
California Consumer Privacy Act of 2018

On June 28, 2018 California (“CA”) Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“Act”) into law. The Act zeroes in on the personal information (“PI”) of CA residents, at once: (i) formalizing consumers’ rights regarding their own PI, and (ii) mandating what certain businesses may and may not do (sans permission) if they collect, disclose, or sell such info. Like the recently effective GDPR—and the Internet itself—the Act reaches far beyond its ostensible borders. Its implications should therefore be tracked by any covered entity dealing in PI, as the Act defines it.

This post summarizes certain key aspects of the Act: namely, its rights, requirements, and the entities beholden to both.

Effective Date

The Act will be effective January 1, 2020. §1798.198(a). Until then, the CA legislature will likely rethink, refine, and amend it. §1798.185(a). While getting a head-start on Act-literacy is wise, keeping an eye on its evolution is key.

Covered Businesses

The Act’s requirements fall primarily upon “businesses,” which are defined as:

For-profit legal entities that,

- collect consumers’ PI (or have PI collected on the business' behalf);

- alone or jointly determine the purposes and means of PI processing;

- do business in CA; and

  o have annual gross revenues over $25M;

  o alone or in combination, annually buy, sell, or share for commercial purposes the PI of 50K or more consumers, households, or devices; or

  o derive 50% or more of their annual revenues from selling PI. §1798.140(c)(1).

The Act's covered businesses also include entities that (i) control or are controlled by, and (ii) share common branding (i.e. name, trademark) with, the above businesses. §1798.140(c)(2).

Covered Data

The key phrase here is “personal information.” The Act defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” §1798.140(o)(1).

The Act provides a non-exhaustive list of PI examples, including: names, SSNs, biometrics, personal property records, records of products considered or purchased, browsing history, geo data, visual, thermal or olfactory data (Note: if you know what "olfactory data" entails, let us know!), education info, and any inferences drawn from these and the other listed data points. Id. Exception: publicly available info, as defined by the Act, is not PI. §1798.140(o)(2).

Consumers and Rights

The Act grants “consumers”—defined as natural persons who are CA residents, §1798.140(g)—distinct rights pertaining to the handling of their PI, including the following.

(1) The right to know what PI each business collects.

Thanks to this right, when requested by a consumer, a business must disclose to that consumer promptly (i.e. generally within 45 days of receipt of request) and free of charge: (i) the categories of PI collected; (ii) specific pieces of PI collected; (iii) categories of sources from which a business collected such consumer's PI; and (iv) categories of third parties with which businesses share that PI. §1798.100; §1798.110.

Also, at or before the point of collection, a business must inform consumers of: (i) the categories of PI collected, and (ii) how the PI will be used. Additional collection or use is prohibited sans this notification. §1798.110.

Exceptions: Businesses are not required to disclose to consumers any unsold or un-retained PI collected for one-time transactions. Also, re-identifying or otherwise linking data that the business does not (in the ordinary course of business) maintain as PI, for the sake of disclosing that PI, is not required. §1798.100; §1798.110.

(2) The right to request the deletion of their PI.

When requested by a consumer, a business must delete that consumer's PI and direct its service providers (defined at §1798.140(v)) to do the same. §1798.105(c). Exceptions include where the PI is necessary to: (i) perform a contract with the consumer, (ii) detect security incidents, (iii) debug, (iv) exercise a lawful right, (v) comply with certain Penal Code or other legal requirements, (vi) conduct public interest research, or (vii) otherwise use the PI “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” §1798.105(d).

(3) The right to know whether their PI is sold or disclosed, and to whom.

Upon request by a consumer, businesses who sell PI or otherwise disclose it for a business purpose must disclose to that consumer, essentially, the categories of (i) PI they collected, disclosed for a business purpose, and sold; and (ii) each third party to whom they sold the PI. §1798.115. If a business hasn’t sold the requesting consumer’s PI, such business must disclose that fact. Id.

(4) The right to prohibit—i.e. “opt out” of—the sale of their PI.

