Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 

State Actions:  

• California Keeps Privacy Momentum Going
  • CA Delete Act Passed: California legislature passed the Delete Act, SB 362, a suite of new obligations on data brokers registered in the State, and the Act was subsequently signed into law by State Governor Newsom. The Act submits the roughly 500 data brokers registered in the State to the oversight of California’s Privacy Protection Agency (“Agency”), with updated registration and fee requirements. Most significantly, the Act requires the Agency to create a “one-stop deletion mechanism” by which consumers can submit a single deletion request to have their information deleted from all registered data broker databases. Some have compared this one-stop deletion mechanism to the Do Not Call list under the Telephone Consumer Protection Act. Data brokers are required to monitor the deletion list and have monitoring requirements in place to make sure they honor requests. The law and deletion mechanism will go into effect in 2026.
  • CA Privacy Agency Meets to Discuss Draft CCPA Regs: The Agency met on Sept. 8^th and extensively discussed its draft risk assessment and cybersecurity audit regulations which are being promulgated under the California Consumer Privacy  Act, and which are expected to be further revised in advance of the Agency’s next meeting on Dec. 8^th.
  • California Age-Appropriate Design Code Act Blocked by District Court: U.S. District Judge Beth Labson Freeman issued a preliminary injunction blocking California from enforcing the California Age-Appropriate Design Code Act due to go into effect next year. The law would require online platforms to assess whether their products could harm children, estimate the age of their users, and configure privacy settings to protect those users by default. The District Court stated that the law’s commercial speech restrictions likely violate the U.S. Constitution’s First Amendment. If the California Age-Appropriate Design Code Act goes into force in July 2024 it will signal a significant increase in required protections for children’s online information.
• Delaware Becomes 13^th State to Enact Data Privacy Law: On September 11, 2023, Delaware Governor John Carney signed into law the Delaware Personal Privacy Act. The law is not set to take effect until January 1, 2025, and the Delaware Department of Justice plans on publicizing the rights of consumers and responsibilities of businesses under the law no later than July 1, 2024. The law is similar to some of the other comprehensive consumer data privacy laws recently enacted but does include some definitions and provisions making it somewhat stricter than others—including defining children under the act as those under the age of 18 and requiring consumers to opt-in to the collection and use of sensitive personal data.  Delaware joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon in having enacted comprehensive state privacy law.
• New York Governor Announces New York Child Data Proposal and SAFE Act: Taking aim at social media companies and seeking to protect children in New York State, the Governor, Attorney General and several state legislators jointly announced new legislation to regulate unhealthy social media usage by prohibiting minors from accessing addictive feeds without parental consent. The two bills seek to prohibit online platforms from collecting and sharing their personal data without consent and limiting addictive features of social media platforms that are known to harm their mental health and development.

Regulatory: 

