By Elizabeth Crooks and Deb Gray
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks. If you missed our last post, you can find it here.
US STATE LAW
California Privacy Protection Agency asks for Preliminary Comments
The California Privacy Protection Agency issued an Invitation for Preliminary Comments on Cybersecurity Audits, Risk Assessments, and Automated Decision-Making.
Colorado Privacy Regulations
The third draft of the Colorado Privacy Act’s regulations was released on January 27, 2023. The final comments on the draft were due on February 3, 2023, and will be taken into consideration for the final draft. There was also a hearing on February 1, 2023, where many the comments available here were discussed.
Illinois Supreme Court Rules on Biometric Information Privacy Act (BIPA) Statute of Limitations
The Illinois Supreme Court held in a unanimous opinion that individuals have five (5) years after an alleged violation to bring claims under BIPA.
Illinois Supreme Court Rules BIPA Claims Accrue with Each Scan
The Illinois Supreme Court ruled that BIPA claims accrue each time data is unlawfully collected and disclosed, rather than simply the first time.
Apple BIPA Victory Helps to Illustrate Scope of Law
Apple’s recent victory in a proposed class action suit related to BIPA helps companies better understand the scope of the law. The court found that because Apple allowed customers to voluntarily use optional features like Touch ID and Face ID, stored customer data locally on their own devices, and didn’t collect or store that data on separate servers Apple did not trigger state biometric privacy requirements.
State Governments Banning TikTok on Government-Issued Devices
The Louisiana Secretary of State has banned TikTok on all Department of State-issued devices and commends the Louisiana Governor and Education Superintendent for similarly banning TikTok on devices under their jurisdiction.
The Mississippi governor is banning TikTok from all state-issued government devices and networks by January 31, 2023, to protect critical state infrastructure from the Chinese Communist party. Use of TikTok on state-issued devices is allowed for law enforcement and public safety purposes.
North Carolina Governor Cooper issued an executive order banning use of TikTok and WeChat on state issued or owned devices.
Louisiana Class Action Online Tracking Lawsuits
Class action suits were filed against the two largest hospitals in Louisiana, LCMC Health and Willis-Knighton Health. The lawsuits allege that the hospitals' use of the Meta Pixel "potentially analyzed, gathered and shared the sensitive medical data of hundreds of thousands of patients across" the hospital's networks in violation of HIPAA. Specifically, visitors to their websites may have had their "medical conditions, prescriptions, doctors' names and previous appointments" shared after scheduling appointments online.
Massachusetts Gaming Commission Issued Cybersecurity and Privacy Regulations for Gaming and Sports Wagering
The Massachusetts Gaming Commission has issued emergency regulations that are now effective for gaming licensees and sports wagering operators. Sports wagering operators now have obligations around privacy policy requirements, patron data rights, automated decision-making transparency, and data security. Gaming licensees now have obligations around patron data rights, automated decision-making, and data security.
Michigan Information Privacy Class Action Settlement
The Economist will pay $9.5 million to resolve claims it shared Michigan subscriber information with third parties without consent, in violation of the Michigan’s Preservation of Personal Privacy Act. The MI PPPA prohibits anyone engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings from knowingly disclosing to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business.
NY DCWP Publishes Automated Employment Decision Tools Regulation Draft with Clarified Requirements
On Dec. 23, New York City Dept. of Consumer and Worker Protection (DCWP) published an updated draft of regulations to LL 144 (2021) ("LL 144") intended to clarify the requirements for using automated employment decision tools within New York City. These requirements include notices that must be made available to candidates and employees, when and how a bias audit must be conducted, and requirements for publishing the bias audit results. The DCWP will hold a hearing on the proposed rules at 11AM on Monday, January 23, 2023. In the meantime, LL 144 went into effect on January 1, 2023, but enforcement has been delayed until April 15, 2023.
NY DFS Announces Penalty Against Coinbase for Compliance Program Failures
New York Department of Financial Services (DFS) announced a $50 million penalty against Coinbase, Inc. based on significant failures in the Coinbase compliance program that violated various virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations making the platform vulnerable to serious criminal misconduct by bad actors. In addition to the penalty, the settlement requires Coinbase to invest $50 million in its compliance program.
Plaintiffs Sue Food Chain for Continued Use of Facial Recognition
A regional food chain is being sued in Portland, OR for failure to comply with a municipal code banning the use of facial recognition algorithms in public.
