Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
Connecticut Passes Comprehensive Privacy Bill
The Connecticut Legislature has become the fifth state in the United States to pass a comprehensive privacy law. The Connecticut Data Privacy Act (“CDPA”) most closely resembles Colorado and Virginia privacy laws. The CDPA will generally apply to businesses holding the personal data of more than 100,000 Connecticut consumers or businesses that derive 25 percent or more of their annual revenue from the sale of data belonging to 25,000 or more consumers. The Connecticut Attorney General has sole enforcement authority for violations of the CDPA. It will become law when signed by Governor Ned Lamont or once 15 days have passed following adjournment of the current legislative session (May 20, 2022). The CDPA will take effect July 1, 2023.
Amendments to the Virginia Consumer Data Protection Act Passed
Virginia passed three amendments (HB 381, SB 534) to the Virginia Consumer Data Protection Act (“VCDPA”). HB 381 adds a new exception to the right to delete personal data by enabling controllers that have obtained a consumer’s personal data from a source other than the consumer to comply with a deletion request by either: (a) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’ records and not using such retained data for any other purpose; or (b) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA. SB 534 expands the definition of nonprofit organization exempt from the VCDPA to include political organizations and insurers exempt from taxation under Internal Revenue Code 501(c)(4) that receive immunity from liability under Va. Code Ann. § 52-41. SB 534 also abolishes the previously established Consumer Privacy Fund and directs all penalties, expenses, and attorneys’ fees collected under the VCDPA to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. The VCDPA will take effect on January 1, 2023.
Colorado Attorney General Remarks on Colorado Privacy Act Enforcement Priorities and Regulations
Colorado Attorney General Phil Weiser commented at the International Association of Privacy Professionals’ (“IAPP”) Global Privacy Summit 2022 in Washington, D.C., that his office anticipates releasing draft regulations to the Colorado Privacy Act (“ColoPA”) by this fall or even as early as August and is aiming to finalize them by January 2023. As previously reported, the Colorado Attorney General’s Office is currently seeking informal comments from the public for the rulemaking. Attorney General Weiser added that his office would not begin enforcement until binding regulations are in place and that his office would foster dialogue with potential violators before taking enforcement action to achieve compliance. According to Attorney General Weiser, those willfully violating the ColoPA would be a top priority for enforcement actions. He further stressed the need to facilitate conversations and coordinate with the state attorneys general in California, Virginia, and Utah, which each has its own comprehensive privacy legislation, to streamline rulemaking and make compliance more harmonious for businesses.
California Privacy Protection Agency Holds Informational Sessions and Announces Stakeholder Session Dates
The California Privacy Protection Agency (“CPPA”), which has rulemaking authority under the California Privacy Rights Act (“CPRA”), held two public pre-rulemaking informational sessions via videoconference. The first session provided an overview of personal information and the CPRA and the second focused on risk assessments and consumer rights with regards to automated decision-making. Highlights of the sessions included: Supervising Deputy Attorney General Stacey Schesser advocating for the retention of the current California Consumer Privacy Act (“CCPA”) regulations on user-enabled global privacy controls; Deputy Attorney General Lisa Kim suggesting that the CPRA’s right to opt out of sharing for cross-context behavioral advertising applies to real-time bidding in advertising auctions; Jennifer King (Privacy and Data Policy Fellow at Stanford’s Institute for Human-Centered Artificial Intelligence) noting that toggle switches for the CCPA’s “Do Not Sell” requests may be considered a dark pattern; discussions on the need for transparency and the need to limit racial profiling in automated decision-making and the requirements for privacy risk assessments under the General Data Protection Regulation (“GDPR”). The CPPA also announced that it will be holding stakeholder sessions from May 4, 2022, to May 6, 2022.
California Introduces the Workplace Technology Accountability Act
The Workplace Technology Accountability Act (“WTAA”) was introduced in the California Assembly. The WTAA would regulate employer use of technology to surveil employees, job applicants, and independent contractors (“workers”). The WTAA would require employers to provide advance notice to workers of the categories of worker data that will be collected and/or used by the employer, whether and how the data will be used to make or assist an employment-related decision, to whom the data is shared, and for what purpose and how long such data will be retained. The WTAA also provides workers with the rights to access and correct their data. Additionally, the WTAA requires employers that electronically monitor a worker to provide advance notice of such electronic monitoring and explain how, when, and why monitoring technology is being used on the job. The WTAA further prohibits employers from monitoring workers who are off duty or on their personal devices; the use of facial recognition, gait, or emotion recognition technology; and relying solely on algorithms to make hiring, promotion, termination, or disciplinary decisions.
