FCC Updated Data Breach Notification Rules Go into Effect Despite Challenges

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

The Rules went into effect despite challenges brought in the United States Court of Appeals for the Sixth Circuit. Two trade groups, the Ohio Telecom Association and the Texas Association of Business, petitioned the United States Court of Appeals for the Sixth Circuit and Fifth Circuit, respectively, to vacate the FCC’s Order modifying the Rules. The Order was published in the Federal Register on February 12, 2024, and the petitions were filed shortly thereafter. The challenges, which the United States Panel on Multidistrict Litigation consolidated to the Sixth Circuit, argue that the Rules exceed the FCC’s authority and are arbitrary and capricious. The Order addresses the argument that the Rules are “substantially the same” as breach rules nullified by Congress in 2017. The challenges, however, have not progressed since the Rules went into effect.

Read our previous blog post to learn more about the Rules.

Listen to this post

U.S. House of Representatives Passes Bill to Ban TikTok Unless Divested from ByteDance

Yesterday, with broad bipartisan support, the U.S. House of Representatives voted overwhelmingly (352-65) to support the Protecting Americans from Foreign Adversary Controlled Applications Act, designed to begin the process of banning TikTok’s use in the United States. This is music to my ears. See a previous blog post on this subject.

The Act would penalize app stores and web hosting services that host TikTok while it is owned by Chinese-based ByteDance. However, if the app is divested from ByteDance, the Act will allow use of TikTok in the U.S.

National security experts have warned legislators and the public about downloading and using TikTok as a national security threat. This threat manifests because the owner of ByteDance is required by Chinese law to share users’ data with the Chinese Communist government. When downloading the app, TikTok obtains access to users’ microphones, cameras, and location services, which is essentially spyware on over 170 million Americans’ every move, (dance or not).

Lawmakers are concerned about the detailed sharing of Americans’ data with one of its top adversaries and the ability of TikTok’s algorithms to influence and launch disinformation campaigns against the American people. The Act will make its way through the Senate, and if passed, President Biden has indicated that he will sign it. This is a big win for privacy and national security.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.
by: Linn F. Freedman of Robinson & Cole LLP

For more news on Social Media Legislation, visit the NLR Communications, Media & Internet section.

CNN, BREAKING NEWS: CNN Targeted In Massive CIPA Case Involving A NEW Theory Under Section 638.51!

CNN is now facing a massive CIPA class action for violating CIPA Section 638.51 by allegedly installing “Trackers” on its website. In  Lesh v. Cable News Network, Inc, filed in the Superior Court of the State of California by Bursor & Fisher, plaintiff accuses the multinational news network of installing 3 tracking software to invade users’ privacy and track their browsing habits in violation of Section 638.51.

More on that in a bit…

As CIPAworld readers know, we predicted the 2023 privacy litigation trends for you.

We warned you of the risky CIPA Chat Box cases.

We broke the news on the evolution of CIPA Web Session recording cases.

We notified you of major CIPA class action lawsuits against some of the world’s largest brands facing millions of dollars in potential exposure.

Now – we are reporting on a lesser-known facet of CIPA – but one that might be even more dangerous for companies using new Internet technologies.

This new focus for plaintiff’s attorneys appears to rely on the theory that website analytic tools are “pen register” or “trap and trace” devices under CIPA §638.51. These allegations also come with a massive $5,000 per violation penalty.

First, let’s delve into the background.

The Evolution of California Invasion of Privacy Act:

We know the California Invasion of Privacy Act is this weird little statute that was enacted decades ago and was designed to prevent ease dropping and wiretapping because — of course back then law enforcements were listening into folks phone calls to find the communist.

638.51 in particular was originally enacted back in the 80s and traditionally, “pen-traps” were employed by law enforcement to record outgoing and/or incoming telephone numbers from a telephone line.

The last two years, plaintiffs have been using these decades-old statues against companies claiming that the use of internet technologies such as website chat boxes, web session recording tools, java scripts, pixels, cookies and other newfangled technologies constitute “wire tapping” or “eavesdropping” on website users.

And California courts who love to take old statutes and apply it to these new technologies – have basically said internet communications are protected from being ease dropped on.

Now California courts will have to address whether these new fangled technologies are also “pen-trap” “devices or processes” under 638.51. These new 638.51 cases involve technologies such as cookies, web beacons, java scripts, and pixels to obtain information about users and their devices as they browse websites and or mobile applications. The users are then analyzed by the website operator or a third party vendor to gather relevant information users’ online activities.

Section 638.51:

Section 638.51 prohibits the usage or installation of “pen registers” – a device or process that records or decodes dialing, routing, addressing, or signaling information (commonly known as DRAS) and “trap and trace” (pen-traps) – devices or processes traditionally used by law enforcement that allow one to record all numbers dialed on outgoing calls or numbers identifying incoming calls — without first obtaining a court order.

Unlike CIPA’s 631, which prohibits wiretapping — the real-time interception of the content of the communications without consent, CIPA 638.51 prohibits the collection of DRAS.

638.51 has limited exceptions including where a service provider’s customer consents to the device’s use or to protect the rights of a service provider’s property.

Breaking Down the Terminology:

The term “pen register” means a device or process that records or decodes DRAs “transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” §638.50(b).

The term “trap and trace” focuses on incoming, rather than outgoing numbers, and means a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” §638.50(c).

Lesh v. Cable News Network, Inc “CNN” and its precedent:

This new wave of CIPA litigation stems from a single recent decision, Greenley v. Kochava, where the CA court –allowed a “pen register” claim to move pass the motion to dismiss stage. In Kochava, plaintiff challenged the use of these new internet technologies and asserting that the defendant data broker’s software was able to collect a variety of data such as geolocation, search terms, purchase decisions, and spending habits. Applying the plain meaning to the word “process” the Kochava court concluded that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.”

The Kochava court noted that no other court had interpreted Section 638.51, and while pen registers were traditionally physical machines used by law enforcement to record outbound call from a telephone, “[t]oday pen registers take the form of software.” Accordingly the court held that the plaintiff adequately alleged that the software could collect DRAs and was a “pen register.”

Kochava paved the wave for 638.51 litigation – with hundreds of complaints filed since. The majority of these cases are being filed in Los Angeles Country Superior Court by the Pacific Trial Attorneys in Newport Beach.

In  Lesh v. Cable News Network, Inc, plaintiff accuses the multinational news network of installing 3 tracking software to invade users’ privacy and track their browsing habits in violation of CIPA Section 638.51(a) which proscribes any “person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order.”

Plaintiff alleges CNN uses three “Trackers” (PubMatic, Magnite, and Aniview), on its website which constitute “pen registers.” The complaint alleges to make CNN’s website load on a user’s browser, the browser sends “HTTP request” or “GET” request to CNN’s servers where the data is stored. In response to the request, CNN’s service sends an “HTTP response” back to the browser with a set of instructions how to properly display the website – i.e. what images to load, what text should appear, or what music should play.

These instructions cause the Trackers to be installed on a user’s browsers which then cause the browser to send identifying information – including users’ IP addresses to the Trackers to analyze data, create and analyze the performance of marketing campaigns, and target specific users for advertisements. Accordingly the Trackers are “pen registers” – so the complaint alleges.

On this basis, the Plaintiff is asking the court for an order to certify the class, and statutory damages in addition to attorney fees. The alleged class is as follows:

“Pursuant to Cal. Code Civ. Proc. § 382, Plaintiff seeks to represent a class defined as all California residents who accessed the Website in California and had their IP address collected by the Trackers (the “Class”).