• Federal Trade Commission (FTC) Updates
  • The FTC Issues Guidance On Health Breach Notification Rule: The FTC issued guidance entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” The guidance reminds businesses that collect, use, or share consumer health information that not only should they understand their compliance obligations under HIPAA and its Privacy, Security, and Breach Notification Rules, but the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule as well. The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. The FTC Act’s obligations apply to HIPAA-covered entities and business associates, as well as to companies that collect, use, or share health information that are not required to comply with HIPAA. The FTC’s Health Breach Notification Rule applies to some businesses that are not covered by HIPAA such as vendors of personal health records and related entities, and third-party service providers, and requires companies that experience a breach of security of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media.
  • FTC Target Marketing to Children: The FTC published a Staff Paper called Protecting Kids from Stealth Advertising in Digital Media. The Staff Paper recommends that businesses, social media influencers and others who market or promote products online to children should avoid blurring advertising by clearly separating advertising and entertainment, educational, and other content to help limit potential harms to children, among other recommended actions.
  • Consumer Tax Data Subject of FTC Notices: The FTC issued Notices of Penalty Offenses to five tax preparation firms, warning they could face penalties if they use/disclose consumer confidential data collected for tax preparation for unrelated purposes, such as advertising, absent express consent.
• HHS OCR Announces $1.3 Million Settlement With LA Care Health Plan: On September 11, 2023, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced a $1.3 million settlement and Resolution Agreement and Corrective Action with LA Care Health Plan (LA Care), the nation’s largest publicly operated health plan, for potential HIPAA Security Rule violations from two separate incidents. The first incident stems from a 2014 media report that some LA Care members were able to view the PHI of other LA Care members when they logged into their payment portal website. The second incident occurred in March 2019, when LA Care reported a mailing error that caused LA Care member ID cards to be mailed to the wrong members. HHS OCR’s investigation found that LA Care failed to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic PHI (ePHI), failed to implement sufficient security measures to reduce risks and vulnerabilities to ePHI, failed to implement adequate procedures to regularly review information system activity, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
• DHS Announced New Policies Regarding its Use and Acquisition of Al Technologies and Federal Travel Regulation: The U.S. Department of Homeland Security (DHS)  announced new policies on its use and acquisition of artificial intelligence (AI) technologies, including facial recognition and face capture technologies. The new policies, which were developed by the DHS Artificial Intelligence Task Force, focus on two areas: (1) acquisition and use of AI technologies; and (2) use of facial recognition technologies. Both policies require DHS to use tools only in a manner that is consistent with the Constitution and other applicable laws. The DHS also appointed Eric Hysen as its first chief AI officer.
• Consumer Financial Protection Bureau Starts Rulemaking to Limit Disclosure of Medical Debts in Credit Reports: The CFPB announced on September 21st that it is starting the rulemaking process to restrict the inclusion of medical bills on an individual’s credit report. The CFPB states that this effort is to remove a burden that affects a large portion of the United States population. The goals of the rulemaking are to 1) remove medical bills from consumers’ credit reports; 2) stop creditor from relying on medical bills for underwriting decisions; and 3) stop coercive collection practices. If these changes go into effect it could have a wide ranging impact on industries that have relied on this information to make decisions.

Litigation & Enforcement: 

• After $228 Million Verdict, BNSF Railroad Reaches Confidential BIPA Settlement: The long saga of Rogers v. BNSF Railway Company, 19-cv-03083, has come to an out-of-court conclusion. A BNSF truck driver in 2019 sued the company, alleging that a fingerprint scan requirement at the company’s Illinois facilities violated the state biometric privacy law. At trial in 2022, the jury awarded Rogers and the class $228 Million in damages. A Court decision vacated that award this summer, on the basis that BIPA damages are discretionary and not automatic, allowing re-trial on the question of damages (but not liability). The details of the settlement were not disclosed.
• Tile, Life360, and Amazon to Defend Allegations of Inadequate Security Measures: A federal class action was filed in the Northern District of California on August 14, 2023, against Tile, its parent company Life360, and Amazon alleging that the Tile Tracker does not have adequate security measures in place to prevent stalking despite knowing of its capability for misuse. The Tile Tracker is a device that allows users to track their things within Bluetooth range. The suit names Amazon as a defendant as it partnered with Tracker in 2021 to expand the reach of the tracking device using Amazon’s expansive community network of Echo and Ring devices. The suit follows media reporting on the misuse of location-tracking devices like Apple’s Air Tag and the Tile Tracker. The complaint alleges, “[d]espite having knowledge of the propensity for misuse of the Tile tracker, Tile waited nine years before implementing any type of safety feature on its trackers” and criticized the marketing of the device and alleges still-current privacy design flaws. The suit alleges 11 causes of action ranging from design defects, negligence and violations of privacy.
• California Announces $93M Settlement With Google Over Its Location Tracking Practices: On September 14, 2023, California Attorney General Rob Bonta announced a $93 million settlement with Google to resolve allegations that its location tracking practices violated California consumer protection laws. Attorney General Bonta alleged that Google deceived users in numerous ways regarding how it collected, stored, and used a person’s location data. The complaint also alleges that Google deceived users about their ability to opt out of advertisements targeted to their location. As part of the settlement, Google is required to show additional information to users when enabling location-related account settings, provide more transparency about location tracking, provide users with detailed information about the location data that Google collects and how it is used through a “Location Technologies” webpage, and disclose to users that their location information, including location history data, may be used for ad personalization, and to build ad targeting profiles for users.