Pennsylvania and Ohio Attorneys General Settle with DNA Diagnostics Center After Breach
PA announced a settlement with DNA Diagnostics Center, a global leading DNA testing company, concerning a May 2021 data breach of customers' social security numbers. The PA and OH AG claimed that DNA Diagnostics Center failed to properly employ reasonable data security measures (including failure to implement an incident response plan after receiving malware reports and failing to inventory assets containing personal information) in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. PA was joined by OH; both investigated alleged state law violations.
Tennessee Property Owners in Tennessee Can Be “Unlisted” in Property Databases
As of January 1, 2023, real-estate property owners in Tennessee can request that their first and last names be listed as "unlisted" in online searchable property databases, per HB2597.
ChatGPT Banned by Seattle Public Schools
Seattle Public Schools bans ChatGPT; district ‘requires original thought and work from students.’ Other schools, universities, and academic conferences have done the same.
US FEDERAL LAW
CFPB Considering Amendments to Regulation V
The CFPB's 2023 regulatory agenda reveals the CFPB is considering amending Regulation V that implements the Fair Credit Reporting Act (FCRA). Potential changes are currently listed as “undetermined.”
Federal Communication Commission (FCC) New Limits on Exempted Calls Under the Telephone Consumer Protection Act (TCPA)
The FCC announced the effective date for the rules for certain calls that are otherwise exempt from TCPA. The new rules will be effective as of July 20, 2023. The rules include call limits and opt-out requirements for artificial or prerecorded voice calls under the exemptions for non-commercial calls to a residence, commercial calls to a residence that do not include an advertisement or constitute telemarketing, tax-exempt nonprofit organization calls to a residence, and HIPAA related calls to a residence.
EEOC Agenda Includes Enforcement Efforts Related to Discrimination Due to Use of AI
The Equal Employment Opportunity Commission (“EEOC”) started 2023 with an announcement that it intends to increase enforcement efforts aimed at discrimination resulting from the use of Artificial Intelligence assisted employment related decision tools. On January 10, 2023, the EEOC published its Draft Strategic Enforcement Plan (“SEP”) in the Federal Register for the fiscal years 2023-2027. For the past decade, the EEOC has issued SEPs to establish “subject matter priorities and strategies to integrate the EEOC’s private, public, and federal sector activities.” For the first time, and at the top of the draft Enforcement Plan’s list for “Eliminating Barriers in Recruitment and Hiring Practices,” is a focus on “the use of automatic systems, including artificial intelligence or machine learning, to target advertisements, recruit applicants, or make or assist in hiring decisions where such systems intentionally exclude or adversely impact protected groups.”
The EEOC held a hearing on January 31st to examine the use of automated systems, including AI, in employment decisions.
Notice in Fed Register: https://www.govinfo.gov/content/pkg/FR-2023-01-10/pdf/2023-00283.pdf
Summary of priorities: https://www.federalregister.gov/documents/2023/01/10/2023-00283/draft-strategic-enforcement-plan
From its summary, the EEOC states that it "can—and will—do more to combat employment discrimination, promote inclusive workplaces, and respond to the national call for racial and economic justice.”
New Civil Penalty Amounts from the FTC
The Federal Trade Commission (FTC) published inflation-adjusted civil penalty amounts, which became effective on January 11, 2023. The maximum civil penalty amount has increased from $46,517 to $50,120 for violations of Section 5 of the FTC Act.
FTC Actions against Drizly Include Obligations for CEO
FTC actions against alcohol-marketplace Drizly and its current CEO restrict not only the company’s current and future data practices, but also include requirements and obligations that will follow CEO Rellas if he moves to another business that meets certain thresholds.
Epic Games FTC Enforcement Action
The FTC has submitted an enforcement action against Epic Games, Inc. for violations of COPPA and the FTC Act.
FTC Takes Action Against Digital Health Platform GoodRx
The FTC issued a proposed order against GoodRx, a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms.
For an in-depth look at this action, see the blog post written by our own Sheila Sokolowski, Kate Black, and Mason Fitch.
HHS Office of Civil Rights (OCR) Settles HIPAA Investigation with Arizona Hospital System
Banner Health paid $1.25 million to settle cybersecurity breach that affected nearly 3 million people. OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.
Life Hope Labs Settles with OCR
The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced a settlement with diagnostic laboratory, Life Hope Labs, related to a potential violation of the HIPAA Right of Access Initiative. Life Hope Labs will implement a corrective action plan, in addition to paying $16,500.
NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices
NIST announced a group of cryptographic algorithms called Ascon will be published as NIST’s lightweight cryptography standard later in 2023, and are designed to protection information created and transmitted by Internet of Things (IoT) devices.
