Cannabis companies nationwide are facing yet another statutory obstacle that can have serious (and potential ruinous) consequences for the emerging industry if not appropriately addressed—the Telephone Consumer Protection Act (“TCPA”). There is a recent uptick in class-action lawsuits filed against cannabis companies across the country premised on alleged violations of the TCPA including lawsuits in Michigan and California. These complaints allege cannabis companies sent unsolicited marketing text messages or placed automated phone calls to individuals without their consent. Cannabis dispensaries and other cannabis-related businesses should add TCPA compliance protocols to their checklist of regulatory requirements to be satisfied in this quickly emerging industry.

The TCPA

Enacted in 1991, the TCPA heavily regulates the ability to send phone, text, or facsimile messages through automatic telephone dialing systems. Non-compliance with the statute can be costly, as companies found to have violated the TCPA can be liable for $500 per call or text sent in violation of the Act, and up to $1,500 for willful or knowing violations. Damages are also not capped under the TCPA, so even a small number of texts or calls sent to a large number of recipients can lead to hefty damage awards. The ability to recover significant damages results in most TCPA claims being brought as class-actions. As a result, it is imperative that cannabis businesses that communicate with customers via text or by phone understand the rules governing the TCPA to avoid or at least minimize their liability exposure.
Continue Reading Why Cannabis Companies Need to Care About the TCPA

On July 6, the United States Supreme Court issued its decision in Barr v. American Association of Political Consultants, Inc.. The Court considered whether a 2015 amendment to the Telephone Consumer Protection Act (“TCPA”) that created an exemption for debt collection calls relating to debts owed to, or guaranteed by, the federal government ran afoul the First Amendment. The American Association of Political Consultants, Inc. (“AAPC”) wished to make political calls to cell phones, just as the collectors of federal government debt are allowed to. The AAPC challenged the 2015 amendment’s constitutionality, claiming that it violated the First Amendment because it content-based and did not satisfy the strict scrutiny standard. The Fourth Circuit Court of Appeals agreed that the exemption unconstitutional but declined to strike down the entire TCPA as unconstitutional. The Fourth Circuit instead elected to sever the constitutionally offensive amendment and permit the balance of the TCPA to stand. The Supreme Court appeal considered two discrete questions: (1) whether the 2015 exemption for debt collection calls relating to government-backed debt was constitutional; and (2) if not, then what was the proper remedy to address the constitutional violation.
Continue Reading The Big TCPA Case That Wasn’t

In a case of first impression, the Seventh Circuit just answered a much-anticipated question about standing in cases filed under the Illinois Biometric Information Privacy Act (“BIPA”).  Bryant v. Compass Grp. USA, Inc. decided whether a BIPA plaintiff has Article III standing. The answer is both yes and no.  This dual answer is not surprising given the awkwardness of the arguments presented. Though the holding is a victory for the defense bar, Bryant is the latest evidence of an ever-increasing circuit split that should culminate in the United States Supreme Court further clarifying its holding in Spokeo v. Robins concerning Article III standing.

Like most BIPA cases, the Bryant complaint was originally filed in Illinois state court. The Bryant plaintiff asserted claims under both sections 15(a) and 15(b) of BIPA. The former relates to the defendant’s failure to make publicly available disclosures, and the latter relates to the defendant’s failure to secure the plaintiff’s individual informed consent. The defendant removed the case to federal court. The plaintiff then moved to remand, ironically contending that she lacked a sufficiently concrete injury in fact to maintain Article III standing to maintain federal court jurisdiction. The defendant paradoxically argued that plaintiff alleged such an injury, relying on the Illinois Supreme Court opinion in Rosenbach v. Six Flags Entm’t Corp., wherein the court held that a violation of the right to receive certain information is an actionable grievance. The novelty of these arguments was not because of their substance, but instead, which side advanced them—an observation that Judge Wood noted in her opinion. Siding with the defendant, the district court remanded the case, and the plaintiff appealed.
Continue Reading BIPA Case Addressing Article III Standing Foreshadows Potential SCOTUS Review of Spokeo

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.
Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?

Coverage litigation relating to liability claims arising out of the Illinois Biometric Information Privacy Act (“BIPA”) has been relatively non-existent. One reason for this may be insurers’ reasonable conclusion that an exclusion introduced in 2006 in response to litigation arising under the Telephone Consumer Protection Act (“TCPA”) applies to this new genre of privacy litigation. That exclusion, generically referred as the Violation of Statutes Exclusion, was the insurance industry response to decisions from around the country finding that TCPA violations qualified as “personal injury” under liability policies. The exclusion evolved over time and now includes a catch-all provision that applies to violations of federal or state statutes or ordinances or regulations other than the enumerated statutes referenced in the exclusion—the TCPA, the CAN-SPAM Act of 2003 and the Fair Credit Reporting Act (“FCRA”). The Illinois court’s opinion in Westbend Mutual Insurance Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 Ill.App.(1st) 191384, is an example of how important the wording of that catch-all provision is for insurers seeking to rely on it to exclude coverage for BIPA violations.
Continue Reading Not All Violation of Statutes Exclusions Are Created Equal

As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, .§999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 
Continue Reading The Regs are In! California’s Attorney General Releases the Long Awaited CCPA Regulations

On September 5, 2019, the federal district court for the Northern District of Illinois issued an order that denied a motion to dismiss a class action brought under the Illinois Biometric Information Privacy Act (“BIPA”). Although the claims in Rogers v. CSX Intermodal Terminals, No. 19-2937, 2019 U.S. Dist. LEXIS 151135 (N.D. Ill. Sept. 5, 2019) largely survived a motion to dismiss, the district court did hand the defense bar a small—but potentially significant—victory.

The plaintiff in Rogers is a former truck driver.  His duties included visiting CSX facilities to pick up and deliver freight. The plaintiff was required to scan his fingerprints to gain entrance to the facility. The plaintiff filed a BIPA class action based on CSX’s failure to provide the required disclosures before collecting his fingerprints and to maintain a publicly available policy on CSX’s retention of biometric data. The complaint also alleged that CSX’s violations were intentional and reckless, an allegation which if proven would result in a $5,000 per violation penalty. 
Continue Reading A BIPA Defense Victory—If You Squint

This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020–which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first and second posts here and here.

Thanks for reading!


Continue Reading February 27, 2019, CCPA Webinar Q&As: Private Claims Under the CCPA

Over the last few months, we have been presenting and reporting on the California Consumer Privacy Act (CCPA), the county’s first comprehensive state law designed to give consumers significant control over the personal data that companies collect. Not to be outdone, New York is working on data privacy legislation that imposes even heavier burdens on companies that collect consumer information.

The proposed New York Privacy Act (NYPA), Senate Bill S5642, sponsored by Democrat Kevin Thomas, has not yet been passed. If it passes in its current form, however, it would impose the strictest requirements in the country relating to companies’ collection, maintenance, use, and disclosure of consumer information. 
Continue Reading New York Data-Privacy Proposal More Stringent than California’s CCPA

April was another busy month for legislative activity on the California Consumer Privacy Act (CCPA), following a very busy February [see our prior post here]. A proposed sweeping revision to the CCPA, AB 1760, was withdrawn, while three key amendments, AB 25, AB 873, and AB 874, are up for a floor vote. Meanwhile, SB 561, which greatly expands the private right of action under the CCPA, is now in the Senate Appropriations Committee’s Suspense File awaiting a May 17, 2019 deadline for a vote as to whether it makes it out of the Suspense File. 
Continue Reading CCPA Watch: Proposed Sweeping Overhaul Withdrawn, Three Amendments Providing Key Clarifications Remain Pending