[co-author: Jenny Ji]*

Editor’s Note: The California Privacy Protection Agency released amendments to its draft regulations, and the Consumer Finance Protection Bureau contemplates rulemaking on sharing financial data. In U.S. litigation, the first Illinois Biometric Information Privacy Act jury trial took place, and the Third Circuit provided further guidance on data breach litigation. In international news, the French Data Protection Authority fined Clearview AI for personal information collection violations.

US Laws and Regulation

• CPPA Publishes Updates to Draft Regulations. On November 3, the California Privacy Protection Agency (CPPA) released updated draft regulations and launched a 15-day comment period, which will run through November 21. The draft includes five factors for businesses to consider when determining if collection of personal information would meet the reasonable expectation of an average consumer. Final regulations promulgation still remains unclear.

• CFPB Releases Proposed Rulemaking Outline on Personal Financial Data Rights. On October 27, the Consumer Finance and Protection Bureau (CFPB) published a draft outline of proposals and alternatives under consideration. Under the plan, consumers could more easily share personal financial information with third-party fintechs. Once shared, these aggregators and other firms must protect this sensitive personal information. The outline also addresses data security requirements.

• White House’s Publishes AI Bill of Rights. On October 4, the White House Office of Science and Technology Policy released a “Blueprint for an AI Bill of Rights” “to help guide the design, use, and deployment of automated systems to protect the rights of the American public in the age of artificial intelligence.” The nonbinding white paper calls for greater AI transparency, accountability, and privacy to address the concern that automated systems can replicate or deepen inequalities present in society. Specifically, the blueprint proffers five core principles that should be built into AI technology: safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and alternative options. While the White House’s blueprint is not binding, it signals an increased interest in regulating AI technology.

US Litigation and Enforcement

• Third Circuit Court of Appeals Offers Additional Guidance on Standing to Pursue a Breach Class Action. In Clemens v. ExecuPharm, Inc., the Third Circuit recently analyzed and applied the Supreme Court’s TransUnion LLC v. Ramirez standing decision in its first data breach class action context. Clemens held that the plaintiff had standing to pursue contract and tort claims based on her increased risk of a future harm, stemming from the known misuse of her personal information by a specific threat actor. The Third Circuit’s ruling is noteworthy, not only because it refines the Court’s earlier precedent Reilly v. Ceridian Corp., but also because it elaborates on Article III requirements that an injury-in-fact be both imminent and concrete to confer standing.

• BNSF Loses First Biometric Privacy Trial. On October 12, a federal jury in Rogers v. BNSF Railway Co. found that defendant BNSF recklessly or intentionally violated Illinois’ Biometric Information Privacy Act (BIPA), resulting in a $228 million judgment. The jury deliberated for roughly an hour and found that BNSF unlawfully scanned the plaintiff’s and over 44,000 other truck drivers’ fingerprints for identity verification purposes without written, informed permission or notice when the individuals entered BNSF’s rail yards. BNSF unsuccessfully offered a vicarious liability defense, arguing that since its third-party vendor processed the drivers’ fingerprints at the Illinois rail yards’ gates and was the only party to collect the drivers’ fingerprints, the third-party vendor violated BIPA instead of BNSF. Rogers is a landmark case for biometric privacy law since it (1) is the first BIPA case to go to trial; (2) illustrates that companies can be held liable for BIPA violations under a vicarious liability theory; (3) highlights the urgency for companies and employers to comply with BIPA, as well as confirm that their vendors and other third-parties hired by them are complying with BIPA; and (4) serves as a reminder that reckless or intentional violators will be subject to higher damages.

• Ancestry.com Cannot Arbitrate Minors’ Claims. On September 30, an Illinois federal judge ruled that popular genetic testing site Ancestry.com could not arbitrate claims brought by minors who alleged that Ancestry.com shared their information with third parties. The primary basis for the ruling was that the minors did not have direct accounts with Ancestry.com, and thus, never agreed to its terms and conditions. Since the minors never agreed to Ancestry.com’s terms and conditions, they were not bound by its arbitration clause. To read more, click here.

• Washington Federal Court Finds Illinois’ BIPA Does Not Apply Extraterritorially. On October 17, a U.S. District Court for the Western District of Washington granted summary judgment, ending two related putative class actions that alleged tech companies violated BIPA by using datasets containing geometric scans of the plaintiffs’ faces without their permission. The court held that the statute does not apply extraterritorially to conduct outside of Illinois, and the plaintiffs failed to meet their burden to establish the relevant conduct occurred “primarily and substantially” in Illinois.

International Regulation and Enforcement

• Dutch Employee Refusing Webcam Monitoring Is Awarded €75,000 for Wrongful Termination. On September 28, a Dutch court awarded €75,000 for wrongful termination to an employee after getting fired for his refusal to turn on his webcam during the workday. The Dutch court disagreed with the U.S. firm’s termination reasons of “refusal to work” and “insubordination,” and instead found that the company’s demand for the employee to use his webcam for the entirety of a workday was unlawful. Specifically, the Dutch court ruled that the company’s webcam surveillance practice conflicts with the respect for the privacy of workers and is a human rights violation of Article 8 of the European Convention on Human Rights.

• France Fines Clearview AI €20 Million for GDPR Violations. The French Data Protection Authority “CNIL” found that facial recognition company Clearview AI unlawfully gathered millions of French residents’ images in violation of the European Union’s General Data Protection Regulation (GDPR). The CNIL described Clearview AI’s breaches as (1) the unlawful processing of personal data since no legal basis for the collection and use of the biometric data existed (Article 6); (2) not respecting individuals’ rights, such as ineffectively responding to data requests (Articles 12, 15, 17); and (3) lack of cooperation with the CNIL (Article 31). After Clearview AI’s failed to respond to CNIL’s 2021 formal notice, CNIL imposed a €20 million penalty — the maximum financial penalty permitted under Article 83. Additionally, the CNIL ordered the company to stop gathering French residents’ personal data without legal basis and to delete individuals’ personal data unlawfully collected within two months. Further, the CNIL forewarned Clearview AI that the company has two months to make changes to its photo gathering behavior, or it will be subject to an additional penalty of €100,000 per day until compliance.

• Global Privacy Admits CPPA. On October 27, the Global Privacy Assembly voted to admit the CPPA as a full voting member. Established in 1979 to advance privacy by fostering cooperation and information-sharing among privacy authorities across the globe, the Global Privacy Assembly consists of over 130 data protection and privacy authorities worldwide. The first U.S. voting member the Global Privacy Assembly admitted was the FTC.

*Jenny Ji is not licensed to practice law in any jurisdiction; application pending for admission to the California Bar.