• SB 7 Breathes New Life into CEQA Streamlining Process

    AB 900, a law that provided for speedy resolution of California Environmental Quality Act (CEQA) litigation, was allowed to “sunset” at the end of the 2020 legislative session, without an anticipated legislative extension. On May 20, 2021, Governor Newsom signed SB 7, the Jobs and Economic Improvement Through Environmental Leadership Act of 2021, to reinstate and expand the former AB 900 streamlining process for certain environmental leadership development projects (ELDPs).

    SB 7 allows new ELDPs to be certified through 2023 and approved through 2024, and makes a new class of smaller residential projects eligible for certification for the first time. The new law provides clear benefits to projects that were previously certified as ELDPs under AB 900, but that did not receive project approvals by the prior deadline of January 1, 2021. For many new projects seeking the legislation’s CEQA streamlining benefits, the feasibility to achieve ELDP status is uncertain, given onerous new requirements prioritizing on-site and local direct greenhouse gas emissions reductions over offsets, and imposing new geographic requirements for any offsets that remain necessary.

    AB 900 Background

    Under AB 900, the Jobs and Economic Improvement Through Environmental Leadership Act of 2011, three types of major development projects were eligible for ELDP certification: (1) clean renewable energy projects that generate electricity exclusively through wind or solar; (2) clean energy manufacturing projects; or (3) “residential, retail, commercial, sports, cultural, entertainment, or recreational use projects” on infill sites that would achieve LEED Gold certification and improved transportation efficiency. All ELDPs were required to cause no net additional emissions of greenhouse gases (GHGs) as determined by the California Air Resources Board (CARB), adhere to specific prevailing wage and project labor requirements, and result in at least a $100 million investment in the state, among other requirements.

    Once certified by the Governor, ELDPs were entitled to significant litigation streamlining benefits in exchange for their environmental and economic commitments—namely, that all judicial challenges to an EIR certification or related project approvals, including “any potential appeals,” must be resolved, to the extent feasible, within 270 days. Absent such streamlining, CEQA litigation frequently lasts for two years or more with appeals. To facilitate speedy resolution, the schedule for preparation of the administrative record was shortened, running concurrently with the entitlement process, and the lead agency must certify the record within 5 days of its approval of the project (rather than 60 days after filing a petition under the normal CEQA process). However, despite certain news reports that the legislation was intended to speed up environmental review, it in fact only accelerated the timeline for litigation following completion of environmental review.

    Reviving AB 900 Certifications

    Approximately 20 ELDPs were certified by the Governor between 2012 and the statutory deadline of January 1, 2020, including the 3333 California Street Project in San Francisco and the Inglewood Basketball and Entertainment Center (which proceeded under project-specific legislation). However, under the former act, projects that were certified before January 1, 2020, but not approved by a lead agency before January 1, 2021, were left with expired certifications.

    SB 995, an earlier bill aimed at lengthening the runway for certified projects, passed both the California Senate and Assembly but failed to be finalized in the hectic final hours of the last legislative session. SB 7 picks up where SB 995 left off. Under SB 7, previously certified ELDPs are entitled to the same benefits and subject to the same requirements prescribed in the former act, but now have until January 1, 2022 to obtain final approval by a lead agency. The legislation was enacted with an urgency clause, meaning that it is effective immediately.

    Expanding Eligibility for Certification

    For new projects interested in securing CEQA streamlining, SB 7 offers some good news: ELDPs now may be certified by the Governor before January 1, 2024, and approved by a lead agency before January 1, 2025. Additionally, SB 7 makes a new class of projects eligible for certification—residential infill projects that result in an investment of between $15 million and $100 million, with at least 15% of units affordable to lower income households.

    SB 7 also authorizes the Governor, before a lead agency’s approval of an ELDP, to certify a project alternative if the alternative also complies with AB 900’s statutory conditions at the time of the Governor’s original certification. This clarification is intended to ensure that certification remains valid if the lead agency ultimately selects a project alternative under CEQA.

