
InfoBytes Blog

Financial Services Law Insights and Observations


  • U.S., UK enter agreement in principle on data flow

    Privacy, Cyber Risk & Data Security

    On June 8, President Biden presented an agreement in principle to allow for the free flow of data between the U.S. and the UK. Announced as part of the administration’s “Atlantic Declaration for a Twenty-First Century U.S.-UK Economic Partnership,” the “data bridge” would facilitate data flows between the two countries while ensuring strong, effective privacy protections. “The trusted and secure flow of data across our borders is foundational to efforts to further innovation,” the White House said in the announcement. “We are working to finalize our respective assessments swiftly to implement this framework.” A joint statement issued by the UK Secretary of State for Science, Innovation, and Technology, the Rt. Hon. Chloe Smith MP, and U.S. Secretary of Commerce Gina M. Raimondo reiterated the two countries’ commitment to establishing “a data bridge that would restore a robust and reliable mechanism for UK-US data flows.” The data bridge would also help facilitate data transfers to U.S. organizations that rely on other data transfer mechanisms under UK law, the joint statement said.

    Meanwhile, the U.S. and the EU are working to finalize the EU-US Data Privacy Framework (covered by InfoBytes here)—a replacement for the EU-U.S. Privacy Shield, which was annulled by the Court of Justice of the EU in 2020 after the court determined that data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU UK Biden GDPR EU-US Data Privacy Framework

  • Florida enacts privacy legislation; requirements focus on digital industry

    Privacy, Cyber Risk & Data Security

    On June 6, the Florida governor approved SB 262 to create the Florida Digital Bill of Rights (FDBR) and establish a framework for controlling and processing consumer personal data in the state, applicable only to companies that meet certain criteria and bring in global gross annual revenues of more than $1 billion. Specifically, the FDBR applies to “controllers,” or any person that conducts business in Florida, collects personal data about consumers (or is an entity on behalf of which this information is collected), determines the purposes and means of processing consumers’ personal data (alone or jointly with other entities), meets the revenue minimum, and satisfies at least one of the following criteria: (i) derives at least 50 percent of global gross revenue from the sale of online advertisements (including targeted advertising); (ii) operates a consumer smart speaker and voice command component service; or (iii) operates an app store or a digital distribution platform offering a minimum of 250,000 unique software applications available for download. The FDBR outlines exemptions, including exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as certain covered entities governed by the Health Insurance Portability and Accountability Act.

    • Consumer rights. Under the FDBR, Florida consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and to access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The FDBR also adds biometric data and geolocation information to the definition of personal information.
    • Controllers’ responsibilities. Data controllers under the FDBR will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) securing personal data and implementing appropriate data security protection practices; (v) not processing data in violation of state or federal anti-discrimination laws; (vi) obtaining consumer consent in order to process sensitive data (consent may be revoked at any time); (vii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (viii) providing clear privacy notices. The FDBR also sets forth obligations relating to contracts between a controller and a processor.
    • No private cause of action but enforcement by the Florida Department of Legal Affairs. The FDBR explicitly prohibits a private cause of action. Instead, it grants the department exclusive authority to bring actions under the Florida Deceptive and Unfair Trade Practices Act and seek penalties of up to $50,000 per violation, which may be tripled for any violation involving a child under the age of 18 for which the online platform has actual knowledge. The department is also granted authority to adopt rules to implement the FDBR.
    • Right to cure. Upon discovering a potential violation of the FDBR, the department must give the controller written notice. The controller then has 45 days to cure the alleged violation before the department can file suit.

    Minor children are also afforded specific protections under the FDBR, including prohibiting online platforms that provide services or features to children from processing children’s personal information or from collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature. Additionally, the FDBR includes provisions addressing political ideology and government-led censorship.

    The FDBR takes effect July 1, 2024.

    Florida now joins nine other states in enacting comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana.

    State Issues State Legislation Consumer Protection Florida Privacy, Cyber Risk & Data Security

  • Florida tightens restrictions on phone and text solicitations

    State Issues

    On May 25, the Florida governor signed HB 761 (the “Act”) to clarify notice requirements relating to telephone and text message solicitations and to outline conditions under which certain civil actions may be brought. Specifically, the amendments provide that “unsolicited” telephone sales calls involving an automated system used to select and dial numbers or one that plays a recorded message cannot be made without the prior express written consent of the called party. Consent may now be obtained by a consumer “checking a box indicating consent or responding affirmatively to receiving text messages, to an advertising campaign, or to an e-mail solicitation.”

    The Act also clarifies that before the commencement of a civil action for damages for text message solicitations, the called party must reply “STOP” to the number that sent the message. The called party may bring an action only if consent is not given and the telephone solicitor continues to send text messages 15 days after being told to cease. The new requirements apply to any suit filed on or after the Act’s immediate effective date, as well as to any putative class action not certified on or before the effective date of the Act. The Act became effective immediately.

