The BR Privacy & Security Download: March 2023
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
CPPA Approves CPRA Regulations and Accepts Comments on New Proposed Regulations
The California Privacy Protection Agency (“CPPA”), the agency tasked with enforcing the California Privacy Rights Act (“CPRA”), has unanimously approved the final CPRA regulations (“CPRA Regulations”) and has submitted its substantive rulemaking package for the CPRA Regulations with California’s Office of Administrative Law (“OAL”). The OAL will have until March 29, 2023, to review the CPRA Regulations and, if approved, the CPRA Regulations will be submitted to the California Secretary of State for filing. If the OAL does not approve of the CPRA Regulations, it must provide notice to the CPPA with a written decision detailing the reasons for disapproval. The CPPA has also issued an invitation for preliminary comments on proposed rulemaking for the following topics: cybersecurity audits, risk assessments, and automated decision-making. The comments must be submitted by March 27, 2023.
State Legislators Continue Work on Comprehensive Privacy Laws
Comprehensive privacy laws continue to move through state legislatures. The Texas Data Privacy and Security Act was introduced in the Texas legislature. The proposed Texas law is modeled largely on the Virginia Consumer Data Protection Act (“VCDPA”) and would apply to entities processing personal data of Texans that are not “small businesses” as defined by the U.S. Small Business Administration. The Texas bill exempts certain entities and data, including covered entities, business associates, and protected health information regulated by the Health Insurance Portability and Accountability Act and non-public personal information regulated by the Gramm-Leach-Bliley Act (“GLBA”). The Indiana State Senate passed SB5 and referred the bill to the Indiana House of Representatives, where it was referred to the Judiciary Committee. Kentucky’s proposed SB15 was moved to a second reading in the Senate Rules Committee. Montana’s Business, Labor, and Economic Affairs Committee passed SB 384. The Illinois state House of Representatives adjourned without passing the comprehensive privacy law that had been proposed in its most recent legislative session.
Amendment to VCDPA on Children’s Data Advances in Committee
The Virginia Legislature previously introduced an amendment to the Virginia Consumer Data Protection Act (“VCDPA”). The bills (HB 1688/SB 1026) have now passed the Senate’s Committee on General Laws and Technology. If passed, the bills amend the definition of “child” to include all individuals under the age of 18 and require operators to obtain verifiable parental consent before registering any child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data.
Massachusetts Gaming Commission Issues Emergency Privacy and Security Regulations for Sports Wagering Operators
The Massachusetts Gaming Commission (“Commission”) issued emergency regulations that impose several data privacy and security-related requirements on sports wagering operators (“Operators”). Under the Commission’s Sports Wagering and Account Management and Uniform Standards of Accounting Procedures and Internal Controls regulations, Operators are required to provide specific privacy policy disclosures, afford consumers rights, such as the right to correct, delete, and object to processing, provide transparency with respect to any automated decision making used by the Operator, and adopt certain data security safeguards, including encryption of certain data and the multi-factor authentication for consumer accounts. The emergency regulations appear to borrow text from the European Union’s General Data Protection Regulation (“GDPR”). As a result, the emergency regulations include concepts that require further definition to clarify Operator compliance obligations. For example, an Operator is required to define its legal basis for processing personal data in its privacy policy, but the defined legal bases for processing personal data under the GDPR were not transposed under the emergency regulations. Accordingly, it is not clear what legal bases are available to Operators for processing personal data.
FEDERAL LAWS & REGULATIONS
Stop Spying Bosses Act Introduced
U.S. Senators Bob Casey (D-PA), Cory Booker (D-NJ), and Brian Schatz (D-HI) introduced the Stop Spying Bosses Act, which aims to protect employees and job applicants from being tracked, monitored, managed, and disciplined by invasive and exploitative technologies. The Stop Spying Bosses Act would: (1) require any employer engaging in surveillance and collecting data on employees or applicants to disclose such information in a timely and public manner; (2) prohibit employers from collecting sensitive data on workers (i.e., off-duty data collection, data collection that interferes with organizing, etc.); (3) create rules around the usage of automated decision systems to empower workers in employment decisions; and (4) establish the Privacy and Technology Division at the Department of Labor to enforce and regulate workplace surveillance as novel and emerging technologies.
FTC Commissioner Resigns
Christine Wilson, the sole Republican on the Federal Trade Commission (“FTC”), has resigned from the agency over opposition to FTC Commissioner Lina Kahn. In an op-ed, Wilson revealed her decision to resign was due to what Wilson characterized as Kahn’s “disregard for the rule of law and due process and the way senior FTC officials enable her.” Wilson cited several examples of alleged overreach, including the FTC’s launch of the rulemaking process to ban almost all non-compete clauses in employee contracts. Without Wilson, the FTC will have three remaining members of what is usually a five-member panel: Khan and Democrats Rebecca Kelly Slaughter and Alvaro Bedoya.
