Quantity Over Quality? CCPA Expands Definition of Personal Biometric Information but Limits Civil Recovery in Many Instances

Written By: Julia Aguilar

On January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) took effect. Created as a resource to offer “consumers more control over the personal information collected about them,” the CCPA was partly introduced in an effort by the California legislature to compete with privacy protections offered in other states.[1] Prior to 2020, biometric data laws were limited to a handful of states including Arkansas, Illinois, Louisiana, Texas, and Washington, offering citizens privacy protection from businesses that had access to their data. Biometrics are “unique physical characteristics, such as fingerprints, that can be used for automated recognition.”[3]

The CCPA requires businesses to give consumers notice of the personal information they retain in their files, and the option to consent to or request deletion of that information. Additionally, it includes unauthorized storage of browsing and search history in its list of actionable offenses.[5] When a consumer is harmed following a breach of their personal data, however, their remedies are often limited under the act, which raises the question: how much protection does the CCPA actually offer consumers?

For instance, the social-media giant Facebook settled a class-action lawsuit just last month for $650 million brought by Illinois residents under the Illinois Biometric Information Privacy Act (“BIPA”).[6] The complaint alleged that Facebook created and stored users’ face templates without prior notification and written consent following the law’s enactment in 2008, which allows for a private right of action.[7] California District Judge James Donato, who approved the settlement payout of $350 to each class member on January 14, 2021, stated, “[t]his is money that’s coming directly out of Facebook’s own pocket. . . . The violations here did not extract a penny from the pockets of the victims. But this is real money that Facebook is paying to compensate them for the tangible privacy harms that they suffered.”[8]

For a similar breach under the CCPA, however, the California Attorney General’s own webpage admits that “[y]ou cannot sue businesses for most CCPA violations.”[9] In fact, “[y]ou can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances.”[10] You may be able to sue if your personal information was stolen as a result of a business’s data breach caused by its negligence.[11] However, even where statutory damages are available, “if the business is able to cure the violation and gives you its written statement that it has done so,” you can no longer sue unless the business continues its unlawful conduct.[12]

If damages serve the function of deterring unlawful behavior, then how effective can laws such as the CCPA be when tech companies have more than enough money to throw away on costly litigation? Compared to the CCPA, the BIPA cracks the whip on companies like Facebook in a much more palpable manner. By granting injured litigants a direct path to these businesses’ wallets, such verdicts send a resounding message discouraging data collection in a privacy war that has only just begun.


[1] California Consumer Privacy Act (CCPA), State of Cal. Dep’t of Just. Off. of the Att’y Gen. (Feb. 13, 2021, 1:00PM), https://oag.ca.gov/privacy/ccpa [https://perma.cc/3DWC-655Z].

[2] Seyfarth Shaw, LLP, The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses, Jdsupra (June 11, 2020), https://www.jdsupra.com/legalnews/the-growing-number-of-biometric-privacy-62648/ [https://perma.cc/9QQA-ULSQ].

[3] Biometrics, U.S. Dep’t of Homeland Sec. (July 13, 2020), https://www.dhs.gov/biometrics [https://perma.cc/W3DN-SUXH].

[4] Seyfarth Shaw, LLP, supra note 2.

[5] Id.

[6] Robert Channick, Nearly 1.6 Million Illinois Facebook Users to Get About $350 Each in Privacy Settlement, Chicago Tribune (Jan. 14, 2021, 8:04PM), https://www.chicagotribune.com/business/ct-biz-facebook-privacy-settlement-illinois-20210115-2gau5ijyjff4xd2wfiiow7yl4m-story.html [https://perma.cc/C9FN-U8YE].

[7] Meg Graham, Illinois Biometrics Lawsuits May Help Define Rules for Facebook, Google, Chicago Tribune (Jan. 17, 2017, 9:00AM), https://www.chicagotribune.com/business/blue-sky/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html [https://perma.cc/27PN-Y5XU].

[8] Channick, supra note 6.

[9] California Consumer Privacy Act (CCPA), State of Cal. Dep’t of Just. Off. of the Att’y Gen. (Feb. 13, 2021, 1:00PM).

[10] Id.

[11] Id.

[12] Id.

TikTok’s Uncertain Future in the Short-Form Video App Market

Written By: Edgar Guzman

TikTok, a short-form video social networking application owned by Chinese company ByteDance, has amassed worldwide popularity since late 2018. Unfortunately, alongside a rise in popularity, the app has gained controversy with U.S. lawmakers raising “national security and privacy concerns over ByteDance’s ties to the Chinese government.”[1]

In late 2019, a college student named Misty Hong filed a class-action lawsuit in California alleging that “TikTok and its Chinese parent company, ByteDance, neglected their duty to handle user data with care and knowingly violated a slew of statutes governing data gathering and the right to privacy.”[2]

Under the direction of President Trump and the U.S. Treasury, the Committee on Foreign Investment in the United States (“CFIUS”) has conducted investigations into the acquisition of Musical.ly by ByteDance.[3] CFIUS is a committee that “has the power to block or unwind deals involving foreign investors, and the President of the United States has ultimate authority over its decisions.”[4] According to a report by the Congressional Research Service, the statutory process for CFIUS “sets a legal standard for the President to suspend or block a transaction if no other laws apply and if there is ‘credible evidence’ that the transaction threatens to impair the national security.”[5]

The power afforded to CFIUS investigations is evident based on precedent. Based on similar concerns surrounding personal data collection from application users, CFIUS has previously “forced Chinese investors to divest from PatientsLikeMe, a healthcare startup, and Grindr, an online dating platform, both bought by U.S.-based companies.”[6]

In an Executive Order issued on August 6, 2020, President Trump addressed national security concerns surrounding TikTok.[7] The executive order “seeks to ban business dealings with TikTok by any US citizen or organization after Sept. 20,” while a second executive order, signed on August 14, requires “any sale or transfer of TikTok [to] be approved by CFIUS.”[8] In response, TikTok filed a lawsuit against the U.S. government stating that President Trump’s orders are not supported by evidence or due process, and “disagree[ing] with the characterization of TikTok as a national security threat,” further commenting “that the Trump administration ignored all of TikTok’s efforts to address those concerns.”[9] These efforts included “spen[ding] nearly a year working in good faith to give the CFIUS requested details and information about TikTok’s Business.”[10]

For now, the Trump administration demands TikTok operations be placed in U.S. hands and, as an alternative solution, TikTok and Oracle have agreed to become business partners since “Microsoft announced that it will not buy TikTok’s U.S. operations from ByteDance.”[11] While the exact nature of the agreement and whether it will allow TikTok to survive a ban remains unknown, other competitors are taking advantage of the situation, including Facebook’s new Reels feature on Instagram.[12]


[1] Paige Leskin, Inside the Rise of TikTok, the Viral Video-Sharing App Wildly Popular with Teens and Loathed by the Trump Administration, Business Insider (Aug. 7, 2020, 2:20 PM), https://www.businessinsider.com/tiktok-app-online-website-video-sharing-2019-7 [https://perma.cc/9FEM-CU69].

[2] Blake Montgomery, California Class-Action Lawsuit Accuses TikTok of Illegally Harvesting Data and Sending It to China, The Daily Beast (Dec. 2, 2019, 5:20 PM), https://www.thedailybeast.com/california-class-action-lawsuit-accuses-tiktok-of-illegally-harvesting-data-and-sending-it-to-china [https://perma.cc/Q5KJ-6CX2].

[3] Katie Canales, The US Treasury is Investigating TikTok over National Security Concerns, Treasury Secretary Mnuchin says, Business Insider (July 29, 2020, 10:17 AM), https://www.businessinsider.com/us-treasury-investigating-tiktok-bytedance-2020-7 [https://perma.cc/VV9B-GWSN].

[4] Jeff John Roberts, ‘A strange power’: The Secretive Presidential Committee that Could Kneecap TikTok, Fortune (Aug. 7, 2020, 8:31 AM), https://fortune.com/2020/08/07/tiktok-ban-trump-committee-foreign-investment-us-cfius/ [https://perma.cc/4T6G-7T3F].

[5] Congressional Research Service, The Committee on Foreign Investment in the United States (CFIUS) Summary (2020) https://crsreports.congress.gov/product/pdf/RL/RL33388 [https://perma.cc/H7T2-YLTE].

[6] Shining Tan, TikTok on the Clock: A Summary of CFIUS’s Investigation into ByteDance, Center for Strategic & International Studies (May 13, 2020), https://www.csis.org/blogs/trustee-china-hand/tiktok-clock-summary-cfiuss-investigation-bytedance [https://perma.cc/XY7B-6RGX].

[7] Brian Fung, Does TikTok’s Deal with Oracle Avert a US ban?, CNN Business (Sept. 14, 2020, 12:06 PM), https://www.cnn.com/2020/09/14/tech/tiktok-deadlines/index.html [https://perma.cc/2R8H-YN5K].

[8] Id.

[9] Nathan Ingraham, TikTok Sues the US Government over Upcoming ban, Engadget (Aug. 24, 2020), https://www.engadget.com/tiktok-sues-us-government-152040736.html [https://perma.cc/2B8P-2MZV].

[10] Id.

[11] Brian Fung & Selina Wang, TikTok will Partner with Oracle in the United States after Microsoft Loses bid, CNN Business (Sept. 14, 2020, 4:29 PM), https://edition.cnn.com/2020/09/13/tech/microsoft-tiktok-bytedance/index.html [https://perma.cc/33GA-8D3M].

[12] Julia Alexander, Instagram Launches Reels, its Attempt to Keep you off TikTok, The Verge (Aug. 5, 2020, 9:00 AM), https://www.theverge.com/2020/8/5/21354117/instagram-reels-tiktok-vine-short-videos-stories-explore-music-effects-filters [https://perma.cc/F58Z-2686].


Terms of Service and the Erosion of the Right to Privacy

Written By: Elliot Millerd-Taylor

“I wouldn’t want to slow the wheels of progress. But then, on the other hand, I wouldn’t want those wheels to run over my client in their unbridled haste.” [1]

In a set of recent decisions, courts in the Ninth and Tenth Circuits have held that as long as the government stays within the parameters of the intrusions you agree to in the Terms of Service (TOS) with an internet service provider, there is no search subject to the warrant requirement or, in the alternative, no reasonable expectation of privacy. [2]

For example, in United States v. Wilson, the court denied a motion to suppress evidence implicating the defendant in the possession, distribution, and solicitation of child pornography because the government’s visual examination of the images turned over by Google did not “significantly expand” on the proprietary technology Google uses to search someone’s email. [3]

Facially, the district court’s decision comports with the majority of Fourth Amendment case law. However, this surface-level appearance masks the troubling implications of the decision.

First, Google’s TOS for Gmail reserves the right to investigate suspected misconduct, review content, and remove or refuse to display content that violates policy. [4] In short, you are not obligated to use the service, and you will not be allowed to keep using it if you break the law.

Second, 18 U.S.C. 2258(a) compels Google to turn over “actual knowledge of any facts or circumstances” that indicate a user is distributing, soliciting, or producing child pornography to the CyberTipline of the National Center for Missing and Exploited Children (NCMEC). This includes relevant identity, geographic, and historical reference material.

Finally, Google goes beyond 18 U.S.C. 2258(a)’s requirements. Google uses a proprietary hashing technology to identify possible violations, which are then manually reviewed by trained employees who catalogue the image and assign it a hash value. Next, Google places this information into a server that matches the hash value against known media. Then, Google turns the information over to NCMEC. In short, Google searches a user’s email in a manner that would require a law enforcement officer to procure a warrant. [5]
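The matching step described above, reduced to its mechanics as an added illustration (this is not Google’s code, and Google’s hash algorithm is proprietary; SHA-256 stands in for it here, and the catalogued “media” are constructed byte strings, not real files):

```python
import hashlib

# Constructed stand-ins for catalogued image files: labels mapped to raw bytes.
# In the real pipeline these entries come from the reviewers' catalogue.
CATALOGUED_MEDIA = {
    "catalogue-item-A": b"\x89PNG\r\n\x1a\n constructed sample A",
    "catalogue-item-B": b"\x89PNG\r\n\x1a\n constructed sample B",
}


def fingerprint(data: bytes) -> str:
    """Hash value assigned to a piece of media (SHA-256 here; the provider's
    proprietary function takes this role in practice)."""
    return hashlib.sha256(data).hexdigest()


def build_hash_index(catalogued: dict) -> dict:
    """Server-side table: hash value -> catalogue label. Only hashes are kept,
    so the index itself never needs to hold the media."""
    return {fingerprint(data): label for label, data in catalogued.items()}


def scan_account(attachments: dict, index: dict) -> list:
    """Hash every attachment of one account and report those whose hash
    appears in the index. Unmatched attachments produce no record at all,
    which is the point of hash matching: the scanner learns nothing about
    content it has not already catalogued."""
    reports = []
    for name, data in attachments.items():
        h = fingerprint(data)
        if h in index:
            reports.append({"attachment": name, "matched_label": index[h], "hash": h})
    return reports


def perturb(data: bytes) -> bytes:
    """Flip one bit of the last byte. Used to show that a cryptographic hash
    gives exact-match behaviour only; perceptual hashes are designed to
    survive such edits, which is why providers use them instead."""
    edited = bytearray(data)
    edited[-1] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    index = build_hash_index(CATALOGUED_MEDIA)
    mailbox = {
        "holiday.png": b"unrelated constructed bytes",
        "forward.png": CATALOGUED_MEDIA["catalogue-item-A"],
        "edited.png": perturb(CATALOGUED_MEDIA["catalogue-item-A"]),
    }
    for report in scan_account(mailbox, index):
        print(report)
```

Two things the code makes concrete: a match is decided entirely on the provider’s side against a list the user never sees, and the exact-match property of a cryptographic hash is why a single-bit edit escapes it; the proprietary perceptual hashing the post refers to trades that exactness for tolerance to resizing and re-encoding.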

Where does this leave things?

As noted in the amicus curiae brief in Wilson, this potentially means that one will need to operate their own email server in order to maintain a reasonable expectation of privacy on the internet. [6] A ridiculous proposition, but it would not be the first time a Fourth Amendment case said facially or economically ridiculous and impracticable behavior was reasonable. [7]

Recent decisions, however, portend good omens. In Byrd v. United States, the court held that violating a signed contract which had provisions barring certain behavior did not eliminate the reasonable expectation of privacy the Fourth Amendment provides. In short, the court held you cannot sign away your rights or your reasonable expectations of privacy. [8]

Finally, the concerns over third-party or private searches in the internet age voiced in dissenting Fourth Amendment opinions, most recently Justice Gorsuch’s dissent in Carpenter v. United States, now seem justified. [9] There may be five votes on the court to expand upon the Carpenter holding. [10] Justice Gorsuch noted that the Smith and Miller exceptions to the Katz test could have dramatic and deeply problematic implications for the Fourth Amendment in an era when the majority of American society conducts its business through electronic mediums. [11] In noting that even the reasonableness test leads to unreasonable results, Gorsuch’s dissent observes that the court’s case-by-case approach to the Fourth Amendment threatens the ability of the court to adequately address these new concerns. [12]

Much like the internet’s disruption of the American economy, it now seems that it provides challenges to the fundamental civil liberties of all Americans as frequently as, well, someone sending an email.


[1] Star Trek: Court Martial, (NBC Television Broadcast 1967).

[2] United States v. Wilson, 2017 U.S. Dist. LEXIS 98432; see also United States v. Wolfenbarger, 2019 U.S. Dist. LEXIS 148822 (N.D. Cal. 2019); United States v. Ackerman, 296 F. Supp. 3d 1267 (D. Kan. 2017); and United States v. Stratton, 229 F. Supp. 3d 1230 (D. Kan. 2017).

[3] United States v. Wilson, 2017 U.S. Dist. LEXIS 98432 at 17-18. The first indictment was two counts under 18 U.S.C. §§ 2252(a)(2) and 2252(a)(4)(b). A second indictment a month later charged defendant under 18 U.S.C. § 2251(d)(1)(A), § 2252(a)(2), and § 2253(a)-(b).

[4] Id. at 19-20.

[5] See United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162 (9th Cir. 2010) (Kozinski, J., concurring) (“These and similar search tools should not be used without specific authorization in the warrant, and such permission should only be given if there is probable cause to believe that such files can be found on the electronic medium to be seized.”) (discussing the limitations placed on the government’s use of hashing technology).

[6] Jennifer Lynch, Your Fourth Amendment Rights Should Not be Limited by Terms of Service, ELECTRONIC FRONTIER FOUNDATION (Sep. 27, 2019), https://www.eff.org/deeplinks/2019/04/your-fourth-amendment-rights-should-not-be-limited-terms-service. See also, Carol D. Leonnig, Rosalind S. Helderman & Tom Hamburger, FBI Looking Into The Security of Hillary Clinton’s Private E-mail Setup, THE WASHINGTON POST (Sep. 27, 2019) (discussing why running a private server is a bad idea, citing Secretary of State Hillary Clinton, the George W. Bush administration, and the Trump administration), https://www.washingtonpost.com/politics/fbi-looks-into-security-of-clintons-private-e-mail-setup/2015/08/04/2bdd85ec-3aae-11e5-8e98-115a3cf7d7ae_story.html?noredirect=on&utm_term=.e7190be442d0. See also, Matt Apuzzo & Maggie Haberman, At Least 6 White House Advisors Used Private Email Addresses, THE NEW YORK TIMES (Sep. 27, 2019), https://www.nytimes.com/2017/09/25/us/politics/private-email-trump-kushner-bannon.html. See also, Nina Burleigh, The George W. Bush White House ‘Lost’ 22 Million Emails, NEWSWEEK MAGAZINE (Sep. 27, 2019), https://www.newsweek.com/2016/09/23/george-w-bush-white-house-lost-22-million-emails-497373.html.

[7] Carpenter v. United States, 138 S. Ct. 2206, 2266 (2018).

[8] Byrd v. United States, 138 S. Ct. 1518 (2018).

[9] Carpenter, 138 S. Ct. at 2261.

[10] Id.

[11] See Katz v. United States, 88 S. Ct. 507  (1967) (Harlan, J., concurring); Smith v. Maryland, 99 S. Ct. 2577 (1979); United States v. Miller, 96 S. Ct. 1619 (1976).

[12] Carpenter v. United States, 138 S. Ct. 2206, 2266 (2018) (Gorsuch, J., dissenting) (harbors particularly sharp opinions on the reasonableness of a police helicopter flying 400 feet above one’s backyard).


Mind What You “Like” on Facebook

Written By: Ali Mousavi

The connection between a person’s browsing history and his or her own state of health is too tenuous to support plaintiffs’ contention that the disclosure requirements of HIPAA or California Civil Code section 1798.91 apply in the Smith case.[1]

Facebook has been capturing and selling the details of users who browse third-party health sites.[2] Plaintiffs, Winston Smith and two Jane Does, alleged that Facebook violated numerous federal and state laws by collecting and using their browsing data from various healthcare-related websites.[3] The suit names Facebook and seven cancer institutions as defendants.[4]

The suit alleges that Facebook’s use of tracking cookies means that any site with a “like” button can potentially send browsing data to Facebook. That includes the site the user has visited, any pages within that site, and anything they might enter into the search bar.[5] Plaintiff Smith alleges that Facebook captured the information about his “likes” and sold the information without his consent.[6]
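To make the mechanism in the complaint concrete, here is an added example (not from the opinion or from Facebook) of what a third-party widget host can record from one embedded-button request, and how the page’s Referrer-Policy changes that. The health site, widget host, cookie names and search query are all constructed; the policy rules follow the W3C Referrer Policy specification.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: a search page on a health site that embeds a "like"
# button served by a third-party host. Cookie names are made up.
PAGE_URL = "https://cancercenter.example/conditions/search?q=stage+3+melanoma#top"
WIDGET_URL = "https://social.example/plugins/like"
COOKIE_HEADER = "c_user=12345; datr=constructed"


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def referer_header(page_url: str, request_url: str,
                   policy: str = "strict-origin-when-cross-origin"):
    """Referer value a browser attaches to a subresource request from page_url,
    per the Referrer Policy spec. The fragment is never sent. The default
    policy here is the one current browsers apply when the page sets none."""
    page = urlsplit(page_url)
    full = urlunsplit(page._replace(fragment=""))
    origin = origin_of(page_url) + "/"
    same_origin = origin_of(page_url) == origin_of(request_url)
    downgrade = page.scheme == "https" and urlsplit(request_url).scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def third_party_view(referer, cookie_header: str) -> dict:
    """What the widget host can log from a single button load: the user
    (its own cookie travels with the request), the site, the page, and any
    search terms carried in the page URL's query string."""
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    view = {"user": cookies.get("c_user"), "site": None, "page": None, "search_terms": None}
    if referer:
        r = urlsplit(referer)
        view["site"] = r.netloc
        view["page"] = r.path if r.path not in ("", "/") else None  # origin-only referers carry just "/"
        view["search_terms"] = parse_qs(r.query).get("q", [None])[0]
    return view


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_header(PAGE_URL, WIDGET_URL, policy)
        print(policy, "->", third_party_view(ref, COOKIE_HEADER))
```

The older browser default, no-referrer-when-downgrade, hands the widget host the full page path and the search query alongside the user’s identifying cookie; the current default trims that to the bare origin, and no-referrer removes it entirely. The header is only a partial control, though: the cookie still identifies the user on every load, and a third-party script executing inside the page can read the page URL directly regardless of the Referer value.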

In determining consent, courts ask “whether the circumstances, considered as a whole, demonstrate that a reasonable person understood that an action would be carried out so that their acquiescence demonstrates knowing authorization.”[7] The court cited an excerpt of Facebook’s disclosure that explains its collection and use of information about a person who visits or uses a third-party website that in turn uses Facebook’s services, for example the “like” button.[8] The Ninth Circuit’s reading of the disclosure is that a reasonable person viewing the pertinent part of the disclosure would understand that Facebook maintains the practices of “(a) collecting its user’s data from third-party sites and (b) later using the data for advertising purposes.”[9] Consequently, the court held that knowing authorization of these practices constitutes the plaintiff’s consent.[10] Therefore, the Ninth Circuit held that the district court properly dismissed the action, because such knowledge constitutes consent.

The plaintiffs also argued that the collected data is subject to more stringent disclosure requirements under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[11] The court rejected this argument, stating that the connection between a person’s browsing history and his or her own state of health is too “tenuous” to be protected under HIPAA.[12] The court’s reasoning was that the information available on publicly accessible websites “stands in stark contrast” to the personally identifiable patient records and medical histories protected by the statute.[13]

What is left as an option for Smith and other Facebook users is to be mindful of what they “like” on Facebook.


[1] Smith v. Facebook, Inc., 745 F. App’x 8 at 9 (9th Cir. 2018).

[2] Emma Woollacott, Man Called Winston Smith Files Lawsuit Against ‘Big Brother’ Facebook, Forbes, Mar. 19, 2016, https://www.forbes.com/sites/emmawoollacott/2016/03/19/man-called-winston-smith-files-lawsuit-against-big-brother-facebook/#1217059c7e28 (last visited Mar. 10, 2019).

[3] Smith, 745 F. App’x 8 at 8.

[4] Woollacott, supra note 2.

[5] Id.

[6] Id.

[7] Smith, 745 F. App’x 8 at 8.

[8] Id.

[9] Id. at 8-9.

[10] Id. at 9.

[11] Id.

[12] Id.

[13] Id.

The Judicial System: NSA’s Key Recovery Service

By Kennard Herfel

Among the global gossamer of controversies concerning the NSA revelations brews a key case involving Ladar Levison, the founder of the encrypted email provider Lavabit. Levison created Lavabit soon after the Congress passed the Patriot Act to preserve citizens’ privacy in online messages.

Last Tuesday, the Fourth Circuit Court of Appeals heard oral arguments regarding the legitimacy of the contempt order placed on Levison for not providing the FBI with the Secure Sockets Layer (“SSL”) key to Lavabit. SSL is security technology that encrypts the links between server, client, and browser. The SSL encryption by Lavabit was likely too elaborate for the FBI to decrypt; thus, the FBI’s SSL request.

When the feds can’t decrypt SSL, like that used by Lavabit, they customarily turn to other methods to obtain the desired information, such as using “backdoor” hardware installation or asking the company to disclose the information or turn over the SSL key. To the extent of public knowledge, a company had never refused to comply with a government request for encryption keys—until Lavabit.

CA Eraser Law: Sending the Wrong Message?

By Lauren Harriman

California’s new eraser law lets minors remove their posts from websites. But in a time where everything anyone posts is a Google search away from being uncovered, is Internet erasability really something we want to teach the next generation? While I recognize that children need the opportunity to learn from their mistakes, should we be teaching them that the Internet is an acceptable place to make those mistakes? Rather than encouraging children to share every uncensored thought on Twitter, every bad outfit choice on Instagram, and every awkward dance move on YouTube, perhaps it’s better to instruct the young generation that the Internet is more like the podium at the school assembly than the note passed in class. I’m all for encouraging children to experiment, but perhaps that experimentation is best done at home, or at least in person, rather than in front of an Internet audience of over 1 billion people. Although the new law allows for the erasure of content, there is no way to erase it from the minds of the multitude of people who have already seen it.

Read more at: New California Law Lets Teen Press ‘Erasure Button’ Online

Google Fined $1.2 Million by Spanish Privacy Authority

By Emily Poole

Google has just been hit with a €900,000 ($1.2 million USD) fine, the maximum amount possible for violation of Spain’s data protection law. Google was found guilty of three distinct violations: (1) collecting users’ data, (2) combining users’ data from a variety of its services and (3) storing the data indefinitely, all without properly informing its users or obtaining consent.

Last year, privacy watchdogs from the 28 EU member states contacted Google, urging the company to amend its privacy policies to better align with the EU’s data protection principles. It appears that Google didn’t take the hint, however, as none of its privacy policies were revised after the notice.

Google has since responded in a written statement that the company is working with the Spanish authority to determine the next steps toward creating a privacy framework that will pass muster under Spanish law. Perhaps this week’s fine finally hit a nerve, though it’s more likely negative media attention is what actually struck a chord . . . what’s $1.2 million to a multi-BILLION dollar conglomerate?

In the coming year, Google could also face fines in five other EU nations for similar privacy violations.
The EU’s Move Toward Stronger Digital Data Privacy

By Emily Poole

The European Union (“EU”) is in the process of strengthening its online data privacy laws, the far-reaching effects of which will be felt by any U.S. company or organization operating in the EU. The latest move toward implementation of the General Data Protection Regulation (“Regulation”) occurred in late October 2013, when the European Parliament approved certain amendments to the current draft of the legislation.

Right now, the 1995 Data Privacy Directive (“Directive”) regulates data privacy in the EU. It directs each of the twenty-eight member countries to create its own set of privacy laws that comply with the Directive’s seven principles: notice, purpose, consent, security, disclosure, access and accountability. Since the Directive only provides a framework by which countries are expected to abide, rather than imposing concrete regulations, privacy law in the EU is a patchwork of country-specific rules, with some countries implementing and enforcing robust privacy regulations and others creating laws that simply meet the minimum requirements of the Directive.

Secure Email: No Such Thing?

By Emily Poole

Encrypted email provider Lavabit, founded by Ladar Levison, closed shop last August after being ordered to give the U.S. government the SSL keys to the entire Lavabit website. With the keys, the government—appearing to only be after information regarding whistleblower Edward Snowden, one of Lavabit’s users—simultaneously obtained access to the content of 400,000 other Lavabit email users.

On October 10, 2013, Lavabit filed an appeal in the U.S. Court of Appeals for the Fourth Circuit, arguing that the government’s demand for the SSL keys was unconstitutional and in violation of the Fourth Amendment. The Department of Justice is expected to file a response brief later this month.