Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice.
STATE & LOCAL LAWS & REGULATIONS
Delaware Poised to Become 12th State with Comprehensive Privacy Law
The Delaware legislature passed the Delaware Personal Data Privacy Act (“DPDPA”). Similar to other state comprehensive privacy laws, the DPDPA provides Delaware residents with personal data rights, including the rights to correct, delete, and obtain a copy of personal data about the resident and to opt out of the processing of personal data for targeted advertising, profiling, and sales of personal data. The DPDPA applies to persons conducting business in Delaware that, in the preceding calendar year, (1) controlled or processed the personal data of 35,000 or more consumers or (2) controlled or processed the personal data of 10,000 or more consumers and derived more than 20 percent of their gross revenue from the sale of personal data. The DPDPA does not provide a private right of action and would be exclusively enforced by the Delaware Department of Justice. The DPDPA will be effective on January 1, 2025, unless its enactment is delayed until after January 1, 2024, in which case it would take effect on January 1, 2026.
California Privacy Protection Agency Creates CPRA Complaint Form
The California Privacy Protection Agency (“CPPA”), which enforces the California Privacy Rights Act (“CPRA”), has launched a complaint form. The complaint form allows California residents and nonresidents to submit a complaint if they believe their rights under the CPRA or someone else’s have been violated. There is also an FAQ page to assist individuals in filling out their complaints. CPPA Special Advisor Elizabeth Allen stated that the new system received thirteen complaints after its soft launch on July 6, 2023. Of the complaints so far, she stated 77 percent were sworn, 54 percent were submitted by California residents, and the right to limit the use of sensitive personal information was the most-alleged violation of the CPRA, while the average user identified four potential CPRA violations in their complaints.
California Attorney General Seeks Information from California Employers on Compliance with the CPRA
The California Attorney General has announced that its Office will commence an investigative sweep, sending inquiry letters to large California employers requesting information on their companies’ compliance with the CPRA. Previously, information collected in the employment and commercial context was exempt from the CPRA. However, beginning on January 1, 2023, businesses subject to the CPRA have been required to comply with the CPRA’s robust privacy protections for employment data, such as providing employees and job applicants with a privacy notice and fulfilling requests to exercise their rights to know, delete, correct, and opt out of the sale and sharing of personal information and to limit the use and/or disclosure of sensitive personal information. The announcement comes on the heels of the Sacramento Superior Court’s decision to delay the enforcement of the CPRA regulations to March 29, 2024, underscoring the fact that the California Attorney General will still continue to enforce the CPRA.
New York Department of Financial Services Updates Proposed Second Amendment to Cyber Regs
The New York Department of Financial Services (“DFS”) published an update to the proposed second amendment to the DFS Cybersecurity Regulation in response to public comments. The updates include several changes, including clarifying the threshold for qualification as a “Class A Company,” removing a proposed requirement that a Class A company uses external experts to conduct risk assessments at least once every three years, adding a requirement that a covered entity’s incident response plan includes procedures to address preparation of a root cause analysis, and expanding multi-factor authentication requirements, among other changes. The DFS provided additional detail and explanation for the changes in an Assessment of Public Comments. The comment period for the proposed amendments will be open until 5 p.m. ET on Monday, August 14, 2023.
Washington State AG Issues FAQ for Comprehensive Health Privacy Law
The Office of the Washington State Attorney General issued an FAQ addressing certain topics related to the Washington State My Health My Data Act (the “Act”). The brief FAQ provides some clarification on the scope of the definition of consumer health data. For example, the FAQ states that records relating to the purchase of toiletry products would not be considered consumer health data, while data tracking digestion or perspiration would be. Likewise, inferences about a consumer’s health status derived from the purchase of products would qualify as consumer health data. Regulated entities that are not small businesses must comply with the Act by March 31, 2024. Small businesses, as defined by the Act, must comply with the Act by June 30, 2024. The Act’s prohibitions related to the use of a geofence around a healthcare entity are already effective.
