Category: Communication Media & Internet

Top Legal News of 2022: A Review of the Most Notable and Newsworthy Thought Leadership from the National Law Review’s Contributors

Happy New Year from the National Law Review! We hope that the holiday season has been restful and rejuvenating for you and your family. Here at the NLR, we are wrapping up the second season of our legal news podcast, Legal News Reach. Check out episode seven here: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! A few weeks ago, we also announced the winners of our 2022 Go-To Thought Leadership Awards! Each year, around 75 recipients are selected for their timely and high-quality contributions to the National Law Review. This year’s slate of winners was particularly competitive – to see the full list, check out our 2022 National Law Review Thought Leadership Awards page.

As we look forward to a bright and busy 2023 for the legal industry, it is more prudent than ever to review the previous year and all that came with it. 2022 was a chaotic and monumental year for not only the legal profession, but for the world at large. The invasion of Ukraine, global supply chain issues, and the ongoing coronavirus pandemic were only some of the many challenges all industries and sectors faced. In the United States, companies and employers dealt with enormous changes at every level, including but not limited to the reversal of Roe v. Wade, shifting attitudes toward cannabis legalization, and ever-changing standards for COVID-19 vaccinations.

Read on below for some thought leadership highlights from this past year, and for a reminder of all that we’ve passed through in 2022:

January

Most prominently in 2022, the US Supreme Court handed down substantial rulings for coronavirus vaccine mandates, which affected not only healthcare workers but all employers across the country. With a 6-3 majority, SCOTUS stayed the Biden Administration’s OSHA Emergency Temporary Standard that applied to all private employers, but simultaneously ruled in a 5-4 majority that issued a 5–4 unsigned majority that vaccine mandates for medical facilities and medical workers can remain.

January also saw noteworthy changes to labor law in the United States, inviting a handful of significant standard changes for all employers. At the end of 2021 and early in 2022, the NLRB considered cases that altered the standard for determining independent contractor status, as well as the standard that established whether a facially neutral work rule violates Section 8(a)(1) of the National Labor Relations Act. These changes also paved the way for briefings on determining appropriate bargaining units.

Read January 2022’s thought leadership focusing on Labor and Employment law and the related Supreme Court rulings  below for more information:

Supreme Court Stays Private Vaccine Mandate; Upholds Requirement for Certain Healthcare Workers

On Again, Off Again Vaccine Mandates: What Should Employers Do Now?

NLRB Rings in the New Year by Inviting Briefing on Multiple, Far-Reaching Standards Impacting Employers

February

On February 24, 2022, Russia launched a large-scale ground invasion of Ukraine, leading to considerable damage and loss of life and throwing the geopolitical landscape into chaos. Both in February and in the months since, the Russia-Ukraine war has placed an extraordinary  strain on the global supply chain and businesses around the world, as the European Union, the United Kingdom, and the United States have continued to enforce sanctions and trade regulations. Companies must be careful to comply with these orders as the political landscape continues to change and learn how to juggle the dual headaches of the lingering COVID crisis and evolving Ukrainian war

Domestically, President Biden nominated Ketanji Brown Jackson to the US Supreme Court. Succeeding Justice Stephen Breyer, Judge Jackson graduated magna cum laude from Harvard University in 1992 and cum laude from Harvard Law in 1996 and has since served as a judge on the U.S. Court of Appeals for the District of Columbia Circuit. She is the first African American woman to serve on the United States’ highest court of law.

Read select thought leadership articles below for more information:

President Biden Nominates D.C. Circuit Judge Ketanji Brown Jackson to U.S. Supreme Court

Russian Invasion of Ukraine Triggers Global Sanctions: What Businesses Need to Know

Consequences from the Ukrainian Conflict

March

March of 2022 saw the long term  impacts from the military conflict in Ukraine emerge locally and around the world. Sanctions continued to affect businesses, leading to global supply chain slowdowns and difficulties in manufacturing and shipping and new immigration changes and challenges. In the US, the Securities and Exchange Commission “SEC” issued new and noteworthy regulations regarding Environmental, Social & Corporate Governance “ESG” and climate change disclosures for public companies. The Supreme Court also heard oral argument for a large slate of cases, perhaps most notably in ZF Auto. US v. Luxshare, Ltd. and AlixPartners v. The Fund for Prot. of Inv. Rights in Foreign States, which interpreted provisions of Title 28 of the US Code’s (“Section 1782”) reach in seeking US-style discovery from a interested party to a foreign proceeding and whether or not ection 1782 can be used to obtain key information for private international arbitrations.