House Committee Reviews Financial Data Privacy Bill
The House Financial Services Committee Subcommittee on Financial Institutions and Monetary Policy reviewed a discussion draft of a financial data privacy bill that would expand the scope of the Gramm-Leach-Bliley Act (“GLBA”) to include new financial data rules. The discussion draft would provide consumers with rights to their data, including the ability to stop collection and request deletion. The proposed bill also enhances requirements for notices that financial institutions provide to consumers with respect to the processing of their personal data.
U.S. LITIGATION
BIPA Claims Subject to 5-Year Statute of Limitations
In Tims et al. v. Black Horse Carriers, Inc., the Illinois Supreme Court held Section 15 claims under the Illinois Biometric Information Privacy Act (“BIPA”) are subject to the state’s catch-all 5-year statute of limitations (“SOLs”). BIPA’s section 15 requires private entities to provide notice and obtain consent prior to possessing, using, or disseminating the biometric information of Illinois residents, among other requirements. In Tims, the employee-plaintiffs alleged that Black Horse Carriers, Inc. (“Black Horse”) violated BIPA in connection with Black Horse’s collection and use of employees’ fingerprint scans for timekeeping purposes. The Illinois lower courts previously applied one- or two-year SOLs to certain BIPA claims, but the Tims court reversed the intermediate appellate court’s application of a one-year limit and rejected the variance in SOLs applied to different sections of BIPA.
BIPA Damages Accrue per Scan or Disclosure
The Illinois Supreme Court held in Cothron v. White Castle Systems that claims arising from the state’s Biometric Information Privacy Act (“BIPA”) accrue with each instance of unlawful collection and disclosure. Cothron will now proceed toward a jury trial with the understanding that BIPA claims do not arise solely from an initial loss of privacy, but each “statutory violation itself is the ‘injury’ for purposes of a claim under [BIPA].” BIPA permits plaintiffs to recover up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation. The Cothron Court acknowledged that giving effect to the clear statutory language would authorize, but not require, trial courts to fashion “potentially excessive damage awards” and consequences which may be “harsh, unjust, absurd or unwise,” but such policy-based concerns should be addressed by the legislature.
Virtual Try-on Tool Covered under BIPA Exemption
The federal district court in Delma Warmack-Stillwell v. Christian Dior, Inc. dismissed the putative class action against Christian Dior, Inc. (“Dior”) arising from claims that Dior’s virtual try-on tool unlawfully collected users’ biometric information (i.e., facial geometry) in violation of Illinois’ Biometric Information Privacy Act (“BIPA”). The plaintiff class alleged that Dior violated BIPA by failing to provide adequate notice or obtain consent from users of the tool prior to collecting their biometric information or disclosing that information to third parties, and further failing to establish a public retention-and-destruction policy prior to collection. The Dior court determined that BIPA’s health care exemption (which applies to information collected from “patients” in a “health care setting”) barred the class action because Dior’s try-on tool “facilitates the purchase of sunglasses,” which are classified as medical devices by the FDA, and such use “exactly . . . fulfills that product's medical purpose,” rather than another purpose (e.g., monetary compensation).
U.S. ENFORCEMENT
FTC Announces First Enforcement Action under Health Breach Notification Rule
The FTC announced it settled its first enforcement action alleging a violation of the Health Breach Notification Rule. In the enforcement action, the FTC alleged that GoodRx Holdings Inc. (“GoodRx”) failed to notify consumers that it shared personal health information with third parties for advertising purposes despite promises in its privacy notices to the contrary, used personal health information to target users with ads, failed to limit the collection of personal health information, and misrepresented its compliance with HIPAA. The Health Breach Notification Rule (the “Rule”) requires vendors of personal health records to notify consumers about the unauthorized disclosure of individually identifiable health information. According to the FTC, GoodRx violated the Rule by failing to notify consumers about its disclosure of personal information to third parties for advertising purposes. Under the complaint and proposed order, GoodRx will pay a $1.5 million penalty for violating the Rule and be prohibited from sharing health data for advertising. GoodRx will further be required to obtain the affirmative express consent of users before disclosing health data, direct third parties with whom health data was shared to delete the data, limit retention of health data, and implement a comprehensive privacy program.