Montana Passes Law Regulating Facial Recognition Use by Police
Montana recently passed The Facial Recognition for Government Use Act (“FRGUA”), which permits state and local agencies, including law enforcement, to use facial recognition to look for suspects, victims of, or witnesses to serious crimes. However, FRGUA prohibits the use of “continuous” facial recognition and establishes human review and audit procedures to ensure compliance with the technology. FRGUA requires police to obtain a warrant to use facial recognition absent exigent circumstances. It also restricts the state motor vehicle division to set up facial recognition only with prior approval of the legislature. In terms of disclosure, third-party vendors of facial technology and public agencies must have use and privacy policies for individuals. Finally, FRGUA imposes monetary penalties for negligent violations of the statute and grants the attorney general the authority to initiate enforcement actions.
FEDERAL LAWS & REGULATIONS
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Securities and Exchange Commission adopted final rules requiring public companies to disclose information regarding their cybersecurity risk management, strategy, and governance on an annual basis and to disclose material cybersecurity incidents within four business days of the company’s materiality determination. The final rule will become effective 30 days following publication of the adoption release in the Federal Register. Form 10-K and 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
FTC and HHS Warn Hospital Systems and Telehealth Providers about Online Tracking Technologies
The Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services (“HHS”) issued a joint letter to approximately 130 hospital systems and telehealth providers, cautioning them of the risks related to using online tracking technologies on their websites or mobile applications that may impermissibly disclose health information to third parties. According to the letter, recent research has highlighted concerns about the use of technology to track users’ online activities and health information, including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, and where an individual seeks medical treatment. The letter serves as a reminder of HHS’s bulletin regarding how the Health Insurance Portability and Accountability Act (“HIPAA”) applies to the use of online tracking technologies, and how the FTC Act and the FTC Health Breach Notification Rule require protection against impermissible disclosures of health information, even when HIPAA does not apply.
Biden Administration Announces Voluntary Commitments from Companies to Manage AI Risk
The White House announced that Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI made voluntary commitments to manage risks related to the development and use of artificial intelligence. The voluntary commitments cover principles of safety, security, and trust in the development of artificial intelligence. Under these principles, companies have a duty to make sure their products are safe before introducing them to the public, a duty to build systems that put security first, and a duty to earn the public’s trust. The announcement states that voluntary commitments are a first step in developing and enforcing binding obligations regarding the development of artificial intelligence tools.
FCC Announces Voluntary Certification and Labeling Program for Smart Devices
The FCC has announced a voluntary “U.S. Cyber Trust Mark,” which would provide consumers with information about the security of smart devices connected to the Internet of Things. The FCC also intends to use a QR code, which would link to a national registry of certified devices to provide consumers with specific information about smart devices. The Department of Energy will collaborate with National Labs and other partners to develop cybersecurity labeling requirements for smart meters and power inverters, which are essential to future smart power grids. If the FCC accepts the program, it would commence with a proposed rule and a public comment period. The FCC projects that the program could be active by late 2024.
U.S. LITIGATION
$228M Damages Award Vacated in First BIPA Trial
The U.S. District Court of the Northern District of Illinois vacated a $228 million damages award in Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois Biometric Information Privacy Act (“BIPA”). In Rogers v. BNSF Railway Co., rail workers alleged that BNSF Railway Co. (“BNSF”) collected their biometric information without informed consent. The jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times (one violation per class member). BIPA provides that intentional or reckless violations of BIPA may result in liquidated damages of $5,000 or actual damages, whichever is greater. The prior award resulted from multiplying the number of BIPA violations by $5,000 to arrive at $228 million. While the court upheld the verdict that the company violated the BIPA, it held that damages were discretionary under BIPA (due to the term “may”) and ordered a new trial limited to the question of damages.
Eighth Circuit Blocks EPA Rule Requiring States to Review Water Systems Cybersecurity Measures
The Eighth Circuit blocked an EPA rule, which required states to review and report cybersecurity threats to public water systems. Three states filed a motion for a stay of the rule’s implementation, with the American Rural Water Association (“AWWA”) and National Rural Water Association (“NRWA”) intervening on the states’ behalf. The AWWA argued that the EPA improperly categorized its rule as “interpretative” and did not follow the Administrative Procedure Act’s procedures that apply to legislative rules. The AWWA also argued that the EPA failed to put the new rule up for public comment. In response, the EPA asserted that the Eighth Circuit had no jurisdiction to review EPA decisions under the Safe Drinking Water Act. Ultimately, the Eighth Circuit agreed with the states but did not explain why it granted the motion to stay.
