In 1890, Samuel Warren and Louis Brandeis defined the right to privacy as “the right to be left alone.” This very precise definition is still in use today. But with advances in technology and our increasing use of digital data, “the right to be left alone” has taken on an expanded meaning. The conveniences of modern-day life unfortunately create new opportunities for privacy invasions. Having our cell phones with us at all times also makes us susceptible to intrusions from irritating robocalls at all times of day and night. We entrust our most sensitive personal digital financial data to the credit reporting agencies, but can easily fall victim to unauthorized disclosures. Similarly, the information contained in our credit card receipts can make us victims of identity theft.

Conn Law, PC is dedicated to protecting consumers’ privacy rights in this modern digital age, including protection from:

Illegal Robocalls: Among its many provisions, the 1991 Telephone Consumer Protection Act (“TCPA”) made it illegal for companies to place robocalls to our cell phones without our consent. The TCPA provides for a penalty of between $500 and $1,500 per illegal call and can be used as an effective deterrent to stop annoying robocalls to your phone.

Unauthorized Disclosure of Consumer Credit Reports: A person or company that wants to access your consumer credit report must have a “permissible purpose” to do so. If your credit report is disclosed without a “permissible purpose” the requesting person or company may be in violation of the Fair Credit Reporting Act (“FCRA”) and may have also committed a crime.

California Consumer Privacy Act: The California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020. This groundbreaking statute greatly expands the privacy rights of California consumers and will be another way to help protect privacy rights.

Credit Card Truncation Requirements: Every day, we buy things with our credit cards. Most of us just throw away the receipts. The Fair and Accurate Credit Transactions Act (“FACTA”) imposes strict requirements on what can (and cannot) be disclosed on our credit card receipts. Disclosure of too much information on receipts greatly increases the risk of an identity thief being able to reverse engineer a credit card number and make purchases. FACTA limits what can be disclosed and imposes strict penalties for violations.

Illegal Robocalls to Cell Phones

As early as 1991, Congress realized that robocalls to our cell phones were going to be a problem. The Telephone Consumer Protection Act (“TCPA”) was enacted in response to widespread complaints about unauthorized robocalls being made through automated dialing systems and with artificial and prerecorded voices. In fact, one of the Senators who sponsored the legislation deemed these calls “the scourge of modern civilization.”

Among its many provisions, the TCPA broadly makes it unlawful for any person to make any call (other than a call made for emergency purposes or with the prior express consent of the called party) to any cell phone, using an automatic telephone dialing system, or using an artificial or prerecorded voice. A violation of this provision of the TCPA carries a penalty of between $500 and $1,500, per call.

So what does this all mean?

What Does “Any Call” Mean?

The answer to this question isn’t as obvious as it might seem. The TCPA actually does not define the term “any call.” However, courts and the Federal Communications Commission (“FCC”) have interpreted the word “call” to mean to “try to get in communication with a person by a telephone.” The contents of the “call” do not matter. This interpretation is important because it allows the TCPA to cover modern forms of communication. Keep in mind, text messages did not exist in 1991. But by interpreting “call” broadly, the TCPA now covers all of the ways that people try to get in touch with us by telephone. In addition to normal phone calls, this also includes text messages and even fax transmissions to a cell phone. So each violative “call” carries the $500-$1,500 penalty, whether it is a telephone call, text message, or other type of telephone transmission.

What is an “Automatic Telephone Dialing System”?

This is a good question because the answer is always changing. When Congress enacted the TCPA in 1991, it knew that technology would continue to advance and intended that the statute would be interpreted to adapt to future technologies.

The TCPA itself defines “automatic telephone dialing system” (“ATDS”) as “. . . equipment which has the capacity - (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C. § 227(a)(1).

Some early “dialers” would simply sequentially dial every single number in a local area code or simply dial randomly generated telephone numbers. Technology has evolved since then and modern dialers tend to make calls from call lists, rather than from self-generated numbers. Whether a system is an ATDS requires looking at the “capacity” of the system to perform certain functions. Based on recent case law, there is an open question as to whether the term “capacity” includes both present and potential capacity. In California, the term ATDS includes both devices with the capacity to call numbers produced by a random or sequential number generator and devices with the capacity to dial stored numbers automatically. Ultimately, whether a system is an ATDS is a question of fact.

What is Prior Express Consent?

Robocalls to a cellphone are generally prohibited unless the caller has the recipient's prior express consent. The type of consent required depends on the type of call.