Read key thought leadership articles published in March for more details:

SEC Issues Long-Awaited Proposed Rule on Climate Disclosures

U.S. Supreme Court Hears Oral Argument on Circuit Split Over Scope of 28 U.S.C. § 1782 for Obtaining Discovery in International Arbitrations

The Effects of the Military Conflict in Ukraine on Supply Contracts

April

In April of 2022, the Biden Administration made notable changes to the National Environmental Policy Act, better known as NEPA, which had been substantially altered under the Trump Administration. A number of key provisions were returned to their pre-Trump state in order to better center the administration’s larger focus on environmental justice. Also of note, a US court for the first time contested the Center for Disease Control’s  “CDC’s” travel mask mandate, on the grounds that it exceeded the CDC’s Statutory Authority under the Administrative Procedure Act “the federal APA”. This ultimately led to a vacating of the COVID travel mask mandate on a nationwide basis.

Elon Musk announced his intention to purchase Twitter in April of 2022, as well. Twitter ultimately adopted a shareholder rights plan, known as a poison pill, in hopes of preventingMusk’s hostile takeover. Poison pills are widely regarded as the an effective but a draconian anti-takeover defense available.

Read select  thought leadership articles below for more information:

Biden Administration Walks Back Key Trump Era NEPA Regulation Changes

Twitter Board of Directors Adopts a Poison Pill

Administrative Law Takeaways from the Federal Travel Mask Mandate Decision

May

On May 17th, the first case of Monkeypox in the United States was reported in Massachusetts. In response, the Environmental Protection Agency “EPA” and the federal government implemented a number of policy changes in hopes of preventing a wider spread, including the speedy authorization of anti-Monkeypox claims for certain registered pesticides and disinfectant products.

The SEC and administrative law at large received a considerable blow after the Fifth Circuit’s ruling in Jarkesy v. SEC. The Fifth Circuit Court held that the SEC in-house courts violated a series of constitutional protections, which may result in far-reaching impacts for how administrative bodies are used to regulate in the future. Additionally in May, the Senate confirmed Commissioner Alvaro Bedoya for the Federal Trade Commission “FTC”, shifting the balance of power back at the Commission in favor of the Democratic Party.

Read the following highlighted thought leadership articles published in May  for more information:

EPA Authorizes Anti-Monkeypox Claims for Pre-Designated Disinfectant Products

Fifth Circuit Holds That SEC Administrative Law Courts Are Unconstitutional

Big News at The FTC: Democrats Finally Get the Majority Back

June

In June of 2022, the Supreme Court released its decision in Dobbs v. Jackson, reversing Roe v. Wade’s 50-year precedent of ensuring abortion as a  protected right. Dobb’s is a  momentous decision and has resulted in a myriad of complex issues for employers, healthcare providers and individuals, including the updating of employee policies, healthcare provisions, ethical and criminal considerations for healthcare providers and the protection of personal data, and ultimately represents a massive shift away from women’s bodily autonomy in the United States. And the partial advance leak of the Dobb’s ruling, added to the myriad of concerns about the stability and public perception of the Supreme Court.

Other notable litigation and legislation in June included the passing of the Uyghur Forced Labor Prevention Act, subjecting the importers of raw materials from China to new enforcement provisions. The Supreme Court also ruled in West Virginia v. EPA, limiting the SEC’s ability to enforce ESG requirements on public companies. The West Virginia v. EPA ruling  presents a considerable obstacle for the Biden Administration’s ongoing climate goals.

Read select legal news  articles below for more information:

Employment Law This Week: SCOTUS Overturns Roe v. Wade – What Employers Should Consider [VIDEO]

Uyghur Forced Labor Prevention Act Enforcement Starts on Imports from China and on Imports with China Origin Inputs

Implications of West Virginia v. EPA on Proposed SEC Climate Rules

July

July of 2022 saw a great deal of changes for the Equal Opportunity Commission’s “EEOC’s” COVID testing guidance for employers. The largest change is determining if testing is needed to prevent workplace transmission and interpreting the business necessity standard under the American with Disabilities Act “ADA”.. The labor law landscape around the country also saw an increased focus on pay transparency laws – most notably, New York state passed a bill requiring employers to post salary or wage ranges on all job listings. Notably, this law is quite similar to one already in effect in New York City and Washington state, Colorado, and Jersey City.

Beginning most prominently in July, the cryptocurrency world also found itself under increased scrutiny by the federal government. Of note this month, the SEC filed a complaint against certain Coinbase employees, alleging insider trading and claiming that these employees had tipped off others regarding Coinbase’s listing announcements. This move was one of the more aggressive moves made by the SEC toward the digital asset industry.

Read select legal thought leadership articles published in July for more information:

EEOC Revises COVID-19 Testing Guidance for Employers

SEC v. Wahi: An Enforcement Action that Could Impact the Broader Crypto / Digital Assets Industry

Pay Transparency Laws Are All The Rage: Looks Like New York State Is Joining the Party

August

On August 12, 2022, the Inflation Reduction Act (“IRA”) was passed by Congress, representing enormous changes for industries across the country. Perhaps most notably, the landmark legislation contained new government incentives for the clean energy sector, creating tax incentives for renewable energy projects that previously did not exist. The Act also included 15% alternative minimum corporate tax and a 1% excise tax on stock buybacks to raise government revenue.