    Raising the Bar for GHG Neutrality

    At the same time, SB 7 raises the bar for ELDP certification. It adds construction labor requirements to the existing prevailing wage/project labor agreement requirements, requiring eligible projects to use a “skilled and trained” workforce for all construction work, and requires applicants to pay the costs of the trial court (not only the Court of Appeal), in hearing and deciding any case challenging the ELDP’s CEQA certification or project approvals.

    Most notably, SB 7 imposes material new barriers to demonstrating that a project will have no net additional GHG emissions, which typically requires use of GHG “offsets” to reduce emissions beyond what would be possible as part of the project itself. Under AB 900, the determination of GHG neutrality was left up to CARB’s discretion, and there were no geographic restrictions on the location of GHG offset programs, which allowed flexibility in completing or funding cost-effective GHG reduction measures to achieve GHG neutrality. Under SB 7, with the exception of the newly eligible housing development projects described above, projects newly seeking certification must first prioritize direct emissions reductions that also reduce other air emissions within the same air district in which the project is located. If those measures are not sufficient, the project must address any unmitigated GHG impacts through offsets within the same air district as the proposed project, or that otherwise have a “specific, quantifiable, and direct environmental and public health benefit to the region in which the project is located.” The market for offsets is quite constrained, particularly for offset projects located in urban areas in California, and is expected to become even more so in the coming years. Given this change, the feasibility of new ELDPs is uncertain.

    Coblentz has guided clients through certification, approval, and development of several ELDPs and would be happy to discuss the opportunities and challenges of SB 7.

  • Coblentz Recognized in Chambers USA 2021

    Six Coblentz partners and three practices have been recognized by Chambers & Partners in the Chambers USA 2021 Guide, adding newly recognized litigation partner Rees Morgan and Coblentz’s Northern California real estate practice to the list. Real estate and land use partners Pamela Duffy and Harry O’Brien are listed as leading lawyers in the Real Estate: Zoning/Land Use – California category, real estate partner Alan Gennis is listed as leading lawyers in the Real Estate – Northern California category, litigation partners Timothy Crudo and Rees Morgan are listed in the Litigation: White-Collar Crime & Government Investigations – California category, and Employment partner Fred Alvarez is listed in the Labor & Employment – California category.

    Independent and objective, Chambers USA is carefully researched and widely considered to be the most reputable law firm directory in the world. Ranking criteria include technical legal ability, client service, commercial vision and business understanding, diligence, depth of the team, value for money, and other qualities most valued by legal clients.

    Real Estate & Land Use

    Coblentz’s real estate and land use practice is again ranked by Chambers USA 2021 Guide in the top tier, Band 1, in the Real Estate: Zoning/Land Use category for California. Our land use practice has been continuously ranked by Chambers for many years and is now joined by the real estate practice, ranked by Chambers USA 2021 Guide in Band 3 in the Real Estate category for Northern California. Of our real estate and land use practices, one client notes “They are incredibly knowledgeable and detailed on the specifics,” and another added, “They are attentive and provide practical advice.” Three real estate and land use partners continued to receive individual rankings.

    Pamela Duffy is again ranked as a Leading Lawyer in the top tier, Band 1, in the Real Estate: Zoning/Land Use – California category. Clients quoted by Chambers noted that “Pam is a fantastic practitioner,” and, “She is incredibly prominent.” Pam has been recognized by Chambers since 2003.

    Harry O’Brien is also again ranked as a Leading Lawyer in Band 3 in the Real Estate: Zoning/Land Use – California category. When interviewed about Harry, one client remarked, “Harry is smart, articulate and knows the city very well – he has a long and deep experience of projects in San Francisco and is a great resource.” Harry has been recognized by Chambers since 2003.

    Alan Gennis is ranked as a Leading Lawyer in Band 3, in the Real Estate – Northern California category. Clients remarked that “Alan is really knowledgeable, creative and very solution-oriented,” and “He is thoughtful, thorough and well-reasoned and has a really nice bedside manner with clients.” Alan has been recognized by Chambers since 2018.

    Litigation

    Coblentz’s white collar defense and investigations practice is newly ranked by Chambers USA 2021 Guide in Band 4 in the Litigation: White-Collar Crime & Government Investigations category for California. Chambers notes that the practice is a “robust white-collar criminal defense group with strong credentials in defending SEC and DOJ investigations and enforcement actions.” Two litigation partners also received individual rankings in the category.