For telemarketing calls, the regulations to the TCPA generally require that the caller have written consent. Telemarketing calls generally mean calls that promote property, goods, or services. And written consent means a signed agreement that clearly authorizes the calls. The writing itself must disclose that the consumer is agreeing to receive autodialed or pre-recorded calls.

For all other types of calls, either oral or written consent is sufficient.

This consent is not unlimited and consumers can revoke consent at any time, in any reasonable way.

And the consent has to be given by the person who currently subscribes to or uses the cell phone. If a cell phone number is reassigned to you, the prior subscriber’s consent does not carry over. For example, if you are getting automated debt collection calls directed at the person who had your number before you, you might have a claim under the TCPA.

If you have received unwanted robocalls to your cell phone, you may have a claim. To request a free consultation, please fill out our online contact form.

Unauthorized Disclosures of Credit Reports

Your consumer credit report contains your most sensitive private data. It includes your:

a. Social Security number;
b. Current and past names;
c. Date of birth;
d. Current and past addresses;
e. Current and past credit accounts;
f. Collection items; and
g. Any foreclosures, bankruptcies, or judgments entered against you.

One of the primary reasons for enacting the Federal Fair Credit Reporting Act was to protect this confidential information and individual privacy. As a result, the Fair Credit Reporting Act places limits on who can pull your credit report. The person or company that tries to pull your credit report must have a “permissible purpose” to access your credit report and usually requires your permission. “Permissible purposes” for non-governmental entities and individuals are limited to the following:

1. For the extension of credit, where you have made a written application;
2. As part of the review or collection of an existing credit account;
3. For employment purposes, where you have given permission, in writing;
4. For insurance underwriting, where you have made a written application;
5. In connection with a determination of your eligibility for a government license or other benefit;
6. For an assessment of the credit or prepayment risks associated with an existing credit obligation, by a potential investor or servicer, or current insurer;
7. When there is a legitimate business need, in connection with a business transaction initiated by you; and
8. When there is a legitimate business need, to review an account to determine whether you continue to meet the terms of the account.

The rule is that a user must have a permissible purpose for obtaining a report; all other uses are “impermissible.”

If your consumer credit report has been accessed without a permissible purpose, your privacy rights may have been violated and you may have grounds for a lawsuit.

If you have further questions or believe that your consumer credit report has been unlawfully accessed, give us a call or fill out an intake form.

California Consumer Privacy Act (Data Privacy)

The California Consumer Privacy Act goes into effect on January 1, 2020. This revolutionary piece of legislation expands and strengthens the digital privacy rights of Californians. It also creates a private right of action and statutory damages for data breaches. The CCPA is still a work in progress and new amendments are consistently being proposed. As currently written, the CCPA:

Applies to For-Profit Businesses that Meet Certain Criteria

A business must comply with the CCPA if it meets one of the following thresholds: (1) has annual gross revenue in excess of $25 million; (2) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (3) derives at least 50 percent of its revenue from selling consumers’ personal information.

However, the CCPA does not cover confidential medical information and does not apply to health care providers or clinical medical trials.

Protects Consumers’ “Personal Information”

The CCPA defines “personal information” very broadly. It essentially means any identifying or descriptive information related to a particular consumer or household. It includes:

a. Identifiers, including, but not limited to: real names, aliases, postal addresses, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, social security numbers, driver’s license numbers, and passport numbers;
b. Signatures, physical characteristics or descriptions, telephone numbers, state ID card numbers, insurance policy numbers, education, employment, employment histories, credit and debit card numbers, financial information, medical information, and health insurance information;
c. Characteristics of protected classifications under California or federal law;
d. Commercial information, including: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
e. Identifying biometric information, including: DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information;
f. Internet activity, including, but not limited to: browsing history, search history, and website use;
g. Geolocation data;
h. Audio, electronic, visual, thermal, olfactory, or similar information;
i. Professional or employment-related information;
j. Non-publicly available education information; and
k. Profiles drawn from the above information that reflect the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

“Personal information” does not include publicly available information.

Provides the Right to Know What Personal Information Has Been Collected and What Personal Information Has Been Disclosed

The CCPA gives consumers the right to ask businesses what categories and specific pieces of their personal information the businesses have collected. Upon a verified request, the business has to disclose and deliver, free of charge, the personal information collected. The consumer can make this request twice per year. Businesses generally must comply with these requests within 45 days of receipt of the request.

