STATE & LOCAL LAWS & REGULATION
Virginia Legislature Passes Amendment to the Virginia Consumer Data Protection Act (“VCDPA”) on Children’s Privacy
The Virginia Legislature has passed SB361/HB707 (the “Bill”), which amends the VCDPA to prohibit operators of a website, online service, or online or mobile application from processing or allowing a third party to process the personal data of “covered users” (i.e., actually known minors (under 18) or users of a site or service that is directed to minors) unless the processing is permitted under the Children’s Online Privacy Protection Act for covered users 12 and younger, or if the covered user is 13 or older and the processing is strictly necessary or the operator has obtained informed consent. The Bill also prohibits operators from (1) disclosing a covered user’s personal data to a third party without a written agreement containing certain provisions; and (2) knowingly processing a minor’s personal data for purposes of targeted advertising, sale, or profiling. If the Bill becomes law, it will go into effect on January 1, 2025.
Kentucky Nears Adoption of Comprehensive Privacy Law
The Kentucky legislature passed the Kentucky Consumer Data Protection Act (HB 15) (“KCDPA”), which most closely follows the VCDPA. As with most state comprehensive privacy laws, the KCDPA provides consumers (i.e., Kentucky residents not acting in a commercial or employment context) the rights to access, correct, and delete personal data and the right to opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. Like the VCDPA, “sale” is defined in a limited manner (i.e., the exchange of personal data for monetary consideration). The KCDPA also requires data protection impact assessments for processing activities that present a heightened risk of harm and opt-in consent to process sensitive data, which includes data collected from a known child under 13. Upon signature from the Kentucky Governor, the KCDPA will become effective in January 2026.
New Hampshire Comprehensive Data Privacy Bill Signed into Law
On March 6, 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 into law. The law, which becomes effective on January 1, 2025, provides comprehensive protections for consumers’ personal data. The law applies to people who, during a one-year period, (a) control or process the personal data of no less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of no less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data. The law also contains various consumer rights, including the right to verify if a controller is processing personal data, the right to delete, and the right to opt out of data processing. The law requires businesses to secure a consumer’s opt-in consent before processing personal data. Regarding enforcement, the New Hampshire Attorney General maintains the exclusive authority to enforce violations of the law.
California Privacy Protection Act (“CPPA”) Releases 3-Year Strategic Plan and Moves Forward with Draft Rules
The CPPA, the enforcement authority for the California Privacy Rights Act (“CPRA”), released a 3-year strategic plan, which sets forth the CPPA’s mission and organizational core values, goals, and objectives. The CPPA’s main goals are to: (1) provide resources, tools, and support to consumers and businesses to increase awareness of Californians’ privacy rights and facilitate compliance; (2) enforce privacy laws through engagement with the regulated community, timely investigations, and enforcement actions; (3) ensure that statutes, regulations, policies, and procedures support and further the CPPA’s mandates and mission; and (4) implement policies, programs, and regulations. The CPPA has recently voted in favor of making additional edits to revised draft regulations regarding risk assessments and automated decisionmaking technology, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.
Proposed California Law would Require Browsers and Devices to Offer Opt-Out Signals
California Assembly Member Lowenthal has introduced a new bill that would require companies that offer internet browsers to include a setting that enables consumers to send “opt-out preference signals” through the browser. This bill is designed to support the California Consumer Privacy Act (“CCPA”), which includes consumer rights to opt out of the sale or sharing of information, such as that collected through online cookies and trackers. See California Attorney General Announces Settlement with Sephora. Currently, the vast majority of popular browsers, including Google Chrome and Microsoft Edge, do not support opt-out mechanisms, such as the Global Privacy Control touted by the California Attorney General and Privacy Protection Agency (“CPPA”). The CPPA announced its support for the proposed bill, which is likely to receive significant pushback from online technology companies.
CPPA Data Broker Registry Is Now Live
The California Privacy Protection Agency launched its Data Broker Registry, which allows users to search for companies that have registered as data brokers under California law. This registry provides users with the business name, contact email address, and relevant website URL for each registered broker. It also identifies whether each broker processes information regarding minors. Data brokers are defined as businesses that knowingly collect and sell personal information to third parties about consumers with whom the business does not have a direct relationship. Under California’s 2023 “DELETE Act,” data brokers are required to register with, pay a fee to, and provide specific disclosures to the CPPA. Beginning in 2026, data brokers will further be required to comply with consumer opt-out requests submitted through the CPPA tool.
