Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks. If you missed our last post, you can find it here.
US STATE LAW
New York Department of Financial Services (NYDFS) Proposed Amendments to State Cybersecurity Regulation
The NYDFS proposed a significant update to their cybersecurity regulation featuring a three-tiered regulation based on an entity’s size, operation, and nature. The proposal emphasizes requirements designed to increase accountability at the C-suite level and controls to prevent initial unauthorized access. Comment period ends January 8, 2023.
New York AG Settled with E-Commerce Giants For $1.9 Million Based on State Breach Law Violations
The New York Attorney General settled with Zoetop, the parent company of e-commerce giants SHEIN and ROMWE, for $1.9 million based on its handling of a 2018 breach. Zoetop allegedly failed to notify affected customers in a timely manner, misrepresented the scale and nature of the breach to customers, and failed to maintain a written breach response plan.
NYDFS Settled with Vision Benefits Company For $4.5 Million Based on State Cybersecurity Regulation
NYDFS settled with EyeMed Vision Care, a vision benefits company, for $4.5 million following an investigation into EyeMed’s data security practices. The settlement cited EyeMed’s alleged failures to conduct periodic risk assessments, implement multi-factor authentication, and maintain adequate access controls as contributing to a 2020 breach involving customers’ nonpublic personal health data.
NYDFS Proposed Rule and Published Guidance on Virtual Currency
NYDFS proposed a rule to assess fees on virtual currency businesses to cover NYDFS regulatory costs, and published guidance for banking organizations that want to engage in virtual currency-related activities, including expectations that they monitor, manage, and mitigate the associated security risks.
New York City Delayed Enforcement of Automated Employment Decision Tool Law
On January 1, 2023, a New York City law takes effect requiring employers using automated employment decision tools to give notice to their applicants and employees. The City recently announced that enforcement will not begin until April 15, 2023, pending rulemaking from its Department of Consumer and Worker Protection.
Attorneys General of 40 States Settled with Experian and T-Mobile For Combined $18.4 Million
The two breach claim settlements require Experian to pay $16 million and T-Mobile to pay $2.4 million, across 40 states. Experian must further satisfy several data security requirements and T-Mobile must strengthen oversight of its vendors, with emphasis on contractual data security requirements.
Attorneys General Asked Apple to Improve Reproductive Data Security
Ten Attorneys General called on Apple to improve security and privacy controls for reproductive health apps. Apple responded that its own Health app meets these criteria but did not address the AGs’ point that non-health data such as location and search histories can also reveal a person’s reproductive decisions.
IAB Multi-State Privacy Agreement Updated for New State Laws
IAB updated its contractual framework to support compliance with new state privacy laws, superseding the IAB Limited Service Provider Agreement. The Multi-State Privacy Agreement, which becomes effective in 2023, is designed to be used in conjunction with the IAB’s U.S. State Signal specifications.
Attorneys General of 40 States Settled with Google for Combined $391 Million
Google settled with 40 state attorneys general for $391 million based on deceptive location tracking claims. You can read more about the historic settlement in our blog post.
Sonic Restaurant Chain Settled Negligence Claim Related to Breach For $5.7 Million
Sonic must pay $5.7 million to a class of financial institutions that reissued cards or reimbursed accounts for Sonic customers whose payment card data was allegedly compromised in a 2017 breach. A class action brought by aggrieved Sonic customers was settled separately.
California State Court Dismissed Potential FCRA Disclosure Class Action
California’s Fifth Appellate District Court held in Limon v. Circle K Stores, Inc. that the plaintiff could not pursue a class action against his employer based on faulty disclosures required under the Fair Credit Reporting Act. The court provided several examples of potential injuries to a plaintiff’s privacy interests and determined that Limon failed to plead any of them.
California Privacy Protection Agency (CPPA) Held Board Meeting
Members of the CPPA Board met in mid-December to discuss progress on proposed regulations. CCPA/CPRA regulations will likely not be finalized before April 2023, and rulemaking for automated decision-making will take place in the new year.
California Passed Three Laws Concerning Social Media and Content Moderation
AB 587 requires social media companies to include in their terms of service (TOS) details of what conduct violates the TOS and how users can report violations, and to submit annual transparency reports on content moderation practices to the state Attorney General, with the first report due January 1, 2024. SB 1056 requires social media platforms with over one million users to declare whether they have a mechanism to report violent posts, make such a mechanism available to both users and non-users, and comply with judicial orders to remove violent posts. AB 1628 requires social media platforms to create and post policies on using the platform to illegally distribute a controlled substance and to link to a reporting mechanism, if one exists. All three laws take effect on January 1, 2023, but AB 1628 is scheduled to sunset in 2028.
California Expanded Scope of Confidentiality of Medical Information Act
California’s amendments to the state health privacy law add medical information collected through online websites, mobile apps, and mental health digital services to the definition of “medical information” and incorporate mental health apps into its scope. Changes take effect January 1, 2023.
Tech Coalition Sued California to Halt Age-Appropriate Design Code
NetChoice, a trade group whose members include Amazon, Meta, Google, TikTok, and others, filed suit against California to block enforcement of the state’s Age-Appropriate Design Code ahead of its 2024 effective date. NetChoice argues the law unconstitutionally deprives tech companies of their right to make editorial decisions, will result in over-moderation, and hinders minors’ access to free, open online resources.
Pennsylvania Expanded Data Breach Notification Law
Pennsylvania’s amendments to the state data breach law add certain medical, health insurance, and online account access data to the definition of “personal information” and create a new method of notice for breaches of data permitting access to online accounts. These changes take effect May 2, 2023.
D.C. Restricted Electronic Communications from Debt Collectors
Effective January 1, 2023, a D.C. law will enshrine previous, temporary protections for consumers from unjust debt collection practices. The law requires debt collectors to obtain a consumer’s consent to make electronic communications, limits what information debt collectors may disclose, and expands the private right of action against violations.
Washington Attorney General Published Annual Data Breach Report
The annual publication focused this year on data privacy and protecting consumer data before breaches occur. The report proposes a slate of legislative reforms to protect data privacy, highlighting the office’s focus on transparency and accessibility.
Remote Proctoring BIPA Suit Dismissed
A lawsuit against DePaul University alleged that its remote proctoring tools captured facial geometry without consent in violation of BIPA. The judge dismissed the case under BIPA’s exemption for entities regulated by the Gramm-Leach-Bliley Act which covers post-secondary schools as financial institutions if they have federally authorized financial aid programs.
Florist Wholesaler Settled BIPA Class Action with Employees
Native Wholesale, a flower and florist wholesaler, settled a class action with its Illinois-based employees for $691,000. Native Wholesale allegedly required employees to clock in and out of work via finger- or hand-scanning over a period of six years without obtaining employee consent to collect their biometrics.
Tinder’s Parent Company Faces BIPA Class Action Based on Faceprint Verification
Tinder and its parent company, Match Group, are facing a BIPA class action based on the app’s verification program, which allegedly derives faceprints from users’ video selfies. The complaint alleges Match Group did not properly notify users about the faceprint collection, did not obtain user consent to do so, and failed to publish a retention schedule for the faceprint data.
Colorado Revised Proposed Privacy Act Regulations
Colorado published an updated revision of its proposed Privacy Act regulations, inviting answers to a list of questions that arose during the first round of public comments. The revisions address many points including missing definitions, data subject rights, and data protection assessment content. The comment period will end January 18, 2023, to be included in the next rulemaking hearing, and February 1, 2023, otherwise.
Four States Positioned to Pass Privacy Legislation in 2023
The November 2022 elections saw Michigan, Minnesota, Massachusetts, and Maryland achieve Democratic control of both state chambers, Democratic governors, and Democratic state Attorneys General. Each of these states has seen a privacy bill proposed, or a government privacy program started, in recent years.
US FEDERAL LAW
SEC Proposed Cybersecurity Rule for Investment Advisers’ Service Providers
The proposed rule would require investment advisers to conduct due diligence on a potential service provider’s cybersecurity preparedness, including a digital platform or cloud service provider’s ability to prevent, detect, and respond to cybersecurity threats. The comment period will end December 25, 2022.
FTC Issued Proposed Order Against Chegg Based on Unreasonable Security Practices
The proposed order alleges that EdTech company Chegg failed to implement commercially reasonable security measures to protect user and employee data, then deceptively stated otherwise in its privacy policy, in violation of the FTC Act. Read more in our blog post.
CFPB Began Rulemaking on Personal Financial Data Rights
The CFPB rulemaking responds to lessening competition between financial firms. The proposed rules would give consumers more options, including enabling consumers to easily transfer their financial information to a new company.
NLRB General Counsel Intends to Protect Unions from Workplace Surveillance
The National Labor Relations Board’s general counsel announced her plan to urge the Board to protect self-organizing rights under a new framework. The framework would reach electronic monitoring practices that have a “tendency” to interfere with employees’ organizing rights.
Supreme Court Denied Cert for Appeal of Driver’s Privacy Protection Act Case
In early October, the Supreme Court denied certiorari in Allen v. Vertafore, an appeal from the Fifth Circuit that arose when Vertafore suffered a security incident exposing Texas driver’s license data. The denial of cert leaves in place the Circuit court’s holding that storage of driver’s license data on an unsecured server was not a per se unlawful “disclosure” of the data under the DPPA.
OCR Published HIPAA Guidance on Online Tracking Information as PHI
The OCR published new guidance explaining how information collected on a HIPAA covered entity's website or mobile app, including user visit information, may be PHI. You can read more about the guidance in our previous blog post.
HHS Proposed New Rules to Align Substance Abuse Confidentiality Rules with HIPAA
HHS’s proposed rules would reduce dual obligations and compliance challenges across HIPAA and Confidentiality of Substance Use Disorder Patient Records rules (“Part 2”). For example, the proposed rules would update HIPAA Privacy Rule Notice of Privacy Practices requirements and permit redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule.
OCR Issued HIPAA Enforcement Action Against Small, Florida-Based Practice
The resolution agreement and corrective action plan detail the covered entity’s failure to timely respond to a proper access request and the OCR’s findings. The covered entity received a $20,000 fine and must revise its policies and training protocols related to HIPAA’s right of access.
OCR Published Guidance Video on Recognized Security Practices
OCR published a video on Recognized Security Practices (RSPs), intended to educate HIPAA-regulated entities on types of RSPs and how entities may demonstrate implementation. The video focuses on the role of RSPs at each step of an OCR audit of Security Rule compliance.
CISA Discouraged Use of SMS and Voice Calls in Multi-Factor Authentication
The national cybersecurity agency published guidance on phishing-resistant multi-factor authentication (MFA) that recommends against using SMS or voice calls as an authentication factor, because one-time codes delivered that way can be captured and relayed by a phishing site or intercepted through SIM swapping. CISA points organizations, including government agencies, toward phishing-resistant methods, namely FIDO/WebAuthn authenticators and PKI-based credentials, with app-based authenticators as an interim improvement and SMS or voice MFA only as a hold-over while a stronger method is implemented.
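The distinction CISA draws is worth seeing in code. The following is an added illustration, not part of the original post or of CISA’s guidance: a toy adversary-in-the-middle relay is run against a shared-secret one-time code (the model behind SMS, voice and authenticator-app codes) and against a challenge-response that is bound to the site origin (the property FIDO/WebAuthn provides). The origins, the device key and the use of HMAC-SHA256 as a stand-in for the asymmetric signature a real security key produces are all assumptions made for the example; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238.

```python
"""Why OTP codes are phishable and origin-bound credentials are not: a toy
adversary-in-the-middle relay run against both. Example code, not from CISA."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.gov"        # hypothetical relying party
PHISH_ORIGIN = "https://login-example.gov.evil"  # hypothetical look-alike site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


def sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator signs the challenge together with the origin the browser is on.
    HMAC-SHA256 stands in for the asymmetric signature a real FIDO key produces."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class OtpServer:
    """Relying party that accepts a shared-secret OTP (same trust model as SMS codes)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, code: str, now: float) -> bool:
        # Nothing in the code records where the user typed it, so a relayed code is valid.
        return hmac.compare_digest(code, totp(self.secret, now))


class OriginBoundServer:
    """Relying party verifying a one-shot challenge bound to its own origin."""

    def __init__(self, origin: str, device_key: bytes):
        self.origin = origin
        self.device_key = device_key      # stand-in for the registered public key
        self.pending = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def login(self, challenge: bytes, tag: bytes) -> bool:
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)   # each challenge is usable once: no replay
        # The server checks against ITS origin, not whatever origin the client saw.
        expected = sign(self.device_key, challenge, self.origin)
        return hmac.compare_digest(tag, expected)


def phish_otp(secret: bytes, now: float) -> bool:
    """Attacker's page collects the OTP the victim types and forwards it to the real site."""
    victim_code = totp(secret, now)              # what the victim reads off phone or app
    return OtpServer(secret).login(victim_code, now)   # accepted: the relay works


def phish_origin_bound(device_key: bytes) -> bool:
    """Attacker fetches a real challenge and relays it to the victim on PHISH_ORIGIN."""
    server = OriginBoundServer(REAL_ORIGIN, device_key)
    challenge = server.challenge()
    tag = sign(device_key, challenge, PHISH_ORIGIN)  # victim's browser signs for the phishing origin
    return server.login(challenge, tag)              # rejected: origin mismatch


def legit_origin_bound(device_key: bytes) -> bool:
    """Control case: the same flow when the user really is on REAL_ORIGIN."""
    server = OriginBoundServer(REAL_ORIGIN, device_key)
    challenge = server.challenge()
    return server.login(challenge, sign(device_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("OTP relayed by phishing site accepted:", phish_otp(key, time.time()))
    print("origin-bound assertion relayed by phishing site accepted:", phish_origin_bound(key))
    print("origin-bound legitimate login accepted:", legit_origin_bound(key))
```

The relay defeats the OTP because the server has no way to tell a code typed into a look-alike page from one typed into its own; it fails against the origin-bound credential because the authenticator signs over the origin the browser is actually on, and the real server verifies against its own origin. A real WebAuthn deployment adds what this toy omits: per-credential asymmetric keys, the authenticator’s own rpId check, and a signature counter.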
NORTH & SOUTH AMERICA
Mexico’s Top Soccer League to Use Identity Verification for Fans
LIGA MX, Mexico’s premier soccer league, will use Incode Technologies’ identity verification technology nationwide for fans attending games across the country. Incode’s automated, AI-based system, aimed at increasing safety and reducing violence at stadiums, is expected to onboard upwards of five million fans and process 50,000 people per game.
Mexico’s Supreme Court Found No Absolute “Right to Be Forgotten”
The Court declared unconstitutional a statute granting an absolute right to be forgotten to deceased persons and obligating public and private institutions to comply with an executor’s request to delete the deceased’s personal data. The binding opinion stated Mexico has no absolute right to be forgotten and found the burden on complying institutions was not justified by the deceased’s benefit.
Brazil’s DPA Published Best Practices on Cookies under National Law
The ANPD’s guidance, currently available only in Portuguese, covers legal obligations, best practices, and unrecommended practices for cookie policies and banners under its General Personal Data Protection Law. The ANPD is accepting ongoing comments on the document.
Canadian Parliament Published Report on Facial Recognition, AI
The Standing Committee on Access to Information, Privacy, and Ethics released a report covering recommendations, use cases, benefits and concerns, accountability, and best practices related to facial recognition and artificial intelligence. Notably, the Committee recommends amending the national Privacy Act and imposing a qualified moratorium on use of facial recognition technology in Canada.
Ontario’s Information Privacy Commissioner Published Ransomware Guidance
The Information Privacy Commissioner of Ontario released a guide on protecting against ransomware. The guidance covers types of ransomware, its impact on consumers and businesses, legal obligations to protect against it, and action items for organizations.
Canadian DPA Called for Greater Privacy in Digital ID Technology
Canada’s DPA and other Canadian privacy regulators issued a resolution outlining privacy considerations in digital ID technology. The resolution warns against specific privacy harms presented by digital ID ecosystems and focuses on security, transparency, and accountability principles.
DAAC Published Updated AdChoices Principles
The DAA of Canada’s new principles officially adopt the term “interest-based advertising,” rather than online behavioral advertising, and incorporate recent privacy laws and other DAAC guidance. The new principles take effect January 1, 2023.
EUROPE & UK
Dutch DPA Discussed Cloud Storage Privacy Risks
In response to the Dutch government’s interest in using commercial cloud services, the AP laid out the general privacy and security risks involved in cloud storage. In particular, the AP highlights the risks of storing personal data in countries outside of Europe and encourages storage with a Europe-based company subject to GDPR.
Dutch Court Ruled Webcam Policy Violated Employee’s Human Rights
A Dutch national employed by a Florida-based company was fired when he refused to keep his webcam on for nine hours per day, per company policy. The Dutch court held the policy violated the employee’s right to respect for private life under the European Convention on Human Rights, and awarded the employee a total of €75,000.
Spanish DPA Launched Data Breach Notification Tool
This free tool will help entities determine if they need to notify the AEPD of a data breach under GDPR. Any information the user provides is deleted after each use, so the AEPD will not see it.
Norway’s Consumer Protection Authority Scrutinized Deceptive Design Practices Online
The Norwegian Consumer Council (NCC) analyzed several companies’ websites and found deceptive design and information practices that manipulated consumer choices. While the analysis is not formal enforcement, it provides insight into the specific design patterns the NCC considers suspect.
Finnish DPA Launched Project on Children’s Data Protection
Finland’s DPA announced “GDPR4CHLDRN,” a project designed to increase data protection understanding in children and parents. The project will also support application of current privacy laws to hobbies, sports, and other leisure activities targeted toward children.
German DPA Found Microsoft 365 Unsuitable for German Schools, Government
A working group within Germany's DPA found Microsoft 365 remains in breach of GDPR following a two-year effort to bring the product into compliance. The report states Microsoft must access unencrypted and non-pseudonymized data to provide some services within the product, making it ineligible for public sector uses in Germany.
EU Digital Services Act Entered into Force
The EU Digital Services Act (DSA) took effect on November 16, 2022, and covers intermediary services offered in the EU, regardless of where the provider is based. “Intermediary services” includes mere conduit services such as VPNs, caching services such as reverse proxies, and hosting services such as cloud computing. The DSA’s regulations cover online dark patterns, advertising transparency, ad profiling of sensitive data and children’s data and other requirements such as obligations to retain ads for inspection and requirements on large online platforms to assess ad systems that manipulate the public and contribute to societal risks.
European Court Barred GDPR Damages for Mere Upset
An Advocate General of the Court of Justice of the European Union (CJEU) issued a non-binding opinion concluding that more than “mere upset” is required to receive damages based on a GDPR violation. The opinion leaves it to each Member State to decide when an injury passes from “mere upset” into something compensable under Article 82.
European Commission Shared Draft EU-U.S. Adequacy Decision
The European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework, concluding that the United States ensures an adequate level of personal data protection. The draft now goes to the European Data Protection Board for an opinion and to a committee of EU Member State representatives for approval.
UK ICO Published Draft Employee Monitoring Guidance
The UK ICO published draft guidance for employers interested in employee monitoring. The draft covers acceptable purposes, methods, notice, biometrics, and other details. The comment period closes January 11, 2023.
UK ICO Fined Construction Company £4.4 Million
Interserve, a construction company based in the UK, received a £4.4 million fine under GDPR for alleged cybersecurity weaknesses that led to a breach of 113,000 employees’ data. The ICO cited Interserve’s use of unsupported operating systems and other technical security failures measured against industry best practices.
UK ICO Warned Companies Against Using Emotion Recognition
The warning covers “gaze tracking, sentiment analysis, facial movements, gait analysis, heartbeats, facial expressions and skin moisture.” More detailed guidance is expected in Spring 2023, but in the meantime the ICO will scrutinize all uses of emotion recognition.
Slovenia Adopted GDPR Into National Law
Slovenia adopted the Personal Data Protection Act as part of its mandate to implement GDPR. The press release calls attention to the special data processing cases of video surveillance in public areas and government infrastructure, such as the country's central population register.
CNIL Sanction Body Recommended €6 Million Fine Against Apple
The €6 million fine is based on a complaint by a French digital issues lobby alleging that iOS 14.6 failed to obtain prior consent from users to collect their personal data, in violation of the EU’s ePrivacy directive. Apple contests the amount as the failure was corrected in subsequent iOS versions.
CNIL Fined Discord €800,000
CNIL’s investigation found the popular VoIP and instant messaging platform violated GDPR through failure to have a written data retention policy, ensure privacy by default, require secure user passwords, and conduct appropriate data protection impact assessments. The investigation emphasized how Discord failed to mitigate the risk of misleading users caused by unique features of its technology.
Italian DPA Bans Facial Recognition, Except for Law Enforcement
The GPDP placed a moratorium on public and private facial recognition using biometric data outside of law enforcement applications until a specific law regulating it is passed or until the end of 2023, whichever comes first. Local governments may be able to receive an exception if they obtain an “urban security pact” with central government representatives.
Italian Supreme Court Finds Jurisdiction to Issue Global Delisting Order
Italy’s highest court held that an Italian court or competent DPA has jurisdiction to issue a global delisting order, which requires a search engine to remove results concerning a specific person. Previous EU decisions held that while EU law itself did not authorize global delisting orders, a national judicial body or DPA was not likewise prohibited.
ASIA-PACIFIC, MIDDLE EAST & AFRICA
New Turkish “Fake News” Law Burdens Tech Companies
Free press advocates argue that a new law in Turkey punishing spreaders of "fake news" online is being enforced as a censorship law. Tech companies may face large fines if they do not comply with the law by removing offending content or providing the Turkish government with user data.
NEW ZEALAND & AUSTRALIA
Australia Passed Tougher Penalties for Serious Privacy Breaches Under Privacy Act
The Australian parliament passed the Privacy Legislation Amendment, which increases the maximum penalty for serious or repeated privacy breaches from $2.2 million to at least $50 million and gives the Office of the Australian Information Commissioner (OAIC) expanded powers to act on and publicly discuss privacy breaches. The law took effect December 13, 2022.
Australian eSafety Commissioner Criticized Tech Companies’ Anti-CSAM Practices
Australia’s eSafety Commissioner published a report finding that big tech companies are not doing enough to combat CSAM online. The report includes descriptions of major tech companies’ inadequate CSAM practices, collected from inquiries the Commissioner made in August.
New Zealand to Explore Biometric Rulemaking
New Zealand’s Privacy Commissioner is considering a code on biometric privacy to be released for feedback in 2023. Input on the August 2022 consultation paper has closed, and the Privacy Commissioner stated whether he will proceed with the rulemaking depends on the next round of stakeholder feedback.
OTHER UPDATES
ISO Updated ISO/IEC 27001
ISO issued an updated version of ISO 27001 to address increasingly sophisticated cybercrime. The new standard promises to increase an organization’s resilience to cyberattacks and modernize the entire organization’s practices, rather than just IT’s.
Apple Introduced New Security Features
Apple announced new security features claiming to protect user data. Like WhatsApp and Signal, Apple will offer Contact Key Verification for a user to further verify who they are communicating with. Users will also be able to rely on hardware-based Security Keys in their MFA process. Lastly, Apple will provide opt-in, end-to-end encryption for iCloud, securing 23 total categories of iCloud data. These features will be available globally as soon as early 2023.
DAA Delays Enforcement of Compliance Warning on Consent
DAA’s compliance warning, which requires that an organization obtain consent for interest-based advertising beyond the user merely using its product or service, was updated to reflect the new April 3, 2023, compliance date. Previously, the warning was to take effect in January 2023.
IAB Published Brand Guidance for Metaverse
IAB published a paper providing brands with a framework for developing a Metaverse advertising strategy. Several companies with Metaverse experience, including Meta itself, contributed.
Cameron Cantrell is an Associate at Hintze Law with expertise in AI privacy and ethics, data security breach law, and biometric and surveillance technologies.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.