The following people are excluded from the Class: (i) any Judge presiding over this action and members of her or her family; (ii) Defendant, Defendant’s subsidiaries, parents, successors, predecessors, and any entity in which Defendant or their parents have a controlling interest (including current and former employees, officers, or directors); (iii) persons who properly execute and file a timely request for exclusion from the Class; (iv) persons whose claims in this matter have been finally adjudicated on the merits or otherwise released; (v) Plaintiff’s counsel and Defendant’s counsel; and (vi) the legal representatives, successors, and assigns of any such excluded persons.”

Under this expansive definition of “pen-register,” plaintiffs are alleging that almost any device that can track a user’s web session activity falls within the definition of a pen-register.

We’ll keep an eye out on this one – but until more helpful case law develops, the Kochava decision will keep open the floodgate of these new CIPA suits. Companies should keep in mind that unlike the other CIPA cases under Section 631 and 632.7, 638.51 allows for a cause of action even where no “contents” are being “recorded” – making 638.51 easier to allege.

Additionally, companies should be mindful of CIPA’s consent exceptions and ensure they are obtaining consent to any technologies that may trigger CIPA.

FTC Launches New Office of Technology

On February 17, 2023, the Federal Trade Commission announced the launch of their new Office of Technology. The Office of Technology will assist the FTC by strengthening and supporting law enforcement investigations and actions, advising and engaging with staff and the Commission on policy and research initiatives, and engaging with the public and relevant experts to identify market trends, emerging technologies and best practices. The Office will have dedicated staff and resources and be headed by Chief Technology Officer Stephanie T. Nguyen.

Article By Hunton Andrews Kurth’s Privacy and Cybersecurity Practice Group

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.

SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?

Happy CIPA and Super Bowl Sunday TCPA World!

So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.

The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zoning in to CIPA with the Javier ruling.

If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’ Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).

Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.

To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.

To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.

But Plaintiff currently proceeds in an individual action but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.

Now back to Civil Rights.

According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?

Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”

Because Wiretapping and civil rights are similar right??

Disgusted.

The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.

Do better.

CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?

Stay safe out there TCPA World!

Til next time Countess!! back to the game, GO EAGLES!!! #Phillyproud

© 2023 Troutman Firm

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption –  this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

Click here to read more legislative news on the National Law Review website.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises of five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminative results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3.  The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

For more Technology Legal News, click here to visit the National Law Review.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

It’s Time To Review Your Online Patient-User Interface: DOJ Issues New Federal Guidance on Telemedicine and Civil Rights Protections

As online digital health services continue to enjoy broader use and appeal, federal regulators are concerned some telemedicine online patient-user interfaces fail to accommodate persons with disabilities and limited English proficiency. Such failures in “product design” can violate federal civil rights laws and the Americans with Disabilities Act (ADA), according to new policy guidance jointly issued by the U.S. Department of Health and Human Services (HHS) and Department of Justice (DOJ).

The document, Nondiscrimination in Telehealth, is specifically directed to companies offering telemedicine services and instructs such covered entities to immediately take specific steps to comply with the various “accessibility duties” under federal civil rights laws. The guidance focuses on ensuring accessibility for two populations of users: 1) people with disabilities and 2) people with Limited English Proficiency (LEP).

Who is Subject to these Rules?

The guidance refers to “covered entities” subject to these rules. Under the rules, “covered entities” are any health programs and activities receiving federal financial assistance (in addition to programs and activities administered by either a federal executive agency or an entity created by Title I of the Affordable Care Act). While the guidance does not define what constitutes “receiving federal financial assistance”, HHS has historically held that providers who receive federal dollars solely under traditional Medicare Part B were not covered entities. However, a recently-proposed rule suggests HHS will significantly expand the scope of covered entities, and soon. Telemedicine providers should be prepared to comply with these federal laws.

People with Disabilities

The guidance explains that no person with a disability shall – because of the disability – be excluded from participation in or be denied the benefits of the services, programs, or activities of a covered entity, or otherwise be subjected to discrimination by a covered entity. The requirements in the guidance is supported by several federal laws, including the Americans With Disabilities Act, the Affordable Care Act Section 1557, and the Rehabilitation Act Section 504.