    Timothy Crudo increased in rankings as a Leading Lawyer in Band 3 in the Litigation: White Collar Crime & Government Investigations category for California. A client noted, “He is a master of facts and a brilliant storyteller for his clients.” Tim has been recognized by Chambers since 2016.

    Rees Morgan is newly ranked as a Leading Lawyer in Band 5 in the Litigation: White Collar Crime & Government Investigations category for California. Of Rees, one client noted he “is thorough and excellent at describing legal maneuvers and consequences in easy-to-understand terms,” and another mentioned, “He is highly intelligent, deeply analytical and has a real sense of what a case is worth.”

    Employment

    Employment partner Fred Alvarez is recognized as a Senior Statesperson in California in the Labor & Employment category. One client raved that Fred “is a fantastic lawyer. He is highly intelligent and strategically precise and has amazing insights.” Another noted, “He is very smart and pleasant to work with.”

    To view the complete list of Coblentz rankings in Chambers USA 2021, please visit the publication’s website.

    Additional Chambers Rankings: High Net Worth Guide

    Coblentz Family Wealth practice and four Family Wealth partners, James Mitchell, Philip Feldman, Jaime Mannon, and Mitchell Edwards, are ranked in the Private Wealth Law category of the Chambers HNW (High Net Worth) guide for Northern California. Chambers HNW, also published by Chambers & Partners, ranks the top lawyers and law firms for international private wealth. When asked about the Coblentz Family Wealth practice, one source commented, “Besides knowing their subject matter well, they all have tremendous people skills from the litigation attorneys down to the legal secretaries and paralegals. Another strength is that they try and resolve an issue in a fair and sensible fashion. They seem to have respect for the other side, which in my opinion has helped solve matters sooner rather than later. As a whole, I find that everyone I have worked with has had very good mediation skills.” You can read more about our Chambers HNW rankings here.

    Categories: News
  • Ashley Weinstein-Carnes Recognized in Connect Media’s Next Generation Awards

    Coblentz real estate and land use associate Ashley Weinstein-Carnes has been named as a Connect Media 2021 Next Generation Award winner for the California region. Connect Media’s annual Next Generation Awards recognize young leaders who are poised to continue to be influential in the commercial real estate industry — because of their talent, drive, and fresh ideas. The winners were chosen from nearly 500 nominations from all sectors of the commercial real estate industry, ranging from brokerage to development to real estate law and finance.

    Ashley is active in the commercial real estate community and is passionate about engaging her fellow younger generation of leaders. She is a member of several local CRE organizations and holds leadership positions with the Urban Land Institute and UC Berkeley’s Real Estate Alumni Association. Ashley is part of the next generation of land use and real estate attorneys guiding high-profile, complex developments in California. Her land use practice focuses on local administrative permitting, and she has successfully obtained land use approvals for large-scale projects, including mixed-use and multifamily residential developments, corporate R&D and office campuses, and industrial facilities. She also advises institutional investors, lenders, developers, landowners, and lessees and lessors with regard to existing land use restrictions and agreements, as well as strategies and requirements for the re-entitlement of property.

    Categories: News
  • The Future of Commercial Leasing – After the Pandemic

    Coblentz real estate partner Alan Gennis will moderate the Bar Association of San Francisco’s Continuing Legal Education program, “The Future of Commercial Leasing – After the Pandemic,” to be held on May 25 from 3:00 to 4:30 pm.

    The program will cover the current state of commercial leasing, including how to handle defaulting tenants, paying the costs of COVID-time operations, and what provisions future leases may include.

    For more details and to register, please click here.

    Categories: Events
  • Spring 2021 Privacy Law Update: CCPA, CPRA, State Laws and Recent Court Decisions

    By Scott Hall & Mari Clifford

    Download a PDF version of this report here.

    Although we are just a few months in, 2021 has already been another busy year for data privacy developments. From new regulations and legislation to court decisions impacting privacy rights, let’s take a look at a few of the key data privacy developments so far this year.