Banner Health Settles OCR Action for $1.25 Million
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”) for alleged violations of the HIPAA Security Rule. As part of the settlement, Banner Health has agreed to pay $1.25 million to resolve an investigation. The alleged violations arose after Banner Health suffered a 2016 cybersecurity attack by a threat actor, which resulted in a data breach affecting 2.81 million consumers. As part of the settlement, Banner Health must also implement a corrective action plan to address the potential violations OCR identified in Banner Health’s data practices, including insufficient monitoring of health information systems’ activity, failure to implement an authentication process to safeguard protected health information online, and failure to have security measures in place to protect against unauthorized access to electronic protected health information being transmitted.
FTC Launches New Office of Technology
The FTC has launched a new Office of Technology to strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace. Specifically, the Office of Technology will support FTC investigations into business practices and the technologies underlying them, provide technological expertise on non-enforcement actions (e.g., reports, policy statements, requests for information, congressional briefings, etc.), and engage with the public and external stakeholders through workshops, research conferences, and consultations and highlight key trends and best practices.
INTERNATIONAL LAWS & REGULATIONS
EDPB Issues Opinion on EU-U.S. Data Privacy Framework
The European Data Protection Board (“EDPB”) issued its opinion on the proposed EU-U.S. Data Privacy Framework. The Data Privacy Framework is intended to provide a data transfer mechanism similar to the Privacy Shield Framework, which was invalidated by the Court of Justice of the European Union in July 2020. The EDPB noted substantial improvements in the proposed Data Privacy Framework relating to principles of necessity and proportionality, an individual redress mechanism for EU data subjects, and commitments from U.S. authorities to monitor and enforce the Data Privacy Framework. However, the EDPB also noted a number of areas where clarification is required, or safeguards may need to be improved. For example, the EDPB noted that there is no requirement for prior authorization by an independent authority for bulk collection of data for intelligence purposes and that the effectiveness of Executive Order 14086, which seeks to provide stronger protections for EU residents against U.S. intelligence activities, will depend on the adoption of policies and procedures for its implementation by U.S. intelligence agencies. The opinion of the EDPB is not binding but may influence members of a committee of EU member states and the European Parliament, which are tasked with review of the Data Privacy Framework as part of the approval process. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs previously submitted a draft motion for a resolution opposing the Data Privacy Framework and urging the European Commission not to adopt an adequacy decision based on the framework.
China’s Final SCCs Released
The Cyberspace Administration of China (“CAC”) published the final Chinese standard contractual clauses (“SCCs”) and regulatory measures (the “Measures”), effective June 1, 2023, for international transfers of data from China. The Measures provide a 6-month grace period (ending November 30, 2023). The final China SCCs provide the third legal transfer mechanism for “Personal Information Controllers” (“Controllers”) in China seeking to export data to other countries, and these SCCs share many similarities with the EU SCCs under the GDPR. However, the final China SCCs include notable departures from the EU SCCs, including a limited availability for use only by certain Controllers, greater restrictions for onward transfers, and a requirement to submit to CAC supervision.
Australia Publishes Privacy Act Review Report
The Australian Attorney-General’s Department (the “Department”) published the Privacy Act Review Report (the “Report”), reviewing the Privacy Act and issuing 116 recommendations based on 30 key themes and stakeholder proposals received over the past two years. The Report’s recommendations seek to strengthen privacy protections and control for individuals, support digital innovation, and enhance Australia’s reputation “as a trusted trading partner.” The proposed reforms cover various topics addressed under existing privacy frameworks in the EU and certain U.S. states, including targeted advertising, individual privacy rights, automated decision-making, overseas data flows, and applicable exemptions. Notably, the proposed reforms, if adopted, would also apply to small businesses, which are currently exempt from the Privacy Act’s provisions. The Department is seeking public feedback, which must be submitted by March 31, 2023, to inform the government response to the Report.
RECENT PUBLICATIONS & MEDIA COVERAGE
-
California Expands Its Confidentiality of Medical Information Act to Regulate Mental Health Digital Services (Pratt's Privacy & Cybersecurity Law Report)
-
Biometric Privacy and Healthcare: Jeffrey Rosenthal will serve as a speaker at the Pennsylvania Bar Institute’s (“PBI”) Health Law Institute 2023, being held March 14 and 15, 2023, at the Pennsylvania Convention Center.
-
Illinois Supreme Court Dramatically Expands Liability by Ruling Each Scan of a Biometric Identifier Is a Separate Violation (Blank Rome Biometric Privacy Insider blog)
-
Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Biometric Information Privacy Act Claims (Blank Rome Biometric Privacy Insider blog)