Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.

STATE & LOCAL LAWS & REGULATIONS

CPPA Releases Modified Regulations

The California Privacy Protection Agency (“CPPA”) Board (“CPPA Board”) held meetings on October 28 and 29, 2022, to discuss the next steps regarding the modified proposed regulations for the California Privacy Rights Act of 2020 (“CPRA”). CPPA staff will consider additional changes to proposed regulation topics, including: (i) uses of sensitive personal information not subject to consumers’ right to limit, (ii) opt-out preference signals in relation to financial incentive programs and pseudonymous profiles, and (iii) purpose limitations, secondary uses, and data minimization. The newly modified proposed regulations are expected to be published within two weeks of the meeting, and the 15-day public comment period will begin once the new proposed regulations are published and noticed. The CPPA Board hopes to submit the final rulemaking package to the California Office of Administrative Law by the end of the year, meaning such regulations could become effective in late January or early February 2023.

Colorado Privacy Act Draft Regulations Issued

The Colorado Attorney General’s Office (“COAG”) published proposed draft regulations for the Colorado Privacy Act (“CPA”), which takes effect on July 1, 2023. The proposed rules provide new definitions, including “biometric data,” a new category of “sensitive data inferences,” clarity to data controller obligations for consumer requests, “bona fide loyalty program” disclosures, data protection impact assessments, consent regarding sensitive data, and privacy notice updates. The draft rules also provide additional details on the universal opt-out mechanism and the right to opt-out of profiling. The COAG announced three stakeholder meetings to be held on November 10, 15, and 17, 2022, to discuss specific provisions. Written public comments may be submitted to inform the meetings by November 7, 2022, and the public comment period for the proposed draft regulations will conclude with the CPA Rulemaking Hearing on February 1, 2023.

Michigan Introduces Comprehensive Privacy Law

Following in the footsteps of California, Colorado, Connecticut, Virginia, and Utah, Michigan has introduced its own comprehensive privacy law, the Michigan Personal Data Privacy Act (“MPDPA”). The MPDPA provides Michigan consumers with the rights to access and confirm the processing of their personal data and data portability, correct and delete their personal data, and opt-out of the processing of their personal data for purposes of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects. Interestingly, unlike its predecessors, the MPDPA prohibits the processing of personal data or sensitive personal data without obtaining the consumer’s consent. If passed, the MPDPA would apply to entities doing business in Michigan that either control or process the personal data of: (i) at least 100,000 Michigan consumers; or (ii) at least 25,000 Michigan consumers and derive over 50 percent of gross revenue from the sale of personal data.

California Amends CMIA

California passed Assembly Bill 2089 (“AB 2089”), amending the state’s Confidentiality of Medical Information Act (“CMIA”) to include mental health digital services and related information. The CMIA is a California state law that provides privacy protections for individuals’ health information that in some cases exceed protections under the federal Health Insurance Portability and Accountability Act of 1996, as amended. The AB 2089 revisions expand the definition of “medical information” to include information related to a consumer’s mental health or substance use disorder that is collected by a “mental health digital service,” meaning a mobile-based application or Internet website that markets itself as facilitating mental health services to a consumer and provides such services using the collected information. AB 2089 also creates a new data breach disclosure obligation for businesses that offer a mental health digital service, when partnering with a provider of health care, to provide information about how to find reported data breaches.

Alastair Mactaggart Appointed to the CPPA Board

Attorney General Rob Bonta has appointed Alastair Mactaggart to the CPPA Board. Mactaggart replaces Board Member Angela Sierra, who will be beginning a new role as a member of California’s Racial and Identity Profiling Advisory Board. Mactaggart originally championed the California Consumer Privacy Act (“CCPA”) and was the cause for its hasty passage, as he threatened to otherwise make the CCPA a ballot initiative, requiring any amendments to the act be put to voters. Mactaggart then submitted the California Privacy Rights Act (“CPRA”) as a ballot initiative to make substantive changes to the CCPA.

FEDERAL LAWS & REGULATIONS

White House Issues Executive Order for EU-U.S. Data Privacy Framework

President Joe Biden released an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) designed to address criticisms connected to U.S. intelligence-related data collecting cited by the Court of Justice of the European Union (“CJEU”) when the CJEU invalidated the Privacy Shield in 2020. Specifically, the Executive Order obligates all executive agencies involved in signals intelligence activities to conduct such activities only in pursuit of twelve defined “legitimate objectives” and specifically prohibits surveillance designed to suppress criticism or dissent; suppress privacy interests; suppress a right to legal counsel; and disadvantage individuals based on ethnicity, race, gender, gender identity, sexual orientation, or religion. The Executive Order also establishes a redress mechanism where individuals may challenge unlawful surveillance practices by submitting complaints to the Director of National Intelligence’s Civil Liberties Protection Officer. The European Commission will need to assess whether any proposed data transfer framework provides an adequate level of protection—a process that could take several months. The White House has noted that any new data transfer framework is likely to face legal challenges in Europe similar to predecessor frameworks.

