Editor’s Note: The U.S. Marshals Service suffered a data breach, demonstrating that no one is immune from such an occurrence. In regulatory news, government agencies remained focused on privacy, as the SEC proposed amendments to its privacy rule, a subcommittee of the House Energy and Commerce Committee held a hearing to discuss bipartisan efforts at federal privacy legislation, and the FTC announced a new Office of Technology. The FTC also defeated a motion to dismiss filed by Kochava and entered a settlement with mental health app BetterHelp. In U.S. litigation, wiretapping litigation continued to reign, with a California court affirming that website chat features can violate CIPA. Christian Dior defeated a BIPA virtual try-on class action by arguing that sunglasses serve as a medical device, Zuckerberg was ordered to provide documents in a Texas CUBI enforcement action, and an Illinois federal judge approved a $3.5 million settlement with NFI Industries while, at the same time, raising concerns about its excessive attorneys’ fees. Meanwhile, NetChoice asked a California court to enjoin implementation of California’s new Age-Appropriate Design Code Act while the court considers whether the law is unconstitutional, and the Cheesecake Factory became the latest company accused of web surveillance through session replay technology. In international news, the European Data Protection Board adopted its opinion on the draft adequacy decision on the EU-U.S. Data Privacy Framework, and China released standard contractual clauses governing the transfer of data under China’s PIPL.

U.S. Laws and Regulation

New Year Means New Consumer Privacy Laws. The beginning of each year sees a flood of new legislation, with lawmakers proposing bills they hope will cross the finish line. In February, lawmakers introduced legislation covering everything from children’s online data to the kinds of notices businesses must provide to consumers, including:

US Marshals Hit by Security Breach. On February 17, the U.S. Marshals Service (USMS) suffered a security breach affecting sensitive information, including administrative information and personal information on the subjects of USMS investigations, third parties, and certain USMS employees. A senior law enforcement official said the incident did not affect the database involving the Witness Security Program, also known as the Witness Protection Program. The investigation remains ongoing.

SEC Proposes Amendments to Privacy Rule. On February 14, the Securities and Exchange Commission (SEC) proposed a rule to revise SEC regulations under the Privacy Act of 1974, which governs the handling of personal information in the federal government. The proposed rule would clarify, update, and streamline several procedural provisions, including creating a process where individuals can receive an accounting of disclosures made by the commission, codifying an existing practice of providing 90 days to file an administrative appeal for a denial, and updating the fee provisions.

House Energy and Commerce Subcommittee Holds Data Privacy Meeting. On March 1, the House Energy and Commerce Subcommittee on Innovation, Data, and Commerce held a “Promoting U.S. Innovation and Individual Liberty Through a National Security for Data Privacy” hearing focused on data privacy and security to ensure America’s global competitive edge against China. The meeting considered what a strong national data privacy standard would mean, especially in protecting children’s data and putting individuals in charge of their own data.

FTC Announces New Office of Technology. On February 17, the Federal Trade Commission (FTC) announced the creation of the Office of Technology, led by Chief Technology Officer Stephanie Nguyen. FTC Chair Lina Khan said the office will support FTC investigations and ensure “we have the in-house skills needed to fully grasp evolving technologies and market trends as we continue to tackle unlawful business practices and protect Americans.” The office will also provide technological expertise and engage with public and external stakeholders.

FTC Suit Against Kochava Continues. On February 21, District of Idaho Judge B. Lynn Winmill denied Kochava’s motion to dismiss the FTC’s suit alleging that the mobile app analytics provider unlawfully sold sensitive geolocation information. Kochava argued that the FTC failed to adequately plead a claim under the unfairness prong of Section 5 of the FTC Act. The court found the allegations plausible since they depended on people’s “reasonable behavior.” Given these fact-driven issues, the judge held the inquiry was better suited for discovery and should be taken up on summary judgment.

FTC Settles With BetterHelp Over Sharing Mental Health Information. On March 2, the FTC entered into a $7.8 million settlement with BetterHelp over allegations that the online counseling service shared consumers’ sensitive data with third parties, such as Facebook and Snapchat, after promising to keep this information private. The settlement bans BetterHelp from sharing consumers’ personal information with certain third parties for targeted advertising and otherwise limits the ways BetterHelp can share data. The order also requires BetterHelp to obtain opt-in consent before disclosing personal information, implement a comprehensive privacy program, direct third parties to delete sensitive personal information disclosed by BetterHelp, and enforce a data retention schedule.