A consumer may at any time direct a business that it may not sell that consumer’s PI. §1798.120. Businesses that sell consumer PI must notify consumers that their PI may be sold, and of this opt-out right. Id. Without this notification, a business is prohibited from selling the affected PI. Id. Also, should a business receive a consumer’s opt-out, such business is prohibited from selling that consumer's PI. Id. That is, unless the consumer subsequently opts back in via an express authorization. Id. Stricter rules (e.g. a requirement that consumers “opt in” to allow their PI’s sale in the first place) apply for certain teenagers’ PI. §1798.120(d).

To comply with this requirement, businesses must provide a clear and conspicuous link on their homepage and in their privacy policy, titled “Do Not Sell My Personal Information.” §1798.135. This link must take consumers to an opt-out page; a link to this opt-out page must also appear in the business’s privacy policy, along with a description of consumer rights to prohibit the sale of their PI. Id. Exception: where a business maintains a separate, additional website for its CA consumers, it is permissible for these links to only appear on this CA-centric site, as long as the business “takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.” Id.

Moreover, a business may not require that a consumer create an account in order to direct the business not to sell the consumer’s PI. Id.

Bonus prohibition: third parties may not sell PI that they bought from a business unless the relevant consumer: (i) has received explicit notice that its PI may be sold; and (ii) has a chance to opt out. §1798.115(d).

(5) The right to equal service and price, even if they exercise their privacy rights under the Act.

A business may not discriminate against consumers because they have exercised any of the above rights, including by denying services to such consumers or charging them different rates. §1798.125. (While the Act provides an exception to this rule, allowing businesses to offer different rates or quality of goods or services to customers “if that price or difference is directly related to the value provided to the consumer by the consumer’s data,” id, the opacity of this exception requires further assessment.)

Finally, businesses may offer financial incentives to consumers in exchange for the collection, sale, or deletion of their PI—as long as: (i) the businesses notify consumers of these incentives; (ii) the relevant consumers opt into this arrangement, which consent is revocable anytime; and (iii) the incentive practices are not unjust, unreasonable, coercive, or usurious. Id.

Penalties and Procedures

If a business fails to implement and maintain reasonable security practices appropriate to the nature of the PI, and this failure results in a consumer’s nonencrypted or nonredacted PI being accessed and exfiltrated, stolen, or disclosed in an unauthorized manner, such consumer/s (individually or as a class) may commence a civil action for: (i) the greater of (a) up to $750 in damages per consumer and incident, and (b) actual damages; (ii) injunctive or declaratory relief; and (iii) any other relief per the court’s discretion. §1798.150. The Act further provides the factors for the court’s consideration in assessing statutory damages. Id.

Consumers have a cause of action for general Act violations—and the statutory damages that may follow—as well, subject to the Act's dispute resolution procedures. Id. A consumer must notify the business 30 days before initiating their action, identifying the allegedly violated provisions of the Act. Id. If the business cures within this period, providing an “express written statement” to this effect (which statement is enforceable), no action may be brought concerning that cured matter. Id. Exception: no notice is required by an action for actual pecuniary damages. Id.

If 30 days pass without cure, a business is in violation of the Act. §1798.155.

A consumer must also notify the Attorney General (“AG”) within 30 days of filing an action for statutory damages under the Act. §1798.150. Within 30 days following receipt of this notice, the AG must either: (i) notify the consumer of the AG’s intent to prosecute, in which case the consumer may not proceed with their action (however, if the AG doesn’t prosecute within 6 months, the consumer may proceed with their action); or (ii) notify the consumer that they may not proceed with their action. Id. If the AG does nothing within these 30 days, the consumer may proceed. Id.

Any person, business, or service provider who intentionally violates the Act may be liable for a civil penalty of up to $7,500 for each violation. §1798.155(b).

Miscellaneous Requirements and Exclusions

- Businesses must provide at least two methods by which consumers may make the requests for info about their PI detailed above, e.g. a phone number and web address. §1798.130.

