InfoBytes Blog

Financial Services Law Insights and Observations


  • Illinois Supreme Court rules Workers’ Compensation Act does not bar BIPA privacy claims

    Privacy, Cyber Risk & Data Security

    On February 3, the Illinois Supreme Court unanimously ruled that the Illinois Workers’ Compensation Act (Compensation Act) does not bar claims for statutory damages under the state’s Biometric Information Privacy Act (BIPA). According to the opinion, the plaintiff sued the defendant and several other long-term care facilities in 2017 for violations of BIPA, alleging their timekeeping systems scanned her fingerprints without first notifying her and seeking her consent. The defendant countered that the Compensation Act preempted the plaintiff’s claims, but in 2020 the Illinois Appellate Court, First District, held that it failed to see how the plaintiff’s claim for liquidated damages under BIPA “fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.” As such, the appellate panel concluded that the Compensation Act’s exclusivity provisions “do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.”

    In affirming the appellate panel’s decision, the Illinois Supreme Court agreed that the “personal and societal injuries caused by violating [BIPA’s] prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act. [BIPA] involves prophylactic measures to prevent compromise of an individual’s biometrics.” Additionally, the Illinois Supreme Court held that the plain language of BIPA supports a conclusion that the state legislature did not intend for it to be preempted by the Compensation Act’s exclusivity provisions. Noting that it is aware of the consequences the legislature intended as a result of BIPA violations, the Illinois Supreme Court wrote that the “General Assembly has tried to head off such problems before they occur by imposing safeguards to ensure that the individuals’ privacy rights in their biometric identifiers and biometric information are properly protected before they can be compromised and by subjecting private entities who fail to follow the statute’s requirements to substantial potential liability . . . whether or not actual damages, beyond violation of the law’s provisions, can be shown.” Moreover, if a “different balance should be struck under [BIPA] given the category of injury,” that is “a question more appropriately addressed to the legislature.”

    Tags: Privacy/Cyber Risk & Data Security, Courts, State Issues, Illinois, BIPA, Appellate

  • Colorado releases guidance on data privacy and security in advance of CPA implementation

    Privacy, Cyber Risk & Data Security

    On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The Colorado AG has enforcement authority for the CPA, which does not have a private right of action. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024.

    AG Phil Weiser stated that, by this fall, his office will post a formal Notice of Proposed Rulemaking, including a proposed set of model rules, with the goal of adopting a final rule roughly a year from now. AG Weiser also outlined best practices that will be weighed in determining whether a company is acting reasonably to safeguard sensitive information. Notably, the AG’s office will first evaluate whether a company has identified the types of data it collects and established a system for storing and managing that data (including disposal procedures). Considerations will then be made as to whether the company has a written information security policy and a written data incident response plan. The AG’s office will also examine a company’s practices for monitoring vendors’ data security measures. AG Weiser also referenced the recently released Data Security Best Practices guidance, which outlines key steps companies should take to protect consumer data, including ways to adopt information security and incident response policies, train employees on mitigating and responding to cybersecurity attacks, and notify appropriate parties in the event of a data breach, among other topics.

    Tags: Privacy/Cyber Risk & Data Security, State Issues, Colorado, State Attorney General

  • French Council of State confirms €100 million fine against tech company

    Privacy, Cyber Risk & Data Security

    On January 28, the French Council of State confirmed the jurisdiction of the French data protection agency, the Commission Nationale de l’Informatique et des Libertés (CNIL), to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing cookies. The judgment follows an appeal by the companies against a 100 million euro fine imposed by CNIL in December 2020 for failure to obtain users’ consent and provide adequate information before depositing advertising cookies on users’ computers. The 2020 decision cited three violations of Article 82 of the French Data Protection Act (the Act). In confirming the 2020 decision, the Council of State recognized that it is within CNIL’s jurisdiction “to issue sanctions regarding cookies outside the ‘one-stop-shop’ mechanism provided for in the GDPR and therefore confirmed the sanction imposed by the CNIL on the companies[.]” Specifically, the Council of State concluded that the GDPR’s “one-stop-shop” mechanism does not apply to the deposit of cookies, which is covered by the Act. Additionally, because the cookies in question are implemented in the context of the companies’ activities in France, the Council of State determined CNIL had jurisdiction pursuant to the Act and consequently did not have to forward the case to the Irish Data Protection Authority (the lead supervisory authority for these companies under the GDPR). Moreover, the Council of State held that the fines imposed by CNIL were “not disproportionate in view of the seriousness [of] the violations, the scope of the processing and the financial capabilities of the companies.”

    Tags: Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, Enforcement, France

  • California investigating loyalty programs for CCPA compliance

    Privacy, Cyber Risk & Data Security

    On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal information, including loyalty programs, to provide consumers with a notice that clearly describes the material terms of the financial incentive program before consumers opt-in. (See InfoBytes coverage of the CCPA here.) Notices of noncompliance were sent to several businesses whose loyalty programs allegedly violated the CCPA, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Businesses have 30 days to cure or fix the alleged violation and come into compliance with the law before the initiation of an enforcement action. “I urge all businesses in California to take note and be transparent about how you’re using your customer’s data,” Attorney General Rob Bonta stated in the announcement. “My office continues to fight to protect consumer privacy, and we will enforce the law.”

