Editor’s Note: In recent regulatory and enforcement developments, New Jersey became the latest state to enact a comprehensive privacy law, and the Connecticut Attorney General released the first report on CTDPA. The FTC entered into two privacy consent decrees, both of which centered on the sale of sensitive location data. In litigation, VPPA and wiretapping litigation continues to surge, including a denial of a motion to dismiss filed by Hearst. Internationally, the EU member nations unanimously voted to pass the AI Act, a Canadian government agency experienced a data breach, and the French data protection authority fined a data broker for failing to comply with GDPR.

U.S. Laws and Regulation

NIST Publishes Report on the Cybersecurity of Genomic Data. On December 20, 2023, the NIST National Cybersecurity Center of Excellence (NCCoE) published Final NIST IR 8432, Cybersecurity of Genomic Data. Informed by direction from Congress, this report discusses current practices, challenges, and potential solutions for securing genomic data. Based on this report’s findings, NCCoE has developed Draft NIST IR 8467, Cybersecurity Framework (CSF) Profile for Genomic Data, which provides actionable guidance to organizations that process genomic data to help these organizations manage and protect against cybersecurity risks. NCCoE is also in the process of developing a Privacy Framework Profile for Genomic Data to supplement the CSF. This Privacy Framework Profile will be publicly released later in 2024.

FTC Reaches First Data Broker Settlement. On January 9, the FTC reached its first settlement with a data broker involving the alleged collection and sale of location information that could be used to track individuals’ visits to places of worship, reproductive health clinics, and domestic abuse shelters. Under the proposed order, X-Mode Social, Inc. and its successor Outlogic, LLC will be prohibited from sharing or selling such data going forward. For a deeper analysis by our team, click here.

FTC Bans InMarket Media’s Sale of Precise Location Data. On January 18, the FTC announced another enforcement action focused on the collection and use of consumers’ sensitive location information. The FTC entered into a consent order with InMarket Media for the use or sale of the precise location data it collects for marketing and targeting advertising. InMarket Media must also provide an “easy-to-find way” for consumers to withdraw their consent to location data collection and for the ability to request the deletion of previously collected data. This proposed administrative complaint and consent decree is open for public comment until February 17.

Iowa AG Brings Suit against TikTok. On January 17, Iowa AG Brenna Bird filed a complaint in the Polk County District Court, alleging TikTok misrepresented that access to inappropriate content on its app by children is “infrequent.” In its description on Apple’s app store, TikTok is labeled as an app for individuals aged 12 and above with “infrequent/mild” access to inappropriate content. However, Bird alleges that, “[t]he TikTok app contains frequent and intense sexual content and nudity, profanity and crude humor, mature and suggestive themes, and alcohol, tobacco, and drug use and references.” TikTok has already been subject to scrutiny by other U.S. governmental authorities for ties to China and the app’s data and child safety measures.

U.S. Litigation and Enforcement

ReproSource Fertility Reaches Breach Settlement. On January 10, Massachusetts fertility test center ReproSource Fertility Diagnostics (a Quest Diagnostics company) reached a $1.25 million settlement resolving negligence claims related to an August 2021 ransomware attack that impacted approximately 350,000 patients. Although ReproSource cut off network connection immediately after discovering the unauthorized activity, threat actors were able to gain access to patients’ names, email addresses, dates of birth, and protected health information (PHI) like CPT and diagnosis codes, health insurance billing information, and physician information. Affected individuals were not notified until October 2021. Plaintiffs in the ensuing class action litigation alleged that ReproSource was negligent in failing to safeguard patient information, especially as health care organizations like ReproSource are frequent cyberattack targets. Plaintiffs also noted that ReproSource failed to notify impacted individuals within 60 days, as required by HIPAA for PHI breaches. The settlement allows class members to submit claims of up to $3,000 as reimbursement for out-of-pocket losses. Since the breach, ReproSource claims it has adopted more advanced data security measures, including additional cybersecurity measures, at its own expense.

Burger King Franchisee Says Insurance Carrier Owes Defense Costs for BIPA Suit. In a lawsuit filed on January 17, Burger King franchisee Tri City Foods Inc. (Tri City) claims that its insurance carrier owes the franchisee coverage for a class action alleging violations of Illinois’ Biometric Information Privacy Act (BIPA). The underlying class action was initiated in 2018 by a former employee of Tri City who claimed that Tri City tracked his time worked by requiring him to scan his fingerprint at the beginning and end of each shift. The plaintiff alleged that Tri City violated BIPA by failing to inform him of any biometric data retention policy and failing to obtain a written release for the collection and storage of his fingerprints. This underlying action remains ongoing.