The Inflation Reduction Act also provided significant funding for tribal communities, including but not limited to the reduction of drug prices, the lowering of energy costs, and additional federal infrastructure investments. While the funding is not as significant as COVID relief from previous years and there are still some remaining hurdles, the IRA provides groundbreaking new opportunities for Native communities, including those in Alaska and Hawaii.

Read the select legal articles published in August for more information:

The Inflation Reduction Act: How Do Tribal Communities Benefit?

The Inflation Reduction Act: A Tax Overview

Relief Arrives for Renewable Energy Industry – Inflation Reduction Act of 202

September

In September of 2022, Hurricane Ian made landfall in the United States, caused substaintial property damage and loss of life despite preparations ahead of time. After addressing safety concerns, policyholders began reviewing their insurance policies, collecting documentation and filing claims. In addition to filing claims for property damage, corporate policyholders also filed claims for business interruption and loss of business income.

Lawsuits opposing the remaining COVID-19 vaccine mandates also continued throughout the month of September, exceeding 1,000 complaints nationally. Previously, lawsuits had largely targeted the Biden Administration, but additional focus was also directed toward large employers with vaccine mandates.

Of global significance, Queen Elizabeth II, the UK’s longest reigning monarch, passed away at 96 years old. Her funeral was held September 19, 2022, and was a national holiday in the United Kingdom marking the last day of public mourning.

Read following key thought leadership articles on Hurrican Ian, UK Bank Holiday due to the Sovereign’s passing and Employer’s COVID Mandate headaches  for more information:

Hurricane Ian – Navigating Insurance Coverage

Bank Holiday Announced for Her Majesty Queen Elizabeth II’s State Funeral

Challenges Against Employer COVID-19 Vaccine Mandates Show No Sign of Slowing

October

October saw forward movement in environmental justice, cannabis decriminalization, and Artificial Intelligence  “AI” regulation. The EPA launched their new Office of Environmental Justice and External Civil Rights, to work with state, local, and tribal partners providing financial and technical support to underserved communities disproportionately impacted by the ill effects of climate change. The EPA’s new office has 200 staff members across 10 regions and is expected to provide a unifying focus on civil rights and environmental justice for the EPA and federal government as a whole.

President Biden’s pardon of federal marijuana charges and mandate to review the plant’s Schedule I status signaled a shift in cannabis regulation, with the president urging state officials to follow his example and consider the contrast between wealthy cannabis business owners and those imprisoned for possession in the recent past.

Later in the month, the White House Office of Science and Technology Policy addressed the swell of artificial intelligence technology with their Blueprint for an AI Bill of Rights, which provides guidelines to prevent privacy violations, implicit bias, and other forms of foreseeable harm.

Read selected thought leadership articles below for more information:

EPA Launches Their New Office: What Does the Office of Environmental Justice and External Civil Rights Mean for Companies and ESG in the United States?

“Up in Smoke?” President Biden Announces Pardons and Orders Review of Cannabis Classification

The White House’s AI Bill of Rights: Not for the Robots

November

November was dominated by a nail-biting midterm election season, a cryptocurrency catastrophe, and NDA (Non Disclosure Agreement) reform. While the midterms did not result in a Red Wave as expected, Republicans were able to regain a small majority in the House of Representatives, with the Senate remaining in Democratic control.

The digital finance world was considerably less stable, with the second largest cryptocurrency trading platform, FTX, filing for bankruptcy three days after its lawyers and compliance staff abruptly resigned. The collapse brought into stark relief the importance of solidifying the cryptocurrency custody and insurance landscape.

Also of note, President Biden signed the Speak Out Act, rendering unenforceable nondisclosure and nondisparagement agreements signed prior to incidents of sexual harassment or assault. The law’s passage offers employers the opportunity to review their states’ more robust laws in this area and ensure clauses meant to protect trade secrets and proprietary information don’t inadvertently create issues for sexual misconduct claimants.

Read select  thought leadership articles below fora deeper dive:

2022 Midterm Election Guide

The Spectacular Fall of FTX: Considerations about Crypto Custody and Insurance

Nondisclosure and Nondisparagement Agreements in Sexual Harassment and Assault Cases: Speak Out Act Heads to President’s Desk

December

In December, the Federal Trade Commission (FTC) released their hotly anticipated “Green Guides” amendment proposals, intended to combat greenwashing amidst growing demand for environmentally friendly products. The amended Guides for the Use of Environmental Marketing Claims would impose stricter standards for the use of terms such as “recyclable,” “compostable,” “organic,” and “sustainable” in advertising and on packaging.