U.S. ENFORCEMENT
FTC Publishes Blog on Generative AI Raising Competition Concerns
The FTC’s Bureau of Competition and Office of Technology published a blog identifying a few of the essential technical building blocks of generative artificial intelligence (“AI”) and the competition concerns potentially raised by generative AI. The FTC defines “generative AI” as a category of AI that empowers machines to generate new content rather than simply analyze or manipulate existing data. According to the FTC, control over one or more of the key building blocks that generative AI relies on could affect competition in generative AI markets. The FTC specifically is concerned with (1) data – the volume and quality of data required to pre-train a generative AI model from scratch, (2) talent – the difficulty to find, hire, and retain the talent required to develop generative AI, and (3) computational resources – the high entry cost to be able to create a new model from scratch, especially through cloud computing services.
FTC Approves Settlement against BetterHelp
The FTC has finalized an order requiring BetterHelp, Inc. (“BetterHelp”), an online counseling service, to pay the FTC $7.8 million and prohibit it from sharing consumers’ health data for advertising purposes. According to the FTC’s complaint, BetterHelp used and disclosed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes despite promising consumers that it would only use or disclose personal health data for limited purposes. In addition to the prohibition on disclosing health data for advertising purposes, the order, among other things, also requires BetterHelp to obtain affirmative express consent before disclosing personal information to certain third parties, implement a comprehensive privacy program, direct third parties to delete the consumer health and other personal data that BetterHelp shared with them, and limit how long it can retain personal and health information according to a data retention schedule.
Colorado AG Launches Enforcement of the Colorado Privacy Act
On July 12, 2023, Colorado Attorney General Phil Weiser announced that the Colorado Department of Law will begin enforcing the Colorado Privacy Act (“CPA”), which went into effect on July 1, 2023. The AG provided businesses with a series of letters, which will focus on educating companies on their new legal obligations under the CPA. The CPA applies to all entities operating in Colorado or entities targeting Colorado citizens that collect more than 100,000 individuals’ data annually or receive revenue or benefit from the sale of personal data and process the personal data of more than 25,000 individuals. The AG’s letters emphasize obligations related to the collection and use of sensitive data, including the requirement to obtain consumer consent prior to collecting sensitive data and the obligation to provide consumers the ability to opt out of targeted advertising and profiling.
INTERNATIONAL LAWS & REGULATIONS
European Commission Adopts Adequacy Decision for EU-U.S. Data Privacy Framework
The European Commission announced it formally adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”). The decision officially makes the Framework a viable legal mechanism for transferring personal data to the U.S.; U.S. companies may self-certify compliance with the principles and obligations of the Framework. Companies that have an up-to-date certification under the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020, will be able to take advantage of a simplified self-certification process. The Department of Commerce’s International Trade Commission recently launched a website for the Framework that provides access to a self-certification portal and information on the Framework for U.S. and European businesses.
China Publishes Rules for Generative AI
The Cyberspace Administration of China announced provisional rules for generative artificial intelligence (“AI”). Rules require generative AI providers to adhere to socialist values. The rules also include registration requirements for AI that may influence public opinion and licensing requirements for generative AI service providers. The rules also state that AI must not result in discrimination based on genera, age, ethnicity, occupation, or health and should not be used for anti-competitive purposes. Regulators have sweeping powers to review generative AI models, including the ability to review training data and algorithms that are used.
EDPB Publishes Recommendations on Binding Corporate Rules
The European Data Protection Board issued recommendations for the application and approval of Binding Corporate Rules (“BCRs”) and the elements and principles they should include. BCRs provide a mechanism for transferring EU personal data to third countries in compliance with the EU General Data Protection Regulation. The EDPB recommends that a standard application for BCRs for controllers be provided and that the required content of BCRs for controllers be clarified, among other things.