2021 proved to be a momentous year for privacy and data security law. The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety. Two more U.S. states passed comprehensive data privacy laws in 2021. The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions. The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded. The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
This coming year is also likely to be turbulent as U.S. multinationals respond to new federal and EU privacy regulations, brace for upcoming privacy compliance deadlines, and prepare for the likely passage of new state privacy laws. Ballard Spahr partners Phil Yannella, Kim Phan and Greg Szewczyk will be hosting a webinar on January 25, 2022 to discuss these developments. You can sign up for the webinar here.
Here is a summary of our predictions for 2022:
State Privacy Law Update—Preparing for 2023
The upcoming year promises to be an active one for state privacy laws on multiple fronts. As a preliminary matter, three states now have comprehensive privacy laws on the books: California with the California Privacy Rights Act (“CPRA”), approved by ballot initiative in November 2020, which amends and expands the existing CCPA; Colorado with the Colorado Privacy Act (“CPA”); and Virginia with the Virginia Consumer Data Protection Act (“VCDPA”), the latter two enacted in 2021. You can see discussions of these laws in earlier posts, including here and here.
All three of these laws go into effect in 2023, and we expect to see draft regulations published in 2022 for the CPRA and the CPA. While the VCDPA does not currently contemplate the promulgation of regulations, there have been some calls for an amendment that would task an agency with drafting regulations. In any event, the VCDPA and CPA have many similarities, and the CPA regulations will likely influence certain aspects of the VCDPA’s interpretation.
The CPRA regulations will be drafted and published by the newly formed California Privacy Protection Agency (the “Agency” or “CPPA”). The CPRA enumerates numerous topics that the regulations must address. The Agency solicited preliminary written comments from the public from September 22, 2021 through November 8, 2021, and the comments received are now available through the CPPA’s website. The Agency will hold informational hearings to gather information and obtain additional public input, but those hearings have not yet been scheduled. The Agency has not yet commenced its formal rulemaking activities, but it intends to do so once the preliminary information-gathering process concludes.
The CPA regulations will be drafted by the Colorado Attorney General. Under the CPA, the regulations must detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data, subject to certain parameters. The CPA also specifically authorizes the Attorney General to adopt rules governing the process of issuing opinion letters and interpretative guidance, in order to develop an operational framework for a good-faith reliance defense. The CPA further provides general rulemaking authority to the Attorney General, and it is expected that the Colorado Attorney General will issue such general regulations. The CPA goes into effect on July 1, 2023, and it appears that the Attorney General’s office has begun preliminary rulemaking activities, including by increasing staffing.
Although it is only January, we have already seen new proposed and potential privacy legislation in 2022. These bills span the spectrum from comprehensive privacy acts to bills addressing specific privacy issues. Given the likelihood of change over the coming months, we will not identify each bill, discuss the specifics of proposed bills, or speculate on the chances that any particular bill will pass in its current form. Instead, for this post, we will note a few substantive areas where bills are being proposed.
Comprehensive Privacy Bills
Numerous states have already had one or more relatively broad privacy bills introduced, re-introduced, or carried over into their current legislative sessions, including Alaska, the District of Columbia, Florida, Indiana, Kentucky, Maryland, Massachusetts, New Jersey, North Carolina, Pennsylvania, Vermont, and Washington. Other states, such as Connecticut, Minnesota, and Mississippi, are expected to introduce updated bills in the near term.
Some of these states, such as Washington, are considering bills that have failed in the past, while others are considering privacy legislation for the first time. In any event, we expect familiar controversial issues—such as whether or not the public can litigate violations through a private right of action—to play a central role in whether these bills advance.
Biometric Information Bills
Over the past few years, there has been a deluge of litigation stemming from Illinois’ Biometric Information Privacy Act, including high profile cases that have made mainstream news headlines.
It is therefore unsurprising that state legislatures continue to propose and consider their own biometric information laws, especially during an election year. To date, we have seen some form of biometric information bills proposed in Maryland, Massachusetts, Kentucky, and West Virginia. We understand that additional bills are likely forthcoming in more states, and we expect that trend to continue in the early part of 2022.