- The 45-day deadline for a response to a consumer request for info about their PI may be extended once by a business for another 45 days when reasonably necessary, provided the relevant consumer is notified of this extension within the initial 45 days. Id. A 90-day extension is also available based on the complexity and numerosity of requests a business receives, as are exceptions to, and even payment terms concerning, this obligation. §1798.145(g).

- Businesses' PI disclosures must cover the 12-month period preceding the receipt of a consumer’s request. §1798.130.

- Businesses must include and update in their privacy policies every 12 months, as necessary: (i) their consumers’ rights; (ii) methods of submitting requests; (iii) the categories of PI they have collected, sold, and disclosed for business purposes in the prior 12 months. Id.

- Businesses must ensure their relevant personnel are adequately informed of the Act’s requirements, and know how to help consumers exercise the rights it provides. Id.

- Businesses are not obligated to provide a consumer with info on the sales or disclosures of that consumer’s PI more than twice in 12 months. Id.

- Businesses must “respect” a consumer’s opt-out for at least 12 months before requesting that the consumer revisit their decision and authorize the business’ sale of the consumer’s PI. §1798.135.

- A consumer may opt-out via a proxy. Id.

- The Act does not apply to:

  o Consumer information that is “deidentified or in the aggregate consumer information.” §1798.145. ("Deidentified" is defined at §1798.140(h) and "aggregate consumer information" is defined at §1798.140(a).)

  o The collection or sale of PI “if every aspect of that commercial conduct takes place wholly outside of California.” §1798.145(a). Meaning, (i) if the business collected PI while the consumer was out of CA, (ii) no part of the PI sale occurred in CA; and (iii) no PI collected while the consumer was in CA is sold. Id. The Act cautions that this exception does not permit a business to store PI (e.g. on a device) while the relevant consumer is in CA, only to collect that PI once the consumer (and their stored PI) leaves CA. Id.

  o Evidentiary privileges. §1798.145(b).

  o Protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act or certain HIPAA rules. §1798.145(c).

  o PI collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, where such law conflicts with the Act. §1798.145(e).

- A business is not liable for violations of the Act by its service providers, if the business didn’t know (or have reason to believe), when it disclosed PI to that service provider, that it intended to commit such a violation. §1798.145(h). A service provider is similarly not liable for the businesses it deals with. Id.

- A business is not considered by the Act to have sold PI when the relevant consumer directs the business to make such disclosure or “uses the business to intentionally interact with a third party.” §1798.140(t)(2)(A).

- Contract provisions that purport to waive or limit consumer rights under the Act are contrary to public policy, void, and unenforceable. §1798.192.

GDPR Overlap

The Act’s implicit intent is “to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information.” §1798.175. To this end, where other sweeping PI statutes such as GDPR conflict with the Act, “the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Id.

Conclusion

Though lengthy, this synopsis of the Act is not exhaustive. While the Act provides additional—and potentially pivotal—requirements and exceptions for businesses, their service providers, and third parties in relation to consumer PI, this post may serve as a guide to certain highlights of this new law and a primer for the internal discussions the Act should stimulate within entities of all (covered) stripes.

SLG's 50 State Survey Part One: New York

This post is a preview of a nationwide survey report we’re working on here at SLG, which will ask the questions listed below of each of the fifty U.S. states. Our preview, like the coming survey, discusses the keys to contract disputes: (i) limits of liability, (ii) damages, (iii) warranty disclaimers, and (iv) dispute resolution—and the parameters of each within the subject State.

For now, New York seemed a fine place to start.

 

NEW YORK

I. LIMITS OF LIABILITY

Are contractual caps, ceilings, or limits on direct damages enforceable?

Yes. Unless the damages stem from gross negligence or willful misconduct, as discussed below.

Are agreements that exclude all indirect (i.e. consequential, incidental) damages enforceable?

No. New York courts insert an implicit exception to these blanket caps, even if the applicable agreements explicitly don’t. Where the damages at play arise from gross negligence or willful misconduct, public policy dictates the offenders are limitlessly liable, and the cap fails. So, no matter what, liability for such egregious behavior is unlimited.

