
InfoBytes Blog

Financial Services Law Insights and Observations


  • CPPA continues efforts towards California Privacy Rights Act

    State Issues

    The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).

    Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More extensive comment and feedback are expected on these draft regulations than on the regulations finalized in March, which were presented in a more fully developed state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, which puts a ticking clock on the finalization process for these draft regulations.

    The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must be completed “using a qualified, objective, independent professional” and following “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying that the business has not influenced the audit, has reviewed the audit, and understands its findings.

    The draft risk assessment regulations require a business to conduct a risk assessment before initiating any processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list that includes selling or sharing personal information; processing the personal information of consumers under age 16; and using certain automated decision-making technology, including AI.

    State Issues Privacy California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • 7th Circuit affirms dismissal of proposed Driver’s Privacy Protection Act class action

    Privacy, Cyber Risk & Data Security

    On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that the defendant insurance companies leaked the plaintiffs’ driver’s license numbers, holding that the plaintiffs lacked standing to sue. In a split decision, the majority held that the plaintiffs failed to establish standing to sue under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on the defendants’ website. The majority found that the plaintiffs failed to allege a concrete injury, writing that worry about future identity theft stemming from the disclosure is insufficient for standing, and pointing to the many legitimate reasons why driver’s license numbers are routinely shared with third parties. The majority further held that the plaintiffs failed to allege that false unemployment benefit applications submitted in their names were traceable to the disclosure of their driver’s license numbers, which doomed their standing argument. In dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that the plaintiffs’ allegations were insufficient, reasoning that the DPPA contemplates a private right of action for the types of harms the plaintiffs suffered and that the plaintiffs adequately alleged harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.

    Privacy, Cyber Risk & Data Security Courts Consumer Protection Seventh Circuit Class Action

  • District court declines to reconsider BIPA accrual ruling

    Courts

    On August 14, an Illinois District Court denied in part and granted in part a tech company’s motion to dismiss a class action alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). The complaint alleged that the tech giant failed to safeguard the facial data in its photo service as closely as it protected other types of data and violated its own policy governing the storage of biometric identifiers. BIPA requires companies to store, transmit, and protect biometric data using the reasonable standard of care within the company’s industry and to protect that data in a manner that is the same as or more protective than the manner in which the company protects other confidential and sensitive information.

    In permitting the complaint to move forward, the court noted that the defendant’s internal documents allegedly show that it made minimal investment in its photo service and made no attempt to identify flaws in the system. Further, the court referred to allegations in the complaint that the defendant devotes fewer resources and staffing to protecting the photo service. The court noted that the allegations were sufficient because the lack of protocols made consumers’ critical metadata “vulnerable to attacks.”

    In granting the motion as to the alleged violation of the defendant’s own policies, the court noted that the plaintiffs did not show they were personally injured by the alleged violation. The defendant’s policy requires it to delete face data for accounts that have been abandoned for two years, for which image recognition was disabled, or where the user deleted their photo account. The court concluded, however, that the complaint did not allege that the plaintiffs took any of these actions.

    Courts Privacy, Cyber Risk & Data Security BIPA Biometric Data Illinois Consumer Protection

  • USDA urges Supreme Court to overturn FCRA 3rd Circuit ruling

    Courts

    On August 15, the USDA filed a brief urging the U.S. Supreme Court to overturn a U.S. Court of Appeals for the Third Circuit decision that revived an FCRA lawsuit brought by a plaintiff who alleged that a consumer credit reporting agency reported two of his loans as past due even though he claimed both had been closed with a $0 balance. In August 2022, the 3rd Circuit reversed a district court’s decision granting the motion to dismiss filed by the defendants (a student loan servicer, a consumer credit reporting agency, and the USDA), finding that Congress unambiguously waived the government’s sovereign immunity in enacting the FCRA (covered by InfoBytes here). The USDA argues that the 3rd Circuit was wrong, and that the FCRA does not waive the U.S.’s sovereign immunity for claims under 15 U.S.C. 1681n and 1681o because, among other things, (i) a waiver of sovereign immunity requires “unmistakably clear” statutory language; (ii) the FCRA does not create a cause of action that “‘expressly authorizes suits against sovereigns,’” such that “‘recognizing immunity’ would ‘negate[]’ that express authorization”; (iii) the FCRA uses “persons” in a way that does not distinguish between sovereign and non-sovereign senses; (iv) reading the term “person” in §§ 1681n and 1681o to include a sovereign entity would produce “inexplicable incongruencies” and would expose not only the federal government but also individual states to potential lawsuits seeking monetary damages; and (v) interpreting the FCRA to permit lawsuits against the U.S. would significantly broaden the scope of liability for federal agencies, creating “overlap” with remedies already provided by the Privacy Act.

    Courts FCRA Third Circuit Consumer Reporting Agency Consumer Finance Credit Furnishing Credit Report Sovereign Immunity Department of Agriculture U.S. Supreme Court

  • Dubai to facilitate personal data transfers with California-based entities

    Privacy, Cyber Risk & Data Security

    On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.” 