    New CCPA Regulations

    Just when you thought the CCPA regulations were finalized, on March 15, 2021, the California Attorney General (“AG”) approved additional regulations intended to enhance consumer protections for opt-outs. Most significantly, the regulations ban “dark patterns” that complicate the opt-out process and prohibit businesses from burdening consumers with confusing language or unnecessary steps.

    The revisions implement the following changes:

    • Offline Collection and Notices: Businesses that sell personal information collected offline are now required to inform consumers in an offline method of their right to opt-out. This includes providing instructions on how to submit an opt-out request.
    • Ban on Dark Patterns or Complications to the Opt-Out Process: Opt-out requests must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The new regulations prohibit businesses from using any method that is designed to, or has the effect of, preventing a consumer from opting out. Specifically, businesses cannot require consumers to scroll through a privacy policy or listen to reasons why they should not opt-out before confirming their request. Additionally, the opt-out process cannot require more steps than the process to opt-in to the sale of personal information after having previously opted out, or use confusing language.
    • Opt-Out Icon: Businesses may use an opt-out icon in addition to, but not in lieu of, notice of a right to opt-out or a “Do Not Sell My Personal Information” link.
    • Requests from Authorized Agents: A business may require an authorized agent who submits a request to “know” or “delete” to provide proof that the consumer gave the agent signed permission to submit a request.
    • Children’s Information: The regulations added the word “or” to section 999.332. As a result, businesses that sell personal information (“PI”) of children under the age of 13 “and/or” between the ages of 13 and 15 are now required to define in their privacy policies how consumers can make an opt-in to sale requests.

    CPRA Preparation and Compliance

    In November 2020, Californians voted to enact Proposition 24, also known as the California Privacy Rights Act (“CPRA”). The CPRA expands on the California Consumer Privacy Act of 2018 (CCPA), establishes a new privacy regulatory agency called the California Privacy Protection Agency (CPPA), provides new rights for consumers, and imposes new obligations on businesses.

    The CPRA’s enforcement is set to begin on July 1, 2023, but the act has a look-back period to January 1, 2022. This means that data collected from January 1, 2022, is subject to the act, so businesses shouldn’t wait to develop the requisite policies and procedures in response to new requirements. CPRA compliance should be a priority for every covered business. Here are a few key points that businesses need to be thinking about:

    Modification to the Scope of the CCPA

    The CPRA modifies the CCPA’s scope in that it applies to businesses that (1) have annual gross revenue over $25 million in the preceding calendar year; (2) buy, sell, or share personal information of 100,000+ consumers or households; or (3) derive at least 50% of their annual revenue from selling or sharing consumer PI. Notably, the CPRA’s threshold of 100,000 consumers or households doubles the previous threshold under the CCPA of 50,000 consumers, households, or devices, and therefore could significantly reduce the scope of the act and its impact on smaller businesses.

    Cross-Context Behavioral Advertising

    The CPRA introduces the concept of data “sharing,” which is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” (Emphasis added.) The CPRA explicitly requires businesses to provide notice to consumers about data sharing practices and extends consumer opt-out rights to the sharing of personal information by a business to a third party.

    Data Minimization

    The CPRA introduces data minimization principles similar to those in the GDPR by prohibiting businesses from collecting more personal information than “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . .”[1]  The CPRA also requires that businesses not retain personal information for longer than is reasonably necessary for the purpose for which it was collected, as well as to identify retention periods of data in the privacy notice to consumers.[2] Thus, all businesses should focus on making changes to limit data collection and processing of personal information to only what is reasonably necessary for the business.

    Creation of California Privacy Protection Agency (CPPA)

    The CPRA establishes a new enforcement agency, the CPPA. As the first agency of its kind in the United States, the CPPA will have the authority to investigate potential breaches and violations, draft enforcement regulations, and issue fines. This transfers the current CCPA and CPRA responsibilities from the Office of the Attorney General to the CPPA. Importantly, the CPRA cancels the grace period of 30 days that businesses have after being notified of an alleged breach or violation and raises the maximum on fines for violations.

    Expanded Consumer Rights

    Expansion of the Private Right of Action

    The CPRA has expanded the scope of the private right of action by adding a cause of action for the unauthorized access and exfiltration, theft, or disclosure of an email address in combination with a password or security question and answer that could permit access to content. The act also clarifies that the implementation and maintenance of reasonable security procedures and practices following the breach do not constitute a cure.

