Commonwealths Coalesce on Confronting Biometrics
In today’s digital world, data breaches may seem as common as Zoom calls. During April alone, the Houston Rockets basketball team was targeted by a sophisticated ransomware attack; ParkMobile (a popular mobile app that allows users to pay for parking spots from their phone) suffered a data breach that led to users’ information being listed for sale on a crime forum; and the personal details of 533 million Facebook users were discovered in a hacking forum.
As the saying goes, there are two types of businesses: those that were hacked, and those that will be.
With data breaches drawing national headlines, the commonwealths of Pennsylvania and Virginia have turned their attention to passing consumer privacy laws that stand to significantly impact legal risk profiles for businesses using biometric data. In April, the Pennsylvania General Assembly reintroduced the Consumer Data Privacy Act, H.B. 1126, (PCDPA)—a broad consumer privacy law that encompasses the use of biometric data, much like the California Consumer Privacy Act of 2018 (CCPA).
Virginia, meanwhile, recently became the second state to enact a comprehensive state privacy law (following California) and the first state to do so on its own initiative (the CCPA was enacted in 2018 to preempt a ballot measure). Signed by Gov. Ralph Northam on March 2, the Virginia Consumer Data Protection Act, H.B. 2307 (VCDPA), will go into effect on Jan. 1, 2023, and includes what may very well be the broadest definition of biometric data in the country.
Companies doing business in Pennsylvania or Virginia would be well advised to take immediate, protective measures to ensure compliance with the PCDPA and VCDPA. And while a fulsome analysis of the complex CCPA is beyond the scope of this article, the same holds true for companies doing business in California.
The VCDPA applies to businesses that control or process personal data of: at least 100,000 consumers annually; or at least 25,000 consumers annually and derive more than 50% of their gross revenue from the sale of personal data. The statute covers entities based in Virginia as well as those that provide products or services to Virginia residents.
The PCDPA is similar in scope. It applies to entities conducting business in Pennsylvania that: have gross annual revenue in excess of $10 million; buy, sell, receive, or share the personal information of 50,000 or more consumers, households, or devices; or derive 50% or more of their revenue from the sale of consumers’ personal data.
Unlike the PCDPA, the VCDPA includes a specific definition of biometric information: “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” This definition is reminiscent of the Illinois Biometric Information Privacy Act (BIPA). But unlike BIPA—which applies to biometric identifiers and biometric information—the VCDPA does not limit its scope to specific types of biometric data.
The VCDPA and PCDPA afford consumers similar privacy rights, including the rights to access, know, delete and opt out of the sale of their data. The VCDPA goes a step further, granting Virginia residents the ability to correct their consumer data (similar to the EU’s General Data Protection Regulation), opt out of the sale and processing of their data for targeted advertising and profiling purposes, and obtain and reuse their personal data for their own purposes across different services (known as data portability).
Both the PCDPA and VCDPA require implementation of various technical safeguards to protect consumers’ data. Under each statute, “reasonable” data security measures must be implemented and maintained to protect biometric data from being improperly accessed, acquired, or disclosed. Targeted notices informing consumers of their rights must be provided under each statute as well. And both laws require businesses to respond to consumer requests regarding the use of their data within 45 days.
The statutes are different in some respects. The VCDPA alone allows consumers to appeal companies’ decisions to deny consumer requests. The VCDPA also includes a mandatory provision requiring businesses to inform consumers when their data has been sold to a third party or processed for targeted advertising. And while a similar disclosure requirement exists under the PCDPA, it is triggered only upon the request of a consumer. Additionally, the PCDPA imposes certain employee training requirements; the VCDPA does not.
When it comes to enforcement, the PCDPA and VCDPA differ in a material way: while the PCDPA grants consumers the ability to bring a private right of action for certain violations of the statute, enforcement under the VCDPA is limited exclusively to the Attorney General.
Under the PCDPA, consumers can pursue individual or class litigation if their personal data is affected by a data breach and the entity is found to have violated its duty to maintain reasonable security measures. In such circumstances, consumers would be able to recover between $100 and $750 in statutory damages per incident. For non-data-breach violations, enforcement authority is vested in the Attorney General. Here, businesses could be held liable for civil penalties of up to $7,500 for “each violation” of the law.
The VCDPA grants the Attorney General exclusive authority to enforce its provisions, subject to a 30-day cure period for any alleged violations. The Attorney General may seek injunctive relief and damages for up to $7,500 for each violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”
Consumers’ ability to pursue a private right of action under the PCDPA means businesses may face significant class action exposure if the law is enacted. Indeed, one need look no further than California, where a flurry of class action lawsuits has been filed over the past year for purported violations of the CCPA. Many such lawsuits are unconnected to a data breach—a notable development given that the CCPA, like the PCDPA, limits private suits to data breach incidents only. Plaintiffs’ attorneys are essentially able to sidestep the CCPA’s limitation on private causes of action by alleging a violation under California’s plaintiff-friendly Unfair Competition Law (UCL), which allows plaintiffs to “borrow” purported violations from other statutes—such as the CCPA—for use in alleging “unlawful” practices.
A similar concern exists regarding Pennsylvania’s proposed PCDPA, especially since the Keystone State’s Unfair Trade Practices and Consumer Protection Law (UTPCPL) is very closely aligned with California’s UCL. Like the UCL, the UTPCPL creates a private right of action for individuals subjected to unfair/deceptive acts or practices and contains a catch-all provision that includes all fraudulent conduct which creates a likelihood of confusion or misunderstanding.
To establish a violation of this catch-all provision, a consumer need only show the business’s conduct “has the tendency or capacity to deceive”—a very low bar that could likely be satisfied by pointing to violations of the PCDPA. Thus, it is reasonable to posit consumers will “borrow” purported violations of the PCDPA for use in asserting claims under the UTPCPL’s catch-all provision.
While attempts to expand the scope of liability under the PCDPA may ultimately fail, those businesses targeted with class action lawsuits will incur significant litigation costs in defending such suits, further raising the importance of strict, advance compliance with the PCDPA’s mandates.
The VCDPA and PCDPA portend a massive shift in privacy legislation. To get ahead of the curve, companies should immediately assess their compliance (and possible noncompliance) with consumer privacy laws across the country—using the VCDPA, PCDPA, CCPA and BIPA as guideposts. For example, businesses would be well advised to analyze how these laws will affect their internal operations, vendor contracts, privacy policies, data mapping inventories, and personnel training. To assist in this process, companies should consult with experienced data and biometric privacy counsel, as doing so is the best way to ensure conformity with the ever-evolving privacy legal landscape.
“Commonwealths Coalesce on Confronting Biometrics,” by Jeffrey N. Rosenthal and Thomas F. Brier Jr. was published in The Legal Intelligencer on May 12, 2021.
Reprinted with permission from the May 12, 2021, edition of The Legal Intelligencer © 2021 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.