Despite this exception, caps on indirect damages are enforceable against other (less egregious) claims.

Additional Notes on Gross Negligence in New York:

1. Drafters should note that evidencing gross negligence or willful misconduct can be difficult; these standards are high. Parties must show that a breaching party’s “egregious intentional misbehavior evince[s] some extreme culpability.” Otherwise, no gross negligence or willful misconduct is present, and the relevant liability remains limited under the contract. Metropolitan Life Ins. Co. v. Noble Lowndes Int'l, Inc., 643 N.E.2d 504, 506-07 (N.Y. 1994) (defendant’s “voluntary and intentional … refusal to perform a contract [to develop and install software] for economic reasons,” without plaintiff proving fraud or other willful intent, fell short of gross negligence and willful misconduct and the limit of liability survived; also, entering a contract intending never to perform is not in itself gross negligence or willful misconduct).

Can remedies be limited to the express remedies solely and exclusively provided for in a contract?

Yes.  Per New York’s adoption of the Uniform Commercial Code ("UCC") § 2-316 (more on this below), remedies for breach of warranty may be limited to liquidation or limitations of damages as captured by a contract, or via a contractual modification of the subject remedies.  However, these routes carry their own rules and limitations.  For example, per UCC § 2-718, liquidated damages must represent “an amount which is reasonable in the light of the anticipated or actual harm caused by the breach, the difficulties of proof of loss, and the inconvenience or nonfeasibility of otherwise obtaining an adequate remedy.”  An unreasonably large liquidation of damages is, therefore, void.

II. DAMAGES

Does New York law mandate any blanket limits on the amount of (a) consequential damages, or (b) punitive damages that a party may recover?

(a) No. Unlimited consequential damages resulting from a breach of contract are generally available to parties under traditional contract principles. That is, so long as these damages were (i) a foreseeable result of the breach; (ii) “within the contemplation of the parties” when contracted; and (iii) not unconscionable. The UCC adds that consequential damages may be limited or excluded—except where those limits or exclusions are unconscionable themselves. UCC § 2-719 (3).

(b) No.

Additional notes:

1. Similarly, courts will generally enforce a contractual cap on consequential damages unless the cap is unconscionable, violates public policy, or enforcement causes the contract to fail of its essential purpose. Taylor Inv. Corp. v. Weil, 169 F. Supp. 2d 1046, 1058-59 (D. Minn. 2001).  If the provision was reasonable and negotiated as part of an arms-length agreement, however, proving unconscionability may be difficult. Finally, New York does not allow a manufacturer to disclaim liability borne of its own gross negligence, willful, wanton or intentional conduct. Kalisch-Jarcho Inc. v. New York, 58 N.Y.2d 377, 448 N.E.2d 413 (N.Y. 1983).

2. In recent years New York made it possible for policyholders to squeeze insurers for unlimited consequential damages for breach of policy. This remedy is available where the insurer’s denial of policy benefits (i) breaches the covenant of good faith and fair dealing; and (ii) the applicable damages were foreseeable at the contracting time.

Are punitive damages recoverable in contract matters? If so, when?

Generally, no. Even if a breach is willful and without justification. Campo v. 1st Nationwide Bank, 857 F.Supp. 264, 273 (EDNY 1994).

Additional Notes:

1. Contract claims fused with tort claims may earn punitive damages. Meaning, where a tort claim stems from a contractual relationship. There a plaintiff must show: (i) the defendant’s conduct is actionable as an independent tort; (ii) the tortious conduct is egregious; (iii) the egregious conduct is directed at the plaintiff; and (iv) the defendant’s conduct is part of a pattern directed at the public generally. Conocophillips v. 261 E. Merrick Rd. Corp., 428 F.Supp.2d 111, 129 (EDNY 2006).

2. In New York, certain fraudulent conduct may also earn punitive damages, i.e. fraud with “evil and reprehensible motives.” Solutia Inc. v. FMC Corp., 456 F.Supp.2d 429, 453 reconsideration denied (SDNY 2006).