Meanwhile, Congress narrowly avoided a railroad worker strike by passing Railway Labor Act legislation affirming all tentative agreements between rail carriers and unions. The contracts included a roughly 24% increase in wages over 4-5 years, along with an extra day of leave. Biden promised to address paid leave further in the near future.

The National Labor Relations Board (NLRB) closed out 2022 with a number of impactful decisions favoring workers. Employees have expanded remedies for National Labor Relations Act violations and protection during Section 7 questioning, while employers have the burden of proof when seeking to expand micro-units or deny union protestors.

Read select legal thought leadership pieces below for more details:

Congress Votes to Impose Bargaining Agreement to Avoid Nationwide Railroad Strike

FTC Starts Long-Awaited Green Guides Review

NLRB Issues Flurry of Blockbuster End-of-Year Decisions (With More to Come?) (US)

Thank you to our dedicated readers and as always to our highly regarded contributing authors and our talented NLR editorial staff for working day in and day out to produce one of the most well read and reputable business law publications in the US.  Have a happy 2023!

Copyright ©2023 National Law Forum, LLC

Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated to October Attack

On December 23rd, 2022, the Lake Charles Memorial Health System (LCMHS) began sending out notifications regarding a newly discovered data breach that is currently impacting approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, which contains multiple hospitals and a primary care clinic. The organization discovered unusual activity on their network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor gained access to the organization’s network as well as “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information regarding received care, and Social Security numbers (SSNs) in limited instances. While LCMHS has yet to confirm the unauthorized actor responsible for the data breach, the Hive ransomware group listed the organization on their data leak site on November 15, 2022, as well as posted files allegedly exfiltrated after breaching the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It is not unusual for Hive to claim responsibility for the associated attack as the threat group has previously targeted hospitals/healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a well-aged threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Aiming their attacks consistently at entities of South Korea, the group often targets academics, think tanks, and organizations relating to inter-Korea relations. In this recent campaign, Kimsuky threat actors distributed spear-phishing emails to several well-known South Korean policy experts. Within these emails, either an embedded website URL or an attachment was present, both executing malicious code to download malware to the compromised machine. One (1) tactic the threat actors utilized was distributing emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) of them were located throughout North Korea, with the others from around the globe. This type of social engineering attack is not new for the threat group as similar instances have occurred over the past decade. In January 2022, Kimsuky actors mimicked activities of researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded emails or downloading any attachments to lessen the risk of threat actor compromise.

Vulnerabilities

Netgear Patches Critical Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability impacting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow security vulnerability, which, if exploited, could allow threat actors to carry out a number of malicious activities. These activities include stealing sensitive information, creating Denial-of-Service (DoS) conditions, as well as downloading malware and executing arbitrary code. In past attacks, threat actors have utilized this type of vulnerability as an initial access vector by which they pivot to other parts of the network. Currently, there is very little technical information regarding the vulnerability and Netgear is temporarily withholding the details to allow as many of their users to update their vulnerable devices to the latest secure firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to successfully exploit a device. CTIX analysts urge Netgear users with any of the vulnerable devices listed in Netgear’s advisory to patch their device immediately.

For more cybersecurity news, click here to visit the National Law Review.

Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption –  this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

Click here to read more legislative news on the National Law Review website.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

Nineteen States Have Banned TikTok on Government-Issued Devices

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices and many have already implemented a ban, with others considering similar measures. There is also bi-partisan support of a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens [View related posts].

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.
For more Cybersecurity Legal News, click here to visit the National Law Review.

TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Arbitration: In Kelly v. McClatchy Co., LLC, 2022 WL 1693339 (E.D. Cal.  May 26, 2022), the District Court denied the defendant’s motion to compel arbitration because the contractual relationship between the parties had terminated before the unwanted calls were made. Plaintiffs had originally signed defendant’s Terms of Service which bound them to an arbitration provision for all legal disputes. Plaintiffs then cancelled their subscriptions which subsequently ended the enforceability of the Terms of Service against them. However, plaintiffs then received unwanted calls from Defendant seeking service renewals which the court deemed were not covered by the arbitration clause, even under a theory of post-expiration enforcement.

ATDS: Following Facebook v. Duguid, 141 S. Ct. 1163 (2021), courts are still struggling to define an “automatic telephone dialing system,” and the Third Circuit weighed in through Panzarella v. Navient Sols., Inc., 2022 WL 2127220 (3d Cir. June 14, 2022).  The district court granted defendant’s motion for summary judgment on the grounds that plaintiffs failed to show that an ATDS was used to call their phones. The Third Circuit upheld the summary judgment ruling but did not decide whether the dialing equipment used constituted an “ATDS” under the TCPA. Rather, its ruling hinged on the fact that defendant’s dialer pulled phone numbers from its internal database, not computer-generated tables. As such, the Third Circuit found that even though the system may very well be an unlawful ATDS system under the TCPA, if it is not used in that way, defendants could not be held liable.

