The BR Privacy & Security Download: September 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
California AG Settles First CCPA Enforcement Action
California Attorney General Rob Bonta (“Attorney General”) announced his office had concluded the first-ever settlement of a California Consumer Privacy Act (“CCPA”) enforcement with Sephora, Inc. The Attorney General alleged that Sephora violated the CCPA by failing to disclose that the company “sells” personal information, provide a “Do Not Sell My Personal Information” link, provide appropriate methods to opt-out of sales, and process opt-out requests submitted by consumers through user-enabled global privacy controls. The Attorney General also stated that Sephora violated California’s Unfair Competition Law by making false or misleading statements about Sephora’s practices regarding the sale of consumer information and depriving consumers of the ability to opt-out of sales as required by the CCPA. All violations stemmed from Sephora’s use of third parties to provide website analytics and digital advertising services on Sephora’s website and mobile app. Sephora agreed to pay a $1.2 million penalty and make several changes to bring its business practices into compliance with the CCPA. Sephora must also provide reports to the Attorney General about its sale of personal information, service provider relationships, and how it honors user-enabled global privacy controls. Read additional analysis of this and other recent California privacy developments in our client alert.
California AG Highlights Ongoing CCPA Enforcement Efforts Focused On “Sales” of Personal Information
The California Attorney General announced his office’s continued efforts to enforce the CCPA, including its requirement that businesses provide consumers with the ability to opt-out of the sale of their personal information. Notably, the Attorney General stated that his office had sent a number of new notices to businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls like the Global Privacy Control (“GPC”). Combined with the first-ever settlement of a CCPA enforcement action with Sephora, Inc., the announcement and new enforcement efforts send a strong signal regarding the Attorney General’s expectation that businesses will implement technologies and processes that respond to GPC signals on websites and mobile applications. As part of the announcement, the Attorney General issued an updated summary of CCPA enforcement case examples.
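For readers responsible for the technical side of the obligation described above, the following is an added illustration of what “responding to GPC signals” looks like in code. It is not code from the newsletter, from Blank Rome, or from any regulator or company named in it. The only facts it relies on are those in the GPC specification: a browser with the control enabled sends the request header `Sec-GPC: 1` and exposes the same setting to page scripts as `navigator.globalPrivacyControl`. The cookie name, the tag list and its “sale” classification, and the sample requests are assumptions made for illustration.

```javascript
// Added example (not from the newsletter or any party named in it): honoring the
// Global Privacy Control signal on the server side.
//
// Facts from the GPC specification: the header is `Sec-GPC`, its only valid
// value is "1", and browsers expose the setting as navigator.globalPrivacyControl.
// Everything else below (cookie name, tag list, request shape) is assumed.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // hypothetical first-party opt-out cookie

// Hypothetical third-party tags. `isSale` marks tags whose loading would send
// personal information to a party that is not a service provider, i.e. a "sale"
// under the CCPA. The classification is an assumption for this example.
const TAGS = [
  { name: 'analytics-vendor', isSale: true },
  { name: 'ad-network', isSale: true },
  { name: 'fraud-prevention', isSale: false },
];

// Lower-case header names so lookups do not depend on the caller's casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// The spec defines exactly one valid value, "1". "0", "true" or a missing
// header all mean "no signal". Do not test for a merely truthy value.
function hasGpcSignal(headers) {
  return normalizeHeaders(headers)['sec-gpc'] === '1';
}

// Browser-side counterpart: pass `navigator` (or a stand-in object in tests).
function clientHasGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// For one request: is the user opted out of sales, which tags may still load,
// and should the opt-out be persisted as a first-party cookie?
function evaluateRequest(headers) {
  const h = normalizeHeaders(headers);
  const gpc = hasGpcSignal(h);
  const cookieOptOut = parseCookies(h['cookie'])[OPT_OUT_COOKIE] === '1';
  const optedOut = gpc || cookieOptOut;

  // Service-provider tags may still load; "sale" tags are suppressed on opt-out.
  const allowedTags = TAGS.filter((t) => !(optedOut && t.isSale)).map((t) => t.name);

  // Persist a GPC-derived opt-out. A later request without the header (for
  // example from a cache or a proxy that strips it) must not silently re-enable
  // sales, so the absence of the header never clears the cookie.
  const setCookie = gpc && !cookieOptOut
    ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`
    : null;

  return {
    optedOut,
    source: gpc ? 'gpc' : cookieOptOut ? 'cookie' : 'none',
    allowedTags,
    setCookie,
  };
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { 'Sec-GPC': '1' },
  {},
  { 'sec-gpc': '0', Cookie: 'ccpa_opt_out=1; session=abc' },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(evaluateRequest(req)));
}
```

Two practical notes. First, because the response now depends on a request header, any cache in front of the application should be told so (for example with `Vary: Sec-GPC`); otherwise an opted-in page can be served to an opted-out visitor. Second, the tag decision has to be enforced wherever tags are injected (server templates, tag manager, mobile SDK configuration); a correct decision function that the tag manager ignores is exactly the failure pattern the enforcement notices describe.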
California Age-Appropriate Design Code Act Passed
California has passed the Age-Appropriate Design Code Act, which is largely modeled after the United Kingdom Information Commissioner’s Office (“ICO”) code of practice for age-appropriate design. The bill applies to “businesses” (as defined under the CCPA) that provide an online service, product, or feature “likely to be accessed” by children who are under eighteen years old. Its application is likely to be broader than the Children’s Online Privacy Protection Act, which defines a child as under thirteen years old and applies to online services directed to children, or whose operators have actual knowledge that they are collecting personal information from children. The bill imposes new requirements on covered businesses, such as: performing a data protection impact assessment before launching any product or service subject to the bill; providing prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns; providing an obvious signal to a child if the child’s online activity is being monitored or if the child’s location is tracked; and configuring all default privacy settings to those that offer a high level of privacy. Unlike the ICO’s code of practice, which applies to “connected” toys or devices, the California Age-Appropriate Design Code Act exempts the delivery or use of physical products. The bill also exempts broadband Internet access services and telecommunications services.
California Fails to Pass CCPA Employee Exemption Extensions and Biometric Privacy Law
With the end of the California legislative session on August 31, 2022, several California privacy bills have failed to pass. Most notably, AB 2871 and AB 2891, which proposed to extend the exemption under the CCPA for information collected in the employment context indefinitely and until January 1, 2026, respectively, have failed to pass. As a result, employees, job applicants, and independent contractors will be able to exercise the rights afforded under the CCPA beginning January 1, 2023. Additionally, SB 1189, a bill similar to the Illinois Biometric Information Privacy Act, which would have prohibited private entities from profiting from biometric information and required consumer consent prior to the collection of biometric information, has failed to pass. While these bills are presumed “dead,” such bills may be reintroduced when the California Legislature reconvenes on December 5, 2022, for the 2023-2024 legislative session.
CPPA Urges U.S. House of Representatives to Oppose the American Data Privacy and Protection Act
In a letter to Speaker of the House Nancy Pelosi, the California Privacy Protection Agency (“CPPA”) (the agency tasked with enforcing the CCPA, as amended by the California Privacy Rights Act) reiterated its opposition to the American Data Privacy and Protection Act (“ADPPA”). The ADPPA is the federal comprehensive privacy bill currently awaiting a vote by the House after being advanced by the House Energy and Commerce Committee in July. On July 28, 2022, the CPPA unanimously voted to oppose the ADPPA and any other bill that seeks to preempt the CCPA. In the letter, the CPPA states that the ADPPA is substantively weaker than the CCPA and “represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally.” Governor Newsom, Assembly Speaker Rendon, 10 attorneys general including California’s Rob Bonta, and members of the California Senate have also released letters raising concerns about ADPPA.
NYDFS Proposes Amendments to Its Cybersecurity Regulations
New York Department of Financial Services (“NYDFS”) has published proposed amendments to its Part 500 Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Rules”) that expand upon the cybersecurity requirements applicable to all covered entities, including those related to governance, risk assessments, incident response plans, business continuity, training, and technology. Most notably, the proposed amendments require notification to NYDFS within: (i) 72 hours of any cybersecurity event involving unauthorized access to a privileged account or resulting in the deployment of ransomware within a material part of the covered entity’s information systems; and (ii) 24 hours of any extortion payment connected with a cybersecurity event, along with a 30-day reporting requirement explaining why payment was necessary, alternatives that were considered, and the sanctions diligence that was conducted. Additionally, the proposed amendments impose heightened requirements for a new category of “Class A Companies” (i.e., covered entities with over 2,000 employees or over $1 billion in gross annual revenues averaged over the past three years from all business operations of the company and its affiliates), such as requiring the implementation of endpoint detection and response and password vaulting solutions, annual independent audits of the covered entity’s cybersecurity program, risk assessments by external experts at least once every three years, and weekly scans or reviews of information systems.
FEDERAL LAWS & REGULATIONS
FTC Officially Starts Privacy Rulemaking
The Federal Trade Commission (“FTC”) filed an Advance Notice of Proposed Rulemaking (“ANPR”) to explore the development of rules addressing commercial surveillance and lax data security. FTC Chair Lina M. Khan stated the FTC’s goal is “to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.” The filing opens a 60-day public comment period. Publication of any final rule could be years away. Following the public comment period, the FTC must provide 30 days’ notice to Congress regarding the proposed rulemaking, after which the FTC must conduct further analysis and public consultation on its findings before hearings on draft rules can begin. If federal legislation were to pass before the adoption of a final rule, the FTC could drop its proposed rulemaking and shift focus to enforcing that legislation. The FTC hosted a virtual public forum on September 8, 2022, to discuss the ANPR.
CFPB Warns Digital Marketing Providers to Comply with Consumer Financial Protection Law
The Consumer Financial Protection Bureau (“CFPB”) issued an interpretive rule describing when digital marketing service providers must comply with federal consumer financial protection law. The CFPB stated that digital marketers that are involved in the identification or selection of prospective customers or the selection or placement of content to affect consumer behavior are typically service providers for purposes of consumer financial protection laws. Accordingly, digital marketing service providers may be liable for committing unfair, deceptive, or abusive acts and practices as well as other consumer financial protection violations.
NIST Publishes Second Draft of AI Risk Management Framework
The National Institute of Standards and Technology (“NIST”) issued a second draft of its AI Risk Management Framework (“AI RMF”). NIST is developing a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (“AI”). The NIST AI RMF is intended for voluntary use and aims to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. Comments on the updated draft must be received by September 29, 2022. NIST has scheduled a workshop relating to the development of the AI RMF scheduled for October 18–19, 2022.
Improving Cybersecurity of Credit Unions Act Introduced
A bipartisan group of U.S. Senators introduced the Improving Cybersecurity of Credit Unions Act to help protect credit union members from cybersecurity threats. The bill would empower the National Credit Union Administration to assess cybersecurity risks posed by service providers and take action to protect credit union members.
FTC Seeks Additional Comment on Digital Advertising to Kids
The FTC announced it is seeking public comment on how children are affected by digital advertising and marketing messages and on their ability to distinguish such messages from surrounding content. The FTC is seeking public comment in connection with a virtual event, “Protecting Kids from Stealth Advertising in Digital Media,” that the FTC will host on October 19, 2022.
FCC Releases Mobile Carrier Responses to Data Privacy Probe
Federal Communications Commission (“FCC”) Chairwoman Rosenworcel shared the responses of the nation’s top 15 mobile carriers from the FCC’s request for information about their data retention and privacy policies and practices. Chairwoman Rosenworcel stated that she has also “asked the FCC Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to consumers how they are using and sharing geolocation data.”
Eleventh Circuit Holds Absent Putative Class Members Must Have Article III Standing
The U.S. Court of Appeals for the Eleventh Circuit issued a decision in Drazen v. Pinto holding that absent putative class members in a lawsuit involving alleged violations of the Telephone Consumer Protection Act (“TCPA”) must have Article III standing. The district court had held that only named plaintiffs must have standing for certification of a damages class pursuant to Federal Rule of Civil Procedure 23(e). Under the Eleventh Circuit ruling, all plaintiffs within the defined class must have standing to recover individual damages, which could make it more challenging to certify classes or may result in the certification of smaller classes than under the district court ruling.
Third Circuit Revives Suit against Retailer Claiming Online Tracking Violates Pennsylvania’s Anti-Wiretapping Law
The Third Circuit ruled that Harriet Carter Gifts and third-party marketer NaviStone Inc. must face a putative class action brought by online shoppers claiming that Harriet Carter and NaviStone violated Pennsylvania’s anti-wiretapping law when the online shoppers’ activity was tracked on Harriet Carter’s website. A lower court had held that Harriet Carter and NaviStone were exempt from liability as direct parties to the electronic communication. However, the Third Circuit stated there is no such exception in Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, which requires all parties to a communication to consent to its interception.
Fifth Circuit Holds Mere Statutory Violation of FDCPA Insufficient for Article III Standing
In Perez v. McCreary, Veselka, Bragg & Allen, P.C., the Fifth Circuit vacated a class certification order and remanded the case to be dismissed for lack of jurisdiction, holding that a statutory violation of the Fair Debt Collection Practices Act (“FDCPA”), alone, is insufficient to confer Article III standing. Further, the Fifth Circuit held that a purported future risk of harm, experiencing confusion, and/or lost time are insufficient to allege the required injury-in-fact for Article III standing to maintain a lawsuit in federal court. Read Blank Rome’s Financial Institutions Litigation and Regulatory Compliance team’s in-depth analysis of the decision here.
OCR Settles HIPAA Enforcement Action Alleging Improper Disposal of PHI
The Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a health care provider relating to the improper disposal of protected health information (“PHI”). The provider had reported a breach of PHI caused by the disposal of empty specimen containers in a garbage bin in the provider’s parking lot. The specimen containers had PHI on the labels, including patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The OCR found potential violations of HIPAA, including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI. The provider paid a $300,640 civil penalty and agreed to implement corrective action to resolve the investigation.
FTC Sues Company for Selling Sensitive Location Data
The FTC announced it had filed a lawsuit against Kochava Inc. for selling geolocation data “from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” According to the FTC, Kochava’s data selling practices allow others to identify individuals, exposing them to threats of stigma, stalking, discrimination, job loss, and physical violence. The FTC’s lawsuit seeks to stop Kochava’s sale of sensitive geolocation information and to require the company to delete the sensitive geolocation data it has collected. The FTC lawsuit follows a lawsuit filed by Kochava two weeks earlier seeking to block the FTC from pursuing the action.
FTC Launches First Crypto Investigation
Following President Biden’s Executive Order on Ensuring Responsible Development of Digital Assets, which calls for stronger consumer and investor protections in cryptocurrency, the FTC has launched an investigation of the U.S. operators of the BitMart cryptocurrency exchange, Spread Technologies LLC (“Spread”) and Bachi.Tech Corporation (“Bachi.Tech”). In December 2021, hackers were able to withdraw approximately $200 million from BitMart by using a stolen private key to gain access to two of BitMart’s hot wallets (i.e., wallets whose signing keys are kept on Internet-connected systems, as opposed to offline “cold” storage). The investigation was disclosed in a denial of Spread and Bachi.Tech’s petitions to quash the FTC’s civil investigative demands, which concern whether the companies misled consumers about the extent of their data security and consumer privacy protections and whether they violated the Gramm-Leach-Bliley Act.
NYDFS Penalizes Robinhood Crypto
NYDFS announced that it fined Robinhood Crypto, LLC (“Robinhood”) $30 million for failure to maintain effective Bank Secrecy Act/anti-money laundering and cybersecurity programs. With respect to cybersecurity, NYDFS stated that Robinhood’s cybersecurity program did not fully address Robinhood’s operational risks and that specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity Rules. In addition to the penalty, Robinhood will also be required, as part of the settlement, to retain an independent consultant that will perform a comprehensive evaluation of Robinhood’s compliance with the Department’s regulations and of its remediation of the specifically identified deficiencies and violations.
INTERNATIONAL LAWS & REGULATIONS
China Issues Rules for Use of Certification for Cross-Border Data Transfer Mechanism
China’s National Information Security Standardization Technical Committee issued “Technical Specifications for the Certification of Cross-Border Processing of Personal Information.” The specifications provide the requirements that entities must meet to obtain certification that personal information is being protected in accordance with the regulations of the Chinese National Cyberspace Authority. Certification is one of three legal mechanisms for transferring personal information outside of China under the country’s Personal Information Protection Law. The other mechanisms are undergoing a security assessment organized by the Chinese National Cyberspace Authority or the use of a standard contract.
Revised Swiss Data Protection Law to Come Into Effect September 2023
Following the decision of the Swiss Federal Council to approve Switzerland’s new Data Protection Act, the law will officially come into effect on September 1, 2023. The revised law was passed by the Swiss Parliament in September 2020 to ensure compatibility with European data protection law. The one-year lead-in to the effective date is intended to give entities sufficient time to come into compliance with the new law.
RECENT PUBLICATIONS & MEDIA COVERAGE
- What Cos. Can Learn from Uber Breach Nonprosecution Deal (Law360)
- Congressional Hearing Update: “Privacy in the Age of Biometrics” (Biometric Privacy Insider)
- Delta Airlines Debuts “Parallel Reality” Biometric Flight Information Display (Biometric Privacy Insider)