Articles Posted in Consumer Law

The genetic testing company, 23andMe, known for its popular DNA ancestry and health reports, is facing a class-action lawsuit following a data breach that resulted in the personal information of Jewish customers being exposed on the dark web.

The so-called “dark web” is the world wide web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user’s location. The dark web forms a small part of the deep web, the part of the web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web. The breach raises significant concerns not only about the security of sensitive genetic data but also the potential for this information to be exploited in harmful ways. This lawsuit underscores the growing need for robust cybersecurity measures in the genetic testing industry.

The Data Breach

In the digital era, where personal interactions, commerce, and even the way we perceive reality have migrated to online platforms, data privacy has become a paramount concern. Among the technology giants, Facebook, now rebranded as Meta, stands as a towering figure in the realm of social media and virtual reality. As the company’s influence expands, its data collection practices, utilization of pixel technology, and implications for wiretapping laws have sparked profound discussions about the balance between innovation and individual privacy.

The Meta Transformation

In October 2021, Facebook announced a significant rebranding effort, transforming itself into Meta. This rebranding signaled the company’s intention to shift its focus towards the metaverse—a digital realm where virtual reality, augmented reality, and interconnected experiences converge. This transition raises pertinent questions about data privacy within the metaverse, as these interconnected experiences often involve the seamless sharing of personal information.

The rapid growth of the internet and the widespread use of social media platforms have provided individuals with new avenues for communication, networking, and information sharing. However, the rise of the digital age has also brought about the concerning issue of internet cyberspace harassment. Online harassment encompasses various forms of abusive behavior, including cyberbullying, online stalking, revenge porn, hate speech, and other forms of malicious online activities. To combat this pervasive problem, lawmakers around the world have been enacting laws and regulations specifically targeting internet cyberspace harassment. In this article, we will explore the significance of these laws and regulations in addressing online harassment and ensuring a safer digital environment.

Defining Internet Harassment

Internet cyberspace harassment refers to the intentional use of digital platforms to harass, intimidate, threaten, or harm individuals or groups. It can take various forms, such as sending abusive messages, sharing explicit or defamatory content, spreading false information, or engaging in persistent online stalking. These acts of harassment can have severe psychological, emotional, and even physical consequences for the victims.

The franchise and business opportunity rules mandate sellers to issue a clear and concise disclosure document at least ten days before the consumer pays funds. The document must include the following information:

  1. Names, addresses, and telephone numbers of other purchasers;
  2. Fully-audited financial statement of the seller;

The federal Lanham Act (“Lanham Act”) allows civil actions for false advertising that misrepresents the nature, characteristics, qualities, or geographic origin of goods or services. See 15 U.S.C. § 1125(a) stating in relevant part as follows:

(1) Any person who, on or in connection with any goods or services, or any container for goods, uses in commerce any word, term, name, symbol, or device, or any combination thereof, or any false designation of origin, false or misleading description of fact, or false or misleading representation of fact, which: (A) Is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities by another person, or (B) In commercial advertising or promotion, misrepresents the nature, characteristics, qualities, or geographic origin of his or her or another person’s goods, services, or commercial activities, shall be liable in a civil action by any person who believes that he or she is or is likely to be damaged by such act.

(2) As used in this subsection, the term “any person” includes any State, instrumentality of a State or employee of a State or instrumentality of a State acting in his or her official capacity. Any State, and any such instrumentality, officer, or employee, shall be subject to the provisions of this chapter in the same manner and to the same extent as any nongovernmental entity.

It is not legal or ethical to engage in false or misleading advertising for selling products or services. This is especially true when the advertising harms consumers or competitors in violation of state or federal laws.

A business that uses misleading words for the sale of a product or service can be sanctioned by state or federal agencies. The use of keywords like healthy, organic, gluten free, or 100% natural can be deceptive. The usage of false scientific support claims or endorsements may be unethical. The posting of a false or deceptive picture or video can be against the law. There have been instances where the advertiser used a false or misleading color to make its product look different. Also, there have been instances where the advertiser made a false claim that its product contained a certain product or it had clinically proven health benefits to enhance sales.

A business that engages in deceptive pricing by hiding true fees or surcharges can be sanctioned by state or federal agencies. In most cases, the consumers are misled by not knowing the true price of the product or service – e.g., a communication service provider hides the cell phone bill’s real charges from the consumer when signing up for service.

A business organization has legal responsibilities when it comes to data access, control, and management. The government has recently issued an opinion regarding disclosure requirements for the so-called “inferred data” which comprise of internally generated inferences within the context of a consumer’s right of access request. California Civil Code Section 1798.140(v)(1)(K) defines “inferred data” as inferences drawn from a consumer’s personal information to create a profile which reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

Under California Civil Code Section 1798.110(a)(1), consumers have the right to know the specific pieces of personal information a business organization has collected about them. The California Consumer Privacy Act (“CCPA”) did not address inferred data in its provisions and only implied that businesses should disclose personal data they collected from consumers. However, the Attorney General’s Office issued Opinion No. 20-303 to address whether business organizations that are subject to the CCPA should include inferred data when a consumer submits a Data Subject Access Request (“DSAR”). In short, with limited exceptions (e.g., trade secret protection), the answer was affirmative.