In an interesting move, the court in Jiminez v. Credit One Bank, N.A., Nco Fin. Sys., 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022), narrowed the definition of an “ATDS,” choosing to reject the Second Circuit approach in favor of the Third Circuit’s approach in Panzarella. Here, plaintiff alleged that defendant used a dialing system to send numerous calls without consent. The Second Circuit follows the majority view that, if a system used to dial numbers has the ability to store or generate random numbers, the call made violates the TCPA, even if the random dialing function is not actually utilized. But the court in Jiminez found the Third Circuit’s reasoning persuasive and applied it to the case, finding that plaintiff failed to show the dialing system was actually used in a way that violated the TCPA. It granted summary judgment to defendants on the TCPA claims because the evidence showed the numbers used were all taken from a pre-approved customer list, not generated from random dialing.

Similarly, in Borden v. Efinancial, LLC, 2022 WL 16955661 (9th Cir. Nov. 16, 2022), the Ninth Circuit also adopted a narrower definition of an ATDS, finding that to qualify as an ATDS, a dialing system must use its automation function generate and dial random or sequential telephone numbers. This means that a mere ability to generate random or sequential numbers is irrelevant, the generated numbers must actually be telephone numbers. Given the circuit split on this issue, it seems likely that the Supreme Court will eventually have to weigh in.

Notably, in May 2022, the FCC issued a new order which will target unlawful robocalls originating outside the country. The order creates a new classification of service providers called “Gateway Providers” which have traditionally served a transmitters of international robocalls. These providers are domestic intermediaries which are now required to register with the FCC’s Robocall Mitigation database, file a mitigation plan with the agency, and certify compliance with the practices therein.

Class Certification: In Drazen v. Pinto, 41 F. 4th 1354 (11th Cir. July 27, 2022), the Eleventh Circuit considered the issue of standing in a TCPA class action. Plaintiffs’ proposed settlement class included unnamed plaintiffs who had only received one unsolicited text message. Because the court held in an earlier case (Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019)) that just one unwanted message is not sufficient to satisfy Article III standing, it found that some of the class members did not have adequate standing. The district court approved the class with these members in it, finding that those members could remain because they had standing in their respective Circuit and only named plaintiffs needed to have standing. The Eleventh Circuit held otherwise and vacated the class certification and settlement in the case. It remanded, allowing for redefinition of the class giving all members standing.

Consent: Chennette v. Porch, 2022 WL 6884084 (9th Cir. Oct. 12, 2022), involved a defendant who used cell phone numbers posted on publicly available websites, like Yelp and Facebook, to solicit client leads to contractors through unwanted text messages. The court rejected defendant’s argument that plaintiffs consented to the calls because their businesses were advertised through these public posts with the intent of obtaining new business. Beyond that, the court also found that even though these cell phones were used for both personal and business purposes, the numbers still fell within the protection of the TCPA, allowing plaintiffs to satisfy both statutory and Article III standing.

Damages: In Wakefield v. ViSalus, 2022 WL 11530386 (9th Cir. Oct. 20, 2022), the Ninth Circuit adopted a new test to determine the constitutionality of an exceptionally large damages award. Defendant was a marketing company that made unwanted calls to former customers, soliciting them to renew their subscriptions to weigh-loss products. After a multi-day trial, a jury returned a verdict for the plaintiff with a statutory damages award of almost $1 billion. The Ninth Circuit reversed and remanded to the district court to consider the constitutionality of the award. While the district court’s test asked whether the award was “so severe and oppressive” as to violate defendant’s due process rights, the Ninth Circuit instructed it to reassess using a test outlined in a different case, Six Mexican Workers. The Six Mexican Workers test assesses the following factors in determining the constitutionality of the damages award: “1) the amount of award to each plaintiff, 2) the total award, 3) the nature and persistence of the violations, 4) the extent of the defendant’s culpability, 5) damage awards in similar cases, 6) the substantive or technical nature of the violations, and 7) the circumstances of each .” We are still awaiting that determination on remand.

Standing: In Hall v. Smosh Dot Com, Inc., 2022 WL 2704571 (E.D. Cal July 12, 2022), the court addressed whether plaintiff had standing under the TCPA as a cell phone plan subscriber where the text messages were only received by someone else on the plan; in this case, plaintiff was the subscriber and her minor son was the recipient of the unwanted text messages. The court granted defendant’s motion to dismiss for lack of standing because she could not show that status of a subscriber alone could convey adequate standing under Article III.

In Rombough v. State Farm, No. 22-CV-15-CJW-MAR, (N.D. Iowa June 9, 2022), the court evaluated standing under the TCPA based on a plaintiff’s number being listed on the Do Not Call list. It determined that being on the DNC was not an easy ticket into court, plaintiff needed to allege more than just having its number on the list. Rather, the plaintiff need have actually registered their own numbers on the list.