Utah Amends Data Breach Notification Law
Utah’s governor signed Senate Bill 98 into law. The bill amends Utah’s Protection of Personal Information Act and the Utah Technology Governance Act by defining data breaches that must be reported to the Utah Cyber Center and the information that must be provided to the Utah Cyber Center or the Attorney General in the event of a data breach. The bill provides that a “data breach” for the purposes of reporting to the Utah Cyber Center is the unauthorized access, acquisition, disclosure, loss of access, or destruction of (1) personal data affecting 500 or more individuals; or (2) data that comprises the security, confidentiality, availability, or integrity of the computer systems used, or information maintained by, a governmental entity. Under the bill, data breach notifications to the Utah Cyber Center or Attorney General are the date the breach occurred, the date the breach was discovered, the total number of people affected by the breach, including the total number of Utah residents, the type of personal information involved in the breach, and a short description of the breach.
Utah Legislature Repeals and Replaces Social Media Regulation Act
In early March 2024, the Utah legislature passed two bills (SB 194 and HB 464), which repealed and replaced the Utah Social Media Regulation Act (“USMRA”). In 2023, the USMRA was subject to various constitutional challenges under the First Amendment and Due Process Clause of the Fourteenth Amendment. Both HB 464 and SB 194 are legislative responses to these legal challenges. HB 464 explicitly repeals the USMRA and creates a private right of action for harm to minors for an adverse mental health outcome arising from the minor’s excessive use of a social media company’s algorithmically curated social media service. SB 194 enacts the Utah Minor Protection in Social Media Act (“UMPSMA”). The UMPSMA regulates social media companies and requires companies to implement age assurance systems, maximum privacy settings for minors, and supervisory tools for parents. The UMPSMA takes effect on October 1, 2024, and will be enforced by the Utah Division of Consumer Protection.
California Issues Guidelines for Public Sector Procurement of GenAI
On March 22, 2024, California released interim guidelines on the uses, training, and procurement of generative artificial intelligence tools in the public sector. This guidance follows Governor Gavin Newsom’s September 2023 Executive Order and November 2023 Report highlighting the potential risks and benefits of using AI tools in both the public and private sectors. The guidelines are designed to guide California state agencies as they meet the Executive Order’s directive to “consider pilot projects of GenAI applications” by July 2024. Much like the draft CPPA regulations on automated decision-making technologies, this guidance focuses heavily on risk assessment, risk management, and transparency.
FEDERAL LAWS & REGULATION
Biden Administration Issues Executive Order Restricting Personal Data Transfers to Foreign Adversaries
The Biden Administration issued an Executive Order on “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Executive Order requires the U.S. Department of Justice (“DOJ”) to develop regulations that block or place restrictions on transactions with foreign adversaries and their proxies that involve bulk sensitive personal data or United States government data. Countries of concern that will be evaluated by the DOJ as part of the rulemaking process are China, Russia, Iran, North Korea, Cuba, and Venezuela. The rules will regulate data transactions with “covered persons,” which include an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, and foreign persons who are employees or contractors of such entities, among others. “Sensitive personal data” covered by the regulations includes “geolocation and related sensor data, biometric identifiers, genomic data, personal health data, and personal financial data.” The Executive Order also calls for commercial data privacy and security rules providing for minimum privacy and security standards that would need to be met before engaging in certain prohibited transactions.
U.S. Department of Transportation Announces Privacy Review of Airlines
The U.S. Department of Transportation (“DOT”) will conduct a privacy review of the ten largest airlines operating in the United States. The review will focus on the airlines’ collection, handling, maintenance, and use of passengers’ personal information. In addition, the review will examine airlines’ policies and procedures to determine if they are properly safeguarding their passengers' information. DOT will also examine whether passengers’ sensitive personal information is improperly monetized and to what extent the airlines are unfairly sharing this data with third parties. To begin the review process, DOT requested airlines provide information about policies and procedures for handling passengers’ data and complaints received about the mishandling of personal information. If DOT finds evidence of problematic practices, it has the authority to investigate and take enforcement actions against airlines that engage in unfair or deceptive practices involving passenger information.
NIST Releases Version 2.0 of Its Core Cybersecurity Framework
On February 26, The National Institute of Standards and Technology (“NIST") announced the release of its updated Cybersecurity Framework, expanding the framework to “help all organizations – not just those in critical infrastructure, its original target audience – to manage and reduce risks.” The new Framework places a heightened focus on governance, emphasizing the importance of making informed decisions on cybersecurity strategy. It also includes a wide variety of tools designed to simply use of the framework for smaller businesses, including quick start guides, searchable information catalogs, and reference tools. NIST intends to publish the new framework in 13 languages and continue to work with international organizations to improve and maintain the new framework.
U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) Updates Guidance on Online Tracking Technologies
OCR issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) on the use of online tracking technologies. The previous guidance required covered entities to enter into business associate agreements (“BAAs”) with the third-party providers of such tracking technologies or to obtain valid authorizations from individuals before transmitting the protected health information (“PHI”) from the tracking technologies to the tracking technologies’ provider. The updated guidance clarifies that the nature of the visit determines whether HIPAA applies. For instance, if a student is visiting webpages to research the availability of oncology services pre- and post-pandemic, the collection and transmission of their IP address and other personal information would not require a BAA or authorization because no PHI is involved, whereas if a patient is visiting the same pages to receive a second opinion about their diagnosis/treatment, a BAA or authorization would be required.
FCC Creates Cybersecurity Labeling Program for Smart Products
The Federal Communications Commission (“FCC”) voted to create a voluntary cybersecurity labeling program for wireless Internet of Things (“IoT”) products, including home security cameras, internet-connected appliances, fitness trackers, and baby monitors. The program will qualify consumer smart products that meet cybersecurity standards by adding a label to help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and incentivize manufacturers to meet higher cybersecurity standards. Other features of the program include the inclusion of a new “U.S. Cyber Trust Mark” logo that will appear on the IoT products, accompanied by a QR code that consumers can scan for details about the security of the product. Under the program, the FCC will provide oversight, and third-party label administrators will evaluate product applications and authorize use of the label.
FCC Chair Calls for Agency to Take Steps to Prevent Smart Car Services from Being Used to Harass and Intimidate
Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel announced a proposal for a Notice of Proposed Rulemaking seeking comment on the types and frequency of use of connected car services that are available in the market. The proposal asks whether changes to the FCC’s rules are needed to address the impact of connected car services on domestic violence survivors and seeks comment on what steps connected car service providers can proactively take to protect victims from misuse of connected car services. Chairwoman Rosenworcel wrote to auto manufacturers and wireless service providers in January to seek their help in protecting domestic abuse survivors from misuse of connected car tools.
CISA Releases Proposed Rules on Data Breach Reporting
The U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished notice of proposed rulemaking relating to data breach reporting by critical infrastructure entities. CISA has identified the following critical infrastructure industries: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; state, local, tribal, and territorial government coordinating council; transportation systems; and water and wastewater. Under the proposed rule, covered entities would be required to report within 72 hours any “qualifying cyber incidents” or ransomware payments. Covered entities would also be required to report any substantially new or different information than was provided in previous reports submitted to CISA. The proposed rule defines qualifying cyber incidents as “substantial” cyber incidents that result in a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network, among other defined impacts, and include cyber incidents affecting data managed by a third-party provider.
U.S. LITIGATION
BNSF Railway Co. (“BNSF”) to Pay $75M to Resolve Biometric Privacy Class Action
BNSF has agreed to pay $75 million to resolve a class action accusing BNSF of violating the Illinois Biometric Information Privacy Act (“BIPA”). The class action of 45,600 truck drivers alleged that BNSF unlawfully collected fingerprint scans without the consent of the drivers using the automated gate systems at the company’s four facilities in Illinois. The settlement is pending court approval and BNSF notedly does not admit any liability. Last year, BNSF lost the jury trial on this class action, with the jury finding that BNSF had recklessly or intentionally violated BIPA 45,600 times resulting in damages of $228 million (BIPA provides that intentional or reckless violations of BIPA may result in liquidated damages of $5,000 or actual damages, whichever is greater). However, the U.S. District Court of the Northern District of Illinois vacated and ordered a new trial limited to the question of damages.
Illinois Judge Approves Settlement in Database Privacy Lawsuit
Illinois Circuit Judge Clare Quish ordered a preliminary approval to a $870,000 settlement between Apollo.io and a class of Illinois residents. The lawsuit filed by class representatives claims a database operated by Apollo.io is collecting personal information of individuals employed by companies contained in the database without their knowledge or awareness. The class includes 20,730 individuals, who are individuals with a primary Illinois residential address and whose profile on Apollo.io was, according to the company’s records, added to a free user’s account within 15 minutes of a subscription purchase between May 2022 and October 2023. Each class member stands to recover between $127 and $254 under the preliminary approval. In addition to the settlement, Apollo.io agreed to not display the name of any Illinois class member in connection with a direct solicitation on its website for five years.
Recent Court Decision Addresses Coverage for Cyber-Related Business Interruption
Cyber insurance policies typically cover business interruption and additional expenses. A recent case clarifies the broad scope of this coverage. In Southwest Airlines Co. v. Liberty Insurance Underwriters, Inc., 90 F.4th 847 (5th Cir. 2024), an airline experienced a massive computer failure, which caused flight cancellations and delays that affected more than 450,000 customers. To assuage customers caught in the disruption, the airline provided discounts and travel vouchers and paid for alternative travel arrangements. The cyber insurer denied coverage for such costs on the ground that the costs were not solely the result of the computer outage. Instead, the insurer characterized the costs as discretionary because they were caused by the airline’s decision to incur them, as opposed to the outage itself. The U.S. Court of Appeals for the Fifth Circuit took a broader view of causation than the insurer. It explained that the airline’s decision to provide discounts and pay travel costs were not independent causes of the losses. Rather, the airlines’ decision to incur them were “links in a causal chain that led back to the system failure.” Also, under basic insurance principles, mitigation costs may be recoverable, the court explained. Although cyber insurance business interruption/extra expense claims involve an array of complex issues, the Fifth Circuit’s decision should help policyholders show causation for the various costs they incur to preserve their businesses in the wake of a cyber incident.
U.S. Court of Appeals Rejects Meta’s Request to Stop Federal Trade Commission (“FTC”) Hearing
The U.S. Court of Appeals for the District of Columbia Circuit rejected Meta’s request to stop a Federal Trade Commission (“FTC”) administrative hearing concerning Meta’s practice of serving targeted advertisements to minors. The court held that Meta did not meet the standards for an injunction for several reasons, including that an administrative hearing by the FTC would not cause “irreparable injury” to Meta because the company could appeal the outcome to a federal court. Relatedly, the U.S. District Court of the District of Columbia also rejected Meta’s claim that the FTC’s administrative hearing was unconstitutional and denied Meta’s request for an injunction to halt the FTC’s administrative hearing. Meta has since filed an emergency petition to stop the FTC’s administrative hearing from occurring while the Court of Appeals hears Meta’s case for an injunction. These cases mark the latest development in a battle that began last May, when the FTC proposed modifying a 2020 settlement to prohibit Meta from using minors’ data to fuel ad targeting or algorithms and to ban Meta from launching new products or service unless an assessor has confirmed that Meta’s privacy program has no weaknesses.
U.S. ENFORCEMENT
HHS Office Opens Investigation into Change Healthcare Cyberattack
The US Department of Health and Human Services (“HHS”) has opened an investigation into a cyberattack on Change Healthcare, a unit of UnitedHealth Group. The cyberattack was operated by the “Blackcat” ransomware group, which took out Change Healthcare’s information technology systems and services. Blackcat is believed to be behind global cyberattacks of more than 1,000 entities, with the healthcare sector most targeted since December 2023. The HHS’s investigation will determine whether the cyberattack exposed patients’ confidential data or violated other privacy protections. In addition, the investigation will examine whether Change Healthcare complied with federal health privacy requirements. The US Department of State has issued rewards of up to $15 million for information that would lead to the identification of the leaders behind Blackcat and the arrest of group members.
FTC Releases Data Privacy and Security Enforcement Update
The Federal Trade Commission (“FTC”) released its 2023 Privacy and Data Security Update highlighting the FTC’s privacy and data security-related work on enforcement, rulemaking, and policy relating to data privacy and security. The document highlights actions taken by the FTC in recent years relating to artificial intelligence, health privacy, children’s privacy, geolocation data, and data security, among other areas.
Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) Sanctions Spyware Company
OFAC announced its first-ever set of sanctions against two individuals and five entities associated with the commercial spyware entity, Intellexa Consortium (“Intellexa”), for their role in developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts. Intellexa acted as a marketing label for a variety of companies that offer commercial spyware and surveillance tools, which are packaged as a suite of tools under the brand name “Predator”. Once a device is infected by the Predator spyware, it can be leveraged for a variety of information stealing and surveillance capabilities, including the unauthorized extraction of data, geolocation tracking, and access to a variety of applications and personal information on the compromised device. The sanctions effectively freeze any U.S. assets of the two individuals and five entities associated with Intellexa and generally prohibit Americans from dealing with them.
INTERNATIONAL LAWS & REGULATION
European Parliament Approves EU AI Act
The European Parliament voted to approve the EU AI Act. The AI Act will now be sent to the European Council for formal endorsement as the final step for official adoption of the AI Act. Following European Council approval, the AI Act will be published in the Official Journal of the EU and will enter into force 20 days following publication. The AI Act provides between six and 36 months to comply with its provisions, with the timing dependent upon the risk classification of the AI system at issue. Entities must comply with requirements related to prohibited AI systems within six months and general-purpose AI systems within 12 months. Most other obligations, including requirements for high-risk systems listed in Annex III apply within 24 months, and obligations related to high-risk systems in products covered by European Union harmonization legislation listed in Annex II apply within 36 months.
CJEU Rules That Oral Disclosure Constitutes Processing under the GDPR
On March 7, 2024, the Court of Justice of the European Union issued a Judgement in response to a request for a preliminary ruling, holding that the oral disclosure of personal information can constitute processing under the GDPR. In this matter, a company asked a Finnish court to disclose information regarding the criminal record of a person competing in a competition organized by the company. The Finnish court refused to communicate the data orally, asserting that it did not have a valid lawful basis to process under the GDPR. The CJEU agreed, finding that the term “processing” should be interpreted broadly to include oral disclosures. The Court stated that the “possibility of circumventing the application of [the GDPR] by disclosing personal data orally rather than in writing would be manifestly incompatible with” the purpose of ensuring a high level of protection of the fundamental rights and freedoms of natural persons. While the oral disclosure of information that is not part of a “structured set of personal data... accessible according to specific criteria” may fall outside the scope of the GDPR, the CJEU found that the information sought was contained within the court’s records, a “filing system” as defined by Article 4. Therefore, this exception did not apply.
European Data Protection Supervisor Rules European Commission's use of Microsoft 365 Violates the GDPR
On March 8, 2024, the European Data Protection Supervisor (“EDPS”) issued a Decision, finding that the European Commission’s use of Microsoft 365 violates the GDPR. The EDPS stated that the Commission “failed to provide appropriate safeguards” to ensure the protection of information transferred outside of the EU/EEA and “did not sufficiently specify what types of personal data are to be collected” when using Microsoft 365. The EDPS has therefore required the Commission to “suspend all data flows” resulting from its use of the Microsoft product to its affiliates and sub-processors outside the EU/EEA and not otherwise subject to an adequacy determination. It has also outlined a list of corrective measures that the Commission will need to complete prior to reimplementing these data flows. These include (1) carrying out a transfer-mapping exercise; (2) ensuring that all transfers to third countries take place solely to allow tasks within the competence of the Commission; and (3) ensuring that appropriate contractual controls are in place that specify, among other topics, the specific purpose of data collection and limitation of Microsoft’s use of the data received as part of the Commission’s use of the product. This decision follows decisions against Microsoft in the past two years from Member State regulators and highlights the complexity of cross-border data transfers even following the establishment of the EU-US Framework in July 2023.
Garante Notifies OpenAI of Data Protection Violations
The Garante Per La Protezione Dei Dati Personali (“Garante”), the Italian data protection authority, issued a notice to OpenAI of breaches of data protection law relating to its ChatGPT tool. The notification follows a temporary ban on processing by OpenAI issued by the Garante last year and its subsequent investigation of OpenAI data processing. OpenAI may submit a response to the Garante as part of the enforcement process.
Ana Tagvoryan, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Amanda M. Noonan, and Karen H. Shin contributed to this article.