U.S. State Law | Privacy and Information Security Law Blog

California AG’s Mobile App Case Against Delta Dismissed

Posted on May 10, 2013 by Hunton & Williams LLP

A state court has dismissed the California Attorney General’s claims that Delta Air Lines Inc. (“Delta”) violated the California Online Privacy Protection Act by failing to have an appropriately posted privacy policy for its mobile application, Bloomberg reports. The California AG sued Delta in December as part of an enforcement campaign that began with the issuance of warning letters to approximately 100 operators of mobile apps, including Delta. According to the Bloomberg report, a basis for the dismissal was the federal Airline Deregulation Act, under which a state “may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier that may provide air transportation under this subpart.” 49 U.S.C. § 41713.

Tags: California, Enforcement, Mobile App, Online Privacy, Personally Identifiable Information, Privacy Policy, State Attorneys General, U.S. Federal Law, U.S. State Law

Court of Appeals Rules that HIPAA Preempts Florida Law

Posted on April 12, 2013 by Hunton & Williams LLP

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

Tags: Florida, Health Privacy, HIPAA, Privacy Rule, Protected Health Information, U.S. State Law

Supreme Court Limits Plaintiffs Ability to Cap Damages Prior to Class Certification

Posted on March 22, 2013 by Hunton & Williams LLP

As reported in the Hunton Employment & Labor Perspectives Blog:

On March 19, 2013, in Standard Fire Insurance Co .v. Knowles, the United States Supreme Court ruled that stipulations by a named plaintiff on behalf of a proposed class prior to class certification cannot serve as the basis for avoiding federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”).

Tags: Class Action, Cookies, Litigation, Supreme Court, U.S. Federal Law, U.S. State Law, Workplace Privacy

Google Enters into Multi-State Wi-Fi Settlement

Posted on March 12, 2013 by Hunton & Williams LLP

On March 12, 2013, Connecticut Attorney General George Jepsen announced that a coalition of 38 states had entered into a $7 million settlement with Google Inc. (“Google”) regarding its collection of unsecured Wi-Fi data via the company’s Street View vehicles between 2008 and 2010. The settlement is the culmination of a multi-year investigation by the states that we first reported on in 2010.

Tags: Connecticut, Enforcement, Google, Information Security, Online Privacy, State Attorneys Wireless Network, U.S. State Law, YouTube

Massachusetts Court Ruling Benefits Plaintiff in Zip Code Case

Posted on March 11, 2013 by Hunton & Williams LLP

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

Tags: California, Class Action, Consumer Protection, Enforcement, Identity Theft, Information Security, Litigation, Massachusetts, Payment Card, Personally Identifiable Information, Song-Beverly Act, U.S. State Law, ZIP Codes

California Ruling Finds Song-Beverly Act Does Not Apply to Online Transactions

Posted on February 5, 2013 by Hunton & Williams LLP

On February 4, 2013, the Supreme Court of California examined whether Section 1747.08 of the Song-Beverly Credit Card Act (“Song-Beverly”) prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product. In a split decision, the majority of the court ruled that Song-Beverly does not apply to online purchases in which the product is downloaded electronically.

Tags: Apple Inc., California, Class Action, Consumer Protection, Litigation, Online Privacy, Payment Card, Personally Identifiable Information, Song-Beverly Act, U.S. State Law

California Ruling Permits Collection of ZIP Codes After Receipt Is Provided to Customer

Posted on January 11, 2013 by Hunton & Williams LLP

As reported in BNA’s Privacy & Security Law Report, on December 14, 2012, a federal district court in California ruled that a retail store’s policy of collecting personal information only after providing customers with receipts does not violate the Song-Beverly Credit Card Act (“Song-Beverly”). Under Section 1747.08(a)(2) of Song-Beverly, a retailer that accepts credit cards for the transaction of business may not “[r]equest, or require as a condition to accepting the credit card as payment … the cardholder to provide personal identification information,” which the entity accepting the credit card then “writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

Tags: California, Class Action, Consumer Protection, Enforcement, Information Security, Litigation, Payment Card, Personally Identifiable Information, Safe Harbor, Song-Beverly Act, U.S. State Law, ZIP Codes

Medical Practices Agree to $140,000 Settlement with Massachusetts Attorney General

Posted on January 10, 2013 by Hunton & Williams LLP

On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.

Tags: Consent Order, Consumer Protection, Enforcement, Health Privacy, HIPAA, Massachusetts, Penalty, Privacy Rule, Protected Health Information, Social Security Number, State Attorneys General, U.S. State Law

California AG Sues Delta for Failure to Post a Privacy Policy on Its Mobile App

Posted on December 7, 2012 by Hunton & Williams LLP

On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”

Tags: California, Enforcement, Online Privacy, Penalty, Personally Identifiable Information, Privacy Policy, State Attorneys General, U.S. State Law

Time Running Out for Mobile App Operators Targeted by California Attorney General

Posted on November 26, 2012 by Hunton & Williams LLP

In late October 2012, California Attorney General Kamala D. Harris began sending letters to approximately 100 mobile app operators, informing them that they are not in compliance with the California Online Privacy Protection Act (“CalOPPA”). Pursuant to CalOPPA, “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” must post a privacy policy that contains specified elements. A mobile app arguably could be an “online service” under CalOPPA, which provides that an online service operator that collects “personally identifiable information” and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. The law affects a wide range of mobile app operators because of its very broad definition of “personally identifiable information,” which includes any “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” such as a name, an email address or any other identifier “that permits the physical or online contacting of a specific individual.”

Tags: California, Mobile App, Mobile Device, Online Privacy, Personally Identifiable Information, Privacy Policy, State Attorneys General, U.S. State Law

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

California AG’s Mobile App Case Against Delta Dismissed

Court of Appeals Rules that HIPAA Preempts Florida Law

Supreme Court Limits Plaintiffs Ability to Cap Damages Prior to Class Certification

Google Enters into Multi-State Wi-Fi Settlement

Massachusetts Court Ruling Benefits Plaintiff in Zip Code Case

California Ruling Finds Song-Beverly Act Does Not Apply to Online Transactions

California Ruling Permits Collection of ZIP Codes After Receipt Is Provided to Customer

California AG Sues Delta for Failure to Post a Privacy Policy on Its Mobile App

Time Running Out for Mobile App Operators Targeted by California Attorney General

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Stay Connected

Privacy News