The BR Privacy & Security Download: January 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
Ohio Personal Privacy Act Pulled from Committee Consideration
California Privacy Protection Agency Releases Public Comments from Stakeholder Consultations on CPRA Regulations
The California Privacy Protection Agency (“Agency”) recently published public comments submitted in response to the Agency’s initial Invitation for Comments from September 22 to November 8, 2021. The Agency is planning to hold hearings to gather information and obtain further preliminary public input. Formal rulemaking activities will begin at the conclusion of the Agency’s fact gathering. Under the California Privacy Rights Act (“CPRA”), the Agency will have until July 1, 2022 to adopt final regulations. The Agency, established by the CPRA, which amends the California Consumer Privacy Act (“CCPA”), has the authority to enforce the CCPA, update existing regulations, and adopt new regulations to implement the changes brought by the CPRA.
NYC Enacts 2023 Law Regulating Automated Decision Tools for Employment Screening
New York City has enacted a law prohibiting employers or employment agencies from using an automated employment decision tool to screen a candidate or employee for an employment decision unless such tool has been subject to a bias audit and the employer or employment agency satisfies certain notice obligations. “Automated employment decision tool” under the law means any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons. Violations of the law can result in fines of up to $500 for the first violation and each additional violation occurring on the same day as the first violation, and between $500 and $1,500 for each subsequent offense. The law will take effect January 1, 2023.
FEDERAL LAWS & REGULATIONS
FTC Filing Indicates Privacy and Artificial Intelligence Rulemaking on the Horizon
On December 10, 2021, the Federal Trade Commission (“FTC”) filed an Advanced Notice of Proposed Rulemaking (“Advanced Notice”) with the Office of Management and Budget. The short text of the Advanced Notice indicates that the FTC is considering initiating rulemaking activities “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The Advanced Notice is intended to solicit stakeholder comments before the rulemaking process is officially carried out under a Notice of Proposed Rulemaking. The Advanced Notice is dated February 2022. At that time the FTC will either commence a solicitation period under the Advanced Notice or begin a full rulemaking process. Rules could provide further definition of unfair and deceptive acts and practices with respect to use of personal data. Violation of FTC rules could lead to civil penalties.
FTC Settles with OpenX for COPPA Violations
On December 15, 2021, the FTC announced that it had settled a case against OpenX Technologies, Inc. (“OpenX”), an online advertising platform, for collecting personal information from children under thirteen without parental consent in violation of the Children’s Online Privacy Protection Act (“COPPA”). The complaint, filed by the Department of Justice on behalf of the FTC, also alleged that OpenX violated the FTC Act by falsely claiming that OpenX did not collect geolocation data from users who opted out of such data collection, when OpenX continued to collect geolocation data from some Android mobile phone users even after they specifically opted out. The case settled for $2 million. The settlement order also requires OpenX to delete all ad request data it collected to serve targeted ads, implement a comprehensive privacy program to ensure it complies with COPPA, and stop collecting and retaining personal data of children under thirteen.
New Jersey Attorney General Announces Data Breach Settlement with Health Care Providers
The New Jersey Attorney General announced on December 15, 2021, that it had reached a settlement with three providers of cancer care for allegedly violating the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act by failing to appropriately safeguard patient data, leading to a breach affecting more than 100,000 consumers. Under the settlement, Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively, “RCCA”) agreed to pay $425,000 in penalties, attorneys’ fees, and investigative costs; implement a comprehensive information security program; implement an incident response plan; employ a chief information security officer; conduct additional employee training; and obtain independent third-party assessments of RCCA’s security practices. According to the Attorney General’s allegations, RCCA suffered a breach as a result of a phishing attack that compromised several employee email accounts. RCCA then improperly notified the next-of-kin of over 13,000 living patients, leading to an additional unauthorized disclosure of health information.
FTC Bans Stalkerware Provider from Surveillance Business
On December 21, 2021, the FTC finalized an order banning Support King, LLC and its CEO from offering, promoting, selling, or advertising any surveillance app, service, or business. The FTC had alleged that Support King, which did business as SpyFone.com, sold apps that allowed purchasers to monitor photos, texts, web history, GPS location, and other information on phones without the device owner’s knowledge. The company had provided instructions to purchasers on how to hide the apps so that the device user was unaware the device was being monitored. The order also requires Support King to delete all information illegally collected via its apps and notify owners of devices on which the apps were installed that their devices may have been monitored and may not be secure.
INTERNATIONAL LAWS & REGULATIONS
German Court Decision Calls Use of U.S.-Based Cookie Management Provider Unlawful Personal Data Transfer
On December 1, 2021, the Wiesbaden Administrative Court in Germany (“Wiesbaden Court”) issued an interim decision holding that a German university’s use of a cookie management tool that relies on a service provided in part by a U.S.-based company to collect personal data creates an impermissible transfer, whether or not the personal data ever actually leaves the European Union. The cookie management tool collected the user’s IP address and a randomly generated user key to track cookie preferences. To facilitate the collection, the cookie management tool used technology from a U.S.-based provider. The Wiesbaden Court held that an impermissible transfer of personal data occurred because the U.S.-based provider could be obligated to produce all data in its possession to U.S. authorities under the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act. The Wiesbaden Court’s analysis differs from recent European Data Protection Board (“EDPB”) guidance on the definition of transfers, which requires the presence of a data importer who is “in a third country.” The Wiesbaden Court also did not assess practices in the applicable third country to determine whether the “transfer” created significant risk, another departure from what EDPB guidance allows. Because the decision was made at an interim stage in the proceedings, it could still be modified as the trial proceeds. If ultimately followed, the decision creates risk for any website operator using plug-in or other technology from a U.S.-based provider. The decision also reflects a growing trend toward restrictive approaches to data transfers by European courts and regulators.
