Privacy Developments

By on August 27, 2025 in Legal Matters, Legal News, Privacy

     There are about twenty state privacy laws currently in effect or that will take effect by January 2026 that affect a website provider (a “Processor”).  Fortunately, there are a lot of common requirements among the various laws that simplify compliance. This article provides an overview of the common requirements. For simplicity and brevity, this article is aggregating the requirements; there are some state-specific variations that also need to be considered for full compliance.

     Processors are required to obtain consumers’ consent via a clear, affirmative act. It is recommended that consent and agreement to the terms of use be obtained prior to allowing the consumer to access the website content or to have personal information collected. Consent must be freely given, specific, informed, and unambiguous, and not obtained via deliberately confusing or obscured means. Explicit consents need to be obtained for processing sensitive information (e.g., sexual orientation, religious beliefs, genetic data, immigration status, etc.) and for processing childrens’ personal information. The consumer must also have the right to revoke consent in a manner as simple as that of granting consent. Processors should have records of the consent to defend themselves in the event that a consumer attempts to repudiate consent and claim that the Processor was processing personal information without authorization.

     Most states set thresholds to be met for the state privacy law to be applicable. Typically these thresholds include collection of personal information for 100,000 state residents or some lesser number of residents combined with some percentage of revenue from sales of personal information. However, many Processors experience such a low volume of consumer inquiries about their personal information that the Processor responds without considering the thresholds for applicability.

     Processors must provide a Privacy Policy that describes, among other things, the personal information that the Processor processes, the personal information it shares with third parties, the categories of the third parties, the purposes of the processing, and the retention period.  Additionally, the Privacy Policy must identify secure and reliable methods for exercising certain consumer rights, including the right to confirm whether the consumer’s personal information is being processed, the right to correct inaccuracies, the right to delete personal information, the right to obtain a copy of the consumer’s personal information in a portable format, and the right to opt out of targeted advertising, sales of personal information, and profiling. The Processor shall support clear and conspicuous links for opting out of targeted advertising, sales, and profiling, and shall accept an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism.  Personnel handling privacy requests must be trained, and Processors should maintain records documenting such training. No discrimination or retaliation is permitted against consumers that exercise their rights.

     Typically, the Processor is required to respond in writing to a request to exercise a consumer right within 45 days from receipt (including any time spent verifying the identity of the requestor) and may request an extension of 45 additional days by informing the requestor within 45 days of receipt and providing a reason for the extension. The Privacy Policy shall also specify a method by which the consumer may appeal the Processor’s response, and the Processor shall have up to 60 days to respond to the appeal.  The Processor shall also provide an electronic means by which the consumer may contact the state Attorney General or other designated authority to submit a complaint if the consumer considers the appeal response to be unsatisfactory.

     The Processor must implement administrative, technical, and physical security practices to protect the confidentiality, integrity, and availability of the personal information it processes. The Processor shall conduct a Data Protection Assessment (DPA) that balances the risks and benefits of the processing against the potential impact on the consumer. Any such DPA must be disclosed to a state Attorney General upon request as part of an investigation.  The Processor must also execute a written agreement with any subcontractors that perform processing of personal information. This agreement shall impose a duty of confidentiality, require the return or destruction of personal information disclosed by the Processor, impose audit rights under which the Processor or its designee may assess the subcontractor compliance policies and procedures, and require compliance with the Processor’s instructions and requests for information for investigations, consumer rights requests, and DPA’s.

     There are certain new rules applying to children. Similar to the Children’s Online Privacy Protection Act (COPPA), children under 13 have additional protections. Recent state laws provide additional provisions for children age 13 until they turn 18. These provisions include a requirement for Processors that are considered “social media” sites to identify the age of their users and ensure that “minors” do not spend longer than one hour daily on a social media site without parental or guardian permission. 