U.S. Litigation and Enforcement

Christian Dior’s Virtual Eyewear Qualifies for BIPA Health Exemption. On February 10, Judge Elaine Bucklo of the Northern District Court of Illinois ruled that Christian Dior, Inc.’s virtual sunglasses try-on tool qualified for the health exemption under the Illinois Biometric Information Privacy Act (BIPA) because it “facilitates the provision of a medical device that protects vision.” BIPA excludes “information captured from a patient in a health care setting” from its definitions of “biometric identifiers” and “biometric information.” Although the plaintiff alleged she “tried on” only nonprescription sunglasses, the court found that “sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations.” Accordingly, the court dismissed the plaintiff’s claims.

Meta’s Zuckerberg Pulled Into Texas’ Biometric Privacy Suit. In a February 23 order, a Texas state judge granted the state’s motion to compel Mark Zuckerberg and Meta Chief Product Officer Chris Cox to produce custodial files in a lawsuit accusing Meta of unlawfully collecting users’ biometric information under Texas’ Capture or Use of Biometric Identifier Act (CUBI) and its Deceptive Trade Practices Act (DTPA). Attorney General Ken Paxton stated he expected the documents to show that Meta captured the biometric identifiers of Texans without their informed consent for over a decade for Meta’s own commercial gain. Filed in February 2022 in Harrison County District Court, the lawsuit accused Meta of (1) failing to obtain users’ consent to collect their biometric data, (2) unlawfully disclosing the data to third parties, and (3) neglecting to dispose of the data within the statute’s prescribed time frame. Meta contended that the state should not be permitted to pursue the claim on behalf of residents not signed up for Facebook or Instagram because civil penalties are available only for alleged wrongdoings committed against a business’ own consumers, and that this application of CUBI violated the Constitution’s due process clause. Texas’ lawsuit seeks to enjoin Meta from using facial recognition technology to prevent future violations of Texans’ biometric privacy rights.

NetChoice Seeks to Enjoin California’s Children’s Internet Safety Law. On February 17, trade association and tech industry advocate NetChoice LLC asked the U.S. District Court for the Northern District of California to enjoin implementation of California’s new Age-Appropriate Design Code Act (AB 2273), while it considered NetChoice’s underlying case that argued the unconstitutionality of the law. In December 2022, NetChoice — whose members include Amazon, Google, Meta, TikTok, and Twitter — filed suit to invalidate California’s new online privacy statute for children, challenging the statute as a violation of companies’ rights under the First and Fourth Amendments and other U.S. law. The statute, which Governor Gavin Newsom signed into law in September 2022, directed online businesses to set their default privacy settings to the highest possible level and provide privacy information in terms children can understand. The statute also required companies to determine if a new service or product may expose children to harmful or potentially harmful content, as well as to share their findings with state regulatory authorities. NetChoice argued that the law forces companies to serve as free speech censors and impose subjective restrictions on free speech that could potentially result in financial harm if regulatory authorities find the companies did not properly apply the subjective standard. AB 2273 goes into effect July 1, 2024.

Illinois Judge Approves $3.5M BIPA Settlement. On February 17, Judge Durkin approved a $3.5 million settlement with logistics company NFI Industries resolving class allegations that NFI Industries’ finger-scan time-tracking practices violated BIPA. In granting final approval, Judge Durkin remarked that the settlement provided “significant recovery,” given a lack of evidence that employees’ data was misused. He also expressed concern, however, that the $1.1 million slotted for attorneys’ fees “seem[ed] excessive” since BIPA cases “are not extremely difficult.” For this reason, he asked for more context on the attorneys’ fees before entering them in the record.

Cheesecake Factory Faces Website Surveillance Suit. As one of the latest companies accused of website surveillance due to session replay software, the Cheesecake Factory confronted a February 21 class-action complaint alleging Maryland Wiretap Act and invasion of privacy violations. Specifically, the plaintiff claimed that the Cheesecake Factory hired third-party vendors to embed snippets of JavaScript computer code in the company’s website, which then deployed on each visitor’s internet browser to intercept and record — in real time — the visitor’s electronic activities, including their mouse movements, clicks, keystrokes, visited web page URLs, and/or other electronic movements. The plaintiff also asserted that she and the class members did not consent to, authorize, or know about the alleged collection or disclosure of their web activities.