    Privacy, Cyber Risk & Data Security State Issues CCPA UAE DIFC California

  • Tech giant denied summary judgment in private browsing lawsuit

    Courts

    On August 7, the U.S. District Court for the Northern District of California entered an order denying a multinational technology company’s motion for summary judgment on claims that the company invaded consumers’ privacy by tracking their browsing activity while they used the company’s private browsing mode. After reviewing the company’s general terms of service, privacy policy, and related notices and disclosures, the court found that the company never explicitly told users that it would collect their data while they browsed in private mode. Without evidence that the company explicitly disclosed this practice, the court concluded that it could not “find as a matter of law that users explicitly consented to the at-issue data collection,” and therefore could not grant the company’s motion for summary judgment.

    Plaintiffs, who are account holders (Class 1 for Incognito users and Class 2 for users of other browsers’ private browsing modes), brought a class action against the company for the “surreptitious interception and collection of personal and sensitive user data” while the users were in a “private browsing mode.” Along with invasion of privacy, intrusion upon seclusion, and breach of contract, plaintiffs asserted violations of (i) the federal Wiretap Act; (ii) the California Invasion of Privacy Act; (iii) the California Comprehensive Computer Data Access and Fraud Act; and (iv) California’s Unfair Competition Law.

    The court previously denied the defendant’s two motions to dismiss. 

    Courts Privacy, Cyber Risk & Data Security Consumer Protection CIPA Wiretap Act California Data Collection / Aggregation

  • California Privacy Protection Agency announces its first inquiry

    Privacy, Cyber Risk & Data Security

    On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. CPPA Executive Director Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain location-tracking and other data-collection technology that has raised privacy concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.

    Privacy, Cyber Risk & Data Security State Issues State Regulators California CCPA CPPA Enforcement

  • FCC fines companies $20M for insufficient consumer data security measures

    Federal Issues

    On July 28, the FCC announced a proposed fine of $20 million against two affiliated mobile carriers for alleged violations of FCC rules. The Commission alleged that the companies failed to protect the privacy and security of subscribers’ personal data by violating three provisions of section 64.2010 of the FCC’s rules, which require carriers to properly authenticate a customer’s identity before providing online access to the customer’s proprietary network information. The alleged violations included relying on readily available information to authenticate customers seeking access to that network information and failing to establish “reasonable” data security standards. FCC Chairwoman Jessica Rosenworcel cited such failures to protect consumers’ privacy as underscoring the importance of the FCC’s newly established Privacy and Data Protection Task Force (covered by InfoBytes here). The proposed sanctions are not final, and the companies will have an opportunity to respond.

    Federal Issues Privacy, Cyber Risk & Data Security FCC Enforcement Consumer Protection

  • FTC, HHS say tracking technology may impermissibly disclose personal health data

    Privacy, Cyber Risk & Data Security

    On July 20, the FTC and the U.S. Department of Health and Human Services Office for Civil Rights issued a joint letter cautioning hospitals and telehealth providers about the risks of using online tracking technologies on their websites and apps that may impermissibly disclose consumers’ personal health data to third parties. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said “when consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.” According to the letter, recent research has highlighted concerns about the use of tracking technology to collect users’ online activities and sensitive data, including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. The FTC warned that impermissible disclosures of personal health data can result in identity theft, financial loss, discrimination, and other harms. The letter included a reminder that, under the FTC Act and the FTC Health Breach Notification Rule, hospitals and telehealth providers remain obligated to protect against impermissible disclosures of personal health information even if they are not covered by HIPAA.

    Privacy, Cyber Risk & Data Security Federal Issues FTC FTC Act Consumer Protection Health Breach Notification Rule Department of Health and Human Services

  • E-commerce company fined $25 million for alleged COPPA violations

    Federal Issues

    On July 19, the DOJ and FTC announced that a global e-commerce tech company has agreed to pay a penalty for alleged privacy violations related to its smart voice assistant’s data collection and retention practices. The agencies sued the company at the end of May for violating the Children’s Online Privacy Protection Act Rule and the FTC Act, alleging it repeatedly assured users that they could delete collected voice recordings and geolocation information but actually held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. (Covered by InfoBytes here.)

    The stipulated order requires the company to pay a $25 million civil money penalty. The order also imposes injunctive relief requiring the company to (i) identify and delete any inactive smart voice assistant children’s accounts unless a parent requests that they be retained; (ii) notify parents whose children have accounts about updates made to its data retention and deletion practices and controls; (iii) cease making misrepresentations about its “retention, access to or deletion of geolocation information or voice information, including children’s voice information” and delete this information upon request of the user or parent; and (iv) disclose its geolocation and voice information retention and deletion practices to consumers. The company must also implement a comprehensive privacy program specific to its use of users’ geolocation information.

    Federal Issues Privacy, Cyber Risk & Data Security DOJ FTC Enforcement COPPA FTC Act Consumer Protection
