
InfoBytes Blog

Financial Services Law Insights and Observations


  • EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” 

    According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.

    The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”

    Privacy/Cyber Risk & Data Security Consumer Protection EU EU-US Privacy Shield GDPR Of Interest to Non-US Persons

  • Utah becomes fourth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

  • CFPB releases compliance guidance on online consumer reviews

    Federal Issues

    On March 22, the CFPB released a compliance bulletin regarding potentially illegal practices related to consumer reviews. The guidance highlights certain business practices related to consumer reviews that are generally unlawful under the CFPA, which include, among other things: (i) deceiving consumers by using purported contractual restrictions that are unenforceable; (ii) unfairly depriving consumers of information using restrictions on consumer reviews; and (iii) deceiving consumers who read consumer reviews about the nature of those reviews. According to the CFPB, the effort is related to the FTC’s work to counter fake reviews and connected fraud in the digital economy. (Covered by InfoBytes here).

    Federal Issues CFPB CFPA FTC Consumer Protection

  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected and provides consumers with a private right of action to seek damages from businesses who violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Wyoming Consumer Protection

  • District Court: Callers cannot rely on prior cell phone user’s consent to place prerecorded calls

    Courts

    On March 9, the U.S. District Court for the Western District of North Carolina granted in part and denied in part a defendant university’s motion for summary judgment on claims that it unlawfully placed prerecorded calls to reassigned phone numbers based on the previous user’s consent. The plaintiff alleged that the defendant violated the TCPA by calling cellphones without first obtaining the current phone number owner’s prior express consent and making a “telephone solicitation” to individuals listed on the National Do-Not-Call Registry. The plaintiff also contended that the defendant failed to provide a method for opting out of receiving future calls. The defendant countered that it could not be held liable for the allegedly unlawful prerecorded calls because it had reasonably relied on the consent of the previous phone number’s user and was unaware that the number had been reassigned.

    In partially denying the defendant’s motion for summary judgment, the court ruled that there was “no basis” in the text of the TCPA to conclude that callers who contact a phone number whose previous user provided consent but whose current owner did not could use “a reasonable reliance or good faith defense” to avoid liability. “Congress passed the TCPA to protect individuals from receiving invasive and unsolicited calls,” the court wrote. “Thus, adopting a good faith or reasonable reliance defense not only would have no basis in the text but also would contravene the stated purpose of the TCPA.” The court also declined to adopt the defendant’s “intended party” argument, finding that “[n]either the language nor the concept of an ‘intended’ party appears” in the TCPA, and that every circuit court that has opined on this issue “has concluded that the term ‘called party’ refers to the individual that actually receives the calls, as opposed to the ‘intended party’ of those calls.”

    However, the court determined that the plaintiff’s allegation that the defendant violated the TCPA’s prohibitions on contacting numbers on the National Do-Not-Call-Registry cannot proceed “because, as a tax-exempt, non-profit organization, [the defendant] is not subject to the provisions regarding the National Do-Not-Call Registry.”

    Courts TCPA Consumer Protection Class Action Do Not Call Registry

  • Biden calls for coordinated approach to digital asset innovation

    Federal Issues

    On March 9, President Biden issued an Executive Order (E.O.) on digital assets outlining the first “whole-of-government” strategy to coordinate a comprehensive approach for ensuring responsible innovation in digital assets policy. (See also White House fact sheet here.) The White House highlighted that “non-state issued digital assets reached a combined market capitalization of $3 trillion” last November (up from $14 billion five years ago) and noted that many countries are currently exploring, or in certain cases introducing, central bank digital currencies (CBDC). The Executive Order on Ensuring Responsible Development of Digital Assets stressed that “we must take strong steps to reduce the risks that digital assets could pose to consumers, investors, and business protections,” and mitigate “illicit finance and national security risks posed by misuse of digital assets,” including money laundering, cybercrime and ransomware, terrorism and proliferation financing, and sanctions evasion. The E.O. cautioned that future digital assets systems must also promote high standards for transparency, privacy, and security.