The question is whether inferred data elements fall under trade secret protection rules. In his opinion, the state Attorney General stated that the CCPA only mandates a business to share the product of its internal algorithms even though the algorithms themselves are protected trade secrets. In fact, internal algorithms fall under the classic definition of trade secrets because they’re not publicly accessible to competitors, they confer a competitive advantage, their secrecy is maintained from external disclosure. See California Civil Code § 3426.1(d)(2) for more information about trade secrets. In fact, trade secrets include customer lists, processes, and software or commercial methods. It is conceivable, and probably foreseeable that, a business may withhold inferences because they’re protected trade secrets but it has the burden of proof. So, in short, a business has two options when it comes to disclosing inferred data. First, it can fulfill the DSAR according to the most recent opinion and face the risk of exposing its internal algorithm. Second, it can withhold the data inferences and face the risk of receiving a non-compliance notice from the state Attorney General’s office.

We’ve discussed how the states have passed privacy laws to protect their residents. We have also referenced the state and federal rules or regulations that are designed to promote transparency, security, accuracy, proper data collection, and accountability.

The Federal Constitution has not expressly mentioned the right to privacy. However, under Article I Section 1, the California Constitution has mentioned the “inalienable right to privacy” that is applicable to the government and private individuals. The courts have confirmed this fundamental right. In White v. Davis (1975) 13 Cal.3d 757, 774, the Supreme Court analyzed the facts and confirmed the right of privacy. In Hill v. National Collegiate Athletic Association (1994) 7 Cal.4th 1, 39, the Supreme Court outlined the following framework to decide whether there is a constitutional violation: (1) there must be a legally protected privacy interest; (2) there must a reasonable expectation of privacy; and (3) there must be a serious invasion of privacy interest.

There is also a common law right of privacy. First, there is intrusion into plaintiff’s seclusion. Second, false light as a result of false and negative publicity. Third, public disclosure of private facts. Fourth, there is the commercial appropriation of plaintiff’s name or likeness without consent. The courts have also recognized negligence as a cause of action when the defendant fails or refuses to manage data in a reasonable manner. In other words, the defendant can be sued for failing to comply with the industry data management standards if it causes damages to the plaintiff.

We have briefly discussed some of the state and federal privacy laws that are applicable to consumers and commercial organizations. It is important to understand how personal information is being obtained and distributed by businesses. Personal information is also being obtained and distributed by bad actors – i.e., criminals who gain access to customer information through clandestine methods and sell the information for profit. This information can be extracted by using cookies which is a software program that records the customer’s activities when visiting the website. Yet, a computer can be configured to not automatically accept cookies. Tracking software is being used to follow and monitor the customer’s online activities. The Federal Trade Commission, which has the authority to bring legal action for unfair or deceptive trade practices affecting commerce, has prosecuted companies for their failure to properly disclose this information.

What are the federal privacy laws?

The Federal Constitution has implicitly granted privacy rights. The Fourth Amendment prohibits unreasonable searches and seizures. There has been a series of legal cases that have dealt with this provision in order to determine the definition of unreasonable searches and seizures. However, some courts have held website monitoring programs that may reveal Internet Protocol or electronic mail addresses do not implicate the Fourth Amendment. The federal privacy laws that have been promulgate by the federal government include: (1) Driver’s Privacy Protection Act; (2) Electronic Communications Privacy Act; (3) Family Educational Rights and Privacy Act; (4) Fair Credit Reporting Act; (5) Fair Debt Collection Practices Act; (6) Federal Privacy Act; (7) Financial Services Modernization Act a/k/a “Gramm-Leach Bliley Act;” and (8) Video Privacy Protection Act which grants consumers the right to opt-out from disclosure of their personal information and file a legal action if their rights are violated. Also, the Federal Identity Theft and Assumption Deterrence Act prohibits the production and possession of false or unauthorized documents or the usage of another person’s identity.

Part I: DMV Sale of Personal Information

A group has investigated and allegedly found that the California Department of Motor Vehicles has earned more than $50 million by selling personal information of drivers to third parties without consent. This data may include names, addresses, and registration information. The DMV claims on its website that it does not sell information to advertisers or marketers for advertising or direct marketing purposes. It also claims that:

Most information acquired by the DMV is subject to public inspection under Vehicle Code Section 1808. Other statutes, regulations or laws governing subpoenas, discovery for litigation, Public Records Act requests, and commercial requestor requester accounts also apply to information gathered at this website. However, various provisions of law do prohibit or restrict the disclosure of certain electronically transmitted information such as social security numbers, residence addresses, and credit card accounts numbers. DMV also uses the information gathered on this website to help improve this website. For example, by tracking the number of website visitors, the date of visit, and the pages visited, DMV can balance resources so that the maximum number of visitors can obtain needed information. Additionally, by tracking what visitor software is being used (e.g. browser) DMV can avoid using features that visitors can not view or use.