     There is an effort underway to legislate a federal privacy policy, which could supersede the state-by-state approach currently in effect. It seems unlikely that such an effort will be successful because in the early 2020’s the United States Supreme Court ruled that there is no right of privacy under the United States Constitution. There are elements of privacy among various amendments such as protection from unreasonable search and seizure, but no broad right of privacy. In the past, federal law regarding privacy was generally incidental to regulating interstate commerce or the internal administrative practices of the government itself.

  Please contact The Internet Law Group if you wish to discuss your Privacy Policy and Terms of Use to ensure it is up to date.

Comments { 0 }

TILG Releases Terms of Use and Privacy Policy Practical Guidance Videos

By on December 19, 2024 in Legal Matters

These excerpts from Practical Guidance, a comprehensive resource providing insight from leading practitioners, are reproduced with the permission of LexisNexis. Reproduction of this material, in any form, is specifically prohibited without written consent from LexisNexis.

Comments { 0 }

TILG Releases “Website Policy and Agreements” Practical Guidance Video

By on March 10, 2023 in Legal Matters

This excerpt from Practical Guidance, a comprehensive resource providing insight from leading practitioners, is reproduced with the permission of LexisNexis. Reproduction of this material, in any form, is specifically prohibited without written consent from LexisNexis.

Comments { 0 }

New Privacy Notice and Compliance Requirements Taking Effect in 2023

By on February 6, 2023 in Legal Matters

Multiple state Privacy Acts take effect in 2023. Typically, these laws require website operators to implement certain compliance measures and to post a Privacy Notice informing consumers of their rights and the method of exercising those rights. As of January 1, 2023, state privacy laws already in effect include Virginia’s Consumer Data Protection Act and the California Privacy Rights Act which expands the terms of the California Consumer Privacy Act. It should be noted that Nevada’s Security and Privacy of Personal Information Statute is also already in effect but its narrow scope makes it less applicable to website operators. Both Connecticut’s Personal Data Privacy and Online Monitoring Act and the Colorado Privacy Act become effective on July 1, 2023. The Utah Consumer Privacy Act becomes effective on December 31, 2023. Additional states have undertaken development of privacy laws and more new laws are likely in the future.

Similarities among these state laws generally include consumer rights such as access, correction, and deletion of personal information, and the right to obtain a copy in a portable format. Additionally, the laws specify how the website operator must enable the consumer to request to exercise these rights, time periods allowed for the operator’s response or extension request, and, in some cases, an appeal process when requests are denied. Unfortunately, the state laws are not consistent enough to permit compliance with a single “one size fits all” policy.  Most website operators will likely find it advisable to segment their Privacy Policy to discuss each state’s requirements independently of the others. 

Federal privacy laws are limited in scope and address subsets of privacy concerns, such as the Children’s Online Privacy Protection Act and the Health Insurance Portability and Accountability Act. When developing or modifying a Privacy Policy to address the new state laws, a website operator must still ensure compliance with federal requirements.

The Internet Law Group is available to consult concerning these new state requirements and to assist preparation of the necessary compliance materials. If you have questions concerning state privacy laws, please contact us at info@tilg.us.

Comments { 0 }

Kavon Adli of TILG Named 2022 Southern California Super Lawyer

By on May 11, 2022 in Firm Publicity

Kavon Adli, founder and managing attorney of The Internet Law Group, has been selected for inclusion in the Southern California Super Lawyers list for the third consecutive year.

Each year the organization recognizes no more than 5% of lawyers who have attained a high-degree of peer recognition and professional achievement. Lawyers are selected from all 50 states and Washington, D.C. in more than 70 practice areas. The selection process includes independent research, peer nominations and peer evaluations.

“I am honored to be recognized in the business litigation practice area,” said Adli. “When I chose to enter the legal field, I wanted to combine my interest in people, critical reasoning and advocacy by representing clients ethically and with a superior level of competence. This recognition tells me that we are accomplishing those goals.”

Adli founded The Internet Law Group when he saw an unmet need where law intersects the online world.

