern telephone systems do not generate random or sequential telephone numbers for dialing. However, a broad interpretation may result in an influx of litigation, particularly in circuits such as the Third, Seventh and Eleventh, where recent rulings had limited such cases and led serial litigators to file suit elsewhere.
 Barr v. Am. Ass’n of Political Consultants, Inc., No. 19-631, 2020 WL 3633780 (U.S. July 6, 2020).
 Id. at *3.
 The Supreme Court granted certiorari on question 2 of the petitioner’s brief, which reads: “Whether the definition of ATDS in the TCPA encompasses any device that can ‘store’ and ‘automatically dial’ telephone numbers, even if the device does not ‘us[e] a random or sequential number generator.’” Facebook, Inc. v. Duguid, no. 19-511.
 47 U.S.C. 227(a)(1)(A)-(B).
 47 U.S.C. 227(3).
 In the Matter of Rules & Regulations Implementing the Tel. Consumer Prot. Act of 1991, 30 F.C.C. Rcd. 7961 (2015).
 ACA Int’l v. Fed. Commc’ns Comm’n, 885 F.3d 687, 701 (D.C. Cir. 2018).
 Id. at 692.
 Id. at 698.
 Marks v. Crunch San Diego, LLC, 904 F.3d 1041, 1050 (9th Cir. 2018), cert. dismissed, 139 S. Ct. 1289, 203 L. Ed. 2d 300 (2019).
 Id. at 1043.
 See Duran v. La Boom Disco, Inc., 955 F.3d 279, 280 (2d Cir. 2020).
 Gadelhak v. AT&T Servs., Inc., 950 F.3d 458,469 (7th Cir. 2020).
 Dominguez on Behalf of Himself v. Yahoo, Inc., 894 F.3d 116, 117 (3d Cir. 2018); Glasser v. Hilton Grand Vacations Co., LLC, 948 F.3d 1301, 1304 (11th Cir. 2020).
We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism. READ MORE
The Federal Trade Commission (“FTC”) plans to aggressively police companies that use deceptive marketing to take advantage of consumers’ fears relating to the COVID-19 pandemic. The FTC is focused on a broad range of potential deceptive practices, including unapproved or unsubstantiated health claims, work-at-home schemes, finance schemes, and misrepresentations as to the current availability of in-demand products, such as cleaning, household, and health or medical supplies. The FTC has already issued warning letters to seven sellers of unapproved and misbranded products who claimed that their products could treat or prevent the coronavirus, and additional warning letters or enforcement actions are likely to follow as the pandemic progresses and economic uncertainty increases. READ MORE
Cybercriminals are known to attack networks and individuals at inopportune times of crisis—and the coronavirus pandemic unfortunately presents just such an opportunity as millions are accessing corporate networks and databases from home. This past weekend New Jersey and Connecticut joined the growing list of jurisdictions (e.g., California, Delaware, Illinois, Louisiana, Ohio, and New York) to issue orders effectively requiring non-essential workers to avoid the workplace, and in some cases, to shelter-in-place. READ MORE
On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview here; CMMC Version 1.0 and appendices here). By 2026, DoD plans to require CMMC certification for all defense contracts. For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.
The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object. READ MORE
In an increasing trend, the Federal Trade Commission (FTC) joined other federal regulators seeking to hold individuals – not just companies – liable in enforcement proceedings. The most recent target was San Francisco-based UrthBox, Inc. and its principal, Behnam Behrouzi. Specifically, Urthbox and Behrouzi agreed to settle FTC allegations that UrthBox engaged in unfair or deceptive acts or practices by: (1) failing to adequately disclose key terms of its “free trial” automatic renewal programs, and (2) misrepresenting that customer reviews were independent when, in fact, UrthBox provided customers with free products and other incentives to post positive reviews online.