FTC proposes changes to Health Breach Notification Rule
On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’ health information that they must comply with the Rule and notify consumers and others if a consumer’s health data is breached. The Rule also ensures that entities not covered by HIPAA are held accountable in the event of a security breach. The NPRM proposed several changes to the Rule, including modifying the definition of “[personal health records (PHR)] identifiable health information,” clarifying that a “breach of security” would include the unauthorized acquisition of identifiable health information, and specifying that “only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.” The modifications would also authorize the expanded use of email and other electronic methods for providing notice of a breach to consumers and would expand the required content for notices “to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” Comments on the NPRM are due 60 days after publication in the Federal Register.
The same day, the FTC also issued a policy statement warning businesses against making misleading claims about the accuracy or efficacy of biometric technologies like facial recognition. The FTC emphasized that the increased use of consumers’ biometric information and biometric information technologies (including those powered by machine learning) raises significant consumer privacy and data security concerns and increases the potential for bias and discrimination. The FTC stressed that it intends to combat unfair or deceptive acts and practices related to these issues and outlined several factors used to determine potential violations of the FTC Act.
Insurers consider biometric exclusions as privacy cases increase
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.
Office of Science and Technology issues RFI on biometric technology
Earlier this month, the Office of Science and Technology (OSTP) issued a request for information (RFI) on the use of biometric technology. Specifically, the RFI seeks to assist OSTP in understanding “the extent and variety of biometric technologies in past, current, or planned use; the domains in which these technologies are being used; the entities making use of them; current principles, practices, or policies governing their use; and the stakeholders that are, or may be, impacted by their use or regulation.” Citing the evolution and use of biometric data, OSTP requests information from stakeholders on data collection and applications using biometric technologies to verify and identify individuals or draw inferences from an individual’s cognitive and/or emotional state. Comments are due January 15, 2022.
Court approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here) was rejected by the court in August due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” (See InfoBytes coverage here.) The final settlement requires the social media company to pay $650 million in a settlement fund, plus $97.5 million for attorneys’ fees and expenses and $5,000 service awards to each of the three named plaintiffs. The social media company is also required to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used. Face templates for class members who have not had any activity on the social media platform will also be deleted. The court called the settlement a “landmark result,” noting it is one of the largest settlements ever for a privacy violation, and will provide each claimant at least $345.
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for-profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
New York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of the bill include:
- Private entities in possession of biometric identifiers or information will be required to develop a written public policy “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Further, unless a private entity possesses a valid warrant or court subpoena, it must comply with its established retention schedule and destruction guidelines.
- Prior to obtaining a person’s biometric identifier or information, a private entity must inform the subject (or a subject’s legally authorized representative) in writing that the identifier or information is being collected or stored, the specific purpose and length of term for which it is being collected, stored, and used, and must receive a written release from the subject or legally authorized representative.
- Private entities may not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information.
- Private entities may not disclose, redisclose, or otherwise disseminate such information unless (i) the subject provides consent; (ii) “the disclosure or redisclosure completes a financial transaction requested or authorized by the subject” or the subject’s legally authorized representative; or (iii) the information is required by a valid warrant or court subpoena.
- Private entities must take measures to store, transmit, and protect all biometric identifiers and information from disclosure “using the reasonable standard of care within the private entity’s industry” and “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
- The bill provides a private right of action for any person aggrieved by the bill’s provisions, including damages of $5,000 or actual damages (whichever is greater), reasonable attorneys’ fees and costs, and other relief including injunctive relief as deemed appropriate.
Notably, the New York Biometric Privacy Act is a close parallel to the Illinois Biometric Information Privacy Act, which was enacted in 2008.
Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data
In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.
The Plaintiffs alleged that the Company failed to both (i) obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, or (ii) make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend to “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.
In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:
- “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
- “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.”
Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.” The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”
On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.