Securities Litigation: An Emerging Strategy to Hold Companies Accountable for Privacy Protections

A California federal judge rejected Zoom Video Communications, Inc.’s motion to dismiss securities fraud claims against it, and its CEO and CFO, for misrepresenting Zoom’s privacy protections. Although there have been a number of cases challenging inadequate privacy protections on consumer protection grounds in recent years, this decision shifts the spotlight to an additional front on which the battles for privacy protection may be fought:  the securities-litigation realm.

At issue were statements made by Zoom relating to the company’s privacy and encryption methods, including Zoom’s 2019 Registration Statement and Prospectus, which told investors the company offered “robust security capabilities, including end-to-end encryption.” Importantly, the prospectus was signed by Zoom’s CEO, Eric Yuan. The plaintiffs, a group of Zoom shareholders, brought suit arguing that end-to-end encryption means that only meeting participants and no other person, not even the platform provider, would be able to access the content. The complaint alleged that contrary to this statement, Zoom maintained access to the cryptographic keys that could allow it to access the unencrypted video and audio content of Zoom meetings.
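To make the distinction the plaintiffs relied on concrete, here is an added illustration (not code from the article or from Zoom) of the two key-custody models: one where the platform provider generates and distributes the meeting key, and one where the two participants agree a key with Diffie-Hellman so that only public values ever pass through the provider's relay. The cipher (an HMAC-SHA256 keystream) and the small Diffie-Hellman group are toy choices made for this example, not anything the article describes; a real product would use a vetted primitive such as X25519.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, an assumption for illustration only.
# P = 2**127 - 1 is a Mersenne prime, so every value below it fits in 16 bytes.
P = 2**127 - 1
G = 3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode, XORed into
    the data. Symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    """The platform provider: forwards traffic between participants and,
    like any real server, retains a copy of whatever passes through it."""

    def __init__(self) -> None:
        self.observed = {}

    def forward(self, label: str, value):
        self.observed[label] = value
        return value


def provider_held_key(plaintext: bytes = b"constructed audio frame") -> tuple:
    """Model 1: the provider generates the meeting key and hands it to both
    clients through the relay. Returns (peer_can_read, provider_can_read)."""
    relay = Relay()
    meeting_key = secrets.token_bytes(32)
    alice_key = relay.forward("key", meeting_key)  # delivered to Alice
    bob_key = relay.forward("key", meeting_key)    # delivered to Bob
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(alice_key, nonce, plaintext)
    peer_view = keystream_xor(bob_key, nonce, ciphertext)
    # The provider still holds the key it minted, so it can read the frame.
    provider_view = keystream_xor(relay.observed["key"], nonce, ciphertext)
    return peer_view == plaintext, provider_view == plaintext


def end_to_end(plaintext: bytes = b"constructed audio frame") -> tuple:
    """Model 2: the clients derive the key themselves with Diffie-Hellman.
    Only the public values A and B cross the relay; the private exponents
    a and b never leave the clients. Returns (peer_can_read, provider_can_read)."""
    relay = Relay()
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a = relay.forward("A", pow(G, a, P))
    pub_b = relay.forward("B", pow(G, b, P))
    alice_key = hashlib.sha256(pow(pub_b, a, P).to_bytes(16, "big")).digest()
    bob_key = hashlib.sha256(pow(pub_a, b, P).to_bytes(16, "big")).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(alice_key, nonce, plaintext)
    peer_view = keystream_xor(bob_key, nonce, ciphertext)
    # The provider has only A and B. Combining them gives g^(a+b), not the
    # shared secret g^(ab), so its best attempt yields garbage.
    guess = hashlib.sha256(
        (relay.observed["A"] * relay.observed["B"] % P).to_bytes(16, "big")
    ).digest()
    provider_view = keystream_xor(guess, nonce, ciphertext)
    return peer_view == plaintext, provider_view == plaintext


if __name__ == "__main__":
    print("provider-held key  (peer, provider):", provider_held_key())
    print("end-to-end         (peer, provider):", end_to_end())
```

The second tuple element is the whole dispute in one bit: under the first model the provider can decrypt the meeting content because it holds the key, which is what the complaint alleged; under the second model it cannot, which is what "end-to-end" conventionally promises.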

The plaintiffs’ allegations are based on media reports of security issues relating to Zoom conferences early in the COVID-19 pandemic, as well as an April 2020 Zoom blog post in which Yuan stated that Zoom had “fallen short of the community’s – and our own – privacy and security expectations.” In his post, Yuan linked to another Zoom executive’s post, which apologized for “incorrectly suggesting” that Zoom meetings used end-to-end encryption.

In their motion to dismiss, the defendants did not dispute that the company said it used end-to-end encryption.  Instead, they challenged plaintiffs’ falsity, scienter, and loss causation allegations – and all three attempts were rejected by the court.

First, as to falsity, the court did not buy the defendants’ argument that “end-to-end encryption” could have different meanings because a Zoom executive expressly acknowledged that the company had “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.”  Thus, the court found that the complaint did, in fact, plead the existence of materially false and misleading statements. The court also rejected the defendants’ argument that Yuan’s understanding of the term “end-to-end encryption” changed in a relevant way from the time he made the challenged representation to his later statements that Zoom’s usage was inconsistent with “the commonly accepted definition.” The court looked to Yuan’s advanced degree in engineering, his status as a “founding engineer” at WebEx, and that he had personally “led the effort to engineer Zoom Meetings’ platform and is named on several patents that specifically concern encryption techniques.”

Lastly, the court rebuffed the defendants’ attempt at undermining loss causation, finding that the plaintiffs had pled facts to plausibly suggest a causal connection between the defendants’ allegedly fraudulent conduct and the plaintiffs’ economic loss. In particular, the court referenced the decline in Zoom’s stock price shortly after defendants’ fraud was revealed to the market via media reports and Yuan’s blog post.

That said, the court dismissed the plaintiffs’ remaining claims, as they related to data privacy statements made by Zoom or, in general, by the “defendants,” unlike the specific encryption-related statement made by Yuan. The court found that the corporate-made statements did not rise to the level of an “exceptional case where a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Because those statements were not coupled with sufficient allegations of individual scienter, the court granted the defendants’ motion to dismiss those statements from the complaint.

© 2022 Proskauer Rose LLP.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January Austrian courts decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customer need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to the cancellation process (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in the customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. According to the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, as well as require customers to take a separate action (e.g., check box or digital signature) to accept auto-renewal, and provide customers a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) made announcements regarding their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identifying by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely manner, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Is Your School District Ready for the Next Round of Cyber Attacks?

It isn’t if, but when, the next round of cyber-attacks will happen. One common type of cyber-attack that schools face is ransomware, where a hacker takes over a school district’s computer systems and holds the systems “hostage” until the district pays a ransom or can restore the system on its own. Restoration for some districts can be nearly impossible.

Like any other multi-million-dollar organization with sensitive data, schools are unfortunately natural targets for cyber-attacks. Per one leading anti-malware provider, in 2021 alone, 62 school districts and 26 colleges and universities were impacted by ransomware. These attacks disrupted learning at 1,043 individual schools. The recovery costs following an attack can be very significant. For example, Baltimore County Public Schools spent more than $8.1 million on recovery after an attack at the end of 2019.

And it isn’t just the ransom amounts that can be frightening. Public concern over compromised data security, feelings of invasion of privacy, and negative public perception can also pose real and significant consequences for school districts. Imagine the response of a guardian or parent who receives notice that his or her student’s personal information has been compromised. The inability to access necessary computer or network systems may also require schools to close and disrupt both short- and long-term operations. In 2021, on average, a school in the United States experienced seven days of downtime following a cyber-attack before resuming educational operations, and significant additional time was required to fully recover from the attack.

Why Are Schools Attractive Targets?

School districts are appealing targets for two main reasons: (1) school districts often have one of the largest budgets in the community, making them an appealing financial target; and (2) the data school districts store includes highly sensitive student and employee personal information, including Social Security numbers, health information, and other pupil data. This information can be a gold mine to cyber criminals who are interested in identity theft or simply extorting money from a school district.

What Should School Districts Do?

School district administration should embrace cybersecurity best practices to protect their schools from cyber-attacks. This requires administrators to review current practices and thereafter remain vigilant in conducting an ongoing review of such practices. Here are a few things school districts can do to help protect themselves:

  • Develop a communication plan. Time is critical when a cyber-attack occurs. It is essential that you are ready to address guardians and parents, the media, and the community, and to work with your insurers and law enforcement immediately when an attack happens. Different laws require notice to individuals affected by privacy breaches. Your district should pre-emptively develop a communication plan so it is immediately ready to address required stakeholders. This communication plan should be routinely discussed with relevant administrators and employees.
  • Update Systems. Network users should apply software patches and updates as soon as possible. Hackers often exploit systems that don’t timely install patches and updates.
  • Create a strong password policy. Password policies must require users to update their passwords at regular intervals and integrate best practices, including passphrases, sequences, and using different passwords for different accounts.
  • Purge outdated technology. Schools may hang on to older devices due to budget constraints. However, older devices may not be as secure as newer systems.
  • Implement multi-factor authentication to protect network access.

Some tips to help districts recover more quickly include:

  • Back up essential data frequently. The ability to restore data is a significant factor in determining whether a school district should pay a ransom.
  • Train employees. Train staff to recognize phishing emails and other types of cyber-attacks.
  • Develop a cyber-attack response plan. Schools should work with their IT staff, IT providers and legal counsel to pre-emptively develop a plan to handle varying cyber-attacks and return to normal operations.
  • Evaluate cyber liability insurance coverage. Based on publicly available information, ransom demands vary dramatically: as low as $10,000 to millions of dollars.
  • Stay in close contact with experienced legal counsel. To the extent protected personal information was accessed or taken, notification to the victims and, in some states, notification to data protection authorities may be required. Legal counsel familiar with these situations helps coordinate communication with law enforcement and communication with staff, students, and the public. Legal counsel also communicates with the threat actors, coordinates with your insurance company, and assists with records requests that may come in post-attack.

Most importantly, school districts should engage with their insurance agent, legal counsel and IT staff now to develop and gain a mutual understanding of the process that will be followed at the time of a cyber-attack, as well as the best practices that district employees and officials should be following today. These pre-emptive, relationship-building opportunities may expose vulnerabilities and will best prepare your district for a cyber-attack. A proactive approach may also help your district avoid an attack altogether or, at a minimum, reduce the damage.

©2022 von Briesen & Roper, s.c

White House Focuses on Improving the Cybersecurity of National Security Systems

President Biden recently signed a National Security Memorandum on cybersecurity. This memorandum was required by an earlier executive order, which we previously have discussed here.  The new memorandum (NSM) requires certain network cybersecurity measures for any government information system that is used for highly sensitive national security purposes. The requirements go into effect on a rolling basis over the next 6 months.

Systems covered include those used for intelligence activities, command and control of military forces, or weapons systems (dubbed, “National Security Systems” or “NSS”). Requirements will include use of multifactor authentication, encryption, cloud technologies, and endpoint detection services.  Notably, the NSM:

  1. requires agencies to identify their National Security Systems and report cyber incidents to the National Security Agency (NSA) (the agency tasked with responsibilities over NSS);
  2. authorizes the NSA to create Binding Operational Directives requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities; and
  3. requires agencies to secure cross-domain solutions (i.e., tools that transfer data between classified and unclassified systems).

The NSM also outlines how the cybersecurity requirements will be implemented.

Putting it into Practice: At this point, the NSM is directed only at requirements for agencies (rather than contractors or vendors). But, as we’ve seen in the past, once agencies have new policies and processes in place, these requirements are likely to impact or flow down to contractors that support National Security Systems.

This article was written by Townsend Bourne and Nikole Snyder of Sheppard Mullin law firm.

Crossing the Wires of Energy and Cryptocurrency Policy: U.S. Congress Investigates the Environmental Impact of Crypto Mining

The rapid adoption of cryptocurrency and other popular blockchain applications has captured our global economy’s attention. Even as the value of cryptocurrencies slid from their all-time highs, the promise of these digital assets and the infrastructure being developed to support them has been transformative.

As with most emerging technologies, policymakers are still exploring the best approaches to regulating these new digital assets and business models. Questions about consumer protection, security, and the applicability of existing laws are to be expected; however, the environmental impact of these energy-intensive business practices has prompted considerable study and regulatory activity across the globe, including attention in the United States.

To understand the increasing energy demands associated with major cryptocurrencies – predominantly, Bitcoin and Ethereum – it is important to understand how many cryptocurrencies are generated in the first instance. Many countries, including China, have banned cryptocurrency mining, and, with the United States becoming the largest source of cryptocurrency mining activity, Congress began active investigations and hearings into the energy demands and environmental impacts in January 2022.

Proof of What? Why certain cryptocurrencies create high energy demands. 

Not all cryptocurrencies – or blockchain platforms, for that matter – are created equal in their energy demands. The goal of most major cryptocurrency platforms is to create a decentralized, distributed ledger, meaning that there is no one authority to verify the authenticity of transactions and ensure that assets are not spent twice, for example. There needs to be a trustworthy mechanism – a consensus system – to verify new transactions, add those transactions to the blockchain, and to confirm the creation of new tokens. Bitcoin alone has well over 200,000 transactions per day,[1] so it should not come as a surprise that these platforms take an enormous amount of processing power to maintain.

There are currently two primary ways that network participants lend their processing power, and they frame part of the modern energy policy debates around cryptocurrency. The first form is “proof of work,” which is the original method that Bitcoin and Ethereum 1.0 employ. When a group of transactions (a block) needs to be verified, all of the “mining” computers race to solve a complex math puzzle, and whoever wins gets to add the block to the chain and is rewarded in coins. The competitive nature of proof of work consensus systems has led to substantial increases in computing power provided by institutional cryptocurrency mining operations and, with that, higher energy demands.

The second form, “proof of stake,” which newer platforms like Cardano and ETH2 use, promises to require considerably less energy to operate. With this method, validators “stake” their currency for a chance at verifying new transactions and updating the blockchain. This method rewards long-term investment in a particular blockchain, rather than raw computing power. A validator is picked based on how much currency they have staked and how long it has been staked for. Once the block is verified, other validators must review and accept the data before it’s added to the blockchain. Then, everyone who participated in validating the block is rewarded with coins.

While proof of stake consensus systems are becoming more common, the dominant – and most valuable – cryptocurrencies are still generated through energy-intensive proof of work systems.
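The two consensus mechanisms described in the preceding paragraphs can be seen side by side in a small simulation. This is an added example, not code from the article or from any of the platforms it names: the proof-of-work half mines a constructed block by searching for a nonce whose SHA-256 hash falls below a difficulty target, which shows why the expected work (and therefore energy) doubles with every extra difficulty bit while verification stays a single hash; the proof-of-stake half picks a validator with probability proportional to amount staked times time staked, a toy weighting chosen here to reflect the article's "how much" and "how long" and not any specific chain's rules. The transactions and previous-block hash are placeholder values.

```python
import hashlib
import random

# Constructed sample block: three placeholder transactions and a placeholder
# previous-block hash. Not taken from any real chain.
PREV_HASH = "00" * 32
TXS = ["alice->bob:1.5", "bob->carol:0.2", "carol->dave:3.0"]


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    payload = f"{prev_hash}|{'|'.join(txs)}|{nonce}".encode()
    return hashlib.sha256(payload).hexdigest()


def mine_proof_of_work(prev_hash: str, txs: list, difficulty_bits: int) -> tuple:
    """Proof of work: try nonces until the block hash has difficulty_bits
    leading zero bits. Returns (nonce, hash, attempts). Expected attempts
    grow as 2**difficulty_bits, which is where the energy demand comes from."""
    target = 1 << (256 - difficulty_bits)
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if int(h, 16) < target:
            return nonce, h, nonce + 1
        nonce += 1


def verify_proof_of_work(prev_hash: str, txs: list, nonce: int, difficulty_bits: int) -> bool:
    """Checking a proof costs one hash, however long the search took."""
    return int(block_hash(prev_hash, txs, nonce), 16) < (1 << (256 - difficulty_bits))


def expected_pow_attempts(difficulty_bits: int) -> int:
    return 2 ** difficulty_bits


def select_validator(stakes: dict, rng: random.Random) -> str:
    """Proof of stake (toy weighting): each validator's chance is proportional
    to amount staked * days staked. stakes maps name -> (amount, days)."""
    weights = {v: amount * days for v, (amount, days) in stakes.items()}
    total = sum(weights.values())
    draw = rng.random() * total
    acc = 0.0
    for v, w in weights.items():
        acc += w
        if draw < acc:
            return v
    return next(reversed(weights))  # guards against float rounding at the top end


def simulate_stake_selection(stakes: dict, rounds: int = 10_000, seed: int = 1) -> dict:
    """Run many selection rounds and count wins; no hashing race is involved."""
    rng = random.Random(seed)
    counts = {v: 0 for v in stakes}
    for _ in range(rounds):
        counts[select_validator(stakes, rng)] += 1
    return counts


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, h, attempts = mine_proof_of_work(PREV_HASH, TXS, bits)
        print(f"PoW {bits:2d} bits: nonce={nonce} attempts={attempts} "
              f"expected~{expected_pow_attempts(bits)} hash={h[:16]}...")
    stakes = {"alice": (600.0, 30), "bob": (300.0, 30), "carol": (100.0, 30)}
    print("PoS wins over 10,000 rounds:", simulate_stake_selection(stakes))
```

Raising the difficulty by four bits multiplies the expected hash count by sixteen, and a real network adjusts difficulty upward as more hardware joins, so the race never gets cheaper; the stake-based selection, by contrast, costs the same handful of operations per block no matter how much currency is at stake.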

Turning out the lights on Crypto: China bans domestic mining and other countries follow.

China has been incredibly influential in the modern cryptocurrency debate around energy use. For several years, China was the cryptocurrency mining capital of the world, providing an average of two-thirds of the world’s processing power dedicated to Bitcoin mining through early 2021.[2] In June 2021, however, China banned all domestic cryptocurrency mining operations, citing the environmental impacts of Bitcoin mining energy demands among its concerns.[3]

As Bitcoin miners fled China, many relocated to neighboring countries, such as Kazakhstan, and the United States became the largest source of mining activity – an estimated 35.1% of global mining power.[4] The surge in Bitcoin mining activity in Kazakhstan has not been without its controversy. Many Kazakhstan-based crypto mining operations are powered by coal plants, and there has been considerable unrest sparked by rising fuel costs.[5]

With some countries experiencing negative impacts from cryptocurrency mining operations, several countries have followed China’s lead in banning cryptocurrencies. According to a 2021 report prepared by the Law Library of Congress, at least eight other countries – Egypt, Iraq, Qatar, Oman, Morocco, Algeria, Tunisia, and Bangladesh – have banned cryptocurrencies.[6] Many other countries have impliedly banned cryptocurrency or cryptocurrency exchanges, as well.[7]

U.S. Congress shines its spotlight on the energy demands of cryptocurrency mining.

Now home to over a third of the global computing power dedicated to mining bitcoin, the United States has turned its attention to domestic miners and their impacts on the environment and local economies.

In June 2021, U.S. policymakers were still predominantly focused on the consumer protection and security concerns raised by digital currencies; however, Senator Elizabeth Warren alluded to her growing concerns about the environmental costs of, particularly, proof of work mining.[8] On December 2, 2021, Senator Warren sent a letter requesting information on the environmental footprint of New York-based Bitcoin miner Greenridge Generation.[9] The letter observed that, “[g]iven the extraordinarily high energy usage and carbon emissions associated with Bitcoin mining, mining operations at Greenridge and other plants raise concerns about their impacts on the global environment, on local ecosystems, and on consumer electricity costs.”[10] Senator Warren’s concerns sparked several rounds of congressional oversight and inquiries into the environmental impacts of, particularly, proof of work cryptocurrencies, over the past month.

Committee Hearing on “Cleaning up Cryptocurrency” begins oversight and investigation into the energy impacts of blockchains.

On January 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce’s Subcommittee on Oversight and Investigations held a hearing, where the externalities of cryptocurrency mining were the focus of the agenda. An early indicator of the Subcommittee’s views on the issue, the title for the hearing was “Cleaning up Cryptocurrency: The Energy Impacts of Blockchains.”[11]

The hearing focused heavily on the amount of energy used to power proof of work cryptocurrency mining. Bitcoin Mining has been widely criticized for the massive amounts of power it consumes – globally, more than 204 terawatt-hours as of January 2022. Although some operations are attempting to utilize renewable energy, the machines executing these algorithms consume enormous amounts of energy primarily sourced from fossil fuels.

The five industry experts testifying before the House Energy and Commerce Oversight Subcommittee had competing views on how regulators should address the energy consumption of cryptocurrencies—with some experts opining that the computational demands were a “feature, not a bug.”[12] Two of the experts – Brian Brooks, CEO of Bitfury Group, and Professor Ari Juels, Faculty member at Cornell Tech – debated the technical merits between proof of work and proof of stake systems, described earlier in this article.[13] Similarly, Gregory Zerzan, an attorney with Jordan Ramis, P.C. who previously held senior positions in the United States Government, encouraged the Subcommittee not to lose sight of the fact that cryptocurrencies are but “one aspect of a larger innovation, blockchain.”[14] Although the viewpoints of the experts varied considerably, there was a clear consensus among the experts: energy-efficient alternatives should guide the path forward.

John Belizaire, the founder and CEO of Soluna Computing, said that cryptocurrency mining could further accelerate the transition to renewable energy sources from an energy perspective.[15] Renewables currently suffer from one significant deficiency – intermittency. An example of this challenge is the so-called “duck curve,” which illustrates major differences between the demands for electricity as compared to the amount of renewable energy sources available throughout the day. For example, when the sun is shining, there is significantly more power than consumers need for a few hours per day; however, solar energy does not provide nearly enough energy when demand spikes in the late afternoon and evening.[16] While there has been progress in the development of lithium battery storage – a critical piece in solving the issues mentioned above – for the time being, deploying these batteries at scale is still too expensive.

In addressing gaps in battery storage, Belizaire testified that “Computing is a better battery.”[17] Computing, he states, “is an immediately deployable solution that can allow renewables to scale to their full potential today.”[18] Belizaire highlighted that, unlike other industrial consumers, cryptocurrency miners can turn their systems off when necessary, giving miners the ability to absorb excess energy from a given area’s electrical grid rather than straining it. This ability to start and stop or pause computing processes can increase grid resilience by absorbing excess energy from renewable resources that provide more power than the grid can handle. Brooks shared similar hopes for how Bitcoin mining could help stabilize electric grids, support the viability of renewable energy projects, and drive innovation in computing and cooling technology.[19]

Steve Wright, the former general manager of the Chelan County Public Utility District in Washington, testified that “the portability of cryptocurrency operations could be a benefit in terms of locating operations based on underutilized transmission and distribution capacity availability.”[20] Still, with ambitious goals to expand transmission and to increase and integrate large amounts of carbon-free generation, Wright testified that “substantial collaboration and coordination will be necessary to avoid cryptocurrency mining exacerbating an already very difficult problem.”[21]

Congressional Democrats continue the investigation into domestic mining operations and the Cryptomining Industry response.

The January 20, 2022 Hearing made clear that policymakers are doing their due diligence on the impact that the United States could experience as the number of domestic cryptocurrency mining operations increases. Commentary from the Hearing forecasted that scrutinizing the sources and costs of energy used in cryptocurrency mining would be a priority for Democrat members of Congress.

To that end, on January 27, 2022, eight Democrat members of Congress led by Senator Elizabeth Warren “sent letters to six cryptomining companies raising concerns over their extraordinarily high energy uses.”[22] Citing the same concerns raised in her December 2021 letter to Greenidge, Senator Warren and her colleagues observed that “Bitcoin mining’s power consumption has more than tripled from 2019 to 2021, rivaling the energy consumption of Washington state, and of entire countries like Denmark, Chile, and Argentina.”[23] To assist Congress in its investigation, Riot Blockchain, Marathon Digital Holdings, Stronghold Digital Mining, Bitdeer, Bitfury Group, and Bit Digital were all asked for information related to their mining operations, energy consumption, possible impacts on the climate and local environments, and the impact of electricity costs for American consumers.[24] Senator Warren and her colleagues requested written responses by no later than February 10, 2022, so this increased oversight will likely continue.

Even with increased oversight, current trends in crypto mining and renewables could soon make such inquiries a moot point. Amid the heated debate over the environmental impact of cryptocurrencies, miners are increasingly committed to changing the negative reputation that the industry has built over the years – especially as these operations move to the United States. In November of last year, Houston-based tech company Lancium announced that it raised $150 million to build bitcoin mines across Texas that will run on renewable energy.[25] In 2022, the company plans to launch over 2,000 megawatts of capacity across its multiple sites.[26] Bitcoin mining company Argo Blockchain, a company listed on the London Stock Exchange, secured a $25 million loan to fund its “green” mining operation.[27] The 320-acre site will use only renewable energy, the majority of it hydroelectric.[28] This deal is set to transform Argo’s mining capacity and is expected to be completed in the first half of 2022.[29]

Capital markets also appear to have a growing appetite for the development of green crypto mining. In April of last year, Gryphon Digital Mining raised a $14 million Series A round to launch a zero-carbon-footprint Bitcoin mining operation powered exclusively by renewables.[30] In a raise that closed in just over two weeks, institutional investors – whose demand significantly oversubscribed the round – accounted for over thirty percent of the round.[31]

As congressional, social, and economic pressures grow, it is evident that there is going to be a significant focus on the sustainability of Bitcoin mining. As such, we may very well see announcements like the deals mentioned above well into 2022 and beyond.

FOOTNOTES

[1] Bitcoin Transactions Per Day, YCharts, https://ycharts.com/indicators/bitcoin_transactions_per_day (last visited Jan. 29, 2022).

[2] Bitcoin Mining Map, Cambridge Centre for Alternative Finance, https://ccaf.io/cbeci/mining_map (last visited Jan. 29, 2022) [“Bitcoin Mining Map”].

[3] Samuel Shen & Andrew Galbraith, China’s ban forces some bitcoin miners to flee overseas, others sell out, Reuters, June 25, 2021, https://www.reuters.com/technology/chinas-ban-forces-some-bitcoin-miners-flee-overseas-others-sell-out-2021-06-25/ (last visited Jan. 29, 2022).

[4] See Bitcoin Mining Map.

[5] Tom Wilson, Bitcoin network power slumps as Kazakhstan crackdown hits crypto miners, Reuters, Jan. 7, 2022, https://www.reuters.com/markets/europe/bitcoin-network-power-slumps-kazakhstan-crackdown-hits-crypto-miners-2022-01-06/ (last visited Jan. 29, 2022).

[6] Regulation of Cryptocurrency Around the World: November 2021 Update, Global Legal Research Directorate, The Law Library of Congress, available at https://tile.loc.gov/storage-services/service/ll/llglrd/2021687419/2021687419.pdf (last visited Jan. 29, 2022).

[7] Id.

[8] Press Release, United States Senate Committee on Banking, Housing, and Urban Affairs, At Hearing, Warren Delivers Remarks on Digital Currencies (June 9, 2021), https://www.banking.senate.gov/newsroom/majority/at-hearing-warren-delivers-remarks-on-digital-currency (last visited Jan. 29, 2022).

[9] Elizabeth Warren, Letter to Greenidge Generation on Crypto, Dec. 2, 2021, available at https://www.warren.senate.gov/imo/media/doc/2021.12.2.%20Letter%20to%20Greenidge%20Generation%20on%20Crypto.pdf (last visited Jan. 29, 2022).

[10] Id. at p.2.

[11] Hearing Notice, United States House Committee on Energy & Commerce, Hearing on “Cleaning Up Cryptocurrency: The Energy Impacts of Blockchains” (Jan. 20, 2022), https://energycommerce.house.gov/committee-activity/hearings/hearing-on-cleaning-up-cryptocurrency-the-energy-impacts-of-blockchains (last visited Jan. 29, 2022) [the “January 20 Hearing”].

[12] January 20 Hearing Testimony. See also Statement of Brian P. Brooks before House Committee (Jan. 20, 2022), available at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Brooks_OI_2022.01.20_0.pdf (last visited Jan. 29, 2022) [the “Brooks Statement”].

[13] See, e.g., Brooks Statement; Statement of Prof. Ari Juels before House Committee (Jan. 20, 2022), available at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Juels_OI_2022.01.20.pdf (last visited Jan. 29, 2022) [the “Juels Statement”].

[14] Statement of Gregory Zerzan before House Committee (Jan. 20, 2022), available at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Zerzan_OI_2022.01.20.pdf (last visited Jan. 29, 2022).

[15] See, e.g., Statement of John Belizaire before House Committee (Jan. 20, 2022), available at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Belizaire_OI_2022.01.20_0.pdf (last visited Jan. 29, 2022) [the “Belizaire Statement”].

[16] Office of Energy Efficiency & Renewable Energy, Confronting the Duck Curve: How to Address Over-Generation of Solar Energy (Oct. 12, 2017), https://www.energy.gov/eere/articles/confronting-duck-curve-how-address-over-generation-solar-energy (last visited Jan. 29, 2022).

[17] See, e.g., Belizaire Statement, p.4.

[18] Id.

[19] See generally Brooks Statement, pp.8-10.

[20] See, e.g., Statement of Steve Wright before House Committee, p.5 (Jan. 20, 2022), available at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Wright_OI_2022.01.20.pdf (last visited Jan. 29, 2022) [the “Wright Statement”].

[21] Id. p.9.

[22] Press Release, Office of Senator Elizabeth Warren, Warren, Colleagues Press Six Cryptomining Companies on Extraordinarily High Energy Use and Climate Impacts (Jan. 27, 2022), available at https://www.warren.senate.gov/newsroom/press-releases/warren-colleagues-press-six-cryptomining-companies-on-extraordinarily-high-energy-use-and-climate-impacts (last visited Jan. 29, 2022).

[23] Id.

[24] Id.

[25] MacKenzie Sigalos, This Houston Tech Company Wants to Build Renewable Energy-Run Bitcoin Mines Across Texas, CNBC (Nov. 23, 2021), https://www.cnbc.com/2021/11/23/lancium-raises-150-million-for-renewable-run-bitcoin-mines-in-texas.html (last visited Jan. 31, 2022).

[26] Id.

[27] Namcios, Argo Blockchain Buys Hydro Data Centers to Realize Green Bitcoin Mining Vision, Bitcoin Magazine (May 13, 2021), https://www.nasdaq.com/articles/argo-blockchain-buys-hydro-data-centers-to-realize-green-bitcoin-mining-vision-2021-05-13 (last visited Jan. 31, 2022).

[28] Id.

[29] Id.

[30] GlobeNewswire News Room, Gryphon Digital Mining Raises $14 Million to Launch Bitcoin Mining Operation with Zero Carbon Footprint (Apr. 13, 2021), https://www.globenewswire.com/newsrelease/2021/04/13/2209346/0/en/Gryphon-Digital-Mining-Raises-14-Million-to-Launch-Bitcoin-Mining-Operation-with-Zero-Carbon-Footprint.html (last visited Jan. 31, 2022).

[31] Id.

Copyright ©2022 Nelson Mullins Riley & Scarborough LLP

As the California Attorney General Focuses on Loyalty Programs, What Do Companies Need to Remember?

The California attorney general (AG) celebrated Data Privacy Day by conducting an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.

What is a loyalty program?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]

What are the general obligations under the CCPA?

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right: Applicability to Loyalty Program

  • Notice at collection: A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2]
  • Privacy notice: A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3]
  • Access to information: A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5]
  • Deletion of information: A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.
  • Opt-out of sale: A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information.
  • Notice of financial incentive: To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4]

Are loyalty programs always financial incentive programs?

Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.[6] While the California Attorney General has implied that all loyalty programs, “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):

  • Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
    • A summary of the financial incentive offered.[11] In the context of a loyalty program a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
    • A description of the material terms of the financial incentive.[12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
    • How the consumer can opt in to the financial incentive.[14] Information about how a consumer can opt in to (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign up with the program.
    • How the consumer can opt out of, or withdraw from, the program.[15] This is an explanation of how the consumer can invoke their right to withdraw from the program.[16]
    • An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation of how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exist if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it is not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
  • Permit the consumer to revoke their consent “at any time.”[10]

FOOTNOTES

[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).

[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).

[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).

[4] Cal. Code Regs. tit. 11, 999.301(n); 304(d); 307(a), (b).

[5] Cal. Civ. Code § 1798.100(a).

[6] Cal. Code Regs. tit. 11, 999.301(j) (2021).

[7] FSOR Appendix A at 75 (Response 254).

[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).

[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[11] Cal. Code Regs. tit. 11, 999.307(b)(1) (2021).

[12] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).

[13] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).

[14] Cal. Code Regs. tit. 11, 999.307(b)(3) (2021).

[15] Cal. Code Regs. tit. 11, 999.307(b)(4) (2021).

[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[17] Cal. Code Regs. tit. 11, 999.307(b)(5) (2021).

[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).

[19] Cal. Code Regs. tit. 11, 999.307(b)(5)(a), (b) (2021).

©2022 Greenberg Traurig, LLP. All rights reserved.

New Poll Underscores Growing Support for National Data Privacy Legislation

Over half of all Americans would support a federal data privacy law, according to a recent poll from Politico and Morning Consult. The poll found that 56 percent of registered voters would either strongly or somewhat support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Democrats were most likely to support the proposal at 62 percent, compared to 54 percent of Republicans and 50 percent of Independents. Still, the numbers may show that bipartisan action is possible.

The poll is indicative of Americans’ increasing data privacy awareness and concerns. Colorado, Virginia, and California all passed or updated data privacy laws within the last year, and nearly every state is considering similar legislation. Additionally, Congress held several high-profile hearings last year soliciting testimony from several tech industry leaders and whistleblower Frances Haugen. In the private sector, Meta CEO Mark Zuckerberg has come out in favor of a national data privacy standard similar to the EU’s General Data Protection Regulation (GDPR).

Politico and Morning Consult released the poll results days after Senator Ron Wyden (D-OR) accepted a 24,000-signature petition calling for Congress to pass a federal data protection law. Senator Wyden, who recently introduced his own data privacy proposal called the “Mind Your Own Business Act,” said it was “past time” for Congress to act.

He may be right: U.S./EU data flows have been on borrowed time since 2020. The GDPR prohibits data flows from the EU to countries with inadequate data protection laws, including the United States. The U.S. Privacy Shield regulations allowed the United States to circumvent the rule, but an EU court invalidated the agreement in 2020, and data flows between the U.S. and the EU have been in legal limbo ever since. Eventually, Congress and the EU will need to address the situation, and a federal data protection law would be a long-term solution.

This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Two Recent Developments Promise to Shed Light on Accrual of BIPA Claims

In the aftermath of two recent appellate court decisions addressing when claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) accrue, it appears likely that the Illinois Supreme Court will need to provide clarity on this critical question. First, the Appellate Court of Illinois, First District, found in Watson v. Legacy Healthcare Financial Services, LLC, et al. that claims under sections 15(a) and (b) of the Act accrue with each and every capture and use of a plaintiff’s biometric identifier or information. Second, in Cothron v. White Castle System, Inc. the Seventh Circuit Court of Appeals declined to directly address the issue of when a claim under BIPA accrues, and instead has certified the question for review by the Illinois Supreme Court. While the holding in Watson provides some clarity as to when certain BIPA claims accrue, it leaves open critical questions regarding how to calculate: (i) the number of BIPA violations; and (ii) monetary damages under the Act.

The Watson v. Legacy Healthcare Financial Services, LLC, et al. Decision

Plaintiff Brandon Watson sued Legacy Healthcare Financial Services, LLC, Lincoln Park Skilled Nursing Facility, LLC, and South Loop Skilled Nursing Facility, LLC (collectively, the “Defendants”) in March 2019, alleging that the Defendants violated BIPA by scanning the fingers or hands of their respective employees, including plaintiff, for timekeeping purposes. Plaintiff alleged that the scanning violated sections 15(a) and (b) of the Act, which place both restrictions and affirmative obligations on private entities related to biometric identifiers (such as fingerprints, voiceprints, retinal scans and facial geometry) and biometric information (e.g., information based on biometric identifiers to the extent used to identify an individual):

  • Private entities in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying the information. 740 ILCS 14/15(a).
  • Private entities which collect, capture, purchase, receive or otherwise obtain biometrics must first inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and must obtain a written release executed by the subject. 740 ILCS 14/15(b).

Plaintiff alleged that he began working for at least one of the Defendants in December 2012. Because the Act contains no provision as to when claims accrue or the applicable limitations period, Defendants moved to dismiss, arguing that Plaintiff’s claims accrued on the first day the Defendants allegedly collected his biometric information and Plaintiff’s claims were thus time-barred. In response, Plaintiff argued that his suit was not time-barred because his claims accrued with each alleged capture of his biometric information that Defendants obtained without providing notice and obtaining consent. The trial court granted the Defendants’ motion to dismiss, finding that Plaintiff’s claims accrued with the initial scan of his finger or hand in December 2012. Thereafter, the trial court granted Plaintiff’s Rule 304(a) motion for an interlocutory appeal.

The Appellate Court reversed and remanded, finding that a claim under the Act accrues after “each and every capture and use of plaintiff’s fingerprint or hand scan.” In reaching this result the Appellate Court analyzed the plain language of the Act and the legislative history of the Act, and accepted as true that the Defendants captured Plaintiff’s biometric information twice per day when he clocked in and out of work.

The Cothron v. White Castle System, Inc. Decision

Plaintiff Latrina Cothron sued White Castle System, Inc. (“White Castle”) alleging that White Castle violated BIPA when it required plaintiff to scan her finger in order to access work computers. Moreover, plaintiff alleged that White Castle disclosed the scans of her fingers to its third-party vendor as part of a process to authenticate the finger scan and ultimately grant access to the work computers. Based on these allegations, plaintiff asserted claims under sections 15(b) and (d) of the Act. In addition to the obligations of section 15(b), outlined above, section 15(d) prohibits a private entity from disclosing, redisclosing or otherwise disseminating biometric information without consent. 740 ILCS 14/15(d).

White Castle moved for judgment on the pleadings, arguing that the suit was untimely since plaintiff’s claims accrued in 2008 when BIPA was enacted. The trial court denied White Castle’s motion, but certified its order for immediate appeal to the Seventh Circuit. In turn, the Seventh Circuit examined the arguments of both parties and ultimately concluded that the question of when a claim accrues under BIPA is a novel question which has not yet been addressed by the Illinois Supreme Court. As a result, the Seventh Circuit stayed proceedings in the Cothron matter and certified the question of when claims accrue under BIPA to the Illinois Supreme Court.

The Rulings’ Impact on Your Business

It is likely that it will take a ruling from the Illinois Supreme Court to provide further clarity on when claims under the Act accrue. In the interim, the Watson decision will obviously impact early BIPA case evaluations. It also, however, raises at least two unrelated issues that will likely be the subject of debate and litigation going forward.

First, Watson was based on the allegations in the complaint, without the benefit of discovery and additional information regarding the operation of the finger/hand scanning device(s) utilized by the Defendants. Key to the decision is the Watson court’s conclusion that every use of the scanning device(s) results in the capture of Plaintiff’s biometric information, and the Court’s description of that capture as resulting in a permanent record. While that statement is likely based on allegations made in the complaint, it is possible, or even probable, that it is not factually accurate. Although variations exist, the scanning technology used in many biometric timekeeping devices creates only a single permanent record — from the very first scan of the individual’s finger or hand. Commonly, the later scans do not collect or store information, but exist only fleetingly as comparisons against the permanent, initial scan data. As a result, the applicability of the Watson decision may vary based on the actual operation of the scanning devices at issue in any single case.

Second, in response to Defendants’ concerns about the “ruinous” monetary damage awards that may result from the ruling in Watson, the Appellate Court went out of its way to note “that damages are discretionary[,] not mandatory” under BIPA. In so holding, the Appellate Court found that Section 20 of BIPA provides a list of possible damages, but notes that list constitutes what a “prevailing party may recover.” 740 ILCS 14/20 (emphasis added). The Appellate Court’s decision to highlight the discretionary nature of an award of monetary damages under BIPA stands in stark contrast to the position often taken by the plaintiffs’ bar. Indeed, the plaintiffs’ bar consistently asserts that the right to recover liquidated damages under BIPA is absolute given the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entm’t Corp. However, the Rosenbach decision merely found that once a plaintiff meets the basic statutory requirement of being “aggrieved,” he or she is merely “entitled to seek recovery” under Section 20. The Watson Court’s emphasis that monetary damages are discretionary under BIPA is likely to open new lines of discovery and argument regarding the calculation of damages, if any, sustained by a particular BIPA plaintiff and whether or not those damages justify the imposition of discretionary liquidated damages set forth in the Act.

Ultimately, every business should perform a critical analysis as to any business practice that potentially concerns biometrics (including employee timekeeping, identification procedures or security protocols). The failure to fully comply with BIPA, even when such a failure results in no actual injury to an individual, may lead to significant liability. Vedder Price attorneys are at the forefront in defending BIPA claims and counseling clients on BIPA-related policy and disclosure language.

© 2022 Vedder Price