    The E.O. outlined several principal policy objectives, including that:

    • Federal agencies are directed to coordinate policy recommendations to address the growth in the digital asset sector.
    • Federal agencies are directed to explore the need for a potential U.S. CBDC. Treasury, along with the heads of other relevant agencies, is ordered to submit “a report on the future of money and payment systems, including the conditions that drive broad adoption of digital assets; the extent to which technological innovation may influence these outcomes; and the implications for the United States financial system, the modernization of and changes to payment systems, economic growth, financial inclusion, and national security.” The Federal Reserve Board is also encouraged to continue researching, developing, and assessing efforts for a CBDC, including developing a broad government action plan for a potential launch. The E.O. also directed an assessment of whether legislative changes would be necessary in order to issue a CBDC.
    • The Secretary of the Treasury will work with relevant agencies to produce a report on the future of money and payment systems, which will include implications for economic growth, financial growth and inclusion, national security, and the extent to which technological innovation may influence these areas. The approach to digital asset innovation must also address the risk of disparate impact, the E.O. stressed, adding that any approach should ensure equitable access to safe and affordable financial services.
    • The Attorney General, FTC, and CFPB are “encouraged to consider what, if any, effects the growth of digital assets could have on competition policy.” The agencies are also “encouraged to consider the extent to which privacy or consumer protection measures within their respective jurisdictions may be used to protect users of digital assets and whether additional measures may be needed.” Additional federal agencies are also encouraged to consider the need for investor and market protections.
    • The Financial Stability Oversight Council and Treasury are directed to identify and mitigate systemic financial risks posed by digital assets and develop policy recommendations to fill any regulatory gaps.
    • Federal agencies are directed to work with allies and partners to ensure international frameworks, capabilities, and partnerships are aligned and responsive to risks posed by the illicit use of digital assets. Agencies should also explore “the extent to which technological innovation may impact such activities,” and explore “opportunities to mitigate these risks through regulation, supervision, public‑private engagement, oversight, and law enforcement.”
    • Federal agencies are directed to establish a framework for interagency international engagement with foreign counterparts to adopt global principles and standards for how digital assets are used and transacted, and to promote digital asset and CBDC technology development.

    CFPB Director Rohit Chopra and Treasury Secretary Janet Yellen issued statements following Biden’s announcement. “Today’s Executive Order recognizes that the dramatic growth in digital asset markets has created profound implications for financial stability, consumer protection, national security, and energy demand,” Chopra said. “The [CFPB] is committed to working to promote competition and innovation, while also reducing the risks that digital assets could pose to our safety and security. We must make sure Americans in all financial markets are protected against errors, theft, or fraud.” Yellen stated that in addition to partnering with interagency colleagues to produce a report on the future of money and payment systems, Treasury will also work with international partners to promote robust cross-border standards and a level playing field. “As we take on this important work, we’ll be guided by consumer and investor protection groups, market participants, and other leading experts. Treasury will work to promote a fairer, more inclusive, and more efficient financial system, while building on our ongoing work to counter illicit finance, and prevent risks to financial stability and national security,” she said.

    Treasury also recently announced that the Financial Literacy and Education Commission (led by Yellen and Chopra and comprised of the heads of 21 federal agencies and entities, including the OCC, Fed, FDIC, SEC, FTC, and HUD, among others) is forming a new subgroup on digital asset financial education to analyze the impact of digital assets on consumer and investor protections. “History has shown that, without adequate safeguards, forms of private money have the potential to pose risks to consumers and the financial system,” U.S. Under Secretary of the Treasury for Domestic Finance Nellie Liang said.