International Updates:

• UK-US Data Bride Effective: The UK agreed to the UK-US Data Bridge (effective October 12, 2023), an extension to the EU-US Data Privacy Framework.
• EU Lawmaker Urges Compromise on EU AI Act: In an effort to see the European Union’s Artificial Intelligence Act pass the European Commission Parliament this year, the co-rapporteur has urged signatories to compromise on issues pertaining to biometric surveillance and copyright.
• Euro Commission Makes DMA Gatekeeper Designation: The European Commission designated six tech companies as “gatekeepers” under the Digital Markets Act. Gatekeepers are important market players that hold considerable market power and provide at least one core platform service. The six designated gatekeepers provide 22 core platform services in total. They must comply with the new requirements of the European Union under the DMA by March 2024.
• Businesses Have New Privacy Requirements under Quebec’s Law 25: On September 22, 2023, provisions of Quebec’s Law 25 went into effect that empower Quebec’s data protection authority, the Commission d’accès à l’information du Québec, to enforce new requirements for individuals operating a business in Quebec. Those requirements include establishing policies and practices regarding the governance of personal information and publishing detailed information about it on the company’s website; conducting privacy impact assessments before transferring personal data outside Quebec; and destroying personal information when the purpose of its collection is accomplished, or anonymize the information for legitimate uses, subject to the conditions and retention period provided for by law. Businesses are advised to take inventory of the personal information held by their company (or on behalf of a third party) and assess the sensitivity of that information and specify the roles and responsibilities of the staff members involved in the protection of personal information.

Industry Updates:

• Microsoft Indemnifies Commercial Users of its AI: On September 7, Microsoft announced that, if a commercial customer uses a paid version of one of Microsoft’s AI tools (specifically its Copilot services and Bing Chat Enterprise), and is sued for copyright, or other specific IP-rights, infringement, Microsoft will defend and pay any adverse judgments or settlements resulting from the lawsuit. There are certain conditions to the indemnity – including that it (a) does not apply to non-IP claims such as defamation, false light, etc., (b) does not cover the use of the data the customer inputs into the tools, alterations of the output, or using output the customer “knows or should know will infringe the rights of others,” (c) requires that the customer used the filters and other protections against infringement provided in the tools, and (d) does not apply if the customer attempted to generate infringing materials, including by providing inputs that the customer had no right to use. As the use of AI becomes more prevalent, questions regarding infringement, and who is responsible, will continue to proliferate.
• Elon Musk’s “X” Updates its Policies on the Collection of Biometric Data: On August 30, 2023, Bloomberg reported that X, formerly Twitter, updated its Privacy Policy and now plans to collect and process Biometric Data as well as Job and Education History.
• Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force Releases Hardware Bill of Materials Framework: In an effort to empower purchasers of IT hardware to better understand the supply chain risks associated such purchases, the Cybersecurity and Infrastructure Security Agency (CISA), the National Risk Management Center (NRMC) and various private sector representatives have published a Hardware Bill of Materials Framework. Implementation of this framework should provide purchasers of IT hardware with greater visibility into the underlying components in the hardware, thus increasing a purchaser’s ability to assess the risk associated with the hardware supply chain.
• Privacy and Civil Liberties Oversight Board Publishes Opinion on Section 702: Section 702 is a law that authorizes the National Security Agency to collect digital communications of non-U.S. citizens and is set to expire at the end of the year. During this collection, data of U.S. citizens can be incidentally collected as well. U.S. intelligence agencies are then allowed to run queries on this database for information related to US citizens without a warrant. A May opinion by the Foreign Intelligence Surveillance Court revealed several problematic uses of the database by the FBI. The Oversight Board has recommended the program be re-authorized on a partisan split, but with major new safeguards.