Court Partially Denies Patreon’s Motion to Dismiss. On February 17, Chief Magistrate Judge Joseph Spero partially denied Patreon’s motion to dismiss a class-action complaint alleging that Patreon, a popular membership platform that allows digital creators to offer subscriptions for their creations, provided video-watching data to Meta. The plaintiffs contended that Patreon transmitted the titles of videos they viewed and the viewers’ Facebook IDs to Meta via Meta’s Pixel. Judge Spero dismissed the fraud claims for lack of allegations that the plaintiffs “actually read the terms of use and other documents containing purportedly misleading partial representations.” The court declined to grant Patreon’s motion to dismiss on the argument that the VPPA was unconstitutional, holding that the motion was “premature” without a factual record.

Privacy Suit Against Goodyear Survives Motion to Dismiss. On February 3, Central District of California Judge Sykes denied Goodyear Tire and Rubber Company’s motion to dismiss for failure to state a claim and its motion to transfer venue under the forum selection clause in its terms of service. The plaintiff alleged Goodyear violated the California Invasion of Privacy Act (CIPA) by using a third-party vendor to record and transcribe users’ communications with Goodyear through its website chat function. The court found the plaintiff alleged sufficient facts that Goodyear captured the contents of communications and intercepted the messages in transit, as CIPA requires. Judge Sykes also rejected Goodyear’s argument that the plaintiff’s claim failed because she could not establish that Goodyear communicated via a telephonic device as CIPA requires; though the chat at issue occurred through a website, the court held the plaintiff need not allege the type of telephonic device Goodyear used to participate in the conversation. Judge Sykes also denied Goodyear’s motion to transfer venue, holding that its website failed to establish constructive notice of its terms of service and failed to put a reasonably prudent user on notice of its forum selection clause.

Plasma Centers Seek Preliminary Approval of $17M Settlement for BIPA Violations. Blood plasma donors in Illinois sought preliminary approval of a $16.75 million class-action settlement resolving claims that companies operating plasma donation centers in the state unlawfully collected and stored plasma donors’ biometric fingerprint information. The suit began in 2020, alleging that the three plasma donation companies violated plasma donors’ rights under the Illinois BIPA. To track their donors, the companies required donors to scan their fingerprints into their biometric systems each time they donated plasma. This practice violated BIPA since the companies collected the data without first obtaining donors’ informed consent, and they failed to make proper disclosures about their data collection and retention policies. A class of 66,822 blood plasma donors will receive the $16.75 million.

Fourth Circuit Finds No Article III Standing in Privacy Case. On February 21, a Fourth Circuit decision dismissed allegations that TrustedID violated South Carolina’s Financial Identity Fraud and Identity Theft Protection Act. The case ensued after a recent TrustedID data breach, which required the plaintiff to enter six digits of his Social Security number to access TrustedID’s website to learn whether the breach impacted his personal information. The plaintiff argued that entering six digits of his Social Security number increased his risk of identity theft. The Fourth Circuit disagreed, holding that his claim alleged only a bare statutory violation.

McAlister’s Faces Privacy Suit Over Workers’ Finger Scans. On February 22, an Illinois federal judge upheld claims that fast food chain McAlister’s Deli and its parent company Focus Brands violated BIPA by collecting, storing, and using workers’ fingerprints for timekeeping purposes without obtaining consent or providing mandated disclosures. McAlister’s and Focus Brands, which also owns Cinnabon, Auntie Anne’s, and Jamba, among others, moved to dismiss the claims, arguing that the plaintiffs failed to establish their liability for improper data collection since a franchisee collected the data. The judge disagreed with the defendants’ narrow view of who may be liable under BIPA and denied the defendants’ motion to dismiss.

International Regulation and Enforcement

EDPB Adopts Draft Adequacy Decision Opinion on EU-U.S. Data Privacy Framework. On February 28, the European Data Protection Board (EDPB) adopted its opinion on the draft adequacy decision on the EU-U.S. Data Privacy Framework. The EDPB welcomed the improvements made, such as introducing requirements embodying the principles of necessity and proportionality. However, the EDPB also expressed concern and requested clarification on several points, including certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data, and the practical functioning of the redress mechanisms. The EDPB further conditioned the decision’s adoption on all U.S. intelligence agencies adopting updated policies and procedures.

China’s Cyberspace Administration Releases Standard Contractual Clauses. On February 24, the Cyberspace Administration of China released standard contractual clauses (SCCs) governing the transfer of data under China’s Personal Information Protection Law (PIPL). PIPL came into effect in November 2021. Similar to the GDPR SCCs, the new PIPL SCCs, which become effective on June 1, can be used to legally transfer data out of China without a security assessment under China’s PIPL.