    State Issues Privacy, Cyber Risk & Data Security Florida Consumer Protection State Legislation Text Messages

  • NYDFS circulates advisory on file transfers

    Privacy, Cyber Risk & Data Security

    On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability in the web application of a managed file transfer software product may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risk assessments covering their organizations, customers, consumers, and third-party service providers in order to mitigate the risk. Regulated entities were also reminded of the requirement to report cybersecurity events as promptly as possible and no later than 72 hours after discovery, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” is considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).

    Privacy, Cyber Risk & Data Security State Issues State Regulators NYDFS Department of Homeland Security 23 NYCRR Part 500 Consumer Protection Act

  • FTC, DOJ sue e-commerce company over child data

    Federal Issues

    On May 31, the DOJ filed a complaint on behalf of the FTC against a global e-commerce tech company for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) in connection with its smart voice assistant’s data collection and retention practices. While the company repeatedly assured users that they could delete collected voice recordings and geolocation information, the complaint alleged that the company held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. The complaint also contended that, for a significant period of time, the company continued to retain transcripts of recordings even after the voice recordings themselves were deleted. According to the complaint, the company failed to provide complete, truthful notice to parents about its deletion practices and lacked an effective system to ensure users’ data deletion requests were honored.

    The proposed court order would require the company to pay a $25 million civil money penalty and would prohibit the company from using geolocation and voice to create or improve any of its data products after a deletion request. The company would also be required to (i) delete any inactive smart voice assistant children’s accounts; (ii) notify users about its data retention and deletion practices and controls; and (iii) implement a privacy program specific to its use of users’ geolocation information, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Enforcement COPPA Consumer Protection

  • New York reaches settlement with medical management company over patient data

    Privacy, Cyber Risk & Data Security

    On May 23, the New York attorney general announced a settlement with a medical management company for allegedly failing to protect the personal and health data of over 428,000 New Yorkers in a 2020 ransomware cyberattack that affected roughly 1.2 million consumers nationwide. According to the AG’s investigation, the company implemented a new version of its software in January 2019 but allegedly failed to conduct a series of security tests and scans that could have identified security problems. Further, the private information maintained by the company was not encrypted. Notably, information for 13 consumers was apparently discovered on the dark web days after the hack. The investigation identified 28 areas in which the company allegedly failed to maintain reasonable data security practices to protect patients’ private and health information, including failing to maintain appropriate patch management processes, to conduct regular security testing of its systems, and to encrypt the personal information on its servers. Under the terms of the assurance of discontinuance, the company, while neither admitting nor denying the allegations, agreed to pay $550,000 in penalties, and will improve its data security practices and offer affected customers free credit monitoring services.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York

  • Texas amends breach notification requirements

    Privacy, Cyber Risk & Data Security

    On May 27, the Texas governor signed SB 768 to amend the state’s data breach notification statutes. The Act requires entities to notify the attorney general “as soon as practicable” and not later than 30 days after the date a computerized security system breach occurs involving at least 250 Texas residents. The Act also specifies that notification must be submitted electronically using a form accessible through the attorney general’s website. No substantive changes were made to the information required within the form. The Act is effective September 1.

    Privacy, Cyber Risk & Data Security State Issues Texas Data Breach State Attorney General Consumer Protection

  • FTC says COPPA does not preempt state privacy claims

    Courts

    The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.

    As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”

    In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.

    Courts State Issues Privacy, Cyber Risk & Data Security FTC Appellate Ninth Circuit COPPA Class Action Preemption

  • District Court approves $4.3 million data breach settlement

    Courts

    Earlier this month, the International Organization of Securities Commissions (IOSCO) released draft policy recommendations to support greater regulatory and oversight consistency within the crypto and digital assets markets. According to the global securities watchdog, regulators must strive for consistency in their oversight of crypto-asset activities given the cross-border nature of these markets and the varying approaches taken by individual jurisdictions. Seeking to optimize consistency in the way crypto-asset and securities markets are regulated, the IOSCO advised regulators to enhance cooperation efforts and attempt “to achieve regulatory outcomes for investor protection and market integrity that are the same as, or consistent with, those required in traditional financial markets in order to facilitate a level-playing field between crypto-assets and traditional financial markets and help reduce the risk of regulatory arbitrage.” Encouraging regulators to engage in rulemaking and information sharing, the IOSCO presented a comprehensive strategy for harmonizing the oversight of crypto companies, including standards on conflicts of interest and governance, fraud and market abuse, cross-border cooperation, custody of client monies and assets, and operational and technological risks. The IOSCO also suggested measures for reducing money laundering risks, explaining that crypto assets may be more appealing to criminals who want to avoid traditional financial system oversight. The IOSCO noted that its goal is to finalize its policy recommendations in early Q4 2023. Comments will be received through July 31.

    Courts Privacy, Cyber Risk & Data Security Class Action Settlement Data Breach

  • Montana becomes the ninth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:

    • Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
    • Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, once for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and providing a mechanism for revoking consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that such contracts do not waive or limit consumer data rights.
    • No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law.
    • Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.

    The CDPA takes effect October 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Montana Consumer Protection
