2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

Bennet Kelley <internetlawcenter@gmail.com>

Cyber Report - California Sparks National Privacy Debate

1 message

Bennet Kelley <bkelley@internetlawcenter.net> Thu, Feb 21, 2019 at 6:43 AM

Reply-To: bkelley@internetlawcenter.net
To: internetlawcenter@gmail.com

February 21, 2019

TOP STORY
CaCPA Sparks National
Privacy Debate

Additional Topics Below: Vermont Data Broker Law Goes Into Effect -- California, MasterCard Update
Provisions on Auto-Renewals -- California Employment Update -- FTC Enforcement Priorities and CAN-
SPAM Rules -- New York AG Cracks Down on Fake Social Media Engagement; -- Cyber Harassment
Update -- Cybersecurity Threats 2019 - Public Domain Revival

READ ONLINE EDITION

Last summer, in a matter of seven (7) days, the California legislature passed the
sweeping California Consumer Privacy Act, followed by some technical amendments
in the fall. The legislation grants Californians the right to know what personal
information is being collected about them, how their personal information is sold or
disclosed as well as the right to access their personal information and the right to say
no to the sale of such information.

Who Does CaCPA Apply To?

The law applies to businesses

having gross revenues in excess of $25 million; or

that purchases, receives, sells or shares the personal information of 50,000 or
more “consumer, households or devices": or
derives at least half of its annual income from selling personal information.

The law is not clear whether the thresholds include activities outside of California. In
addition, there is concern that the 50,000 consumer records threshold may ensnare
most online retailers and even bloggers just by the passive collection of IP addresses
as it would only take 137 unique visitors a day.

Enforcement of the statute is generally by the California Attorney General who may
recover up to $7,500 per intentional violation and $2,500 for an unintentional violation
https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 1/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

that is not cured within thirty (30) days of notice. The law provides a limited private
right of action to a consumer who is the victim of a data breach "as a result of the
business’ violation of the duty to implement and maintain reasonable security
procedures".

Effective Date/How To Comply

The law is set to go into effect on July 1, 2020, but compliance efforts must begin
promptly including (i) beginning to map and inventory data collected online and how it
is used and shared since this will be needed for disclosures for data collected/shared
in the prior twelve months once the law goes into effect; and (ii) determining
operationally what steps are required to have the capability to respond to information
and opt-out requests under CaCPA.

The Internet Law Center has participated in the Attorney General's Office's public
forums on the new law and joined Santa Clara Law Professor Eric Goldman and
other privacy professionals in calling on the California legislature to make changes
and clarifications to the law so that it is less onerous for small businesses.
Unfortunately, the California Attorney General is seeking to expand the reach of the
law with a broad consumer private right of action.

Will Washington Step In?

The law has triggered an intense lobbying effort by big tech for federal privacy
legislation to preempt the California law. Congress begins hearing on the issue next
week and an independent government report has concluded that it is time for
comprehensive privacy legislation. Given the complexities of privacy legislation,
gaining a consensus on a federal privacy framework is no simple task, especially in
this age of Washington gridlock. For example, the question of whether federal law
should preempt California's and other state's privacy laws is becoming a partisan
issue.

At the same time, nine states (including MA, MD, NY and WA) are looking to adopt
comprehensive privacy legislation. In the state of Washington, similar legislation has
won the backing of its oldest tech giant - Microsoft.

Meanwhile, California continues to contemplate further privacy measures, with new

Governor Gavin Newsom announced plans to introduce legislation calling for a "data
dividend" that would share profits achieved from exploiting personal data with the
users themselves.

Contact us to discuss whether the law applies to your business and how to
comply.

More information: CaCPA as Amended: A Dozen Things to Know, Cyber Report; ILC Joins
Privacy Professionals Calling for Changes to CalCPA,Cyber Report; Tech Industry Offers
Privacy “Grand Bargain” Which Critics Claim Offers Little Protection, Cyber Report; GAO Calls
for Federal Privacy Legislation on Eve of Congressional Hearings, Cyber Report, Microsoft
Endorses Washington State Proposed Privacy Bill, Media Post; Gov. Gavin Newsom wants to
give you a ‘data dividend.’ Good luck with that, San Francisco Chronicle.

Vermont Data Broker Law

Goes Into Effect

In 2018, the state of Vermont enacted the nation’s first law regulating data brokers
which went into effect on January 1, 2019. Data brokers were required to register by
February 1, 2019. The law defines a data broker as a business that
“knowingly collects and sells or licenses to third parties the brokered personal
information of a consumer with whom the business does not have a direct

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 2/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

relationship.” The law applies only to data brokers with information on Vermont
consumers and does not apply to businesses that collect information from their own
customers, employees, users or donors, or to businesses that “provide services for
consumer-facing businesses and maintain a direct relationship with those consumers,
such as a website, ‘app,’ and e-commerce platforms.”

More Information: Vermont Data Broker Law Goes Into Effect, Cyber Report.