Businesses must provide consumers with at least two ways for submitting requests for information, including a toll-free number and a website address, if the business has a website.

For businesses that collect personal consumer information, a consumer will be able to ask a business to disclose: (1) the categories of personal information it has collected about that consumer; (2) the sources from which the personal information is collected; (3) the business or commercial purpose for collecting and selling personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information collected about that consumer.

Before a business even collects a consumer’s personal information, the business has to tell the consumer what information is being collected and why. No new categories of information can be collected without notifying the consumer.

And for businesses that sell or otherwise disclose a consumer’s personal information, that consumer will have the right to ask that business to disclose: (1) the categories of personal information collected about the consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold; and (3) the categories of personal information disclosed. In responding, the business will have to disclose what personal information has been disclosed/sold or inform the consumer that no personal information has been disclosed/sold.

Provides the Right to Have Collected Personal Information Deleted

The CCPA also provides that consumers can ask businesses to delete any collected personal information. Businesses must also tell consumers about their right to have their collected personal information deleted.

However, there are a number of exceptions to this rule and the business does not have to delete the information if it is necessary for the business to keep the collected personal information for one of the following reasons: (1) to complete a transaction between the business and the consumer; (2) for data security reasons; (3) to debug errors; (4) to exercise free speech; (5) to comply with other specific statutes or comply with a legal obligation; (6) to engage in ethical research that is in the public interest; (7) to enable reasonably expected internal uses; or (8) to otherwise lawfully use the consumer’s information in the context in which it was originally provided.

Provides the Right to Opt-Out of the Sale of Personal Information

The CCPA gives consumers the right to direct businesses not to sell their personal information. Businesses that sell personal information to third parties will be required to provide a notice of the right to opt out to consumers before any personal information is sold. Once a consumer opts out, the business cannot sell that consumer’s personal information.

The CCPA will require businesses to conspicuously put a link on their webpages to a page titled “Do Not Sell My Personal Information” that allows consumers to exercise their opt-out rights.

Businesses will not be able to sell personal information about consumers who are less than 16 years old, unless they “opt-in.” For consumers between the ages of 13 and 16, either the consumers themselves or their guardians can “opt-in.” Only guardians can “opt-in” for consumers younger than 13.

Prohibits Discrimination Against Consumers Who Opt-Out

The CCPA will prohibit businesses from discriminating against consumers that exercise their opt-out rights. Businesses cannot deny consumers goods or services, cannot charge opting-out consumers different prices, and cannot offer opting-out consumers a different level of quality of goods or services.

However, businesses will be able to pay consumers, or otherwise offer financial incentives, for their personal information.

Provides Statutory Damages for Data Breach

If a consumer’s personal information is part of a data breach as a result of a business’s failure to implement and maintain reasonable security procedures, the consumer can bring a lawsuit to recover actual damages, statutory damages of between $100 and $750, per incident, injunctive and declaratory relief, and any other relief the court deems proper.

As the statute is currently written, prior to bringing an action for statutory damages, the consumer must first provide the business with 30 days’ written notice identifying the CCPA provisions that are being violated and providing the business with an opportunity to cure. If the business does not (or cannot) cure the violations, then the consumer may bring the lawsuit.

Credit Card Receipt Privacy

You probably do not pay too much attention to your credit card receipts. Maybe you should. The information contained on some of your credit and debit card receipts, if placed in the wrong hands, could potentially lead to identity theft. With just your credit card expiration date and just a few digits of the card, identity thieves can reconstruct the entire credit card number and use this information to make unauthorized transactions.

Identity theft is no laughing matter. In 2014, 12.7 million consumers were the victims of identity thieves who stole a total of $16 billion. It can take years to recover from identity theft.

These concerns are why Congress enacted the Fair and Accurate Credit Transactions Act (“FACTA”) in 2003. Under FACTA, merchants may only print up to the last five digits of your credit and debit card numbers on electronically printed receipts. They are also prohibited from printing any part of the expiration date. Congress has decided that any more information printed on a receipt creates an unacceptable risk of theft.

Without these protections, and with full credit card numbers printed on receipts, anyone could grab a credit card receipt out of the trashcan, find out a credit card number, and make charges.

Willful violations of FACTA’s credit card receipt truncation requirement carry a penalty of up to $1,000, per bad receipt.

If you believe that you have received a receipt that violates FACTA, give us a call or fill out an online contact form to request a free consultation.

Have your privacy rights been violated?

Let us know your concerns.