FEDERAL LAWS & REGULATIONS
FDA Publishes Draft Guidelines for Developing Secure Medical Devices
The U.S. Food and Drug Administration (“FDA”) published draft guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (“Guidance”) to provide recommendations to the industry regarding cybersecurity device design, labeling, and the documentation the FDA recommends be included in premarket submissions for medical devices with cybersecurity risk. The FDA developed the Guidance in response to increasing cybersecurity threats to the healthcare sector and the growing use of wireless, and Internet- and network-connected medical devices. The Guidance updates and replaces the draft guidance the FDA previously proposed in October 2018. The Guidance sets forth a total product lifecycle approach to cybersecurity and recommends a Secure Product Development Framework (“SPDF”) to satisfy the Quality System Regulation (“QSR”) requirements set forth in 21 C.F.R. Part 820. The Guidance also provides detailed recommendations on how to address cybersecurity as a component of design controls (including through robust threat modeling as part of risk assessment) and promotes the inclusion of a Software Bill of Materials (“SBOM”) with all new products. The FDA is seeking comments on the Guidance until July 7, 2022.
U.S. Department of Commerce Appoints National AI Advisory Committee Members
The U.S. Department of Commerce appointed 27 experts to the recently established National Artificial Intelligence Advisory Committee (“NAIAC”), which was created in response to the National AI Initiative Act of 2020 (the “Initiative”). The Initiative directs the NAIAC to provide recommendations on topics including the current state of U.S. artificial intelligence (“AI”) competitiveness, the state of science around AI, and AI workforce issues. The NAIAC provides advice regarding the management and coordination of the Initiative and is directed to establish a subcommittee to consider matters related to the use of AI in law enforcement and advise the President on topics including bias, security of data, the adoptability of AI for security or law enforcement, and legal standards that ensure that AI use is consistent with privacy rights, civil rights and civil liberties, and disability rights. The NAIAC will hold its first public meeting via webcast on May 4, 2022.
HHS Solicits Comments on Recognized Security Practices and Distribution of Civil Monetary Penalties
The Office for Civil Rights (“OCR”) for the U.S. Department of Health and Human Services (“HHS”) released a request for information (“RFI”) soliciting public comment on the consideration of recognized security practices of covered entities and business associates when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the distribution to harmed individuals of a percentage of civil money penalties (“CMPs”). Public Law 116-321, passed in January 2021, requires OCR to consider “recognized security practices” that HIPAA-covered entities and business associates adequately demonstrate were in place for 12 months. OCR hopes to receive comments on what constitutes recognized security practices and how entities should demonstrate that such practices have been in place over the requisite period. With regard to the distribution of CMPs, OCR seeks input on the types of harm it should consider when distributing CMPs to individuals. Comments are due June 6, 2022.
U.S. LITIGATION
Ninth Circuit Finds “Web Scraping” of Publicly Available Data Likely Does Not Violate the Computer Fraud and Abuse Act
On remand from the Supreme Court for further consideration in light of its decision in Van Buren v. United States, 141 S. Ct. 1648 (2021), the Ninth Circuit reaffirmed a district court order preliminarily enjoining LinkedIn from denying hiQ Labs, Inc. access to publicly available member profiles on LinkedIn’s website. The Ninth Circuit found hiQ’s web scraping—the process of extracting and copying data from a website in a way that allows for manipulation or analysis—from LinkedIn members’ publicly available profiles is unlikely to constitute “access [to a computer] without authorization” under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit pointed to the Supreme Court’s Van Buren decision in support of its conclusion, positing that the CFAA’s “without authorization” prohibition applies to those who access private data without permission. By contrast, the prohibition does not reach publicly available data, which does not require permission to access in the first place.
Data Broker Accused of Violating California Invasion of Privacy Act by Tracking the GPS Locations of Thousands of Drivers without Consent
A class action complaint filed in California Superior Court claims that data broker Otonomo Inc. has violated and continues to violate the California Invasion of Privacy Act (“CIPA”). Passed in 1967, CIPA prohibits (among other things) using an “electronic tracking device to determine the location or movement of a person” without consent. The complaint alleges that Otonomo collects, in secret and without ever requesting or obtaining consent from drivers, “real-time GPS location information for more than 50 million cars throughout the world,” including thousands of cars in California. This data, which Otonomo sells, enables it and its clients to identify consumers’ precise locations and gain insights into where they spend their time and money. The lawsuit seeks injunctive relief and $5,000 for each CIPA violation.