3. Contracts commonly exclude all incidental, indirect, and consequential damages subject to certain exceptions; punitive damages may be expressly excluded.

III. DISCLAIMERS/LIMITATIONS OF WARRANTY

Are disclaimers of any and all implied warranties enforceable in New York?

Yes. Regarding all issues concerning implied warranties, New York adopted UCC § 2-316, which states that all implied warranties may be disclaimed.  However, such disclaimers must use contract language that is commonly understood to call a buyer's attention to the exclusion of warranties.  Expressions like "as is" or "with all faults" suffice, per the UCC, to adequately warn buyers and, thus, establish warranties.

For the two most prevalent implied warranties—those of merchantability and fitness—New York and the UCC permit sellers to disclaim:

(A) the implied warranty of merchantability, as long as the disclaimer is:

(i) conspicuous, and

(ii) explicitly includes the word “merchantability.”

(B) the implied warranty of fitness as long as such disclaimer is

(i) "affected by a writing," and

(ii) "conspicuous."

Drafters should note, however, that the UCC places a limitation on these disclaimers: they’re valid “unless the circumstances indicate otherwise.”  Meaning, if the facts indicate that a warranty did exist—perhaps as a deciding factor in the subject sale of goods—regardless of what the contract purports to disclaim, a warranty may exist.  Also noteworthy is the UCC § 2-316’s dictate that “an implied warranty can also be excluded or modified by course of dealing or course of performance or usage of trade.” Although these are likely tougher to prove than black and white ink on a contract is to read.

IV. DISPUTE RESOLUTION

When the State of New York is sued over a contract dispute, does New York mandate any dispute resolution procedures such as venue requirements or jury trial requirements?

No.  The Court of Claims has jurisdiction over contract dispute claims brought against the State of New York and certain State-related authorities.  Rather, to serve New York with a suit for breach of contract, a claim must be delivered to a New York Assistant Attorney General at an office of the Attorney General within six months after the claim’s accrual.  The claim's venue is determined by the county where the claim accrued.

When Assignment Bars & Termination Rights Fail: Bankruptcy Code §365(f)

Intro

Certain of your termination and anti-assignment clauses might be unenforceable.  Here’s why, when and how, and what you can do about it.

The Scenario

You’re shopping to license hardware or software from a reliable company. Maybe the company you settle on is a household name—let’s call it Tech Company—an industry leader in the service you’re seeking.  After some fruitful internal discussions, you reach out to Tech Company’s sales squad and within a matter of days or weeks money changes hands, new products are installed, and your organization is changed for the better.  Soon your employees learn to deftly handle the upgrade and before you know it, you and your customers rely on its speed and interface.  

A month later a notice arrives in the mail.  It’s from your new partners at Tech Company, but they’re not inviting you to the corporate Labor Day BBQ.  This letter is terser than the communications they’ve sent in the past.  You don’t understand its jargon, but you catch the gist.  Tech Company has filed for Chapter 11 bankruptcy.  Now it is assigning your contract to another company you’ve never heard of, called New Entity.  It seems Tech Company has suddenly washed its hands of you and introduced New Entity in its place without your knowledge—certainly without your consent.

The Roller Coaster

Here’s when you might scramble to your agreement with Tech Company.  Your review of the PDF begets more questions than answers, though; it’s practically a rollercoaster of positive and negative results. 

First, in the assignment section, you see something like this:

“Neither Party may assign this Agreement nor any rights or obligations hereunder...”

Point for the home team.

Then, a couple lines later, you read:

“…except to any entity that acquires the applicable assets of Tech Company as a result of a bankruptcy proceeding…”

Point for the away team.

You lighten back up as you come across a backdoor to the exception:

“…provided that You may, in such an instance, terminate this Agreement for convenience under Section…”

You flip to the termination section, and it’s all there, in slightly pixelated black and white.