NIST Preparing to Draft CSF 2.0
NIST (National Institute of Standards and Technology) published a concept paper on the current Cybersecurity Framework (CSF) prior to beginning a draft of CSF 2.0.
Cybersecurity Risk Governance Rulemaking on SEC Agenda for 2023
The Securities and Exchange Commission (SEC) updated its Reg Flex agenda, SEC’s rulemaking agenda for 2023. The agenda includes rulemaking on cybersecurity risk governance for public companies and funds and investment advisors.
SEC Division of Examinations Announces 2023 Priorities
SEC Division of Examinations announced their 2023 priorities, which includes review of information security practices in general, cybersecurity issues associated with the use of third-party vendors, and usage of crypto-asset and other emerging financial technologies.
White House Executive Order Regarding Algorithmic Discrimination
The White House issued an Executive Order on racial equity, instructing federal agencies to affirmatively address emerging civil rights risks, and to “prevent and remedy discrimination, including by protecting the public from algorithmic discrimination.”
Explosion of Federal Wiretap Act Litigation
TikTok is facing nearly a dozen proposed class actions alleging that the in-app browser illegally tracks users’ clicks and keystrokes in violation of a federal wiretap law. Other companies facing similar actions are Ring, Carnival, and Home Depot.
CANADA
Home Depot eReceipt Sharing with Meta
The Office of the Privacy Commissioner (OPC) announced the results of its investigation, and the agreed remedial measures Home Depot will take, about Home Depot's sharing of in-store e-receipts with Facebook for its Offline Conversion Program: Though the customer email address was "encoded" and not readable in plain text, Meta was able to match it to individual email addresses it had. The OPC found that this required consent of customers, and the "implied" consent approach with Home Depot's privacy policy was insufficient (it said in relevant part that it uses "de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.").
PIA Tips from Canadian OPC
The Office of the Privacy Commissioner (OPC) released 5 tips based on its investigations for improving privacy impact assessment (PIA) processes.
Amendments to British Columbia Freedom of Information and Protection of Privacy Act
The Office of the Information & Privacy Commissioner for British Columbia released new requirements for mandatory breach reporting and privacy program management that are now in effect for public bodies.
Quebec Health Privacy
The Quebec data protection authority presented detailed recommendations for proposed legislative updates to better protect health and social services data.
EUROPE & UK
CJEU Judgment on Search Engine Information Removal
A recent judgment from the Court of Justice of the European Union (CJEU) says that a search engine must remove information about data subjects from search results if "manifestly inaccurate.” The burden is on the data subject to produce evidence of same, but search engine must review.
DORA Regulation Introduces Rules for Financial Entities
DORA - Digital Operations Resilience Act (a Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022), is designed to strengthen the financial sector’s resilience to IT-related incidents and introduces prescriptive requirements that are intended to be homogenous across the EU. A wide range of entities are in scope, including banks, credit and investment firms, trading venues and repositories, and credit ratings agencies and electronic money institutions. The Regulation introduces common targeted rules for financial entities on Information and Communication Technology (ICT) risk management, incident reporting, digital operational resilience testing, information sharing and ICT third-party risk monitoring.
Draft Motion for Resolution on EU-US Data Privacy Framework
On February 14, 2023, the European Parliament issued a draft motion for resolution urging the European Commission not to adopt the proposed Framework. Citing several reasons, including that there is no federal privacy law in the U.S., there are no limits to U.S. intelligence activities, and there are insufficient remedies for “commercial matters,” the Framework “fails to create actual equivalence in the level of protection.” The European Parliament further “calls on the Commission to continue negotiations with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU.”
For more information on the process in adopting the Framework, see the European Commission’s FAQs.
NIS2 Directive Broadens Scope of Previous Directive
NIS2 replaces the previous iteration of the Network and Information Systems (NIS) Directive, which took effect in May 2018 but has largely been overshadowed by the GDPR for businesses, individuals, and regulators. NIS2 requires that entities abide by rules of the member state where the cybersecurity risk-management decisions are made by the entity. NIS2 broadens scope of the previous Directive, including by applying to a wider range of “critical entity” organizations, such as a broader range of entities in the life sciences, medical devices, and healthcare space, tightens incident reporting obligations, and requires in-scope entities to flow down security obligations to their supply chains.
Belgian DPA Approves IAB Europe’s Compliance Action Plan
Following the February 2022 Belgian DPA ruling against the IAB Europe's Transparency and Consent Framework for not having a lawful basis for processing individual data in connection with real time bidding activities, the Belgian DPA has approved IAB Europe's proposed action plan to bring the personal data processing into compliance with the GDPR. IAB Europe has six months to implement the proposed measure (which are not detailed).