Court Rules Illinois Biometric Privacy Act Does Not Exclude Face Geometry Derived from Photographs
The U.S. District Court for the Northern District of Illinois denied a motion to dismiss a lawsuit brought under Illinois’s Biometric Information Privacy Act (“BIPA”) by Onfido Inc., an identity verification service provider, finding that facial biometrics extracted by Onfido from uploaded photographs could plausibly constitute biometric identifiers. Onfido had argued that photographs and information derived from photographs are not protected by BIPA. BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” BIPA also lists items that do not constitute “biometric identifiers” or “biometric information.” Biometric identifiers do not include photographs, and biometric information “does not include information derived from items excluded under the definition of biometric identifiers.” While the court acknowledged that data extracted from photographs cannot be “biometric information” under BIPA, the court held that such information could qualify as a “biometric identifier” and be subject to regulation by BIPA, which requires consent to collection of biometric identifiers and development of publicly available retention schedule for such information, among other things.
U.S. ENFORCEMENT
Enforcement Action against TransUnion for Use of Dark Patterns
The Consumer Financial Protection Bureau (“CFPB”) announced an enforcement action against TransUnion; TransUnion, LLC; TransUnion Interactive, Inc.; and a former executive (“TransUnion”) for its violation of a consent order from 2017 by using dark patterns to mislead consumers. The complaint alleges TransUnion has been violating the consent order ever since it went into effect and that TransUnion has engaged in numerous other misleading tactics to get customers to enroll in subscription products and prevent them from canceling. The CFPB contends TransUnion violated the following core requirements of the consent order: (1) ensuring that consumers were not misled about the nature and terms of their credit-monitoring product; (2) adding a checkbox to their trial offer subscription products to ensure consumers consented to enrolling in such products; and (3) providing a way for consumers to immediately and easily cancel their subscriptions and obtain refunds instead of facing roadblocks.
INTERNATIONAL LAWS & REGULATIONS
European Data Protection Board Releases Statement on New Trans-Atlantic Data Privacy Framework Agreement
The European Data Protection Board (“EDPB”) released a statement welcoming the agreement in principle between the European Commission and the United States, stating the United States’ commitment to establishing “unprecedented” measures to protect the privacy and personal data of individuals in the European Economic Area when their data is transferred to the United States is a positive step in the right direction. Like national data protection authorities that have released statements on the agreement, the EDPB stressed that the agreement does not yet constitute a legal framework for cross-border data transfers. The EDPB stated it will issue an opinion on the proposed framework when all supporting documentation has been provided by the European Commission.
United States and APAC Countries Establish Global Cross-Border Privacy Rules Forum
The United States, Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Taiwan issued a declaration announcing the establishment of the Global Cross-Border Privacy Rules Forum (the “Forum”). The Forum intends to establish an international certification system based on Asia-Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules and Privacy Recognition for Processors Systems to help companies demonstrate compliance with internationally recognized data privacy standards and support the free flow of data and effective data protection. Participation in the Forum is intended to be open to all countries that accept the objectives and principles of the Forum as outlined in the declaration.
Court of Justice of the European Union Rules Consumer Groups Can Sue Under Data Protection Laws
The Court of Justice of the European Union (“CJEU”) ruled that consumer associations can sue for violations of data protection laws in representative actions. The CJEU found that the EU General Data Protection Regulation (“GDPR”) does not preclude national legislation from permitting representative actions by consumer groups. Currently, not all EU country legislation permits representative actions by consumer groups, which could lead to forum shopping in the short term. However, next year the EU Representative Actions Directive will set minimum procedural standards for EU member states in collective redress actions and provide more alignment among EU member states with respect to the ability to bring collective actions under data protection and other laws.
NOW AVAILABLE ON DEMAND
The Winding Road of Data Privacy & Security Regulation: Enforcement Trends & Best Practices
In this 60-minute webinar session, knowledgeable attorneys from Blank Rome’s Privacy, Security & Data Protection and White Collar Defense & Investigations Groups, and cyber and IT security experts and advisors from Withum, provide in-depth analysis of trends in data privacy and enforcement; the changing data security landscape; and the power of regulators.
View the Webinar>>