Applying these federal civil rights protections to telemedicine services, the guidance states companies must make reasonable changes to their policies, practices, or procedures in order to provide “additional support to patients when needed before, during, and after a virtual visit.”

DOJ and HHS provided the following as examples of such “additional support” obligations:

  • A dermatology practice that typically limits telehealth appointments to 30 minutes may need to schedule a longer appointment for a patient who needs additional time to communicate because of their disability.

  • A doctor’s office that does not allow anyone but the patient to attend telehealth appointments would have to make reasonable changes to that policy to allow a person with a disability to bring a support person and/or family member to the appointment where needed to meaningfully access the health care appointment.

  • A mental health provider who uses telehealth to provide remote counseling to individuals may need to ensure that the telehealth platform it uses can support effective real-time captioning for a patient who is hard of hearing. The provider may not require patients to bring their own real-time captioner.

  • A sports medicine practice that uses videos to show patients how to do physical therapy exercises may need to make sure that the videos have audio descriptions for patients with visual disabilities.

People with LEP

The second area of the guidance is protections for LEP individuals under Title VI of the Civil Rights Act of 1964 (Title VI). Under Title VI, no person shall be discriminated against or excluded from participation in or be denied the benefits of services, programs, or activities receiving federal financial assistance on the basis of race, color, or national origin.

For telemedicine services, the guidance states that the prohibition against national origin discrimination extends to LEP persons. Namely, telemedicine companies must take reasonable steps to ensure meaningful access for LEP persons. Such “meaningful access” includes providing information about the availability of telehealth services, the process for scheduling telehealth appointments, and the appointment itself. In many instances, HHS states, language assistance services are necessary to provide meaningful access and comply with federal law.

These language assistance services can include such measures as oral language assistance performed by a qualified interpreter; in-language communication with a bilingual employee; or written translation of documents performed by a qualified translator

DOJ and HHS provided the following as examples of such “meaningful access” obligations:

  • In emails to patients or social media postings about the opportunity to schedule telehealth appointments, a federally assisted health care provider includes a short non-English statement that explains to LEP persons how to obtain, in a language they understand, the information contained in the email or social media posting.

  • An OBGYN who receives federal financial assistance and legally provides reproductive health services, using telehealth to provide remote appointments to patients, provides a qualified language interpreter for an LEP patient. The provider makes sure that their telehealth platform allows the interpreter to join the session. Due to issues of confidentiality and potential conflicts of interest (such as in matters involving domestic violence) providers should avoid relying on patients to bring their own interpreter.

What if Making These Changes is Expensive?

While not directly addressed in the guidance, the cost for implementing accessibility measures generally falls on the company itself. Federal ADA regulations prohibit charging patients extra for the cost of providing American Sign Language (ASL) interpreters or similar accommodations. In fact, a covered entity may be required to provide an ASL interpreter even if the cost of the interpreter is greater than the fee received for the telemedicine service itself. With respect to LEP interpreters, HHS issued separate guidance stating it is not sufficient to use “low-quality video remote interpreting services” or “rely on unqualified staff” as translators.

However, companies are not required to offer an aid or service that results in either an undue burden on the company or requires a fundamental alteration in the nature of the services offered by the company. This is an important counterbalance in the law. Yet, the threshold for what constitutes an “undue burden” on a company or a “fundamental alteration” to the nature of the services is not bright line and requires a fact-specific assessment under the legal requirements.

Conclusion

Telemedicine companies subject to the guidance should heed the government’s warning and look inward on patient-facing elements. The first step is to simply have the website and app platform reviewed (most particularly the patient online user interface) by a qualified third party to determine if its design and features are sufficiently accessible for people with disabilities, as well as LEP persons. That time is also a prudent opportunity to review the user interface to confirm it complies with state telemedicine practice standards, e-commerce rules, electronic signatures or click-sign laws, and privacy/security requirements. Because these laws have undergone rapid and extensive changes during the Public Health Emergency, it is recommended to conduct these assessments on a periodic/annual basis.