Czech Republic Investigation Priorities
The Czech Republic’s DPA announced its plans for investigation priorities in 2023. The DPA notes it will focus “on the processing of personal data in attendance systems, when using social networks, in large-scale camera systems and on large processors or bailiffs.” (translated on page from Czech to English). It will also focus on telecommunications companies and their compliance with applicable obligations including whether they meet transparency requirements.
Croatia Imposes Fines Related to Inadequate Notice for Video Surveillance
Croatia’s data protection authority (AZOP) imposed ten administrative fines, focusing on video surveillance by data controllers in the gambling and betting, and hospitality and trade industries. The violations were around failures to post adequate notice of surveillance.
Data Protection Ombudsman of Finland Fines Collection Agency
Finland’s Office of the Data Protection Ombudsman imposed an administrative fine on collection agency, Alektum Oy, related to the right of access.
Finland’s Deputy Data Protection Commissioner Issues Warning to Cities
The Finnish Deputy Data Protection Commissioner issued a notice to the cities of Helsinki, Espoo, Vantaa, and Kauniainen regarding the processing of personal data in violation of data protection legislation. The notice was issued regarding the website of the capital region’s libraries, which were using cookies and other tracking technologies. The personal data collected on the website was transferred to the United States without adequate additional protection measures. Website registrants were also not properly informed about the data transfers.
CNIL Fines Game Publisher Related to Use of Advertising Identifiers
France’s data protection authority (CNIL) has imposed an administrative fine of 3 million euros on game publisher VOODOO for a breach of the French Data Protection Act related to use of mobile advertising identifiers without user consent.
German Constitutional Court Strikes Down Predictive Policing Algorithms
The German Constitutional Court delivered a groundbreaking decision: legal acts authorizing the use of predictive algorithms for policing are unconstitutional because they breach the right to informational self-determination.
EDPB Releases Irish DPC Decisions Against Meta
Irish Data Protection Commission (DPC) announced that Meta would be fined roughly $414 million USD for breaches of the GDPR. A week later, the European Data Protection Board (EDPB) released the DPC’s final binding decisions, one related to Facebook and one related to Instagram.
Meta cannot rely on “performance of a contract” as a legal basis to process personal data for behavioral advertising, as behavioral advertising is not a core element of the services.
Breach of Transparency Requirements.
Abstract lists of personal data, processing purposes, and legal bases are out. Clear linkage from personal data→ processing operations → purposes → legal basis is in.
“Layered” notices are still OK, but not if the layers are repetitive, generalized, circular, or disjointed.
Using open-ended language like “such as” or “things like” to describe processing is out.
Italy Issues Order to Replika to Stop Processing Personal Data of Italian Residents
Italy’s data protection authority ordered the app, Replika, to immediately stop all processing of the personal data of Italian residents following news articles about the app’s activities. Replika, which is marketed as a “virtual friend,” was reportedly engaging in sexually inappropriate activity that could be dangerous to minors and emotionally vulnerable individuals. The DPA was particularly concerned that the app does not age gate its users and noted several alleged GDPR violations. Failure to adhere to the order could result in fines and criminal punishment.
Italian DPA Fines Lazio Region for Non-Compliant Employee Monitoring Activities
In December, the Italian Data Protection Authority (DPA), Garante, imposed a fine of €100,000 on the Lazio Region claiming that its employee monitoring activities violated several sections of GDPR. The Lazio Region was allegedly used a third-party technology to collect metadata related to staff on duty at the offices of a regional lawyer. Among the data claimed to be collected was metadata related to the times, recipients, and subject of the email communications and size of the attachments. The Garante found that that the metadata was also collected relating to private email communications. Among the reported violations, the Garante noted that it did not receive evidence that employees were provided adequate notice of the monitoring activities required under Article 13, failure to conduct a DPIA. In addition to the fine, the Lazio Region had to cease processing metadata that it collected relating to the employees’ emails and delete the allegedly unlawfully collected data. In a separate action, the Garante also fined Amazon Italy €20,000 in January 2023 for claimed failure to properly respond to a former employee's data access request.
Clubhouse Fined by Italian DPA
Italian data protection authority, Garante, fined Clubhouse €2M alleging the app gave users the ability to store and share audio without others’ consent, that it profiled and shared account information without identifying a proper legal basis, and that it had indefinite retention periods of the recordings made by the social network. They ordered the app to give notice before entering a chat room that the chat might be recorded, and to introduce a mechanism to inform those who are not yet users of what will be done with their personal data. The company will also need to update its privacy notice, including specifying what the data retention periods are.