Data Broker Bills
California and Vermont are currently the only states with laws dedicated to regulating data brokers. Under both of those laws, data brokers must register with the state and provide additional information regarding consumers’ ability to control their data. The states then provide lists of data brokers on their websites.
With the increased focus on privacy, additional states may join California and Vermont in 2022. Delaware has already proposed such a bill, and we understand that other states will likely be considering similar legislation soon.
Federal Privacy Law Update
Federal scrutiny of industry practices relating to privacy and data security increased steadily throughout 2021, and this trend is expected to continue into 2022 especially as President Biden’s picks to lead key agencies are confirmed and focus their efforts on privacy and data security.
Federal Trade Commission
The Federal Trade Commission (“FTC”), which serves as the country’s de facto privacy and data security enforcement authority, may soon gain a long-time privacy advocate, Alvaro Bedoya, as a commissioner. While Bedoya’s confirmation as an FTC commissioner was stalled at the end of 2021, President Biden has re-nominated him for reconsideration by the Senate in 2022. Bedoya is the Founding Director of Georgetown University’s Center on Privacy & Technology, and if he is confirmed, he will be a strong voice steering the FTC’s efforts with regard to privacy and data security.
The FTC has already been highly active in this area. The FTC has authority to enforce a variety of privacy laws, including the Gramm-Leach-Bliley Act (“GLBA”), which protects the privacy of financial information; the CAN-SPAM Act, which allows consumers to opt out of receiving commercial email messages; the Children’s Online Privacy Protection Act (“COPPA”), which protects the online privacy of children under 13 years of age; the Fair Credit Reporting Act (“FCRA”), which protects the privacy of consumer report information; the Fair Debt Collection Practices Act (“FDCPA”), which regulates communications by debt collectors; and the Telemarketing and Consumer Fraud and Abuse Prevention Act, under which the FTC implements the Do Not Call registry. Under this authority, on December 9, 2021, the FTC published its final, comprehensive amendments to the GLBA Safeguards Rule, which impose prescriptive new requirements for information security programs at financial institutions. During 2022, the FTC will consider further amendments to the GLBA Safeguards Rule, which may include a new data breach notification requirement.
The FTC has also consistently sought ways to expand its privacy and data security enforcement activity under its Section 5 authority prohibiting unfair and deceptive acts or practices (“UDAP”). For example, during 2021, the FTC brought its first enforcement action involving facial recognition technology against Everalbum. We can anticipate that in 2022, the FTC will continue to focus on technology, especially with regard to Big Tech platforms and artificial intelligence. The FTC may soon receive additional capabilities to enforce privacy and data security as recent legislative proposals have included increasing FTC funding, creating a new privacy division, and giving the FTC broad privacy rulemaking authority.
The prudential regulators that oversee the nation’s financial institutions are also devoting increasing amounts of time and resources to privacy and data security issues.
The Consumer Financial Protection Bureau (“CFPB”) has powers similar to the FTC’s, in that it can bring actions to enforce a prohibition against unfair, deceptive, or abusive acts or practices (“UDAAP”). During the CFPB’s 10-year history, it has seldom exercised this authority with regard to privacy or data security claims, but we can expect that to change in 2022. The new director, Rohit Chopra, took over the CFPB leadership after departing from his role as an FTC commissioner, a role in which he frequently supported stringent penalties for privacy and data security practices that resulted in consumer harm. Already during his short tenure, the CFPB has released new IT Examination Procedures, which make clear the CFPB’s belief that IT controls are critical to companies’ ability to comply with federal consumer financial laws, and that companies are expected to incorporate technology controls into their overall compliance management systems. We should expect to see an increased IT focus during CFPB supervisory exams, which could result in enforcement actions.