    New Consumer Rights Under the CPRA

    • Right to correct: California residents have the right to correct inaccurate personal information the business holds about them. This mirrors the right to correction under the GDPR.
    • Right to know about and opt-out of automated decision making: California residents can request access to and knowledge about how automated decision technologies work and what their outcomes are, and have a right to opt-out of the use of their PI for automated decision making.
    • Right to opt-out of data “sharing”: In addition to being able to opt-out of data “selling,” consumers will be able to opt-out of data “sharing” for cross-context behavioral advertising purposes.
    • Right to limit use of sensitive personal information: The CPRA introduces a new category of personal information called “sensitive personal information.” This includes precise geolocation data, race, religion, sexual orientation, social security numbers, and certain health information outside the context of HIPAA. Consumers may limit the use and disclosure of sensitive personal information by businesses. Businesses may also need to add another link to their website homepage to allow consumers to exercise their rights to limit the use of their sensitive information.

    Next Steps For Businesses

    Update Website Links

    Covered businesses will need to (1) update their “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information,” and (2) include a separate link titled “Limit the Use of My Sensitive Personal Information” where such information is collected. The CPRA encourages businesses to make “a single, clearly-labeled link” that allows a consumer to swiftly and simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s sensitive PI. If a business complies with automated opt-out signals sent from browsers or other extensions then a business will not need to provide such links.

    Update Contracts

    Businesses will need to impose expanded duties on their service providers and contractors to protect information, comply with audit requests, and assist businesses in responding to consumer requests or other obligations. The CPRA requires all sales, sharing, and disclosures of personal information for a business purpose to be made pursuant to a contract. Even disclosures of deidentified information to any recipient will require a contract setting out clear restrictions on attempts at reidentification. To comply with these new CPRA provisions, businesses will need to (1) develop the necessary contracting materials in preparation for a contracting exercise; (2) assess all transfers of personal information to identify which provisions are required for which recipients; and (3) begin the process of updating and negotiating the required agreements.

    Conduct Additional Data Mapping

    Businesses will need to identify any information that is shared, not just sold. To meet the CPRA’s data minimization requirements, businesses will need to establish and comply with document retention periods. Additionally, businesses need to understand what algorithms or automated decision-making processes are being performed on personal information collected and maintained by the business.

    Adjust Responses to Data Subject Access Requests

    The CPRA now requires businesses to use commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request. As a result, businesses must be prepared to adjust their response procedures or be ready to explain why they cannot meet a consumer request because “doing so proves impossible or would involve a disproportionate effort.”

    Businesses should also start preparing processes for how they will respond to California consumers who exercise their new privacy rights which include “do not share” requests, correction requests, and requests to limit the use of sensitive data. Finally, with more state privacy laws looming, many businesses will need to consider whether a “California versus everyone else” approach still makes sense for their business.

    Assess High-Risk Activities

    Per the CPRA, the California AG will at some point issue regulations requiring businesses whose processing poses “significant” risks to consumer privacy and security. These “high-risk” businesses will then need to perform annual security audits and submit regular risk assessments to the new CPPA. Companies that collect large volumes of sensitive data should start designing internal audit procedures in anticipation of this requirement. More details on this to come.

    Update Do-Not-Track and Advertising Models

    Businesses will need to anticipate and prepare their models for what advertising looks like with fewer cookies, tags, and pixels. They will also need to start reacting to Do-Not-Track signals and may need to adopt new opt-in marketing strategies. Given the volume of work this may entail, businesses should commence this earlier rather than later so as not to run into compliance issues when enforcement of the CPRA begins.

    More State Legislation Regarding Data Privacy

    The landscape of privacy law and compliance issues is changing rapidly as many states beyond California are enacting or contemplating new, more comprehensive privacy legislation similar to the CCPA/CPRA.