“We have a unique focus in online law and provide a boutique personal service to our clients,” added Adli. “The Internet continues to evolve and so does The Internet Law Group but, at its foundation, the firm will always be focused on providing our clients with knowledgeable and personal service.”

Comments { 0 }

TILG publishes “Website Policy and Agreements” Practice Note (LexisNexis Practical Guidance, 2021)

By on December 7, 2021 in Legal Matters

By Kavon Adli and Jason Civalleri

* For informational purposes only; not intended as legal advice or as a recommendation/suggestion to act or omit to act.

Powered By EmbedPress

Comments { 0 }

Nextdoor.com Post Denied Anti-SLAPP Protection

By on February 6, 2020 in Defamation, Legal Matters, Legal News

After the Leys’ dog killed neighbor Jeppson’s cat, the Leys paid Jeppson $2,000 as part of a settlement agreement.  After the settlement, a court granted Cates a restraining order against Jeppson.  Cates and her husband Otto alleged Jeppson hired men to cut through their fence, to trespass, and to trim their tree.  Jeppson previously demanded Cates and Otto cut the tree because it interfered with his ocean view; he had threatened action if he did not get his way.  They said Jeppson had intimidated them by screaming at them at their house.  Part of the restraining order commanded Jeppson to dispose of guns.

Cates told Heidi Ley about her troubles with Jeppson.  Heidi Ley told Eric Ley, who “felt compelled” to warn the community to be aware of Jeppson.  In a post on the Nextdoor.com website titled “Michael Jeppson’s Restraining Order” that allegedly reached some 951 neighbors, Eric Ley wrote as follows:

Since this is a neighborhood blog, I feel it is important to provide information about the case against Michael Jeppson for trespassing and vandalism on his neighbor’s property. Michael Jeppson of Raymond James Financial Corporation and Jeppson Wealth Management could face jail time for these charges. Most importantly, a restraining order was issued on 6/27/2017, and the courts forced Michael Jeppson to relinquish his gun arsenal due to the danger he poses to his neighbors. If interested, you can review the court document at lacourts.org for a one dollar fee. The signs in Michael Jeppson’s yard pictured below warn the neighborhood that he intends to solve disputes with gun violence, and he has stated this intent in countless blog posts and neighborhood fliers. Beware!

Jeppson v. Ley, 2020 WL 486970 (Cal. App. Ct. Jan. 30, 2020) *3. 

Ley’s post attached three photos of Jeppson’s yard signs, which forbade trespassing with images of guns and a bullet riddled human silhouette.  Jeppson sued the Leys for breach of contract, defamation, and intentional infliction of emotional distress.  The Leys filed a special motion to strike under Code of Civil Procedure section 425.16 in response to Jeppson’s complaint, which was denied.  The Leys appealed.  On January 30, 2020 the California Court of Appeals affirmed the order of the Superior Court of Los Angeles County denying the anti-SLAPP motion, finding as follows at *14-15: 

Neither Ley nor Jeppson were in the public eye.

None of their acts directly affected a large number of people beyond the three households. Ley claimed the mantle of town crier, but the conduct had directly involved only dog owner Ley, cat owner Jeppson, and tree owner Cates.

Despite the medium of the internet, the topic was not of widespread public interest. There is no issue of public interest when the speaker’s words are merely an effort to gather ammunition for another round in the speaker’s neighborhood wrangle.

Ley and Jeppson had a history of personal conflict when Ley decided to upload to the internet about Jeppson. … Ley sought to endow his statements with lofty justifications.  But the matter boiled down to Ley’s interest in gathering ammunition for another round in his clash with Jeppson.  Ley’s internet post merely manifested, and remained, his altercation with his neighbor.

… The website had a potential audience of 951, but there is no evidence anyone actually read or cared about Ley’s post.  There was a restraining order on Jeppson that barred him from harassing his tree-owning neighbor Cates. Ley proclaimed Jeppson a threat to public safety, but this involved Jeppson trimming Cates’s tree without her permission and Jeppson putting “no trespassing” signs in his yard.  Jeppson owned guns, but the restraining order blocked Jeppson’s access to them.