In another example, on November 23, 2021, the Office of the Comptroller of the Currency (“OCC”), in conjunction with the Board of Governors of the Federal Reserve System (“Federal Reserve”) and the Federal Deposit Insurance Corporation (“FDIC”), published a joint final rule (the “Rule”) establishing computer-security incident notification requirements for banking organizations and their bank service providers. Under the Rule, a banking organization that experiences a computer-security incident rising to the level of a “notification incident” must notify its primary federal regulator as soon as possible, and no later than 36 hours, after the banking organization determines that a notification incident has occurred. The Rule also requires a bank service provider to notify each affected banking organization customer as soon as possible after determining that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that banking organization for four or more hours. The Rule took effect on April 1, 2022, and financial institutions must be in compliance by May 1, 2022.
Federal Guidance on Ransomware, Cyberattacks, and other Private Sector Threats
As the private sector struggles with cyber threats from all sides, the federal government has stepped up efforts to provide guidance on how to enhance privacy and data security controls. To the extent that this guidance becomes standardized across various industry sectors, this may move the bar on what is considered “reasonable” with regard to minimum safeguards that companies must have in place to avoid liability in the wake of a data breach.
For example, on November 16, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) published its Federal Government Cybersecurity Incident and Vulnerability Response Playbooks, which CISA has encouraged private sector organizations to review as a benchmark for their own vulnerability and incident response practices. Last year, CISA also released a fact sheet on preventing and responding to ransomware attacks.
The federal position also remains clear that in the event of a ransomware attack, the federal government strongly discourages the payment of ransoms. According to the Treasury Department, companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also risk violating the sanctions regulations administered by the Office of Foreign Assets Control (“OFAC”). Furthermore, on November 8, 2021, the Financial Crimes Enforcement Network (“FinCEN”) updated its Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments to remind financial institutions of their regulatory obligations relating to ransomware payments, such as filing Suspicious Activity Reports (“SARs”) and information sharing under the USA PATRIOT Act.
Privacy Litigation Trends
In 2021, the United States Supreme Court issued a number of rulings that, overall, had the effect of narrowing the availability of civil remedies under key privacy statutes. We are likely to see privacy litigators in 2022 probe the limits of these rulings.
For example, the Court’s ruling in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system (“ATDS”) under the TCPA to equipment that has the capacity either to store or to produce telephone numbers using a random or sequential number generator, and to dial such numbers. This ruling seemingly forecloses TCPA autodialer claims premised on automated calls made to stored lists of numbers, but plaintiffs’ lawyers are likely to explore the contours of Duguid. Already we have seen an uptick in claims involving pre-recorded or artificial voice calls, which the TCPA prohibits independently of the ATDS definition and which Duguid does not address. Some plaintiffs have also argued (thus far with no success) that a dialer can qualify as an ATDS if it uses a random number generator to determine the order in which to make calls from a stored list. Another argument that plaintiffs are exploring is that all mobile calls and texts made to minors below the age of 13 are per se violations because a minor of this age cannot provide adequate consent.
The Supreme Court’s ruling in Van Buren v. United States narrowed the scope of claims under the CFAA. The Court held that the “exceeds authorized access” provision of the CFAA covers only instances where a party accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to the party. We are likely to see defendants in pending CFAA cases assert that the Court’s ruling forecloses claims based on violations of internal use policies or terms of service.
The effects of the Court’s June 2021 ruling in TransUnion v. Ramirez – which holds that a mere risk of future harm is not sufficient to establish Article III standing for damages claims – on data breach class actions are likely to play out in the coming year. Many defendants in data breach class actions have filed motions to dismiss arguing that claims premised on an increased risk of identity theft are not viable in federal court under TransUnion. This is likely to be a hot issue in 2022.
Another issue to watch for in 2022 is litigation under the Illinois Biometric Information Privacy Act (BIPA), which provides for statutory damages where defendants collect or share biometric data of Illinois residents without informed written consent. BIPA claims have been among the most prevalent privacy claims in the U.S. over the past five years. There are, however, a number of key issues – such as claim accrual and the applicable statute of limitations – that are currently before the Illinois Supreme Court. The effect of that Court’s rulings will significantly shape the contours of BIPA litigation in 2022 and beyond.