    Virginia Privacy Law

    Virginia became the second state to pass comprehensive data privacy legislation when it enacted the VCDPA on March 2, 2021. The VCDPA applies to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and either (1) control or process the personal data of at least 100,000 consumers during a calendar year, or (2) control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data. The VCDPA provides consumers rights of access, correction, deletion, data portability, appeal, and exclusion. Because the Act does not provide for any exceptions to these rights, businesses are expected to comply regardless of the hardship posed or the impractical nature of the request.

    To best prepare for these eventualities, businesses will need to update their policies that address the new obligations imposed upon them under the VCDPA including data minimization, purpose limitations, security controls, express consent requirements, and data protection assessments. Given that the VCDPA goes into effect in two years, businesses are strongly advised to start evaluating their current data processing activities and begin developing a compliance program that meets the requirements of the VCDPA.

    Other States Introducing Privacy Laws

    As the internet and new technologies continue to raise questions about privacy and use of PI, state lawmakers are trying to keep up by addressing novel privacy issues through legislation.

    California’s and Virginia’s legislatures are not the only ones paying attention to these shifting tides in the privacy law landscape. Several states, including Washington, Oklahoma, Connecticut, Florida, Illinois, and New Jersey currently have active bills awaiting committee hearings or votes. Other states such as Alabama, Arizona, Colorado, Kentucky, Maryland, Massachusetts, Minnesota, New York, Rhode Island, South Carolina, Texas, Utah, Vermont, and West Virginia recently introduced comprehensive privacy acts to state legislatures. Progress on these laws should be monitored closely over the next few months.

    Status of a Federal Privacy Law

    And, of course, no update would be complete without monitoring federal privacy legislation. Congresswoman Suzan DelBene (WA) introduced the Information Transparency and Personal Data Control Act on March 10, 2021, which would create a national data privacy standard for the protection of personal information, including information related to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, social security numbers, and religious beliefs, as well as information about minors.

    Given the potential patchwork of state laws mentioned above, many businesses would welcome a uniform standard, but the timing of when a comprehensive federal law will actually be enacted remains unclear.  For now, businesses must closely monitor the various state laws being passed and determine what laws they may need to comply with.

    Recent Court Decisions Regarding Privacy

    Data privacy litigation remains active, and recent court decisions have provided some clarity and guidance regarding the scope of certain privacy laws.

    Scope of CCPA’s Private Right of Action

    Certain recent court rulings have limited the scope of the CCPA’s private right of action.  For example, in Gardiner v. Walmart Inc. et al, No. 4:20-cv04618 (N.D. Cal.), defendants secured a ruling rendering a narrow interpretation of the CCPA. In Gardiner, a Walmart customer sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. On March 5, 2021, the District Court for the Northern District of California dismissed Gardiner’s claim for damages under the CCPA on two grounds. First, the court could not determine whether the alleged breach occurred before or after the effective date of the CCPA because the complaint did not specifically allege a date when the purported breach occurred. Second, the court held that in order to state a viable CCPA claim, a plaintiff must allege specific, unauthorized disclosure of “personal information.” This could indicate that courts will strictly interpret the CCPA to apply only where the specific categories of personal information listed in the law are actually exposed in a data breach. However, it is important to note that the court granted the Plaintiff leave to amend, allowing the Plaintiff to potentially cure the complaint’s shortcomings and perhaps get a second shot at litigating his claims.

    In McCoy v. Alphabet, Inc. et al., No. 5:20-cv-05427 (N.D. Cal.), the court held that there is no general private right of action under CCPA. Plaintiff Robert McCoy had filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without first obtaining users’ consent. In its February 2, 2021 order denying in part and granting in part the Defendants’ motion to dismiss, the court emphasized that the Plaintiff had not pled a data security incident and had conceded during arguments that the CCPA claims should be dismissed because no data breach occurred. The order states that the CCPA, “confers a private right of action for violations of section [Cal. Civ. Code § 1798.150](a), which is related to personal information security breaches. Further, it explicitly states that ‘[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.’ Cal. Civ. Code § 1798.150(c).” Whether this reasoning is adopted in other cases remains to be seen.

    Standing in Data Privacy Cases

    At the Circuit Court level, there is currently ongoing dialogue regarding whether data breach victims can establish a right to sue merely by showing that they are at increased risk of identity theft.