Ley’s arguments are ‘too tenuously tethered to the issues of public interest they implicate, and too remotely connected to the public conversation about those issues, to merit protection . . . ‘ (FilmOn, supra, 7 Cal.5th at p. 140 [2019].)   Under the case law, this neighborhood flap did not raise issues about the ‘public interest,’ even though it made an appearance on the internet.

Comments { 0 }

Online Terms of Use “Browsewrap” Agreement Found Binding

By on July 12, 2019 in Legal Matters

On May 3, 2019, the United States District Court for the Northern District of California granted Defendant’s motion to compel arbitration, finding that its online terms of use agreement (the “Terms”) was enforceable even in the absence of the consumer’s express assent to the Terms.  Guttierrez v. Friendfinder Networks, Inc., No. 18-05918 (N.D. Cal. May 3, 2019). 

Defendant AdultFriendFinder (“AFF”) is an adult online dating site.  Plaintiff website user alleges that in October 2016 “a hacker or group of hackers breached Defendant’s system and downloaded two decades worth of personal information of 339 million AFF users.”  Compl. ¶ 32.  Based on this breach, and Defendant’s alleged failure to prevent and timely cure it, Plaintiff brought a putative class action against AFF.  Defendant moved to compel arbitration and dismiss the action based on the arbitration provision contained in the Terms.  The Court stated that the Ninth Circuit’s decision in Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014) guided its decision.

“In Nguyen, the Ninth Circuit determined that the plaintiff had not agreed to the defendant’s terms of use (and the arbitration clause therein) by purchasing a product on the defendant’s website, even though the terms were displayed on every page of the website and on each page of the website’s online-checkout process.  The court rejected the defendant’s argument that ‘the placement of the terms of use hyperlink on its website put [the plaintiff] on constructive notice of the arbitration agreement’ such that the plaintiff’s ‘subsequent use of the website[] was enough to bind him to the Terms of Use.'”

Guttierrez at *5.  In reaching this conclusion, the Ninth Circuit noted that courts are “traditional[ly] reluctant to enforce browsewrap agreements against individual consumers,” and set forth the basic legal framework governing online contracts:  

“Contracts formed on the Internet come primarily in two flavors: ‘clickwrap’ (or ‘click-through’) agreements, in which website users are required to click on an ‘I agree’ box after being presented with a list of terms and conditions of use; and ‘browsewrap’ agreements, where a website’s terms and conditions of use are generally posted on the website via a hyperlink at the bottom of the screen. . . . Unlike a clickwrap agreement, a browsewrap agreement does not require the user to manifest assent to the terms and conditions expressly . . . a party instead gives his assent simply by using the website. . . . The defining feature of browsewrap agreements is that the user can continue to use the website or its services without visiting the page hosting the browsewrap agreement or even knowing that such a webpage exists.”

Nguyen, supra, at 1175–76 (citations, alterations, and internal quotation marks omitted).  In the case at hand, although “the website did not require Plaintiff to agree to the Terms or otherwise acknowledge that he had read them,” (Guttierrez at *10), a call with a customer service representative placed Plaintiff on inquiry notice of the Terms:

“The customer service representative informed Plaintiff that he had been banned because he violated the Terms.  A few seconds later, when Plaintiff asked for further elaboration as to why he had been banned from the chat, the customer service representative reiterated: ‘Because we set restrictions on the website so you need to follow our rules and regulations.’  This constituted notice to Plaintiff that if he wanted to use the site, he needed to comply with the Terms. . . .Plaintiff responded with ‘Yeah I know,’ acknowledging that he understood that he needed to follow those rules and regulations when using the site.  And the Terms were readily available to Plaintiff on the website, such that his failure to read them, despite knowing he was bound by them, cannot absolve him of his need to comply with them.”

Id. at *12-13 (internal citations omitted).