© 2022 Vedder Price
For more Cybersecurity and Privacy Law news, click here to visit the National Law Review.

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third-party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on their leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personal identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in-the-wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting their FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd product, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise can be found in the Fortinet advisory linked below.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Article By Ankura Cyber Threat Investigations and Expert Services

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

How Many Websites Now Have Cookie Banners?

A “cookie banner” refers to a pop-up notice on a website that discusses the site’s use of cookies. There is little standardization concerning how cookie banners are deployed. For example, websites can position them in different places on the screen (e.g., across the top of the screen, across the bottom of the screen, in a corner of the screen, or centered on the screen). Cookie banners also utilize different language to describe what cookies are and use different terms to describe options consumers may have in relation to the deployment of cookies. Some cookie banners require that a consumer interact with the banner (e.g., accept, cancel, or click out of) before the consumer can visit a website; other cookie banners are designed to disappear from view after several seconds.

As of October 2022, 45% of Fortune 500 websites were utilizing a cookie banner.[1] That represents an 11-point increase since 2021.[2]

[1] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprises companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.

[2] Greenberg Traurig LLP conducted a survey in December 2020 which showed that 34.2% of websites had cookie banners.

Article By David A. Zetoony of Greenberg Traurig, LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Privacy Rights in a Remote Work World: Can My Employer Monitor My Activity?

The rise in remote work has brought with it a rise in employee monitoring.  Between 2019 and 2021, the percentage of employees working primarily from home tripled.  As “productivity paranoia” crept in, employers steadily adopted employee surveillance technologies.  This has raised questions about the legal and ethical implications of enhanced monitoring, in some cases prompting proposed legislation or the expanded use of laws already on the books.

Employee monitoring is nothing new.  Employers have long used supervisors and timeclock programs, among other systems, to monitor employee activity.  What is new, however, is the proliferation of sophisticated monitoring technologies—as well as the expanding number and variety of companies that are employing them.

 While surveillance was once largely confined to lower-wage industries, white-collar employers are increasingly using surveillance technologies to track their employees’ activity and productivity.  Since the COVID-19 pandemic started in March 2020, one in three medium-to-large companies has adopted some form of employee monitoring, with the total fraction of employers using surveillance technologies closer to two in three.  Workers who are now subject to monitoring technologies include doctors, lawyers, academics, and even hospice chaplains.  Employee monitoring technologies can track a range of information, including:

  • Internet use (e.g., which websites and apps an employee has visited and for how long);

  • How long a computer sits idle;

  • How many keystrokes an employee types per hour;

  • Emails that are sent or received from a work or personal email address (if the employee is logged into a personal account on a work computer);

  • Screenshots of a computer’s display; and

  • Webcam photos of the employee throughout the day.

These new technologies, coupled with the shift to remote work, have blurred the line between the professional and the personal, the public and the private.  In the face of increased monitoring, this blog explores federal and state privacy regulations and protections for employees.

What are the legal limitations on employee monitoring?

 There are two primary sources of restrictions on employee monitoring: (1) the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq.; and (2) common-law protections against invasions of privacy.  The ECPA is the only federal law that regulates the monitoring of electronic communications in the workplace.  It extends the Federal Wiretap Act’s prohibition on the unauthorized interception of communications, which was initially limited to oral and wire communications, to cover electronic communications like email.  As relevant here, the ECPA contains two major exceptions.  The first exception, known as the business purpose exception, allows employers to monitor employee communications if they can show that there is a legitimate business purpose for doing so.  The second exception, known as the consent exception, permits employers to monitor employee communications so long as they have consent to do so.  Notably, this exception is not limited to business communications, allowing employers to monitor employees’ personal communications if they have the requisite consent.  Together, the business purpose and consent exceptions significantly limit the force of the ECPA, such that, standing alone, it permits most forms of employee monitoring.

In addition to the ECPA’s limited protections from surveillance, however, some states have adopted additional protections of employee privacy.  Several state constitutions, including those of California, South Carolina, Florida, and Louisiana, guarantee citizens a right to privacy.  While these provisions do not directly regulate employers’ activity, they may bolster employees’ claims to an expectation of privacy.  Other states have enacted legislation that limits an employer’s ability to monitor employees’ social media accounts.  Virginia, for example, prohibits employers from requiring employees to disclose their social media usernames or passwords.  And a few states have enacted laws to bolster employees’ access to their data.  For example, the California Privacy Rights Act (CPRA), which comes into full effect on January 1, 2023, and replaces the California Consumer Privacy Act (CCPA), will provide employees with the right to access, delete, or opt-out of the sale of their personal information, including data collected through employee monitoring programs.  Employees will also have the right to know where, when, and how employers are using their data.  The CPRA’s protections are limited, however.  Employers will still be able to use surveillance technologies, and to make employment decisions based on the data these technologies gather.

