The BR Privacy & Security Download: March 2024


Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.


Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages
Lawmakers introduced a bill to revise the Illinois Biometric Information Privacy Act (“BIPA”) that would, in part, change the manner in which violations of BIPA accrue. The Illinois Supreme Court ruled in Cothron v. White Castle Sys., Inc. “that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent” in violation of BIPA. The proposed bill would change the accrual of violations so that each initial collection of a biometric identifier would amount to one violation, rather than each scan or transmission. The change would significantly diminish the amount of statutory damages available for BIPA violations. Use of biometric data in the context of employee timekeeping may involve only one initial collection but several scans during a workday to clock in and clock out. Under the new bill, violations would no longer accrue for any of the scans beyond the initial collection. The bill also adds “electronic signature” to the definition of “written release” under the law.

Children’s Privacy Amendment to CCPA Introduced
Assembly Bill 1949 (“AB-1949”) was introduced as an amendment to the California Privacy Rights Act (the “CPRA”). AB-1949 would significantly increase compliance obligations with respect to the personal information of minors. Specifically, AB-1949 would prohibit businesses from collecting, using, or disclosing the personal information of consumers under the age of 18 without the consumer’s consent, or the consent of the consumer’s parent or guardian if the consumer is under the age of 13. The CPRA currently prohibits selling personal information of consumers under 16, or sharing such personal information for cross-context behavioral advertising purposes, without the consent of the consumer, or the consent of the consumer’s parent or guardian if the consumer is under the age of 13. The CPRA also currently includes an “actual knowledge” standard for violations relating to consumers under 16. That standard would be removed, meaning a business would be in violation of the CPRA if it collected, used, or disclosed personal information of consumers under the age of 18 without consent, even without actual knowledge of the consumer’s age. AB-1949 would also require that the California Privacy Protection Agency (“CPPA”) adopt regulations relating to technical specifications for an opt-out preference signal to indicate that a consumer is under 13 or between 13 and 17 years old.

Social Media Youth Addiction Law Introduced to California Legislature
California legislators introduced the Social Media Youth Addiction Law, which would make it unlawful for the operator of an addictive social media platform, as defined, to provide an addictive feed to a user unless the operator has reasonably determined that the user is not a minor or the operator has obtained verifiable parental consent to provide an addictive feed to the user. The bill defines an “addictive social media platform” as “an internet website, online service, online application, or mobile application that offers or provides users an addictive feed that is not incidental to the provision of that internet website, online service, online application, or mobile application.” An “addictive feed” is defined as one in which “multiple pieces of media generated or shared by users are, either concurrently or sequentially, recommended, selected, or prioritized for display to a user based, in whole or in part, on information provided by the user, or otherwise associated with the user or the user’s device,” with certain exceptions. The bill would provide the Attorney General with authority to adopt regulations relating to age verification and parental consent requirements.

Connecticut Attorney General Publishes Report on Connecticut Data Privacy Act
Connecticut’s Office of the Attorney General (“OAG”) published a report on its enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). Under the CTDPA, the OAG is required to issue a report that includes: (1) the number of cure notices the OAG has issued; (2) the nature of each violation; (3) the number of violations cured; and (4) any other matter the OAG deems relevant. According to the report, the OAG issued cure notices aimed at addressing specific issues, including privacy policy deficiencies (e.g., lacking requisite disclosures and methods to submit requests), processing sensitive data (e.g., genetic or biometric data and precise geolocation) without consent, and the sale of, or processing for targeted advertising purposes of, personal data of children between the ages of 13 and 16 without consent. The OAG also reported that it received more than 30 consumer complaints in the last six months, mostly regarding requests to delete.