    The Second Circuit Court of Appeals recently issued a decision in McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021) clarifying that the risk of identity theft after a data breach may be grounds to sue. The latter notwithstanding, the court affirmed the dismissal of a proposed class action against a veteran’s health services company over an accidentally sent email that contained workers’ social security numbers. In the summer of 2018, Defendant’s employee accidentally sent an email to 65 others at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information of approximately 130 current and former employees. Three plaintiffs whose information had been disclosed filed suit. They asserted claims for negligence, negligence per se, consumer protection, and other state law claims on behalf of California, Florida, Texas, Maine, New Jersey, and New York classes. Upon the Defendant’s motion, the District Court dismissed the case for lack of subject matter jurisdiction. An appeal to the Second Circuit followed.

    On appeal, the Second Circuit noted that it has been “suggested” that there is a circuit split on standing in the data breach context concerning whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data. However, the court found that “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’” The Second Circuit then went on to hold that in the abstract, “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”

    The Second Circuit’s decision contrasts somewhat with the Eleventh Circuit’s recent opinion in Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1339 (11th Cir. 2021) holding that a plaintiff alleging a threat of future identity theft or other harm lacks Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm taking place. (Emphasis added) The Tsao case arose out of a security breach at PDQ, a group of American restaurants owned by Captiva MVP Restaurant Partners. Within two weeks, PDQ posted a notice notifying its customers that its systems had been a victim of a cyber-attack. Tsao filed suit to recover damages stemming from the breach. The dispute in the class-action lawsuit was based on two questions. First, whether Tsao and the class of patrons of the restaurant had standing to sue because they were exposed to the future risk of identity theft, despite not suffering any misuse of their information. Second, whether Tsao’s efforts to mitigate the risk of future identity theft presented a concrete injury sufficient to establish standing. The Eleventh Circuit answered no to both issues.

    Conclusion

    In sum, we’re off to a fast and furious start to 2021, but more is coming. This ever-changing area of the law requires businesses to take proactive measures now to prepare themselves for the compliance obligations coming their way. Stay tuned for further developments. If your company needs assistance with any privacy issues, Coblentz Cybersecurity and Data Privacy attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

    Download a PDF version of this report here.

     

    [1] CPRA, Section 1798.100(c).

    [2] CPRA, Section 1798.100(a)(3).

  • Recent Developments In Music Copyright Law

    Coblentz partner Jeffrey Knowles will present during the Marin County Bar Association’s virtual webinar “Recent Developments In Music Copyright Law,” to be held on May 11 from 12:00 to 1:00 pm.

    Recent years have seen major developments in the law of music copyright. Legislatively, the enactment of the Music Modernization Act in 2018 was a major milestone that dramatically altered the landscape for licensing of musical works and, for the first time, extended federal protection to pre-1972 sound recordings. Case law developments have been equally dramatic, especially in the Ninth Circuit. After first lowering the bar for establishing infringement of musical works in the 2018 and 2019 “Blurred Lines” and “Stairway to Heaven” decisions — setting off a wave of challenges to major recording artists — the  Ninth Circuit reversed course in 2020. Overturning a number of earlier decisions, including the 2019 panel decision in the “Stairway to Heaven” case, the court sitting en banc once again raised the bar for establishing infringement of musical works. Jeff Knowles will be joined by Judith Finell and David Kostiner to walk attendees through these developments.

    For more details and to register, please click here.

    Categories: Events
  • Jeff Dodd Recognized as Forty Under 40 by the North Bay Business Journal

    Coblentz real estate and land use partner Jeff Dodd was named to the North Bay Business Journal’s 2021 Forty Under 40 list, recognizing 40 young professionals making an impact in the North Bay.

    Jeff specializes in land use, environmental, and water law. Born and raised in Napa Valley, Jeff’s work has had a wide-reaching impact on the North Bay business community. He assists entrepreneurs, small business owners, wineries, farmers, and non-profits seeking to own, develop, and add value to real property. Jeff takes pride in helping his clients understand the regulatory and political issues associated with their projects and working with local communities to develop environmentally-responsible and sustainable developments.

    Read Jeff’s profile in the North Bay Business Journal here.

    Categories: News