Biden-Harris Administration Release Statement on U.S. Cybersecurity

The Biden-Harris Administration released a statement on strengthening the United States’ cybersecurity. The statement addresses: (i) the need to improve the cybersecurity of the U.S.’s critical infrastructure; (ii) ensuring the projects under President Biden’s Bipartisan Infrastructure Law meet modern standards of safety and security; (iii) strengthening the federal government’s cybersecurity requirements and raising the bar through the purchasing power of government (e.g., requiring multifactor authentication); (iv) countering ransomware attacks to protect Americans online; (v) working with allies and partners to deliver a more secure cyberspace; (vi) imposing costs on and strengthening security against malicious actors; (vii) implementing internationally accepted cyber norms; (viii) developing a new label to help Americans know their devices are secure; (ix) building the nation’s cyber workforce and strengthening cyber education; (x) developing quantum-resistant encryption to protect data from within online commerce to national secrets; and (xi) developing technological edge through the National Quantum Initiative and issuing National Security Memorandum-10.

White House Office of Science and Technology Policy (“OSTP”) Releases Blueprint for an AI Bill of Rights

The OSTP released the Blueprint for an AI Bill of Rights (“Blueprint”). While the Blueprint has no binding legal effect, it provides guidance on “the design, use, and deployment of automated systems to protect the American public in the age of artificial intelligence.” The Blueprint provides five key principles: (i) protect individuals from unsafe or ineffective systems by developing automated systems with consultation from diverse communities, stakeholders, and domain experts; (ii) establish safeguards to protect against discrimination by algorithms and design and use systems in an equitable way; (iii) build privacy protections into AI systems as default; (iv) provide notice and explanation of how the automated system functions and the role of automation, the fact that such automated systems are in use, the entity responsible for the system, and explanations of outcomes; and (v) provide the ability to opt-out from automated systems in favor of a human alternative, where appropriate.

Federal Trade Commission (“FTC”) Extends Deadline for Comments on Surveillance and Data Security Advanced Notice of Proposed Rulemaking

The FTC announced that it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices. The public will now have until November 21, 2022, to submit comments. In August 2022, the FTC launched the ANPR to seek public comment on whether new rules are needed to address potential harms stemming from commercial surveillance and lax data security practices, including through a virtual public forum held in September. According to the FTC, commercial surveillance is considered the business of collecting, analyzing, and profiting from information about people.

Transportation Security Administration (“TSA”) Issues Security Directive for Railroads

The TSA released Security Directive 1580/82-2022-01 (“Security Directive”) to strengthen cybersecurity requirements for designated passenger and freight railroad carriers. More specifically, the Security Directive requires TSA-specified passenger and freight railroad carriers to: (i) develop network segmentation policies and controls so that the operational technology system can continue to operate in the event that an information technology system has been compromised and vice versa; (ii) create access control measures to secure and prevent unauthorized access to critical cyber systems; (iii) build monitoring and detection policies and procedures to detect cybersecurity threats; (iv) apply security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems within appropriate timeframes; (v) establish and execute a TSA-approved cybersecurity implementation plan describing the specific cybersecurity measures use to achieve the security outcomes set forth in the Security Directive; and (vi) establish a cybersecurity assessment program to test and audit the effectiveness of cybersecurity measures.

U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) Director Urges Use of Multifactor Authentication (“MFA”)

In a CISA blog entitled “Next Level MFA: FIDO Authentication,” CISA Director Jen Easterly reiterates the government’s call for “everyone to use more than a password” and urges technology providers to mandate MFA. Easterly states that technology providers should actively, and even aggressively, nudge end users into using MFA rather than offering it as a choice. Easterly explains technology providers should especially nudge system administrators as they are “particularly high-value targets”. Easterly also calls for “radical transparency” for MFA statistics stating that there must be better visibility into MFA adoption. Easterly further urges technology providers to ensure that there are no pricing barriers to organizations adopting MFA. She states, “[e]very user, every customer, from the biggest companies down to the small businesses, schools, hospitals, and local governments in every community deserve to have MFA.”

CFPB Begins Data Rights Rulemaking

The Consumer Financial Protection Bureau (“CFPB”) outlined potential options to strengthen consumers’ access to, and control over, their financial data as a first step before issuing a proposed data rights rule that would implement Section 1033 of the Dodd-Frank Act. The potential rulemaking would aim to facilitate access to consumer-authorized data by nascent firms to encourage competition and allow consumers to switch providers more easily, among other things. The CFPB is also considering proposals regarding the privacy of personal financial data, including limitations that would prevent third parties from reselling data for secondary uses. The CFPB is soliciting feedback on its rulemaking proposals until January 25, 2023.