Finally, several states require employers to provide notice to employees before monitoring or intercepting electronic communications.  New York recently adopted a law,  Senate Bill (SB) S2628, that requires all private-sector employers to provide notice of any electronic monitoring to employees (1) upon hiring, via written or electronic employee acknowledgment; and (2) in general, in a “conspicuous place” in the workplace viewable to all employees.  The new law is aimed at the forms of monitoring that have proliferated since the shift to remote work, and covers surveillance technologies that target the activities or communications of individual employees.  Delaware and Connecticut also have privacy laws that predate SB S2628.  Delaware requires notice to employees upon hire that they will be monitored, but does not require notice within the workplace.  Meanwhile, Connecticut requires notice of monitoring to be conspicuously displayed in the workplace but does not require written notice to employees upon hire.  Accordingly, in many states, employee privacy protections exceed the minimum standard of the ECPA, though they still are not robust.

How does employee monitoring intersect with other legal rights?

Other legal protections further limit employee monitoring.

First, in at least some jurisdictions, employees who access personal emails on their work computer, or conduct other business that would be protected under attorney-client privilege, maintain their right to privacy for those communications.  In Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009), the Superior Court of New Jersey, Appellate Division, considered a case in which an employee had accessed her personal email account on her employer’s computer and exchanged emails from that account with her attorney regarding a possible employment case against her employer.  The employer, who had installed an employee monitoring program, was able to access and read the employee’s emails.  The Court held that the employee still had a reasonable expectation of privacy and that sending and receiving emails on a company-issued laptop did not waive the attorney-client privilege.  The Court thus required the employer to turn over all emails between the employee and her attorney that were in its possession and directed the employer to delete all of these emails from its hard drives.  Moving forward, the Court instructed that, while “an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest,” such a business interest held “little force . . . when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.”  Stengart, 408 N.J. Super. at 74.

Second, employee monitoring can run afoul of protections related to union and other concerted activity.  The General Counsel for the National Labor Relations Board (NLRB) recently announced a plan to curtail workplace surveillance technologies.  Existing law prohibits employers from using surveillance technologies to monitor or record union activity, such as by recording employees engaged in picketing, or otherwise interfering with employees’ rights to engage in concerted activity.  The General Counsel’s plan outlines a new, formal framework for analyzing whether employee monitoring interferes with union or concerted activity.  Under this framework, an employer presumptively violates Section 7 or Section 8 of the National Labor Relations Act (NLRA) where their “surveillance and management practices, viewed as a whole, would tend to interfere with or prevent a reasonable employee from engaging in” protected activities.  Examples of technologies that are presumptively violative include key loggers, webcam photos, and audio recordings.

Do I have a claim against my employer?

While federal and state restrictions on employee monitoring are limited, you may have a legal claim against your employer if its monitoring is overly intrusive or it mishandles your personal data.  First, an invasion-of-privacy claim, for the tort of intrusion upon seclusion, could exist if your employer monitors your activity in a way that would be highly offensive to a reasonable person, such as by accessing your work laptop’s webcam or internal microphone and listening in on private affairs in your home.  Second, you may have a claim against your employer for violating its legal duty to protect your personal information if data it collects in the course of monitoring your work activity is compromised.  In Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), employees at the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) filed a class-action complaint alleging that UPMC breached its legal duty of reasonable care when it failed to protect employees’ data, which was stolen from UPMC computers.  The Pennsylvania Supreme Court found for the plaintiffs, holding that employers have an affirmative duty to protect the personal information of their employees.  Because the Pennsylvania Supreme Court’s holding was grounded in tort principles that are recognized by many states (i.e., duty of care and negligence), it may pave a path for future cases in other jurisdictions.  Third, if any medical information is accessed and improperly used by your employer, you may have a claim under the Americans with Disabilities Act, which requires that employers keep all employee medical information confidential and separate from all other personnel information.  See 42 U.S.C. § 12112(d)(3)(B)-(C), (4)(B)-(C).

Conclusion

Employees are monitored more consistently and in more ways than ever before. By and large, employee monitoring is legal.  Employers can monitor your keystrokes, emails, and internet activity, among other metrics.  While federal regulation of employee monitoring is limited, some states offer additional protections of employee privacy.  Most notably, employers are increasingly required to inform employees that their activity will be monitored.  Moreover, other legal rights, such as the right to engage in concerted activity and to have your medical information kept confidential, provide checks on employee surveillance.  As employee monitoring becomes more commonplace, restrictions on surveillance technologies and avenues for legal recourse may also grow.

Article By Bonnie Henry of Katz Banks Kumin LLP

For more labor and employment legal news, click here to visit the National Law Review.

