
InfoBytes Blog

Financial Services Law Insights and Observations


  • Khan outlines FTC’s plans to enforce privacy, data security

    Privacy, Cyber Risk & Data Security

    On April 11, FTC Chair Lina Khan spoke at the Opening General Session of the IAPP Global Privacy Summit 2022, focusing on the Commission’s approach to privacy and data security enforcement strategy. In her remarks, Khan offered observations on “the new political economy” of how American consumers’ data is “tracked, gathered, and used,” and identified how the Commission is adjusting to address these “new market realities.” She also raised broad questions about the current framework for policing “the use and abuse of individuals’ data.” Khan observed that digital technology now allows firms to collect vast amounts of data on a “hyper-granular level,” tracking individuals as they carry out daily tasks. The information collected includes precise personal location, web browsing history, health records, and a complete picture of one’s social network of family and friends. This data, analyzed and aggregated at a huge scale, yields “stunningly detailed and comprehensive user profiles that can be used to target individuals with striking precision.” She acknowledged that this data can be put toward adding value for consumers, but that consumers are often unaware that companies are monetizing their personal data at huge profits, leading to business models that “incentivize endless tracking and vacuuming up of users’ data.” These incentives have rendered today’s digital economy, quoting a scholar, “probably the most highly surveilled environment in the history of humanity.”

    Khan also outlined three key aspects of the FTC’s approach to addressing the above risks to consumers:

    • The FTC will focus on “dominant firms” causing “widespread harm.” This includes addressing conduct by the dominant firms themselves as well as “dominant middlemen” facilitating the conduct through unlawful data practices.
    • The FTC is taking an interdisciplinary approach by “assessing data practices through both a consumer protection and competition lens” because widescale commercial surveillance and data collection practices have the potential to violate both consumer protection and antitrust laws. The FTC will also increase reliance on technologists such as data scientists, engineers, user design experts, and AI researchers to augment the skills of their lawyers, economists, and investigators.
    • The FTC will focus on designing effective remedies “informed by the business strategies that specific markets favor and reward” and that are responsive to the new value that companies place on collected data. Such remedies may include bans from surveillance industries for companies and individuals, disgorgement, requiring updated security measures such as dual-factor authentication, and requiring the deletion of illegally collected data and any algorithms derived from the same.

    Khan further indicated that the FTC is considering initiating rulemaking to address commercial surveillance practices and inadequate data security. She concluded by suggesting a paradigmatic shift away from the current framework used to assess unlawful data gathering. Specifically, she stated that “market realities may render the ‘notice and consent’ paradigm outdated and insufficient” – noting that users find privacy policies overwhelming and have no real alternatives to accepting their terms given the increasingly critical reliance on digital tools to navigate daily life. Khan called for new legislation to address these concerns, saying, “[W]e should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place. The central role that digital tools will only continue to play invites us to consider whether we want to live in a society where firms can condition access to critical technologies and opportunities on users surrendering to commercial surveillance.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC Data Collection / Aggregation Consumer Protection

  • District Court approves $90 million settlement in data tracking suit

    Courts

    On March 31, the U.S. District Court for the Northern District of California granted final approval to a $90 million class action settlement resolving claims that a social media platform unlawfully tracked consumers’ browsing data. According to the settlement agreement, the defendant obtained and collected data from approximately 124 million platform users in the U.S. who visited websites that displayed the defendant’s “Like” button between April 22, 2010 and September 26, 2011. According to the settlement, in addition to paying a $90 million settlement, the company must delete the data it had collected from users during the class period.

    Courts Privacy/Cyber Risk & Data Security Class Action California Settlement

  • Arizona amends data breach notification requirements

    Privacy, Cyber Risk & Data Security

    On March 29, the Arizona governor signed HB 2146, amending the Arizona Revised Statutes’ security breach notification requirements. Specifically, if a person conducting business in the state that “owns, maintains or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident” involving more than 1,000 individuals, the person is required to notify the three largest national consumer reporting agencies, the state attorney general, and the director of the Arizona Department of Homeland Security within 45 days. The bill also makes various technical corrections and will take effect 90 days after the legislature adjourns.