California Chamber of Commerce Appeals Ruling on Enforcement of the CPRA to the California Supreme Court
The California Chamber of Commerce (“CalChamber”) has petitioned the California Supreme Court to review California Chamber of Commerce v. California Privacy Protection Agency. The California Privacy Rights Act (“CPRA”) expressly provides that its implementing regulations will be enforceable one year after such regulations are finalized. The case centers on whether the California Privacy Protection Agency (“CPPA”) can enforce the CPRA’s implementing regulations before that one-year period has elapsed. In June 2023, the Sacramento Superior Court ruled in favor of CalChamber and delayed enforcement. However, in February 2024, the Court of Appeal overturned the Sacramento Superior Court’s ruling. If the California Supreme Court grants the petition and rules in favor of CalChamber, enforcement of the CPRA’s implementing regulations will be delayed until March 29, 2024.


U.S. Department of Health and Human Services Issues Final Rule on Substance Abuse Records
The U.S. Department of Health and Human Services (“HHS”) issued a final rule intended to align 42 C.F.R. Part 2 (“Part 2”), which protects substance abuse disorder records, with the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”). Among other things, the rule will allow use of a single consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations. Previously, a consent containing a detailed description of the purpose of the disclosure was required for each disclosure. The final rule also introduces protections similar to those under HIPAA for substance abuse disorder counseling session notes, as well as a right to request an accounting of disclosures and restrictions on disclosures. The final rule further introduces civil enforcement of Part 2 confidentiality provisions in addition to the criminal penalties that were previously available, and Part 2 programs are now required to report breaches in the same manner as breaches are reported under HIPAA. The updated rule is intended to improve care coordination and strengthen privacy protections for Part 2 data.

Biden Administration Announces U.S. Port Cybersecurity Initiative
The Biden Administration announced several actions aimed at strengthening the security of U.S. ports and maritime cybersecurity, including an executive order that requires the reporting of cyber incidents. Executive Order 14116 expands the U.S. Coast Guard’s authority to protect against cyber threats endangering vessels, waterfront facilities, harbors, and ports. The executive order authorizes the Coast Guard to require vessels to remediate cybersecurity issues endangering vessels, harbors, or facilities prior to mooring. The Coast Guard is also authorized to supervise and control vessels to secure against cybersecurity threats. The executive order also requires entities to report cyber incidents involving vessels, harbors, ports, or waterfront facilities to the Coast Guard, the Federal Bureau of Investigation (“FBI”), and the Cybersecurity and Infrastructure Security Agency (“CISA”). The U.S. Department of Homeland Security and the U.S. Coast Guard have provided cyber incident reporting guidelines. Other actions announced by the administration include the issuance by the U.S. Coast Guard of a Maritime Security Directive on cyber risk management for ship-to-shore cranes manufactured in China, and a U.S. Coast Guard Notice of Proposed Rulemaking on cybersecurity in the maritime transportation system.

NIST Publishes Guide to Implementing HIPAA Security Rule
On February 14, 2024, the National Institute of Standards and Technology (“NIST”) published a new resource guide on Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule (“the Guide”). The Guide is designed to provide entities of all sizes with practical tools and guidance for safeguarding electronic health information. The 122-page document provides a high-level overview of the purpose and requirements of the Security Rule, followed by detailed resources designed to assist compliance with the rule. These resources include sample assessments, sample questions designed for conducting gap assessments, and practical guidance on implementing controls. The Guide replaces NIST’s original guide, which was published in 2008.

FinCEN Releases Guidance on Accessing and Safeguarding Beneficial Ownership Information for Small Entities
The U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) released a Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguard Requirements (the “Guide”). The Guide is intended to help small banks comply with the Beneficial Ownership Information Access and Safeguards Rule (the “Access Rule”) promulgated by FinCEN. The Access Rule implements provisions of the Corporate Transparency Act that authorize certain persons to obtain access to identifying information associated with reporting companies, their beneficial owners, and their company applicants. As detailed in the guidance, financial institutions are subject to restrictions on how they may use beneficial ownership information. The Guide provides a number of examples of permissible uses of beneficial ownership information to fulfill customer due diligence requirements under applicable law. The Guide also details security and confidentiality requirements, including a prohibition on storing beneficial ownership information in, or disclosing it to persons located in, China, Russia, or any jurisdiction that is subject to sanctions or has been determined to be a state sponsor of terrorism.