If a company believes the expense of making these product design changes to ensure accessibility would be prohibitively expensive, it should check with experienced advisors to determine if the changes would constitute an “undue burden” or “fundamental alteration.” Otherwise, federal guidance is clear that refusing to make reasonable changes can be a violation of federal civil rights laws.

© 2022 Foley & Lardner LLP

FTC Commercial Surveillance and Data Security Forum Highlights Industry and Consumer Perspectives

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Remarks from Chair Khan and Commissioners Slaughter and Bedoya focused on the need for public participation in the rulemaking process and the FTC’s role in privacy regulation in the absence of comprehensive federal legislation. Commissioner Slaughter noted that, until such federal legislation is passed, the FTC will continue to use its Section 5 authority to regulate unfair and deceptive practices related to privacy and data security.

The industry panel was moderated by FTC Senior Advisor Olivier Sylvain and focused in part on how the FTC should structure a potential rule. Multiple industry panelists emphasized the need for rules that limit out-of-context data use or tracking, while still allowing in-context use to as consumers expect. Industry panelists also highlighted the need for heightened rules for “dominant” industry players and financial penalties for bad behaviors.

The consumer advocate panel focused on issues surrounding meaningful consumer consent and the negative effects of commercial surveillance on consumers, such as one-click background checks and demographic-tailored advertising that disproportionately affects minority groups in negative ways. Similar to the industry panel, consumer advocate panelists also highlighted out-of-context data use and dominant industry actors as some of the major issues the FTC should address in its rulemaking.  The FTC will receive public comments on the ANPR until October 21, 2022.

For more antitrust and FTC legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

What’s in the American Data Privacy and Protection Act?

Congress is considering omnibus privacy legislation, and it reportedly has bipartisan support. If passed, this would be a massive shake-up for American consumer privacy, which has been left to the states up to this point. So, how does the American Data Privacy and Protection Act (ADPPA) stack up against existing privacy legislation such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act?

The ADPPA includes a much broader definition of sensitive data than we’ve seen in state-level laws. Some notable inclusions are income level, voicemails and text messages, calendar information, data relating to a known child under the age of 17, and depictions of an individual’s “undergarment-clad” private area. These enumerated categories go much further than recent state laws, which tend to focus on health and demographic information. One asterisk though – unlike other state laws, the ADPPA only considers sexual orientation information to be sensitive when it is “inconsistent with the individual’s reasonable expectation” of disclosure. It’s unclear at this point, for example, if a member of the LGBTQ+ community who is out to friends would have a “reasonable expectation” not to be outed to their employer.

Like the European Union’s General Data Protection Regulation, the ADPPA includes a duty of data minimization on covered entities (the ADPPA borrows the term “covered entity” from HIPAA). There is a laundry list of exceptions to this rule, including one for using data collected prior to passage “to conduct internal research.” Companies used to kitchen-sink analytics practices may appreciate this savings clause as they adjust to making do with less access to consumer data.

Another innovation is a tiered applicability, in which all commercial entities are “covered entities,” but “large data holders” – those making over $250,000,000 gross revenue and that process either 5,000,000 individuals’ data or 200,000 individuals’ sensitive data – are subject to additional requirements and limitations, while “small businesses” enjoy additional exemptions. Until now, state consumer privacy laws have made applicability an all-or-nothing proposition. All covered entities, though, would be required to comply with browser opt-out signals, following a trend started by the California Privacy Protection Agency’s recent draft regulations. Additionally, individuals have a private right of action against covered entities to seek monetary and injunctive relief.

Finally, and controversially, the ADPPA explicitly preempts all state privacy laws. It makes sense – the globalized nature of the internet means that any less-stringent state law would become the exception that kills the rule. Still, companies that only recently finalized CCPA- and CPRA-compliance programs won’t appreciate being sent back to the drawing board.

Read the bill for yourself here.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.