Katz Banks Kumin LLP Copyright ©

New York Enacts Crypto Mining Moratorium

On November 22, 2022, New York Governor Kathy Hochul signed into law a two-year moratorium against granting permits to crypto mining operations that “are operated through electric generating facilities that use a carbon-based fuel.” Renewable sources of energy are not impacted.

The legislation, among the first of its kind in the nation, prohibits the state’s Department of Environmental Conservation from issuing any new or renewal permits to electricity generating facilities reliant on carbon-based fuel supporting crypto mining operations that use proof-of-work authentication methods to validate blockchain transactions. The law applies to all permits and renewal applications filed after its effective date, and therefore grandfathers certain businesses that held permits prior to the date of enactment. The Department of Environmental Conservation and the Department of Public Service are also tasked under the legislation with preparing an environmental impact statement on cryptocurrency mining operations that use proof-of-work authentication techniques.

For more Environmental Law news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

ANOTHER TRILLION DOLLAR CASE:? TikTok Hit in MASSIVE CIPA Suit Over Its Business Model of Profiting from Advertising by Collecting and Monetizing User Data

Data privacy lawsuits are EXPLODING and one of our country’s most popular mobile app — TikTok’s privacy issues keep piling up.

Following its recent $92 million class-action data privacy settlement for its alleged violation of Illinois Biometric Information Privacy Act (BIPA), TikTok is now facing a CIPA and Federal Wire Tap class action for collecting users’ data via its in-app browser without Plaintiff and class member’s consent.

The complaint alleges “[n]owhere in [Tik Tok’s] Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that installs JavaScipt code into the external websites that users visit from the TikTok app which then provides TikTok with a complete record of every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked. “

Despite being a free app, TikTok makes billions in revenue by collecting users’ data without their consent.

The world’s most valuable resource is no longer oil, but data.”

While we’ve discussed before, many companies do collect data for legitimate purposes with consent. However this new complaint alleges a very specific type of data collection practice without the TikTok user’s OR the third party website operator’s consent.

TikTok allegedly relies on selling digital advertising spots for income and the algorithm used to determine what advertisements to display on a user’s home page, utilizes tracking software to understand a users’ interest and habits. In order to drive this business, TikTok presents users with links to third-party websites in TikTok’s in-app browser without a user  (or the third party website operator) knowing this is occurring via TikTok’s in-app browser. The user’s keystrokes is simultaneously being intercepted and recorded.

Specifically, when a user attempts to access a website, by clicking a link while using the TikTok app, the website does not open via the default browser.  Instead, unbeknownst to the user, the link is opened inside the TikTok app, in [Tik Tok’s] in-app browser.  Thus, the user views the third-party website without leaving the TikTok app. “

The Tik-Tok in-app browser does not just track purchase information, it allegedly tracks detailed private and sensitive information – including information about  a person’s physical and mental health.

For example, health providers and pharmacies, such as Planned Parenthood, have a digital presence on TikTok, with videos that appear on users’ feeds.

Once a user clicks on this link, they are directed to Planned Parenthood’s main webpage via TikTok’s in-app browser. While the user is assured that his or her information is “privacy and anonymous,” TikTok is allegedly intercepting it and monetizing it to send targeted advertisements to the user – without the user’s or Planned Parenthood’s consent.

The complaint not only details out the global privacy concerns regarding TikTok’s privacy practices (including FTC investigations, outright ban preventing U.S. military from using it, TikTok’s BIPA lawsuit, and an uptick in privacy advocate concerns) it also specifically calls out the concerns around collecting reproductive health information after the demise of Roe v. Wade this year:

TikTok’s acquisition of this sensitive information is especially concerning given the Supreme Court’s recent reversal of Roe v. Wade and the subsequent criminalization of abortion in several states.  Almost immediately after the precedent-overturning decision was issued, anxieties arose regarding data privacy in the context of commonly used period and ovulation tracking apps.  The potential of governments to acquire digital data to support prosecution cases for abortions was quickly flagged as a well-founded concern.”

Esh. The allegations are alarming and the 76 page complaint can be read here: TikTok.

In any event, the class is alleged as:

“Nationwide Class: All natural persons in the United State whose used the TikTok app to visit websites external to the app, via the in-app browser.

California Subclass: All natural persons residing in California whose used the TikTok app to visit websites external to the app, via the in-app browser.”

The complaint alleges California law applies to all class members – like the Meta CIPA complaint we will have to wait and see how a nationwide class can be brought related to a CA statute.

On the CIPA claim, the Plaintiff – Austin Recht – seeks an unspecific amount of damages for the class but the demand is $5,000 per violation or 3x the amount of damages sustained by Plaintiff and the class in an amount to be proven at trial.

We’ll obviously continue to keep an eye out on this.

Article By Puja J. Amin of Troutman Firm

For more communications and media legal news, click here to visit the National Law Review.

© 2022 Troutman Firm