Senators Announce Renewed Bipartisan Support for Kids Online Safety Act
Lead sponsors Marsha Blackburn (R-Tenn.) and Richard Blumenthal (D-Conn.) recently announced renewed bipartisan Senate support for the Kids Online Safety Act (“KOSA”). The bill, originally introduced in February 2022, was reintroduced in May 2023 following criticism from both industry groups and consumer privacy advocates such as the Electronic Frontier Foundation. At a high level, KOSA would apply to online services and platforms “likely to be used by minors” under the age of 13. These entities would be required to design and operate their products and services to prevent and mitigate harm to minors arising from their use, such as sexual exploitation and bullying. More specifically, these entities would be required to provide new disclosures, including details regarding the use of any personalized recommendation systems; provide new rights to parents and guardians; refrain from facilitating advertising of age-restricted products or services to minors; and provide annual reports on foreseeable risks of harm to minors resulting from use of the relevant platform or offering. Although KOSA has sufficient support to pass the Senate, no companion bill has yet been introduced to the House of Representatives.

Bipartisan Coalition of Senators Announce Updated Version of COPPA 2.0
A bipartisan group of senators announced that Senator Maria Cantwell (D-Wash.) and Senator Ted Cruz (R-Texas) cosponsored an updated version of the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”). The updated version of COPPA 2.0 would expand the original 1998 law, the Children’s Online Privacy Protection Act (“COPPA”), by strengthening and broadening online privacy protections, including banning targeted advertising to kids and teens, prohibiting excessive data collection on minors, and extending existing COPPA protections to teenagers. The proposed bill would also create an “Eraser Button” for parents and kids on the internet by requiring companies to permit users to delete information.

House Members Announce Establishment of Bipartisan Task Force on Artificial Intelligence
A group of House of Representatives members is forming a bipartisan task force on artificial intelligence. The task force will be composed of 12 Democrats and 12 Republicans picked by House Speaker Mike Johnson (R-LA) and Minority Leader Hakeem Jeffries (D-NY). House leaders stated that the new task force would focus on ways to ensure that advancements in artificial intelligence benefit “everyday Americans” while stopping “bad actors from exploiting” the technology. The task force will also produce a “comprehensive report” featuring “bipartisan policy proposals.” While both the House and Senate have held high-profile hearings and forums on AI technology, no significant legislation regulating AI has made progress thus far in either chamber.


Federal Court Denies Kochava’s Motion to Dismiss FTC Amended Complaint
A federal district court judge denied data broker Kochava’s motion to dismiss a Federal Trade Commission complaint alleging that Kochava engages in unfair business practices by aggregating and selling vast amounts of data from mobile devices that could be used to track individuals’ visits to reproductive health clinics, places of worship, and other sensitive locations. The court had previously dismissed the FTC’s complaint with leave to amend. The FTC then filed an amended complaint with more detail on the scale of the collection and sale of geolocation data from hundreds of millions of mobile devices without the knowledge or consent of individuals, and on the aggregation of that data with personal characteristics such as age and ethnicity. The FTC is seeking to permanently enjoin Kochava from selling precise location data that reveal consumers’ visits to sensitive locations.

Federal Judge Rules Ohio’s New Social Media Law Unconstitutional
U.S. District Court Judge Algenon Marbley granted a motion for a preliminary injunction to pause enforcement of Ohio’s Parental Notification By Social Media Operators Act (the “Act”). The Act, which was signed into law in July 2023, was supposed to take effect on January 15, 2024. The Act would require certain operators to obtain parental consent before permitting children under the age of 16 to create accounts on their platforms. NetChoice, a technology trade association, sued to block the law as unconstitutional. NetChoice argues that the Act restricts minors’ First Amendment right to express themselves and access speech. Judge Marbley sided with NetChoice, stating that the Act “regulates access to and dissemination of speech when it could instead seek to regulate the – arguably unconscionable – terms of service that these platforms require.”

Federal District Court Cites Policy Exclusion to Deny Coverage for BIPA Claims
The Illinois Biometric Information Privacy Act (“BIPA”) has spawned an avalanche of litigation, which, in turn, has led to disputes between policyholders and insurers over coverage for BIPA claims. In the first major decision to address coverage for BIPA claims, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., the Illinois Supreme Court held that the policy at issue provided coverage. In Citizens Insurance Co. of America v. Wynndalco Enterprises, LLC, the U.S. Court of Appeals for the Seventh Circuit also upheld coverage for BIPA claims. But several decisions have come out against coverage. Last month, a federal district court in Citizens Insurance Co. of America v. Mullins Food Products, Inc., became the latest example of such a decision. The court held that two exclusions precluded coverage for BIPA claims. Interestingly, one of the exclusions was almost identical to the exclusion at issue in Wynndalco. The Mullins court distinguished Wynndalco based on a few extra words in the exclusion’s heading. Do decisions like Mullins signal that the tide is turning against coverage for BIPA claims? First, the cases show that coverage for BIPA claims turns on the specific policy wording at issue. Thus, policyholders facing BIPA claims should be guided by the specific language in their policies (and the relevant facts and circumstances), and not necessarily by the number of decisions for or against coverage. Second, nearly all the decisions that have construed coverage for BIPA claims involve general liability coverage. They say nothing about whether other types of insurance may cover BIPA claims. For example, in Remprex, LLC v. Certain Underwriters at Lloyd’s London Syndicates, the court held that a cyber insurance policy provided coverage for the policyholder’s defense against BIPA claims. Thus, policyholders should look beyond general liability policies as they evaluate their coverage options. 
In short, securing coverage for BIPA claims may be challenging, but that should not deter policyholders from considering whether their policies have wording that could unlock coverage.


California Attorney General Announces Second CCPA Enforcement Settlement
California Attorney General Rob Bonta announced a settlement with DoorDash to resolve allegations that the company violated the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”). The California AG alleged in its complaint that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out, in violation of the CCPA and CalOPPA. The alleged violations occurred in connection with DoorDash’s participation in a marketing cooperative, in which businesses contribute the personal information of their customers in exchange for the opportunity to advertise their products to each other’s customers. Information shared by DoorDash included names, addresses, and transaction histories. The Attorney General alleged that providing this information to the marketing cooperative was a sale under the CCPA, and that DoorDash’s failure to state in its privacy notice that it disclosed personally identifiable information to marketing cooperatives was a violation of CalOPPA. DoorDash will pay a $375,000 civil penalty and comply with injunctive terms, including providing annual reports to the Attorney General that monitor the potential sale or sharing of consumer personal information.

FTC Settles with Blackbaud
Blackbaud Inc. (“Blackbaud”), represented by Blank Rome, announced a settlement with the Federal Trade Commission (“FTC”) related to a ransomware attack the company suffered in 2020. Blackbaud has not been fined by the FTC and is not otherwise required to make any payment as part of this settlement. However, Blackbaud has agreed to: not make misleading statements related to the privacy, security, availability, confidentiality, or integrity of personal information; delete personal information that it no longer needs to provide its products and services; and establish a data retention schedule that explains the purposes for retention and sets forth deletion timelines. Blackbaud is also required to implement and improve certain cybersecurity programs and tools and to report to the FTC data breaches that require notice to federal, state, or local entities. The settlement is subject to public comment for thirty days after its publication in the Federal Register, after which the FTC will decide whether to make the proposed settlement final.