California, MasterCard Update

Provisions on Auto Renewals

California updated its law regulating the use of automatic renewals for the purchase
of goods or services. Existing law requires that businesses obtain a consumer’s
affirmative consent to automatic renewals but only after disclosing the terms of the
offer in a clear and conspicuous manner and provide an easy-to-use mechanism for
cancellation. The new law augments existing provisions by also requiring that: (i) for
promotional free or discounted trial offers, the offer shall include a clear and
conspicuous explanation of the price that will be charged after the trial ends or the
manner in which the subscription or purchasing agreement pricing will change upon
conclusion of the trial; and (ii) a consumer who accepts an automatic renewal offer
online is now permitted to terminate the offer online.

MasterCard also announced that consumers who sign up for free-trials of physical
goods only must receive a notice of the transaction amount, payment date, merchant
name and instructions on how to cancel. The notice must be included with each
payment thereafter.

More Information: New California Law on Automatic Renewal Agreements, Cyber Report, Free
Trials Without The Hassle, MasterCard

California
Employment Update

In our last issue, we addressed the California Supreme Court decision in May in the
Dynamex case that narrowed who may be considered an independent contractor v.
an employee. The court held that a worker is an independent contractor only if he/she
is "free from the control and direction of the hirer in connection with the performance
of the work"; (ii) performs work that is outside the usual course of the hiring entity’s
business; and (iii) the worker is customarily engaged in an independently established
trade, occupation, or business of the same nature as the work performed for the
hiring entity.

New California employment provisions include:

a prohibition on language in contracts or settlement agreements prohibiting

anyone from testifying in administrative, legislative or judicial proceedings
concerning alleged criminal conduct or sexual harassment;
a prohibition on non-disclosure provisions in settlement agrements in sexual
harassment/assault cases; and

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 3/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

requiring all companies with 5 or more employees to provide two (2) hours of
sexual harassment training to supervisors.

More Information: Cal Supreme Court Establishes New Test for Employees v Independent
Contractors, Cyber Report; New California Employment Laws for 2019; California Employment
Law

FTC Enforcement Priorities

and CAN-SPAM Rules

The Federal Trade Commission released a summary of its enforcement priorities for
2019 and it included:

Health Claims. The FTC will continue to crack down on unsubstantiated health
claims and recently announced a joint effort with the FDA announced to combat
unsubstantiated health claims in the supplement space.
FinTech. The FTC is focusing on new financial apps to ensure that material
terms are disclosed.
Social Media Marketing and Customer Reviews. The use of influencers, native
advertising, and consumer reviews remain hot enforcement topics. Remember
fake or paid reviews create real legal problems.
Data Security and Privacy. In the last decade, the FTC has filed
101 enforcement actions regarding Internet privacy and this will remain a
priority going forward.
Deceptive "Free Trial" and Negative Option Offers. The FTC continues to
enforce the Restore Online Shoppers’ Confidence Act requirement that online
sellers of products with a negative option feature must clearly and
conspicuously disclose the material terms of the transaction up front and must
obtain the consumer’s “express informed consent” to the charges.

The FTC also announced that it had completed its review of its rules implementing
the "CAN-SPAM Act" and determined that no changes were necessary.

More Information: Hey Nineteen: Nine FTC developments that could impact your business in
2019, FTC Business Blog; FTC & FDA issue warning letters to supplement sellers, FTC
Consumer Information Blog; FTC Completes Review of CAN-SPAM Rule, FTC Press-Release.

New York AG Cracks Down on

Fake Social Media Engagement

The New York Attorney General reached a settlement with Devumi LLC finding
that “selling fake social media engagement and using stolen identities to engage in
online activity is illegal”. Attorney General Letitia James explained that "[b]ots and
other fake accounts have been running rampant on social media platforms, often
stealing real people’s identities to carry out fraud. . . With this settlement, we are
sending a clear message that anyone profiting off of deception and impersonation is
breaking the law and will be held accountable."

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 4/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

The settlement is the latest reminder that law enforcement is very closely watching
online influencers and fake reviews.

More Information: Firm Selling Social Media Followers and Likes Busted by NYAG, Cyber
Report

Cyber Harassment
Update

A much anticipated California Supreme Court ruling on removing defamatory content

has sided in favor of review sites over defamation plaintiffs. In a 4-3 decision
in Hassell v Bird, the California Supreme Court reversed a Court of Appeal decision
ordering non-party Yelp to remove an offending post made by the defendant. Three of
the judges believed such an order was prohibited by Section 230 of the
Communications Decency Act which immunizes websites such as Yelp from liability
for third-party content. The fourth judge, however, indicated there could be
circumstances in which such an order may be appropriate. As a result, this issue will
continue to be litigated until the court provides a more definitive ruling.

In other developments, the Anti-Defamation League released a report that found over
half of Americans experienced online harassment and 37 percent were subject to
severe harassment.