European Data Protection Board Announces Final Version of Guidelines on Data Breach Notifications
On December 15, 2021, the EDPB announced that it has adopted a final version of the Guidelines on Examples Regarding Data Breach Notifications following public consultation. The EDPB states that the guidelines complement guidance previously issued by the Article 29 Working Party by introducing more practice-oriented guidance and recommendations. The guidelines are intended to assist controllers in handling data breaches and in determining what factors to consider during a risk assessment.
European Commission Releases Adequacy Decision for South Korea
On December 17, 2021, the European Commission, together with South Korea’s Personal Information Protection Commission (“PIPC”), released a joint press statement announcing the adoption of the European Commission’s adequacy decision for the transfer of personal data from the European Union to South Korea under the General Data Protection Regulation (“GDPR”). The adequacy decision affirms that South Korea’s Personal Information Protection Act (“PIPA”) provides principles, safeguards, individual rights, and obligations similar to those of the GDPR. The adequacy decision follows amendments to PIPA that strengthened the investigatory and enforcement powers of the PIPC, South Korea’s independent data protection authority. Furthermore, during the adequacy talks, the European Commission and the PIPC agreed on several additional safeguards to increase the protection of personal data processed in South Korea, including with respect to transparency (by requiring South Korean data importers to inform Europeans about the processing of their data) and onward data transfers (by ensuring that data continues to benefit from the same level of protection when further transferred to third countries). These rules are binding and enforceable by the PIPC and South Korean courts.
LIVE CLE WEBINAR
Future Proofing Privacy Compliance Part II: Operationalizing State Consumer Rights & Notices
Wednesday, January 12, 2022
1:00-2:00 p.m. ET
10:00-11:00 a.m. PT
The California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (Colo PA) significantly expand the scope of consumer rights and control over their personal information, and mandate new notice and transparency requirements. Key differences between the obligations of these laws and existing obligations under other comprehensive privacy legislation such as the California Consumer Privacy Act and EU General Data Protection Regulation will require companies to carefully assess how they operationalize compliance with these new laws.
Join us for the second installment of Blank Rome’s multi-part webinar series on Future Proofing Compliance, where knowledgeable attorneys from our Privacy, Security & Data Protection practice group will dive into the details and key differences in the consumer rights, transparency, and opt-out requirements of the CPRA, VCDPA, and Colo PA.
Contact Courtney Litman for more information about the event.
Protecting Trade Secrets & Gaining a Competitive Edge in the Digital Age: Sophisticated Strategies to Protect Critical Assets When Key Employees Depart & Business Relationships Break Down
Hiring from the Competition in a High-Risk, High-Reward Labor Market
January 25, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
Recent Developments in Corporate M&A and Commercial Restrictive Covenants
February 8, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
Protecting Information from Insider Threats and External Hackers
February 22, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
High Crimes & Misdemeanors: Litigation & Criminal Enforcement
March 8, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
Join trusted attorneys from Blank Rome’s dynamic Trade Secrets and Competitive Hiring practice with special guests from our cross-disciplines in Labor & Employment, Antitrust Counseling & Litigation, Privacy, Security & Data Protection, and White Collar Defense & Investigations for a special multi-part webinar series on strategies companies can use to curb the heightened risk of loss of trade secret information, valuable customer relationships, and key employees to the competition while retaining their competitive advantage in the age of digital media and remote work.
Contact Jennifer Reda for more information about the series.
RECENT PUBLICATIONS & MEDIA COVERAGE
- 2022 Privacy Legislation Success Viable as Three States Lead Way (Bloomberg Law)
- Legal Tech’s Predictions for Cybersecurity in 2022 (Legaltech News)
- The Biggest Cyber Coverage Decisions of 2021 (Law360)
- Biometric Privacy in 2022: The Current Legal Landscape (Part 1) (Legaltech News)
- Maritime Cybersecurity: Prepare, Detect, and Respond (MAINBRACE: December 2021)
- Changing EU Data Transfer Requirements Create New Challenges (MAINBRACE: December 2021)
- Resolve to Beef Up Your Cyber Health (CPO Magazine)
- FTC Updates GLBA Safeguards Rule for Financial Institutions to Strengthen Security (Blank Rome Client Advisory)
- What the New DOJ Cryptocurrency Enforcement Team Means for Crypto Exchanges and Other Entities That Facilitate Digital Asset Transactions (New York Law Journal)
- Beware of Hidden Pitfalls: Biometric Privacy Guidance for California Employers (Biometric Privacy Insider)