“You may terminate this Agreement at any time upon sixty (60) days written notice to Tech Company…”

You breathe a little easier.  You still control some measure of your fate.  Tech Company cannot unilaterally unload you onto one of its competitors that you’ve never so much as spoken to.  If you don’t like what New Entity is selling, you can terminate the agreement for convenience based on Tech Company’s bankruptcy-fueled assignment.  Reassured, having disembarked the rollercoaster with your lunch intact, you ring your attorney to talk it over.

And she straps you right back in.

Apparently, there’s something called the Bankruptcy Code, Ms. Attorney says, and it rejiggers your agreement.  Per the Code’s §365, not only is Tech Company’s assignment permitted, but your right to terminate as a result of this assignment is void.

What?

Via §365(f), anti-assignment clauses are often useless in the face of bankruptcy.  Regardless of any provision that “prohibits, restricts, or conditions [an] assignment,” the Bankruptcy Code permits an assignment by the trustee of a bankrupt entity.  The only prerequisites, per the same section, are that:

(A) the trustee assumes such contract or lease in accordance with the provisions of this section; and

(B) adequate assurance of future performance by the assignee of such contract or lease is provided, whether or not there has been a default in such contract or lease.

Since the Bankruptcy Court has already approved the assignment—a.k.a. sale—of your contract to New Entity, these prerequisites have already been met; otherwise the Court wouldn’t have let the process go this far.  According to the Court Order referenced in the letter you received, Ms. Attorney continues, Tech Company’s trustee took control of the contract along with the rest of Tech Company in line with the Code.  Thus, (A) above has been met.  In terms of (B), whether or not Tech Company provided you with “adequate assurance” of New Entity’s ability to perform your contract in the future, Tech Company has assured the Court that it can and will “promptly take any actions reasonably required to obtain a Bankruptcy Court finding that there has been sufficient evidence of adequate assurance of future performance,” per the Order.  Satisfied with this promise and that New Entity’s performance of your contract wouldn’t result in material, economically significant detriment to you, the Court moved forward, and blessed the assignment.

But don’t I have a right to be notified at least? To object to the assignment? you ask.

Ms. Attorney reads from the Court Order: “If any consent is not obtained or notice is not given prior to the assignment’s closing, the closing shall nonetheless take place subject to the terms and conditions herein…”

And what about my termination rights? you follow up.  These rights were expressly provided for in your contract’s assignment section.

§365(f)(3) erases those, Ms. Attorney replies.

Under this subsection of the Code: “Notwithstanding a provision in an executory contract” that grants a termination right “on account of an assignment of such contract,” the subject contract “may not be terminated or modified under such provision because of the assumption or assignment of such contract or lease by the trustee.”

So, bankruptcy and its ensuing assignment cannot be the root of a termination right.  If it is, that right is itself terminated. 

Keep the Code in Mind

§365 intends to help trustees elicit the max value from debtors’ estates.  To do so it allows trustees to assign executory contracts that benefit the estate—no matter what the contract itself might prohibit or permit.  As long as the trustee assures the Bankruptcy Court that the assignee’s future performance will be adequate as compared to the performance promised under the contract, then the non-debtor (in this case, your company) is in a position level to the one it bargained for with the debtor in the first place, business can proceed, and everyone wins.  Though, as here, it might not feel that way. 

This scenario begs the question: Why do anti-assignment and termination rights hinging on bankruptcy persist if they’re rendered meaningless by the Bankruptcy Code?  Why include them at all?

The prevailing guess is that sometimes, folks don’t know the law.

Whatever side of the table a party and its attorney may occupy, anti-assignment and termination rights—along with an unfamiliarity with §365—can underpin a party’s confidence in their agreement.  However, this confidence could be false.  Through §365, the Bankruptcy Code seeks to right the ship when one entity to an executory contract is sinking.  Bankruptcy can be tricky, and a working knowledge of the Bankruptcy Code at the negotiation stage is key.  When negotiating technology agreements in general—and their assignment and termination clauses in particular—parties and attorneys must keep §365 in mind, or certain rights might be unenforceable after all.