    Tags: Privacy/Cyber Risk & Data Security, State Issues, State Attorney General, California, CCPA

  • District Court grants motion to dismiss in CIPA class action

    Privacy, Cyber Risk & Data Security

    On January 25, the U.S. District Court for the Northern District of California granted a motion to dismiss a class action suit, in which plaintiffs alleged that the defendant continued to monitor mobile users’ browsing history even after being asked to cease and desist. In their third amended complaint, the plaintiffs alleged that the defendant violated the California Invasion of Privacy Act (CIPA) because, among other things, although “developers and consumers consented to [the defendant] uploading data to its servers for the developers’ use, … [the defendant] also retained a copy for its own use.” The defendant argued that the plaintiffs’ “conclusory statement that communications are intercepted is not enough to make out a § 631 claim [of the CIPA].”

    The CIPA claims against the defendant were previously dismissed because they “failed to aver simultaneous interception.” The plaintiffs also attempted to revitalize their breach of contract claim by arguing it was a unilateral contract, but the district court noted that “[u]nder this theory, a contract was created by [the defendant’s] provision of a button to adjust privacy settings, text describing what the button supposedly did, and [the plaintiffs’] clicking of that button.” The district court further noted that it is not enough to create a unilateral contract, and that “[the defendant] was not asking [the plaintiffs’] to click the button, let alone bargain for such performance, and [the plaintiffs’] could not have reasonably expected they were entering into a contract simply by adjusting their account settings.”

    Tags: Privacy/Cyber Risk & Data Security, Courts, Class Action, CIPA

  • District Court finalizes BIPA class action settlement

    Privacy, Cyber Risk & Data Security

    On January 24, the U.S. District Court for the Northern District of Illinois granted final approval to a nearly $877,000 class action settlement to resolve allegations that a food manufacturer’s fingerprint-based timekeeping system violated Illinois’ Biometric Information Privacy Act (BIPA). Class members (both direct employees and temporary staffing workers who worked for the defendant between June 2015 and the date of preliminary approval) alleged that the defendant (i) collected biometric fingerprint identifiers and information without receiving informed written consent from employees; (ii) processed these identifiers and information “without establishing and following a publicly available data retention schedule and destruction policy”; and (iii) disclosed the employees’ identifiers and information to its timekeeping vendor without consent. The defendant contended that since 2020 it has maintained BIPA consents and compliance policies, and “does not retain any finger scan data for separated Illinois employees.” While denying all liability and wrongdoing, the defendant has agreed to pay $876,750 to cover class member payments, attorney fees and costs, settlement administrator costs, and the class representative’s service award.

    Tags: Privacy/Cyber Risk & Data Security, BIPA, Class Action, State Issues, Courts, Settlement, Illinois

  • SBA rolls out small business cybersecurity pilot program

    Privacy, Cyber Risk & Data Security

    On January 21, the SBA announced $3 million in funding for the agency’s Cybersecurity for Small Business Pilot Program. The funding is intended to help state governments assist emerging small businesses develop their cybersecurity infrastructures to combat increasing and evolving threats. Applications will be accepted from January 26 through March 3. “Throughout the COVID-19 pandemic, small businesses have adopted technology at high rates to survive, operate, and grow their businesses. As a result, cybersecurity has become increasingly important as now, more than ever before, small business owners face cyber risks and challenges that could disrupt their operations and competitive advantages. As we seek to build a stronger and more inclusive entrepreneurial ecosystem, we must innovate and provide resources to meet the evolving needs of the growing number of small businesses. With this new funding opportunity, the SBA intends on leveraging the strengths across our state governments, territories, and tribal governments to provide services to help small businesses get cyber ready and, in the process, fortify our nation’s supply chains,” SBA Administrator Isabella Casillas Guzman said in the announcement.

    Tags: Privacy/Cyber Risk & Data Security, SBA, Small Business, Covid-19

  • FCC proposes new reporting on telecom data breaches

    Federal Issues

    On January 12, the FCC announced that it had circulated among FCC staff a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors,” and “further advances the FCC’s efforts to ensure its rules keep pace with evolving cybersecurity threats and to protect consumers in the face of today’s challenges.” The NPRM outlines certain updates to current FCC rules that address telecommunications carriers’ breach notification requirements, including: (i) “[e]liminating the current seven business day mandatory waiting period for notifying customers of a breach”; (ii) “[e]xpanding customer protections by requiring notification of inadvertent breaches”; and (iii) “[r]equiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.” The NPRM solicits feedback regarding whether the FCC should require customer breach notices to include specific categories of information “to help ensure they contain actionable information useful to the consumer.” According to FCC Chairwoman Jessica Rosenworcel, current laws “need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”

    Tags: Federal Issues, Privacy/Cyber Risk & Data Security, FCC, Data Breach, Agency Rule-Making & Guidance

  • French data protection agency issues privacy fines over cookies

    Privacy, Cyber Risk & Data Security

    On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 million and $68 million USD, respectively) for failure to comply with the French Data Protection Act in connection with the companies’ process for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option allowing users to refuse the cookies as easily, with a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply carries the risk of an additional fine of 100,000 euros per day of delay.

    Tags: Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, Consumer Protection, France, Enforcement

  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.

    Tags: Privacy/Cyber Risk & Data Security, Courts, New York, State Issues, Consumer Protection
