1. A new class action against Apple alleges that the tech giant records detailed information about user activity despite its privacy assurances. According to the plaintiffs, Apple’s own collection of a user’s activity in Apple’s proprietary apps does not change after a user enables the “Allow Apps to Request to Track” setting, which the plaintiffs say is a violation of the privacy promises Apple makes to users.  The case continues a trend of plaintiffs relying on California’s wiretap statute to police companies’ data handling practices. (N.D. Cal., Case No. 5:22-cv-07069)

2. A new data breach class action against Cash App alleges harm to 8.2 million customers. The complaint alleges that a former Cash App employee was able to pilfer sensitive data because of basic human error, namely “a lack of proper communication between the Human Resources and [] IT department on the status of terminated employees.” (N.D. Cal., Case No. 3:22-cv-6787)

3. Multi-factor authentication is an important step towards the “reasonable security” required under California law, but not all forms of MFA are created equal. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently published two fact sheets explaining the risks of using certain types of MFA. Some forms of MFA – including popular forms of app-based authentication - have proven vulnerable to certain types of phishing attacks. CISA recommends “phishing-resistant” forms of MFA, such us FIDO authentication, where feasible, and explains why “number matching” in MFA apps is a good interim measure when phishing-resistant forms of MFA are not available for implementation. 

4. Reminder: enforcement of the California Privacy Rights Act (CPRA) begins on July 1, 2023, and only for violations occurring on or after that date. (Existing CCPA rules are enforceable before July 1, 2023.)