    Federal Issues Digital Assets Privacy/Cyber Risk & Data Security Biden Department of Treasury Federal Reserve Bank Regulatory Consumer Protection Central Bank Digital Currency Of Interest to Non-US Persons FSOC Anti-Money Laundering Financial Crimes Fintech

  • Biden announces National Consumer Protection Week

    Federal Issues

    On March 4, President Biden proclaimed March 6 - 12, 2022, as National Consumer Protection Week. According to the press release, Biden called on government officials, industry leaders, and advocates in the U.S. to share information on consumer protection and to provide citizens with information about their rights as consumers. He noted that during the week, “we recommit ourselves to those basic rights, to protecting consumers, to raising awareness about bad actors and deceptive practices in the marketplace, and to empowering people to make informed financial decisions so that our economy works for everyone.”

    Federal Issues Biden Consumer Protection Consumer Finance

  • Virginia passes additional VCDPA amendments

    Privacy, Cyber Risk & Data Security

    On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Florida house tries again on consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year, the two chambers of the Florida legislature failed to reconcile differences in their bills before the session ended. Highlights of the bill (which include changes from last session’s versions) include:

    • Applicability. The bill will apply to any entity meeting the definition of a controller, processor, or third party that buys, sells, or shares consumers’ personal information and (i) has global annual gross revenues exceeding $50 million; (ii) annually buys, receives, sells, or shares personal information of at least 50,000 consumers, households, or devices; or (iii) derives 50 percent or more of its global annual revenue from the selling or sharing of personal information. The bill sets forth numerous exemptions from its requirements, including personal information shared “with a financial service provided solely to facilitate short term, transactional payment processing for the purchase of products or services”; deidentified or aggregated personal information; data governed by certain federal, state, or local regulations or used to exercise or defend legal claims; certain personal information collected through a controller’s direct interaction with a consumer that is used to advertise or market products or services that are produced or offered directly by the controller; personal information used in the context of a consumer’s role or former role with the controller; specified protected health information; financial institutions covered by the Gramm-Leach-Bliley Act; personal information disclosed during intentional interactions or disclosed as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller; and personal information used to fulfill the terms of a written warranty, a product recall, or public- or peer-reviewed scientific or statistical research in the public interest.
    • Consumer rights. Under the bill, consumers will be able to, among other things, access their personal data; request deletion or make corrections; and opt out of the sale or sharing of personal information to third parties. Controllers will be required to deliver the requested information free of charge within 45 calendar days (a one-time additional 45-day extension may be granted), but are not required to provide personal information to a consumer more than twice in a 12-month period. Controllers will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances. Additionally, the bill will provide controllers the ability to charge a consumer who exercises any of their rights under the bill “a different price or rate, or provide a different level or quality of goods or services to the consumer” provided the “difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.” Financial incentives that are not unjust, unreasonable, coercive, or usurious may also be offered as long as consumers give prior consent and are allowed to revoke consent at any time. The bill further stipulates that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
    • Disclosures. The bill will require controllers that collect consumers’ personal information to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Additionally, processors or third parties must require any subcontractor to meet the same obligations with respect to personal information. Businesses also will be prohibited from collecting or using additional categories of personal information without first notifying consumers.
    • Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information.
    • Private cause of action, right to cure. The bill will provide a private right of action to allow consumers to bring a civil action under certain circumstances for injunctive or declaratory relief, and establishes a damage amount of either statutory damages of at least $100 but not more than $750 per consumer per incident, or actual damages, whichever is greater. Consumers may obtain specific relief from businesses with annual gross revenues greater than $50 million. In lawsuits involving businesses with annual gross revenues exceeding $500 million, consumers also are permitted to recover attorneys’ fees and costs. Civil actions must be filed within one year after discovery of the violation. The Department of Legal Affairs is also authorized to take action against a controller, processor, or third party for unfair or deceptive acts or practices. Fines may be tripled if a violation involves consumers 18 years of age or younger, or if a controller, processor, or third party fails to cure the violation upon written notice within 45 calendar days.

    If enacted in its current form, the bill would take effect January 1, 2023. The bill must be approved by the Florida senate and any differences reconciled before being sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Florida

  • Utah legislature passes privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
    • Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah
