Welcome to the fourth issue of The BR Privacy & Security Download, the new digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. The rapid pace at which technology and data privacy and security regulation are evolving can make it a challenge to keep up with worldwide legal events affecting businesses′ use of personal data. The BR Privacy & Security Download keeps you up to date with the important data privacy and security-related news of the past month. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.

Privacy & Security Developments

STATE & LOCAL LAWS & REGULATION

  • Nation’s Second Privacy-Sector Facial Recognition Ban Now in Effect in Baltimore: On September 8, 2021, the nation’s second private-sector facial recognition technology (“FRT”) ban went into effect in Baltimore, Maryland. As noted in this Law360 article by Blank Rome Privacy, Security & Data Protection team member David Oberly, the Baltimore FRT ban goes even further than its Portland, Oregon counterpart by imposing criminal penalties of up to a year in jail on companies and individuals that run afoul of the ban. All companies that conduct operations in Baltimore and use any type of facial recognition-powered software should evaluate the applicability of the new FRT ordinance to its operations and take action if necessary to ensure compliance with the law.
  • New Privacy Legislation Introduced in Oklahoma State Legislature: On September 9, 2021, Oklahoma State Representative Josh West introduced the Oklahoma Computer Data Privacy Act of 2022 (the “Act”). Similar to other state legislative proposals, the Act would provide Oklahoma residents with certain rights, including the right to opt out of personalized advertising and to delete and correct their personal information. The Act would also require covered businesses to provide notice of their data practices and to maintain reasonable administrative, physical, and technical safeguards to protect personal information. The Act would apply to businesses that (1) have annual gross revenues in excess of $10 million; (2) annually buy, receive, share, or disclose the personal information of 25,000 or more consumers, households, or devices; or (3) derive 50% or more of their annual revenue from sharing consumer personal information, subject to certain exceptions. The Oklahoma Attorney General would be solely responsible for enforcement of the Act.
  • Three CCPA Amendments Passed, Await Governor’s Signature: In September 2021, the California Legislature passed three minor amendments to the California Consumer Privacy Act (“CCPA”). AB 335 exempts from the CCPA’s right to opt-out of the sale of personal information vessel-related information retained or shared between a vessel dealer and the vessel’s manufacturer for warranty or a recall purposes. AB 694 makes non-substantive changes to the definitions and exemptions of the CCPA and also amends the deadline for the California Privacy Protection Agency to begin rulemaking to on or after the later (as opposed to the “earlier”) of July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to assume rulemaking responsibilities. AB 825 expands the definition of personal information under California’s data breach notification law to include genetic data, effectively expanding the scope of the CCPA’s private right of action, which is tied to the categories of personal information that trigger a breach notification obligation. AB 335, AB 694, and AB 825 are all currently awaiting Governor Gavin Newsom’s signature.
  • California Legislature Passes Genetic Information Privacy Act, Awaiting Governor’s Signature: On September 13, 2021, the California Legislature passed SB 41, the Genetic Information Privacy Act (“GIPA”). GIPA requires direct-to-consumer genetic testing companies to disclose information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data. GIPA also requires direct-to-consumer genetic testing companies to obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data. GIPA exempts certain types of information and entities, such as medical information and health care providers governed by California’s Confidentiality of Medical Information Act and protected health information and covered entities and business associates governed by the Health Insurance Portability and Accountability Act (“HIPAA”). Violations of GIPA can result in civil penalties of up to $10,000 plus court costs, depending on whether negligence or willful conduct is involved. GIPA is currently awaiting Governor Gavin Newsom’s signature. Governor Newsom vetoed a similar bill last year due to concerns that the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments and the state.
  • CPPA Issues Invitation for Preliminary Comments on Proposed Rulemaking under CPRA: On September 22, 2021, the California Privacy Protection Agency (“Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking under the California Privacy Rights Act of 2020. The California Privacy Rights Act (“CPRA”), which amends the CCPA, established the Agency to enforce the CPRA, update CCPA regulations, and adopt new regulations. The Agency seeks comments on a variety of topics, including: processing that presents a significant risk to consumer’s privacy or security requiring annual cybersecurity audits and regular risk assessments; consumers’ access and opt-out rights with respect to automated decision-making technology; and consumers’ rights to correct inaccurate personal information, opt-out of the sharing of personal information, and limit the use and disclosure of sensitive personal information.

FEDERAL LAWS & REGULATION

  • U.S. House Committee Votes to Create New FTC Privacy Bureau: On September 14, 2021, the U.S. House Energy and Commerce Committee approved a $1 billion appropriation for the Federal Trade Commission (“FTC”) to create a new privacy bureau as part of a proposed $3.5 trillion federal budget reconciliation package. The purpose of the funding is to enable the bureau, over 10 years, to address unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters. The FTC has historically been the default data privacy and security regulator in the U.S., using its broad authority to investigate “unfair and deceptive acts or practices in or affecting commerce,” in the privacy and data security contexts. The new privacy bureau would presumably enable the FTC to further exercise its authority in privacy and data security-related matters.
  • Senators Request FTC Write New Privacy Rules: Senator Richard Blumenthal and eight other Democratic senators sent a letter on September 20, 2021, calling on the FTC to advance a rulemaking process to strengthen consumer privacy, bolster civil rights, and establish guardrails on the collection and use of consumers’ personal data. The letter states that “consumer privacy has become a consumer crisis,” citing the creation of in-depth profiles about Americans by Big Tech companies with “unchecked access to private personal information.” The senators urge the FTC to undertake a rulemaking process in conjunction with continued efforts to develop national privacy legislation, with the overall goal of protecting consumer data, including creating strong protections for data of members of marginalized communities, prohibiting practices such as exploitative targeting of children and teens, adopting opt-in consent rules on use of personal data, and global opt-out standards.
  • OFAC Blacklists Russian-Based Company SUEX: On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) added SUEX OTC, S.R.O. (“SUEX”), a Russian-based company that enables customers to convert digital currency into cash or other forms of assets, to the government sanctions list for its part in facilitating financial transactions for ransomware actors. According to OFAC, SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. The blacklisting of SUEX is the first sanctions designation against a virtual currency exchange. In a press release, OFAC stated that virtual currency exchanges like SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity, and that the U.S. Department of Treasury will continue to hold such entities accountable to reduce the incentive for cybercriminals to continue to conduct ransomware attacks.
  • OFAC Updates Advisory on Sanctions for Facilitating Ransomware Payments: Also on September 21, 2021, OFAC published an updated advisory on potential sanctions risks for facilitating ransomware payments (the “Updated Advisory”). The Updated Advisory follows the initial advisory published on October 1, 2020, which stressed that ransomware payments can be a violation of economic sanctions laws and warned against payments with individuals or entities on the Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and those covered by comprehensive country or region embargo (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). The Updated Advisory re-emphasizes these points and also provides that OFAC will consider the following factors when assessing appropriate enforcement action for a violation of U.S. sanctions laws: adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide; implementing a risk-based compliance program to limit exposure to paying a ransom that may involve an individual or entity on the SDN List; timely reporting ransomware attacks to appropriate U.S. government agencies; and the nature and extent of cooperation with OFAC and other government agencies.

U.S. LITIGATION

  • Seventh Circuit Rules Search Warrant Not Required Prior to Using a Surveillance Device to View IP Addresses Visited by a Criminal Suspect: On September 8, 2021, the U.S. Court of Appeals for the Seventh Circuit upheld a federal court’s decision denying a motion to suppress evidence of IP addresses visited by a suspect in U.S. v. Edward Soybel, 2021 WL 4076759 (7th Cir. Sept. 8, 2021). The government used a “pen register” to identify IP addresses Soybel unlawfully accessed on his former employer’s computer system. The court found the use of this type of device is not a Fourth Amendment “search” that requires a warrant because the connection between the suspect’s IP address and the external IP addresses of external systems the suspect had accessed was routed through a third party Internet service provider. As such, the suspect had no expectation of privacy in the captured routing information.
  • Seventh Circuit Hears Oral Argument in BIPA Class Action Appeal That Could Widen Scope of Biometric Privacy Liability Exposure Even Further: On September 14, 2021, oral argument took place before the Seventh Circuit Court of Appeals in Cothron v. White Castle Sys. Inc., No. 20-3202 (7th Cir.), which is set to clarify when claims accrue for violations of the Illinois Biometric Information Privacy Act (“BIPA”). Specifically, the issue before the Seventh Circuit is whether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under BIPA (i.e., only when the first violation takes place), or multiple claims (i.e., every time a violation takes place). A finding by the Seventh Circuit that separate, independent claims occur each subsequent time that the statute is violated would widen the already-broad scope of BIPA liability exposure even further and could potentially have an even greater impact on the legal landscape of BIPA class action litigation than the Illinois Supreme Court’s seminal 2019 opinion in Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019), where the court held that plaintiffs do not have to suffer any actual injury or harm to pursue claims under Illinois’ biometric privacy statute.
  • DoorDash Files Suit Against New York City Over New Data Sharing Law: New York City enacted an ordinance earlier this year requiring online food order and delivery service companies to share customer information with restaurants if restaurants request this information. The ordinance will take effect on December 27, 2021. On September 15, 2021, DoorDash filed a lawsuit against New York City in the U.S. District Court for the Southern District of New York, case no. 1:21-cv-07695, challenging the law, alleging that the ordinance undermines New York City residents’ privacy as “[m]any customers entrust established, respected technology companies like DoorDash with sensitive personal data that they would not entrust to small businesses that do not have similar robust data safety and security protocols.” The case is in its early stages, but DoorDash has already filed a Motion for Preliminary Injunction seeking to enjoin New York City from enforcing the new law prior to the conclusion of this case.
  • Online Retailers Face Second Wave of Virtual Try-On Face Scan BIPA Class Action Suits: In March 2021, the use of virtual try-on (“VTO”) features by online retailers emerged as the clear new target of bet-the-company BIPA biometric privacy class action litigation. The first wave of BIPA class actions targeting VTO technology this spring focused predominantly on online eyewear and cosmetics retailers. In September, enterprising plaintiff’s attorneys initiated a second wave of BIPA class action filings, this time lasering in almost exclusively on online eyewear brands that have incorporated VTO features into their operations. While no court to date has issued a definitive ruling on whether VTO facial detection technology, in fact, involves the use of biometrics, this second wave of class action filings should nonetheless serve as an important reminder to all companies that collect or otherwise utilize biometric data—especially those that operate online—that they must come into strict compliance with Illinois’ biometric privacy statute immediately if they have not already done so.
  • Illinois Appellate Court Clarifies Applicable Statute of Limitations in BIPA Class Action Litigation: On September 17, 2021, the Illinois Appellate Court First District delivered its much-anticipated decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sep. 17, 2021), addressing the applicable statute of limitations for causes of action asserted under BIPA. The court held that claims brought under Sections 15(a), (b), and (e)—pertaining to the law’s privacy policy/data destruction, notice/consent, and data security requirements—are subject to a five-year statute of limitations. Conversely, claims asserted under Sections 15(c) and (d)—relating to the law’s ban on profiting from biometric data and disclosure limitations—are subject to a one-year limitations period. Importantly, in finding that BIPA’s two most commonly-asserted provisions, Sections 15(a) and (b), are subject to the longer five-year limitations period, the opinion ensures that the tsunami of class action BIPA filings will continue to flood the courts for the foreseeable future.
  • Seventh Circuit Solidifies Power of BIPA Preemption Defense with Recent Opinion Affirming Dismissal of Class Action: On September 20, 2021, the Seventh Circuit issued its opinion in Fernandez v. Kerry, Inc., 2021 WL 4260667(7th Cir. Sep. 20, 2021), finding that a BIPA class suit was preempted by § 301 of the Labor Management Relations Act because the issue of consent—a key component of BIPA causes of action—was covered by a collective bargaining agreement. The Fernandez opinion solidifies the power of preemption, which has emerged as a vital defense for defendants in BIPA litigation. At the same time, the decision should serve as a reminder for unionized employers to ensure that the proper steps are taken during the collective bargaining process to preserve the ability to assert a preemption challenge in the event the employer’s biometrics practices are tested in court.

U.S. ENFORCEMENT

  • OCR Announces 20th HIPAA Right of Access Action: The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services announced on September 10, 2021, that it had resolved its 20th investigation in its HIPAA Right of Access Initiative. The initiative seeks to support individuals’ right to access their health records at a reasonable cost and within the timeframes dictated by the HIPAA Privacy Rule. The investigation stemmed from a complaint filed by a parent alleging that Children’s Hospital and Medical Center of Omaha, Nebraska, had failed to provide her with timely access to her daughter’s medical records. The provider agreed to take corrective actions and pay $80,000 to settle potential violations of the Privacy Rule’s access requirements.
  • President Biden Nominates Alvaor Bedoya to FTC: On September 13, 2021, President Biden nominated Alvaor Bedoya to serve as a member of the Federal Trade Commission (“FTC”). If confirmed by the Senate, Bedoya is to succeed Commissioner Rohit Chopra. Bedoya currently acts as the founding director of the Center on Privacy & Technology at Georgetown Law, where he is also a visiting professor. Bedoya’s scholarship has focused on the racial biases of government surveillance and facial recognition technology. Bedoya has also previously served as chief counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. Bedoya is viewed as a privacy advocate that will help enable the aggressive enforcement agenda laid out by the FTC.
  • Massachusetts Attorney General Opens Investigation of T-Mobile: On September 14, 2021, Massachusetts Attorney General Maura Healey announced the launch of an investigation into T-Mobile’s most recent data breach. The personal information of at least 13.1 million current customers and 40 million former and prospective customers were compromised after T-Mobile’s computer network was breached in July 2021. The affected information included names, drivers’ license information, government identification numbers, Social Security numbers, addresses, and dates of birth. For some customers, T-Mobile prepaid pins, phone numbers, International Mobile Equipment Identity (IMEI) numbers, and International Mobile Subscriber Identity (IMSI) numbers were also illegally accessed. The Massachusetts Attorney General’s Office has launched an investigation into the circumstances of the data breach and the steps T-Mobile is taking to address it and notify consumers, and to determine whether T-Mobile had proper safeguards in place to protect consumer and mobile device information.
  • SEC Announces Settlement with Alternative Data Provider: On September 14, 2021, the Securities and Exchange Commission (“SEC”) announced a settlement with App Annie Inc. for securities fraud relating to deceptive practices and material misrepresentations about how the company derived its market data on mobile app performance, including estimates on the number of times a particular company's app is downloaded, how often it's used, and the amount of revenue the app generates for the company. Such data is commonly referred to “alternative data” by securities trading firms because it is not contained within the companies’ financial statements or other traditional data sources. The SEC order found that, to obtain data from mobile app providers, App Annie promised the mobile app providers that it would only disclose such data if it was aggregated and anonymized prior to being used to develop models of app performance. However, App Annie used non-aggregated and non-anonymized data and misrepresented to trading firms that it was using the data consistent with the consent it received from companies regarding sharing their confidential data. App Annie then encouraged trading firms to trade on such data.
  • FTC Reminds Digital Health Companies to Comply with Health Breach Notification Rule: On September 15, 2021, the FTC issued a policy statement clarifying the FTC’s view of entities that must comply with the Health Breach Notification Rule (“Rule”). The Rule, issued in 2009, requires vendors of personal health records, related entities, and their third party service providers to notify consumers and the FTC when data is disclosed or acquired without the consumers’ authorization. The Rule does not apply to covered entities or business associates acting in their capacity as business associates. In the policy statement, the FTC stated its position that developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because they furnish healthcare services or supplies by offering the app or connected device. Because the Rule defines individually identifiable health information by cross-reference to the HIPAA definition—which in relevant part defines individually identifiable health information as information created or received by a healthcare provider, health plan, or healthcare clearinghouse—this means that any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected only from one source, regardless of whether one of those sources is a traditional covered entity under HIPAA. Mobile health app developers should inventory data sharing practices, including sharing with third party vendors, to evaluate whether sharing without a consumer’s authorization would trigger the breach notification provision of the Rule under the FTC’s expansive interpretation.

INTERNATIONAL LAWS & REGULATION

  • Irish Data Protection Authority Releases Guidance on Data Protection Officers: The Irish data protection authority, the Data Protection Commission (“DPC”), released guidance on September 14, 2021, on the appropriate qualifications for a Data Protection Officer (“DPO”) under the EU General Data Protection Regulation (“GDPR”). Article 37 of the GDPR requires controllers and processors of personal data to appoint a DPO, where their core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals, which includes all forms of tracking and profiling on the Internet, including for the purposes of behavioral advertising. While the GDPR requires the DPO to be designated based on professional qualities and expert knowledge of data protection law and practices, it does not specify any other requirements. The DPC’s guidance recommends that the appropriate level of qualification and expert knowledge be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed, and the protection required for the data being processed.
  • UK ICO Fines Four Companies for Sending Electronic Marketing Messages Without Permission: On September 15, 2021, the UK Information Commissioner’s Office (“ICO”) announced it had issued a total of £495,000 in fines against four companies that between them sent more than 354 million marketing e-mails and texts without permission. We Buy Any Car was fined £200,000 for sending 191 million e-mails and 3.6 million text messages to individuals who had requested an online evaluation of their vehicles. While the ICO found initial responses to these requests were lawful, the company did not obtain consent for the millions of follow up marketing e-mails. Saga Services Ltd. and Saga Personal Finance (collectively, “Saga”) were fined £225,000 for sending 128 million e-mails to individuals on a list purchased from a third party that had not provided permission to Saga to contact them. Sports Direct was fined £70,000 for sending 2.5 million e-mails to individuals it had not contacted for some time as part of a re-engagement campaign. Sports Direct could not show evidence those individuals consented to receiving the e-mails.
  • Quebec Passes New Privacy Law: Quebec adopted Bill 64, “An Act to modernize legislative provisions as regards the protection of personal information,” on September 21, 2021. Bill 64 introduces new standards for individual privacy rights, including a new right to data portability and a “right to be forgotten” similar to the GDPR. Bill 64 also enhances transparency and consent requirements and will require covered organizations to conduct privacy impact assessments for information system or electronic service delivery projects involving personal information, transfers of personal information outside of Quebec, and communication of personal information for study, research, or statistical purposes without consent. The provisions of Bill 64 take effect on a rolling basis over three years. Bill 64 provides that Québec’s privacy regulator, the Commission d’accès à l’information, can impose administrative penalties on organizations of up to the greater of CA$10 million or 2% of global turnover.
  • EDPB Adopts Opinion on Draft South Korea Adequacy Decision: On September 27, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB noted key areas of alignment between EU and South Korean data protection laws, including with respect to grounds for lawful processing, purpose limitation, data retention, security and confidentiality, and transparency. The EDPB asked the European Commission to provide additional information with respect to several areas of the adequacy decision, including the independence of the members of the South Korean supervisory authority, the staff and financial resources available to the South Korean supervisory authority, and remedies and rights of redress under South Korean data protection law.