U.S. LITIGATION

Jury Returns First Ever Verdict in BIPA Trial

A federal jury in the first Illinois Biometric Information Privacy Act (“BIPA”) jury verdict awarded the plaintiff class of truck drivers $228 million in Rogers v. BNSF Railway Company. Although BNSF never directly collected any fingerprints, the jury determined BNSF was vicariously liable under BIPA for fingerprints Remprex LLC, a third-party vendor BNSF hired to control gate access, collected without prior notice or consent. Damages were calculated by applying the statutory damages provision for reckless or intentional violations, the maximum available under BIPA, to the estimated number of truck drivers whose fingerprints were scanned, meaning each of the estimated 45,600 drivers represented one “violation.” Other cases currently pending in the Illinois Supreme Court will result in the consideration of when “violations” of BIPA accrue and the statute of limitations on BIPA provisions, respectively, and will likely impact future BIPA litigation.

Dickey’s BBQ Data Breach Settlement Receives Preliminary Approval with Enhanced Amounts Available for California Consumer Sub-Class

U.S. Magistrate Judge Rutherford issued her recommendation to District Judge Kinkeade in Kostka v. Dickey’s Barbecue Restaurant Inc. (“Dickey’s BBQ”), endorsing the preliminary approval for a nationwide $2.35 million settlement agreement arising from a 2021 payment card data breach that exposed the personal information of 3 million consumers across 30 states, including California. Two plaintiffs, who did not attend settlement negotiations, argued the inadequacy of both the settlement amount and the cybersecurity improvements Dickey’s BBQ agreed to, especially for California residents. Judge Rutherford acknowledged that it would be inequitable to ignore the relative strength of the claims of the California subclass under the CCPA, and she explicitly endorsed a carve-out provision for California class members without out-of-pocket losses to recover $100 from the Dickey’s BBQ fund, double the $50 recovery for non-California counterparts.

U.S. ENFORCEMENT

New York Attorney General Brings Enforcement Action Against SHEIN and ROMWE Owner Zoetop

Zoetop Business Company, Ltd., which owns e-commerce retail brands SHEIN and ROMWE, must pay a $1.9 million penalty for failing to appropriately safeguard personal information or notify more than 800,000 New York residents affected in a 2018 cyberattack that resulted in 39 million stolen SHEIN accounts and 7 million stolen ROMWE accounts worldwide. An investigation by the New York Attorney General’s Office concluded that Zoetop publicly downplayed the breach and failed to alert the vast majority of affected consumers that their personal information, including login credentials and payment information, was stolen. In addition to the $1.9 million in penalties and costs, Zoetop must also maintain a comprehensive information security program that will address inadequacies that contributed to the breach.

FTC Brings Action Against Drizly, CEO

The FTC issued a proposed order against the online alcohol marketplace, Drizly, LLC (“Drizly”), and Drizly’s CEO, James Cory Rellas, over allegations regarding a 2019 data breach that exposed the personal information of 2.5 million consumers. The proposed order imposes several data security requirements on Drizly, including destroying unnecessary data, restricting data collection and storage, and other security measures. Notably, the order also imposes personal liability on Rellas, requiring him to implement an information security program for any business for which he becomes a majority owner, CEO, or senior officer with information security responsibilities, if the business collects information from more than 25,000 consumers. The enforcement action may foreshadow that more executives, particularly chief information and security officers, may be held personally liable for company practices that result in a data breach or security incident in the future.

INTERNATIONAL LAWS & REGULATIONS

UK Notes Progress Toward Adequacy Agreement with U.S.

The Secretary of State for the UK Department for Digital, Culture, Media, and Sport highlighted “excellent progress” made by the United Kingdom and the United States toward a UK adequacy assessment that would allow for transfers of personal data between the UK and the U.S. The Secretary welcomed the safeguards accounted as part of the White House’s Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and announced the UK’s intention to promptly review the Executive Order’s safeguards and continue to work toward an adequacy assessment. Adequacy regulations could be presented to the UK Parliament in early 2023.

EDPB Approves First GDPR Certification Mechanism

The European Data Protection Board (“EDPB”) approved the first ever European Data Protection seal, Europrivacy. Article 42 of the General Data Protection Regulation (“GDPR”) provides that EU stakeholders should encourage the establishment of data protection certification mechanisms for demonstrating compliance with the GDPR. The certification criteria for the Europrivacy seal are intended to allow controllers and processors to assess the compliance of their data processing activities, select data processors, assess the adequacy of cross-border data transfers, and signal to the public the adequacy of a certified company’s data protection program.

Australia Introduces Privacy Law Amendments to Increase Penalties for Serious Violations

In the wake of several high-profile data breaches in the telecommunications and healthcare sectors, legislation had been introduced in Australia to amend its national privacy law, the Australian Privacy Act of 1988 (the “Privacy Act”). The proposed amendments would increase maximum penalties for violations. Currently, the maximum civil penalty under the Privacy Act for “serious or repeated” violations is AUD $2.22 million. The proposed amendment would increase the penalty for incorporated entities to the greater of (a) AUD $50 million, (b) three times the value of the benefit obtained through the misuse of information, or (c) 30perecent of a company’s adjusted turnover during the period of non-compliance with the Privacy Act. The proposed legislation comes amidst an existing review of the Privacy Act by the Australian government. A report presenting the results of the review is expected before the end of the year and is expected to recommend consideration of far-reaching amendments.