Biden-Harris Administration Announces Consortium Dedicated to AI Safety
The U.S. Secretary of Commerce announced the creation of the U.S. AI Safety Institute Consortium (“AISIC”), which will unite AI creators and users, academics, government and industry researchers, and civil society organizations in support of the development and deployment of safe and trustworthy artificial intelligence. The AISIC will contribute to priority actions outlined in President Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, including developing guidelines for red-teaming, capability evaluations, risk management, safety and security, and watermarking synthetic content. The AISIC includes over 200 member companies and organizations that create and use advanced AI systems and hardware. AISIC also represents the largest collection of test and evaluation teams established thus far and will focus on establishing foundations for a new measurement science in AI safety. State and local governments are included in AISIC, which will work with organizations from other nations that have a key role in developing global AI safety tools.

FTC Order Requires Software Provider to Pay $16.5 Million for Selling Browsing Data
The FTC will require Avast Limited (the “Company”), a software provider based in the United Kingdom, to pay $16.5 million and will prohibit the Company from selling or licensing web browsing data for advertising purposes. In its complaint, the FTC states that Avast unfairly collected consumers’ browsing information through the Company’s browser extension and antivirus software. Avast then stored this information indefinitely and sold it without adequate notice and consumer consent. The FTC also states that Avast deceived users by claiming that the software would protect consumers’ privacy by blocking third-party trackers, while failing to notify consumers that it would then sell their re-identifiable browsing data. Avast sold consumer information to an entity named Jumpshot, which in turn sold the information to a third-party advertising conglomerate. In addition to the $16.5 million payment, Avast will be required to obtain affirmative express consent from consumers before selling or licensing browsing data and to implement a privacy program that addresses the misconduct.

OCR Settles with Montefiore Medical Center for Data Breach
The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) has settled with Montefiore Medical Center (“MMC”) for violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. According to the settlement, one of MMC’s employees inappropriately accessed the patient account information of 12,517 patients from MMC’s electronic medical record system, including patients’ names, addresses, Social Security numbers, next of kin, and health insurance information, and sold that information to an identity theft ring. OCR’s investigation found potential violations of HIPAA by MMC, including of the Security Rule’s requirements to conduct risk analyses, regularly review records of information system activity, and implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems containing protected health information. The settlement requires MMC to pay OCR $4.75 million and implement a corrective action plan. OCR will also monitor MMC for two years.

OCR Settles with Green Ridge Behavioral Health for Ransomware Attack
OCR settled its second-ever ransomware attack case against Green Ridge Behavioral Health, LLC (“Green Ridge”). The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals. OCR’s investigation found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach, including Green Ridge’s failure to conduct risk analyses, implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level, and have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack. Under the terms of the settlement, Green Ridge is required to pay OCR $40,000 and implement a corrective action plan (including conducting an audit of all third-party arrangements to ensure a business associate agreement is in place where applicable) that will be monitored by OCR for three years.

New York Attorney General and NYSED Settle with College Board for Violating Students’ Privacy
The New York Attorney General and New York State Education Department (“NYSED”) entered into a $750,000 settlement with College Board for violating students’ privacy and unlawfully licensing that personal data to others. College Board collected students’ personal information when they took the PSAT, SAT, and AP exams in school, and then licensed this data to colleges, scholarship programs, and other customers who used it to solicit students to participate in their programs. Under the settlement, College Board is prohibited from using New York student data it collects or receives in connection with a contract with a New York educational agency for any marketing or commercial purposes. In addition, College Board cannot solicit students to participate in its Student Search Services (which licenses student data such as names, contact information, ethnicity, GPA, and test scores to colleges and scholarship programs) or similar programs.

Pennsylvania Attorney General Settles with Shopgala
The Pennsylvania Attorney General has settled with Shopgala, LLC (“Shopgala”) for selling the information of Pennsylvania residents to telemarketing companies. According to the Pennsylvania Attorney General, Shopgala obtained information from consumers who registered to receive allegedly free samples or payment for completing online surveys. Those promotional offers did not include clear disclosures to consumers that their information could be sold to telemarketers. The settlement permanently enjoins Shopgala from selling or sharing consumer data, unless the consumer data was acquired in accordance with the requirements set forth under the Federal Telemarketing Sales Rule. The settlement also requires Shopgala to pay $25,000 to the Pennsylvania Office of Attorney General to be used for public protection and educational purposes.

U.S. Department of Health and Human Services Announces Study to Assess HIPAA Compliance Audit Program
HHS published a notice in the Federal Register stating that the HHS Office for Civil Rights (“OCR”) would begin a study to assess its HIPAA audit program. OCR last engaged in compliance audits in 2017. OCR stated in the notice that it will survey 207 covered entities and business associates that participated in OCR’s previous round of audits using a 39-question online survey. The survey is intended to gather information relating to the effect of the audits on the audited entities and the entities’ opinions about the audit process. The survey and study will be used to assist the OCR in its conduct of future audits.


European Union Countries Vote to Approve AI Act
EU member state representatives unanimously voted to approve the EU AI Act. The next steps for enactment of the landmark legislation will be a European Parliament vote scheduled for March 13, 2024, and final European Council endorsement. The EU AI Act will enter into force 20 days after publication in the EU’s Official Journal. EU AI Act requirements would then take effect in a staggered fashion, with the general application date 24 months after entry into force. Requirements on a different schedule include the bans on prohibited AI, which will apply six months after entry into force; requirements related to codes of practice (nine months after entry into force); general-purpose AI rules, including governance (12 months after entry into force); and obligations for high-risk systems (36 months after entry into force).

EU Establishes AI Office
On January 24, 2024, the European Union established the EU AI Office within the European Commission. The AI Office is designed to be the center of AI expertise and the foundation for a single EU AI governance system. The AI Office will assist in implementing the EU AI Act by supporting Member State governance bodies, enforcing the rules, conducting evaluations of general-purpose AI models, and applying sanctions for violations. The AI Office is also intended to develop tools and methodologies for classifying models with systemic risks, draft codes of practice to detail AI rules and guidelines, and investigate possible infringements of the AI Act and any relevant regulations. The European Commission has announced that it intends to begin hiring talent to fill the AI Office “soon” and that external experts and stakeholders will have the chance to join and contribute through a separate call for “expressions of interest.”

EDPB Launches Website Auditing Tool for Legal Compliance
The European Data Protection Board (“EDPB”) introduced a website auditing tool as part of the EDPB Support Pool of Experts (“SPE”) initiative. The tool was designed to simplify enforcement for national data protection authorities and compliance checks for controllers who wish to test their own websites. The tool was developed by an SPE expert under EDPB Secretariat supervision and presented at the EDPB Bootcamp in June 2023. The tool specifically facilitates audit preparation, execution, and evaluation directly within the platform by visiting the target website. The tool is also compatible with other tools, such as the EDPS website evidence collector. A second version of the tool featuring additional functionalities is set for release later in 2024. The tool aligns with the EDPB’s 2021-2023 strategy to help data protection authorities increase their enforcement capacity by developing common tools and providing them access to a wide pool of experts.

U.S./EU Issue Joint Statement on Cybersecurity
On January 30, 2024, U.S. Secretary of Homeland Security Alejandro Mayorkas and European Commissioner for Internal Market Thierry Breton released an updated joint statement on EU-U.S. cooperation in the field of cyber resilience. In the statement, Mayorkas and Breton highlighted the importance of “close cooperation between the EU and U.S. to secure our people, critical infrastructure, and businesses against detrimental cyber activities.” They lauded the successes of the EU-U.S. partnership over the past year, including commitments to compare and align cyber incident reporting requirements, the creation of a transatlantic working group of open-source security experts, and the launch of the EU-U.S. Cyber Fellowship. In light of these successes, Mayorkas and Breton announced renewed commitments to align regulatory requirements and guidelines, provide guidance on the safe implementation of AI tools, work bilaterally to combat cybercrime, jointly advance the security of software and hardware in critical fields and infrastructure, and deepen personnel and talent exchanges between the regions.


© 2024 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.