    Privacy/Cyber Risk & Data Security State Legislation State Issues Arizona Data Breach

  • District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed

    Privacy, Cyber Risk & Data Security

    On March 30, the U.S. District Court for the Northern District of Illinois denied a global tech company’s bid to dismiss class action Illinois Biometric Information Privacy Act (BIPA) claims. Plaintiffs (Illinois residents) sued the company alleging it violated BIPA by applying image recognition technology to photos uploaded to subscribers’ accounts without receiving informed written consent. Plaintiffs also claimed the company failed to establish a file retention schedule and deletion guidelines as required by state law. The company argued that the terms of use agreed to by the subscribers contain a choice-of-law provision stating that the laws of Washington State govern the conditions of use and any disputes. The court disagreed, stating that Washington’s biometric protection statute does not provide for a private cause of action and is therefore contrary to Illinois’ fundamental public policy. “The fact that BIPA creates a private cause of action underscores the importance Illinois places on an individual’s right to control their biometric information,” the court said. “Applying Washington law would rob plaintiffs of control over their individual biometric information, instead leaving it to Washington’s attorney general to bring suit.” The court also held that Illinois has a greater material interest in the dispute than Washington. The court allowed the plaintiffs’ claims regarding consent to proceed in federal court but remanded the other claims to the Cook County Circuit Court.

    Privacy/Cyber Risk & Data Security Courts State Issues Washington Illinois BIPA

  • EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” 

    According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.

    The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”

    Privacy/Cyber Risk & Data Security Consumer Protection EU EU-US Privacy Shield GDPR Of Interest to Non-US Persons

  • Social networking apps settle minors' data claims for $1.1 million

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally identifiable information and/or viewing data of children under the age of 13,’ ‘without parental consent’” in violation of federal and California privacy law. Specifically, plaintiffs asserted violations of the Video Privacy Protection Act (VPPA), the California constitutional right to privacy, the California Consumers Legal Remedies Act (CLRA), and the Illinois Consumer Fraud and Deceptive Businesses Practices Act. Defendants countered that plaintiffs’ state-law claims were preempted by the Children’s Online Privacy Protection Act, and that, furthermore, the “alleged conduct is not within the scope of VPPA or the cited state consumer protection laws” and “does not amount to a common law invasion of privacy or a violation of Plaintiffs’ rights under the California Constitution.” Moreover, defendants argued that plaintiffs could not recover actual damages. According to plaintiffs’ supplemental motion for final approval, following months-long negotiations, the parties agreed to settle the action on a class-wide basis.

    The settlement requires defendants to pay $1.1 million into a non-reversionary settlement fund, to be disbursed pro rata to class members (anyone in the U.S. who, prior to the settlement’s effective date and while under the age of 13, registered for or used the apps) who submit a valid claim, after the payment of settlement administration expenses, taxes, fees, and service awards. The court’s order, however, declined to award an objector’s counsel any attorneys’ fees for his efforts to negotiate modified relief because the agreement was negotiated in a separate proceeding in related multidistrict litigation. The court also denied plaintiffs’ motion for sanctions against the objector’s law firm.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action State Issues Illinois California COPPA

  • Insurers obligated to indemnify retailer’s payment card claims following data breach

    Privacy, Cyber Risk & Data Security

    On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. 
    Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Indemnification Insurance

  • Utah becomes fourth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

  • Biden urges private-sector businesses to strengthen cyber defenses

    Federal Issues

    On March 21, President Biden issued a fact sheet warning private-sector businesses of potential retaliatory Russian cyberattacks. Biden reiterated previous “warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks” against the U.S. in “response to the unprecedented economic costs [] imposed on Russia alongside our allies and partners.” The fact sheet urges companies to execute specific measures to strengthen their cyber defenses such as (i) mandating multi-factor authentication to make it harder for attackers to access systems; (ii) deploying modern security tools on computers and devices to continuously look for and mitigate threats; (iii) patching and protecting systems against known vulnerabilities and changing passwords so previously stolen credentials cannot be used by malicious actors; (iv) backing up and encrypting data so it cannot be used if stolen; (v) educating employees on common tactics used by attackers and encouraging the reporting of “unusual behavior”; and (vi) engaging proactively with the FBI or the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “to establish relationships in advance of any cyber incidents” (see CISA’s “Shields Up” guidance here). “I urge our private-sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” Biden stated. “You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”

    Federal Issues Privacy/Cyber Risk & Data Security Biden Russia Ukraine Ukraine Invasion

  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures
