Here’s a snapshot of a few privacy developments from the past few weeks. If you missed our last post, you can find it here.
US STATE LAW
CPRA Will Apply to B2B and Employee Data on January 1, 2023
California ended its legislative session without enacting AB 1102, which would have extended the temporary exceptions for B2B and employee data under the California Privacy Rights Act (“CPRA”). Such data will now be in scope for CPRA on January 1, 2023.
California’s Privacy Protection Agency to Hold Hearing
The California Privacy Protection Agency will hold a public hearing on September 23, 2022. The agenda indicates that the Board will discuss an update on the course of action for the current CPRA rulemaking process.
California’s Age Appropriate Design Code Signed Into Law
Governor Newsom signed the California Age Appropriate Design Code (“CAADC”) into law on September 15, 2022. An in-depth analysis on the CAADC can be found on our blog here.
California Bill to Expand Coverage of the Confidentiality of Medical Information Act Passes
AB 2089 passed the California legislature and is awaiting signature. The bill would revise the definition of medical information to include mental health application information (information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as specified, collected by a mental health digital service, as defined) and bring additional providers under the scope of California’s Confidentiality of Medical Information Act.
US FEDERAL
BIPA Lawsuit Filed Against Wal-Mart
A new BIPA class action filed in the Northern District of Illinois alleges that Wal-Mart’s security systems and its use of technology provided by Clearview AI failed to comply with Illinois’s Biometric Information Privacy Act (“BIPA”).
Snap Settles BIPA Class Action
A BIPA lawsuit against Snap, which alleged that Snap’s filter feature collected and stored biometric data without users’ consent in violation of BIPA, was settled. Without admitting wrongdoing, Snap entered into a settlement for $35 million.
Lawsuit Against Maine’s Opt-In Privacy Law Withdrawn
A lawsuit against Maine’s opt-in privacy law, which alleged the rule violated the First Amendment, was withdrawn. Maine’s opt-in privacy law requires internet service providers to obtain opt-in consent before “using, disclosing, selling, or permitting access to customer personal information.”
Investigation Leads to HIPAA Settlement for Improper Disposal of PHI
A $300,640 settlement was reached to resolve an investigation of a dermatology center in Massachusetts. The dermatology center had filed a breach report stating that empty specimen containers with protected health information on the labels were placed in a parking lot garbage bin. The labels contained names, dates of birth, dates of sample collection, and the name of the provider.
Executive Order on Advancing the Bioeconomy
The Biden Administration issued an Executive Order (“EO”) outlining goals for biotechnology and biomanufacturing. Among other things, the EO focuses on investment in foundational scientific capabilities while simultaneously reducing biological risks associated with advances, using biotechnology and biomanufacturing in ways that are ethical and responsible, and engaging private industry and the international community to increase technological cooperation.
It also discusses implementing a biological data ecosystem that advances biotechnology and biomanufacturing innovation, while adhering to principles of security, privacy, and responsible conduct of research.
Flo Rolls Out Anonymous Mode
Flo released an Anonymous Mode setting that allows users to access the app without having to associate personal information like name and email address with health information in the app. The feature has launched for iOS users and will be available on Android in October.
NIST Releases Report on Cyber and Enterprise Risk Management and Oversight
On September 14, NIST released NIST IR 8286C: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. This report marks the completion of the cybersecurity risk management and enterprise risk management integration cycle described in the NIST IR 8286 series.
FCC Mobile Carrier Privacy Probe Response
FCC Chairwoman Rosenworcel published responses from the 15 top U.S. mobile carriers following a request for information about their data retention and data privacy policies and practices.
FTC, CFPB Submit Amicus Brief Over FCRA Duty to Investigate
The brief, filed with the U.S. Court of Appeals for the Third Circuit in Ingram v. Experian, asks the court to overturn a lower court’s decision that could create an exception to the FCRA’s requirement for furnishers of credit information to investigate when a consumer disputes inaccurate information. The brief argues that the holding could undercut a key protection provided by the FCRA that allows consumers to dispute and correct inaccurate information in their credit reports.
New Wiretap Lawsuits Filed
A new class action filed in the Western District of Washington names both Zillow and Microsoft for their use of session replay software, alleging that the use of session replay software violates Washington’s wiretapping law and “constitutes an invasion of the privacy rights of website visitors.” A similar lawsuit was filed in the Central District of California, alleging that GameStop “covertly monitors, records, and creates secret transcripts of all communication through the chat feature on its website” in violation of the California Invasion of Privacy Act.
Third Circuit Remands Tracking Technology Wiretap Case
In Popa v. Harriet Carter Gifts, the plaintiff argued that tracking technology on the defendant’s website violated Pennsylvania’s wiretapping law, but the district court granted summary judgment on the grounds that the defendant was not a party to the communication. The Third Circuit reversed and remanded the case for the district court to determine whether, given that the tracking was disclosed in the defendant’s privacy policy, the plaintiff provided consent, thereby satisfying Pennsylvania’s all-party consent exception.
FTC Holds Forum Related to Its Advance Notice of Proposed Rulemaking
The FTC held a public forum last week on commercial surveillance and data security practices that harm consumers and competition. The forum featured panel discussions and wide-ranging conversation on topics such as discrimination, secondary data uses, and consumer choice and control.
EUROPE & UK
EC Cyber Resilience Act Proposed Rules Published
On September 15, 2022, the European Commission (“EC”) released the draft Cyber Resilience Act (“CRA”), which would impose cybersecurity requirements for “products with digital elements,” defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” Once the CRA enters into force, it allows for a 24-month compliance grace period, with the exception of reporting obligations for security incidents, which will apply 12 months after entry into force.
Norwegian Data Protection Authority Conducts Survey on Employee Monitoring
The Norwegian data protection authority (“Datatilsynet”) conducted a survey on employee monitoring, which may give some insight into enforcement priorities. The report found that more than half of employees have an inadequate view of what information their employers collect, that employers have the opportunity to collect large amounts of information, that some employees see signs that their employer monitors their online activity, and that many tools used to monitor employees are intrusive.
CNIL Imposed Fine of 250,000 Euros
The French Data Protection Authority (“CNIL”) imposed a fine of 250,000 euros against an economic interest group called INFOGREFFE after an investigation was triggered by a complaint. The CNIL found that the organization’s website stated that certain personal information would be kept for 36 months after the last order or service, but that data for 25% of the service’s users was kept beyond that period. It also found that the organization failed to require strong passwords when creating an account and stored passwords and security questions and answers in plain text.
Spanish Data Protection Authority Fines Website 2,000 Euros for Lack of Cookie Banner
The Spanish Data Protection Authority (“AEPD”) published a decision (Spanish language) on September 9, 2022, that a website owned by Preico Jurídicos used cookies but did not provide a cookie banner enabling user choice. A fine of 2,000 euros was imposed.
ASIA-PACIFIC, MIDDLE EAST & AFRICA
China Adopts Provisions of the Internet Pop-Up Information Push Service Regulation
China adopted rules governing pop-ups and push notifications which, among other things, tighten rules on push notifications and prohibit non-licensed entities from pushing news through pop-up windows. The rules also prohibit the use of algorithmic models that encourage users to become addicted or that have a negative impact on the physical and mental health of minors.
China Announces Amendments to Its Cybersecurity Law (“CSL”) and Opens Comment Period
The Cyberspace Administration of China issued draft amendments to its Cybersecurity Law. The amendments, among other things, propose to increase the maximum penalty for violations of the law. The comment period closes on September 29, 2022.
China Released Standards Supporting its Data Security Law
On the first anniversary of the effective date of China’s Data Security Law, the National Information Security Standardization Technical Committee (TC260) and the Secretariat of the Information Security Standards Committee released technical documents, standards, and practice guidelines to support compliance with the Data Security Law.
China Released Final Security Requirements for Data Exports Under PIPL
China released the “Measures for Security Assessment of Data Exports,” which were passed on May 19, 2022, and became effective on September 1, 2022. The rules require certain entities that transfer data outside of China to conduct self-assessments and undergo state-run security assessments.
Turkey Released Draft Guidelines on Handling Genetic Data
The Turkish data protection authority, the Kişisel Verileri Koruma Kurumu, released draft guidelines on the handling of genetic data, noting that genetic data is considered “special personal data” and that its processing requires adherence to specific rules and procedures, particularly given the impact the data may have on the data subject, their relatives, future generations, national security, and the economy.
Singapore Issues Fine for Failing to Protect Personal Data
Singapore announced the issuance of a S$600,000 fine against a local telecommunications provider, MyRepublic, for failing to protect the data of 80,000 customers in connection with a ransomware attack.
South Korea Issues Fines Against Google and Meta
South Korea’s Personal Information Protection Commission issued fines against Google ($50 million) and Meta ($22 million) on the grounds that the companies did not clearly inform users and obtain their consent to collect and use data for targeted advertising.
NEW ZEALAND AND AUSTRALIA
New Zealand’s Privacy Commissioner Closes Its First Compliance Notice
The Office of the Privacy Commissioner announced that it had closed its first compliance notice under the Privacy Act of 2020, which had been issued to the Reserve Bank of New Zealand in 2021 following a data breach in 2020.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.