We should also expect to see plaintiffs in the coming year continue to explore new theories of liability for privacy violations. For example, there has been a recent spate of lawsuits seeking damages under state right of publicity statutes for the sale of personal information. (See Brooks v. Thomson Reuters (N.D. Cal., Aug. 2021); Callahan v. Ancestry (N.D. Cal., June 2021).) These statutes cover the commercial use of a person’s likeness without consent or compensation and often allow for statutory damages. The definition of likeness under these statutes is often broad and can include an individual’s name.
Plaintiffs’ attorneys have also had some recent success in asserting claims for improper data sharing. In Russo v. Microsoft, for example, the plaintiffs alleged that Microsoft shared data stored in Office 365 with third parties, such as Facebook Connect, in violation of the company’s stated policies, and that the plaintiffs would not have consented to such sharing had they been aware of it. The Northern District of California denied Microsoft’s motion to dismiss the plaintiffs’ claim under the Washington Consumer Protection Act and their common law claim for intrusion upon seclusion. We are likely to see plaintiffs’ attorneys bring claims for improper sharing under state UDAP statutes or as unjust enrichment claims, which have also seen some success, particularly in California courts.
The Russo case is an example of another trend we are likely to see continued in 2022: namely, damage claims based on the “benefit of the bargain” theory, which holds that privacy and security representations are relied upon by consumers and thus comprise a portion of the sales price for a product that can be recovered by consumers where the representations prove to be false. California courts in particular have been receptive to this damages theory.
We should also expect to see in 2022 more decisions from California courts fleshing out key issues under the CCPA’s private right of action, such as the meaning of the statute’s cure provision.
The Scourge of Ransomware
The threat of ransomware is nothing new. Indeed, file-encrypting attacks date back to the 1990s, and the rise of cryptocurrency in the 2010s led to widespread and well-known attacks. However, ransomware truly became a household term in 2021.
By most accounts, 2021 was the most active year for ransomware on record. According to some studies, there was a year-over-year increase of 148% through the third quarter of 2021, with 190.4 million ransomware attacks recorded compared with 104.9 million at the same point in 2020. Other studies found a year-over-year increase of 1,318% in ransomware attacks on the banking industry in the first half of 2021. We see no sign of a slowdown in 2022.
On top of the sheer volume of ransomware attacks, 2021 also saw an increase in high-profile cases. For example, in May 2021, the attack on Colonial Pipeline received primetime media coverage as the pipeline shutdown disrupted gasoline supplies along the East Coast of the United States. Later that month, JBS Foods—one of the largest meat processing companies in the world—was hit with an attack believed to be perpetrated by the Russia-based hacking group REvil. One reason these attacks garnered such extensive media attention is their secondary effect—i.e., the impact on the public in the form of panic over the availability of gasoline and meat.
Notably, many of the high-profile ransomware attacks appear to have been perpetrated by Russia-based groups. With rising tension relating to Russia’s positions on Ukraine, it is unfortunately very possible that new attacks will be launched in 2022 on critical infrastructure and the healthcare industry.
Tightening of the Cyberinsurance Market
While the cyberinsurance market experienced rapid expansion for several years, 2021 saw carriers feeling the pressure from more frequent and more severe claims—especially from ransomware. Indeed, according to some carriers, “the industry was essentially ill-equipped to underwrite for ransomware. As the market saw more claims than anticipated, the market began to harden, increasing premiums and reducing coverage.”
In practice, a tightening cyberinsurance market has much broader impacts than businesses feeling unprotected against security incidents. For example, many vendor contracts require the service provider to maintain cyberinsurance with specific minimum limits. If a vendor needs to renew its policy during the term of the contract, it may not be able to renew at a premium that allows profitability. Accordingly, it may need to decide between being in breach of contract, terminating the contract, or operating at a loss.
With ransomware and other attacks showing no signs of slowing, businesses, vendors, and counsel should all pay particular attention to cyberinsurance provisions—including whether they provide any flexibility—especially for contracts that extend several years.