“Because the Terms clearly stated that continued use of the site would constitute acceptance of the Terms, Plaintiff’s continued use of the site after being put on notice of the Terms and his need to comply with them constituted acceptance of the Terms.”  Id.

Comments { 0 }

Copyright Office Registration Decision Required in Order to Sue for Copyright Infringement

By on March 11, 2019 in Copyright, Legal News

On March 4, 2019, Justice Ruth Bader Ginsburg, delivering a unanimous opinion of the Supreme Court of the United States, held that in order to commence a lawsuit for copyright infringement, 17 U. S. C. §411(a) generally requires the Copyright Office to have registered or denied registration of a copyright.  Fourth Estate Pub. Ben. Corp. v. Wall-Street.com, LLC, 586 U. S. ____ (2019), 2019 U.S. LEXIS 1730.

§411(a) states in pertinent part, “no civil action for infringement of the copyright in any United States work shall be instituted until preregistration or registration of the copyright claim has been made . . .” However, where “registration has been refused, the applicant is entitled to institute a civil action for infringement if notice . . . is served on the Register of Copyrights . . . The Register may . . . become a party to the action . . .”  17 U. S. C. §411(a).

Petitioner Fourth Estate Public Benefit Corporation is a news organization producing online journalism.  Its license agreement with Wall-Street.com, LLC required it to remove from its website all content produced by Fourth Estate before canceling the agreement. Wall-Street canceled, but continued to display Fourth Estate articles. Fourth Estate sued for copyright infringement. The complaint alleged that Fourth Estate had filed applications to register the articles with the Register of Copyrights. Because the Register had not yet acted on Fourth Estate’s applications, the District Court dismissed the complaint, and the Eleventh Circuit affirmed.  Id. at *4-5.  The Supreme Court granted Fourth Estate’s petition for certiorari to resolve a split among U. S. Courts of Appeals on when registration occurs in accordance with §411(a).

“All parties agree that, outside of statutory exceptions not applicable here, §411(a) bars a copyright owner from suing for infringement until ‘registration . . . has been made.’ Fourth Estate and Wall-Street dispute, however, whether ‘registration . . . has been made’ under §411(a) when a copyright owner submits the application, materials, and fee required for registration, or only when the Copyright Office grants registration. Fourth Estate advances the former view—the ‘application approach’—while Wall-Street urges the latter reading—the ‘registration approach.’ The registration approach, we conclude, reflects the only satisfactory reading of §411(a)’s text. We therefore reject Fourth Estate’s application approach.

Id. at *7.

The Court’s opinion may be found at: https://www.supremecourt.gov/opinions/18pdf/17-571_e29f.pdf.

Comments { 0 }

TILG Attorney Named to 2020 Southern California Super Lawyers List

By on January 15, 2019 in Firm Publicity

We are pleased to announce that Kavon Adli, shareholder at The Internet Law Group, has been selected to the 2020 Southern California Super Lawyers list. This is an exclusive list, recognizing no more than five percent of attorneys in the state.

Super Lawyers, part of Thomson Reuters, is a research-driven, peer influenced rating service of outstanding lawyers who have attained a high degree of peer recognition and professional achievement. Attorneys are selected from more than 70 practice areas and all firm sizes, assuring a credible and relevant annual list.

The annual selections are made using a patented multiphase process that includes:
• Peer nominations
• Independent research by Super Lawyers
• Evaluations from a highly credentialed panel of attorneys

The objective of Super Lawyers is to create a credible, comprehensive and diverse listing of exceptional attorneys to be used as a resource for both referring attorneys and consumers seeking legal counsel.

The Super Lawyers lists are published nationwide in Super Lawyers Magazines and in leading city and regional magazines and newspapers across the country, as well as the Southern California Super
Lawyers Digital Magazine.

Please join us in congratulating Kavon Adli on his selection.

For more information about Super Lawyers, go to SuperLawyers.com

Comments { 0 }
Older posts