Safe City Malta Project Ended Due to Privacy Concerns
The Maltese government has ended the Safe City Malta project, which included a controversial facial-recognition system, due to privacy concerns.
Dutch DPA Fines Police for COVID Compliance Camera Use
The Dutch DPA has imposed a fine of €50,000 on the police for using cameras on cars in Rotterdam to monitor compliance with coronavirus measures without first assessing the privacy risks. The DPA found that there was both a failure to assess risks properly beforehand, and the collection of images was disproportionate and unnecessary.
Dutch DPA Advises that Central Passport Database Plans be Withdrawn
The Dutch DPA said that a proposal to create a central database containing passport application information (including fingerprints, signatures, and passport photos) “entails major privacy risks.” The DPA recommended that the proposal be “thoroughly amended or otherwise withdrawn.”
Dutch DPA to Monitor Algorithms that Process Personal Data
The Netherlands’ Minister for Digitalization announced that the Dutch Data Protection Authority (DPA) will monitor algorithms that process personal data, for transparency, discrimination, and arbitrariness. This will include identifying and analyzing the risks of these algorithms.
Dutch Hacker Obtains Personal Data of Austrian Citizens
The national police of Austria announced that a 25-year-old Dutch hacker, arrested in November, had obtained the full name, address, and birthdate of almost 9 million Austrian residents. (Austria's population is about 9.1 million.) This information is "registration data," basic information that residents must provide to authorities. While the data was offered for sale in 2020, authorities delayed this announcement so the investigation wouldn't be compromised.
Norway’s Datatilsynet Publishes AI Notice Report
Norway’s data protection authority (DPA), Datatilsynet, published a report intended to help organizations provide notice to users about the use of artificial intelligence (AI).
Norway’s DPA Announces Supervisory Activities in Spring 2023
Norway’s Datatilsynet announced that a number of inspections in both the public and private sectors will be carried out in the spring of 2023 to check general fulfillment of privacy principles, privacy by design standards, establishment of data protection representatives, data subject right fulfillment, and processing responsibilities. There will also be supervision of solutions and systems that use algorithms or artificial intelligence, and a particular focus on the processing responsibility of those who manage the personal data of children and young people.
Spanish AEPD Discusses Brain-Computer Interfaces and Neurodata
A blog post published by the Spanish data protection authority (AEPD) discusses brain-computer interfaces and the brain activity data recorded by such interfaces. The neurological data (neurodata) collected by these interfaces are considered personal data under the GDPR.
NEW ZEALAND & AUSTRALIA
Attorney General Releases Review of Australian Privacy Laws
Australia is updating its privacy laws, and the attorney general has committed to a range of modernizations that could include the right to be forgotten and a right to sue for privacy breaches. The Australian Attorney General released the review of the Privacy Act, with more than 100 recommendations for proposed reforms, including new limits of targeted advertising, implementing individual privacy rights, an abolishment of the small business exception, and enhancing enforcement abilities of the OAIC.
New Zealand Privacy Commissioner Reports Increase in Data Breaches
The Privacy Commissioner of New Zealand reports a significant increase in data breaches (financial year over year). The industries with the most serious breaches are Health Care & Social Assistance, Public Administration & Safety, Services, Education & Training, Finance & Insurance.
OTHER UPDATES
Digital Advertising Alliance (DAA) Releases Tech Specifications for AdChoices Program
The DAA has released tech specifications that allow brands and publishers participating in the AdChoices program to integrate the AdChoices icon with third party consent management platforms that they use (like TrustArc and CrownPeak).
Privacy by Design Standard Being Adopted by ISO
On February 8, 2023, the International Organization for Standardization (ISO) adopted Privacy by Design (ISO 31700).
Public Interest Privacy Center Focuses on Student Data Collection
The non-profit Public Interest Privacy Center can help school district leaders respond to data privacy questions from students and parents, consider the privacy impacts of new technologies, and understand proposed and enacted privacy legislation that will have an impact on schools and students.
Buying Mental Health Data on People from Data Brokers is Surprisingly Easy
A Duke University report found 11 data brokers agreed to sell information that identified people by issues, including depression, anxiety and bipolar disorder, and often sorted them by demographic information. US STATE LAW
Elizabeth Crooks is Senior Privacy Analyst at Hintze. Elizabeth has a Masters of Science in Information Management and guides global companies on privacy, cybersecurity, and data protection matters.
Deb Gray is a Senior Privacy Analyst at Hintze, with over two decades of wide-ranging experience in privacy and data protection matters, including in-house experience at Nordstrom and HP.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.