Amnesty International, which earlier in 2018 released a report on Toxic Twitter stating
that its failure to protect women on its platform was a human rights violation, released
a supplemental report finding that women on Twitter received an abusive tweet every
30 seconds. Twitter's stock declined 11 percent after an analyst labeled Twitter as
"toxic" and "the Harvey Weinstein of social media."

More Information: Cal Supreme Court Blocks Order That Yelp Remove Defamatory Post, Cyber
Report; Online Hate and Harassment: The American Experience, Anti-Defamation
League; Women abused on Twitter every 30 seconds - new study, Amnesty
International; Twitter’s toxic misogyny just helped knock 11% off its stock value, Fast Company.

Cybersecurity Threats
2019

In February 2018, the City of Atlanta's computers were shut down by a ransomware
attack. The city refused to pay the $51,000 ransom and ultimately incurred $17
million in response costs and upgrades, as it took months for the city websites to be
fully operational. Ransomware, denial of service attacks, internet of things breaches,
deep fakes and crypto jacking are among the top threats in 2019 according to
experts.

One of the biggest cyber threats for businesses is simply human error, as employees
who are not trained in spotting phishing attacks and opening suspicious attachments
are a huge vulnerability. Just as Sony. In addition, you should review your "bring your
own device" (BYOD) policies and ensure that adequate security measures are being
employed.

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 5/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

The new year is a good time to review or implement cybersecurity training, evaluate
your security measures, review or implement a data breach plan and review your
insurance coverage in this area. We have published on our blog a series of fact
sheets on Cybersecurity Basics for small business from the Federal Trade
Commission.

More Information: Cyber Security Predictions: 2019 and Beyond, Symantec; Top 15 Cyber
Threats for 2019, Cyber Security Insiders; 2019 Cyber Security Guide: Emerging And Enhanced
Threats, Solis Security; Five emerging cyber-threats to worry about in 2019, MIT Technology
Review.

Hundreds of Works Enter the

Public Domain for First Time
Since 1978

In the 1998, as a number of early motion picture and music properties were about to
fall into the public domain, Congress enacted the Sonny Bono Copyright Term
Extension Act which effectively froze copyrighted items from entering the public
domain for twenty years. The legislation derisively referred to as the Mickey Mouse
Protection Act since it postponed the initial Mickey Mouse films from entering the
public domain until 1924. On January 1, 2019, for the first time since 1998, hundreds
of works entered into the public domain.

Works now in the pubic domain which may be freely used and adapted by content
creators and performers include silent films with Charlie Chaplin, Buster Keaton and
Harold Lloyd (pictured above) and the original Felix the Cat cartoon; songs such as
"Who's Sorry Now" and "The Charleston", as well as a number of works of literature
and classic artworks. Note that a song in the public domain refers to its sheet music
meaning it may be performed without a royalty but individual recordings may still be
copyrighted.

More Information: These 1923 Copyrighted Works Enter the Public Domain in 2019, Lifehacker;
31 free public domain image websites (use with care), 99Designs; Where to download free
stock photos and public domain images, Digital Trends.

FYI:
Additional Reading

One of the journalists covering the internet space whom I have followed with great
interest over the years is Gizmodo's Kashmir Hill. She recently wrote a six-part series
on her attempt to disconnect for a week from Amazon, Facebook, Google, and
Microsoft. I highly recommend it for anyone interested in the role the tech giants have
in our daily life.

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 6/7
2/21/2019 Gmail - Cyber Report - California Sparks National Privacy Debate

About Us

The Internet Law Center is a law firm dedicated to helping businesses navigate the evolving
legal standards for today's digital economy. The firm serves a diverse client base that
includes startups and large companies both online and offline across four continents on issues
ranging from online marketing, e-commerce, privacy, domain names to cyber-harassment, as
well as entertainment, general transactional and litigation matters. The firm also represents
clients in the emerging cannabis industry.

The Internet Law Center was founded by Bennet Kelley, who has been named as one of the
Most Influential Lawyers in Digital Media and E-Commerce by the Los Angeles Business
Journal. We are actively licensed in California and Washington, D.C.

We also have been named as one of the top internet law feeds to follow on Twitter.

Cyber Report is the award-winning newsletter of the Internet Law Center that has been named
one of the top 50 internet law blogs. Our newsletter It is for informational and promotional
purposes only and is not meant to express any legal opinion or advice. No attorney-client
relationship has been or will be formed by any communication in connection with this newsletter.-
FOLLOW US

Unsubscribe

This message was sent to internetlawcenter@gmail.com from bkelley@internetlawcenter.net

Bennet Kelley
Internet Law Center
100 Wilshire Blvd Suite 700
Santa Monica, CA 90401

-------------------------------

https://mail.google.com/mail/u/3?ik=30487dd800&view=pt&search=all&permthid=thread-f%3A1626089913913186531&simpl=msg-f%3A16260899139… 7/7