Supply Chain Chaos
Another trend from 2021 that may unfortunately carry into 2022 is supply chain attacks. As with ransomware, supply chain attacks are nothing new. However, the high-profile attacks of 2020 and 2021 have reinforced the large-scale consequences that supply chain attacks can have.
For example, the SolarWinds attack perpetrated by Nobelium—which was reportedly directed by Russian intelligence—impacted thousands of SolarWinds’ customers who installed the trojanized software update. The Kaseya attack in July 2021 similarly reached an estimated 1,500 downstream businesses worldwide through their managed service providers.
But while the high-profile attacks get headlines, smaller-scale supply chain attacks have also been a favored method of attack for sophisticated threat actors. Such attacks have been especially prevalent in developer tooling, software package ecosystems, and mobile app environments.
2022 is unlikely to see a decrease in the supply chain threat. In fact, as noted above, rising tensions with Russia over Ukraine may present a situation where Russian-based groups are encouraged to perpetrate such attacks. Businesses should therefore take particular caution.
EU Privacy Developments
U.S. multinationals are likely to spend much of their time in 2022 ensuring that proper cross-border transfer mechanisms are in place. The European Commission’s promulgation of new Standard Contractual Clauses (SCCs) in June 2021, coupled with the requirement for transfer impact assessments, has required U.S. companies to devote resources to revising vendor agreements to align with the new requirements. Existing contracts relying on the old SCCs must be transitioned to the new SCCs by December 27, 2022. For many companies the work has only just begun and will likely carry through the remainder of 2022.
Cookie compliance remains a hot-button issue in the EU. France’s CNIL brought fines under the current ePrivacy Directive against Facebook and Google totaling 210 million euros for alleged cookie violations. These fines focus on the ease of refusing online tracking relative to the ease of accepting it. CNIL stated that cookies were a primary priority for enforcement actions in 2021, a trend expected to continue in 2022. Another focus of regulatory scrutiny has been the lack of a legal basis for processing. Failure to honor data subject rights and lack of data security controls are also areas of continued focus by EU privacy regulators. Many companies will also wait to see the fallout from the Austrian privacy regulator’s recent ruling that a website’s use of Google Analytics violated the GDPR’s cross-border transfer rules. The ruling, if upheld, may lead to a flurry of new disclosure requirements for companies using Google Analytics.
U.S. multinationals, particularly tech platforms, will likely spend much of 2022 monitoring the progress of several proposed new laws and preparing for compliance. The first of these is the proposed Digital Services Act (“DSA”), which would require that certain online platforms establish internal complaint-handling systems, out-of-court dispute resolution mechanisms, internal review systems, and criminal conduct reporting.
The second of these proposed laws, the Digital Markets Act (“DMA”), focuses on internet “gatekeepers” – the operators of core platform services, such as Google, Amazon and Facebook. The DMA imposes a number of new restrictions, such as prohibiting “self-preferencing” (for example, ranking a platform’s own services more favorably in search results), prohibiting the combination of personal data across a gatekeeper’s services without consent, imposing “device neutrality” rules that allow users to delete pre-installed applications, prohibiting some bundling practices, and ensuring a higher degree of data portability, interoperability, and access to data for the platform’s business users and end users.
The long-awaited ePrivacy Regulation would replace the ePrivacy Directive and covers the use and collection of digital communications and related metadata, the use of tracking technologies including cookies and pixels, and direct marketing via electronic channels. The EU Council adopted its negotiating position on the draft ePrivacy Regulation in early 2021. The proposal is currently in the “trilogue negotiations” stage, in which the EU Council, the EU Parliament, and the EU Commission must agree on and finalize a single consistent text.
In addition to these proposals, in 2021 the European Commission proposed an Artificial Intelligence Act and announced a forthcoming Cyber Resilience Act, which would establish common cybersecurity standards for connected devices. U.S. multinationals will be monitoring these proposed laws very carefully.