Hearst’s VPPA Claim Continues. On January 11, a judge denied a media company’s motion to dismiss a putative class action under the Video Privacy Protection Act (VPPA). The plaintiffs allege that the company disclosed their personally identifiable information (PII), including a record of every video they viewed on Hearst’s mobile applications, to third parties in violation of the VPPA. The court found that the plaintiffs plausibly alleged that they were consumers, the company was a video tape service provider, and that there was a knowing transmission of PII, as defined under the statute. The court also found that the plaintiffs did not need to plead actual damages and may proceed without alleging any specific pecuniary loss. Further, the court rejected the company’s argument that the ordinary course of business exception applies because the alleged uses of plaintiffs’ information (marketing, advertising, and analytics) does not fall within the exception’s narrow list of permissible uses. Lastly, the court found that the allegations involve commercial speech, so the VPPA satisfies the intermediate scrutiny test in accordance with the First Amendment.

Carnival’s Wiretap and Invasion of Privacy Claims Proceed. On January 19, a judge granted in part and denied in part, defendant Carnival Corporation’s motion to dismiss plaintiffs’ federal and state wiretap and invasion of privacy claims. Plaintiffs allege that the travel company enlists third-party companies to embed session replay software on its website, which collects information about the user’s system and “all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry (even if deleted), and numerous other forms of a user’s navigation and integration through the website.” The court found the company’s argument that it provided the consumers notice of its recording policy through a cookie policy banner displayed at the bottom of its website and that consumers assented to the terms of that policy through their continued use of the website to be premature. Specifically, the court noted that the banner’s text is smaller than the rest of the bolded large text on its homepage and the company has not demonstrated that the banner appears immediately or that it persists for a user’s entire visit. Thus, the court held that the plaintiffs plausibly alleged the interception of their communications without consent. However, the court dismissed the Consumer Fraud and Abuse Act claim without prejudice because plaintiffs’ allegations of damage or loss were entirely conclusory.

Fidelity National Financial Reveals Data Breach Affected 1.3M Consumers. Insurance company Fidelity National Financial Inc. revealed it suffered a cyberattack in November that affected 1.3 million consumers. Ransomware gang ALPHV (or BlackCat) claimed responsibility for the attack in a post on its dark web leak site. At this time, Fidelity is providing credit monitoring and identity theft restoration services to consumers after also reporting it was hit with several lawsuits in the wake of the attack.

Papa John’s Faces Putative Class Action in California Web Tracking Suit. Popular pizza chain, Papa John’s, was unable to dismiss in full a class action lawsuit, alleging the pizza chain illegally tracked users’ online activity on its website. The court held that plaintiffs adequately alleged that Papa John’s had violated the California Invasion of Privacy Act (CIPA). Papa John’s was successful, however, in dismissing the plaintiff’s bid for injunctive relief as well as claims that the company had intercepted telephone communications under CIPA. The court found that there was no threat of future harm for injunctive relief and that CIPA applied only to communications between two certain types of telephones, not the internet, which the complaint failed to allege. The claims were dismissed with leave to amend.

International Regulation and Enforcement

EU Members Unanimously Vote to Advance the AI Act. On February 2, EU Members reached a political agreement on the Artificial Intelligence (AI) Act (the Act). Two parliamentary committees (the internal market and civil liberties committees) will vote on February 13 and a full plenary vote is expected either April 10 or 11. The Act will create new rules and obligations for providers and users of AI depending on the level of risk from AI. The Act will ban unacceptable risks, such as social scoring or biometric identification, and will require other AI, such as generative AI to comply with transparency requirements. Once adopted, the AI Act will enter into force 20 days after publication. The AI Act contains several application dates, including those for high-risk AI systems and prohibited AI Systems.

Canadian Government Agency Experiences Data Breach. On January 30, Global Affairs Canada announced an “unplanned IT outage” to address the discovery of malicious cyber activity. The Canadian Broadcasting Corporation (CBC) reported that an internal email stated that the internal systems were vulnerable between December 20, 2023 and January 24, 2024. Global Affairs Canada manages diplomatic and consular relations, promotes Canadian international trade, and leads Canada’s international development and humanitarian assistance.

French Data Protection Authority Fines Data Broker €75,000. On January 30, the Commission Nationale de L’informatique et des Libertés (CNIL) announced it had fined data broker Tagadamedia €75,000. During the investigation, the CNIL discovered Tagadamedia failed to comply with the obligation to have a legal basis for processing data and that the forms used by the company failed to provide consumers with free, informed, and unambiguous choices. The CNIL also stated that Tagadamedia’s record of processing activities was shared with a second company, but the record of processing activity did not specify which company was acting as a data controller.