STATE & LOCAL LAWS & REGULATION
Vermont Governor Vetoes Comprehensive Privacy Bill
Vermont Governor Phil Scott has vetoed the Vermont Data Privacy Act (“VDPA”). In his letter to the Vermont General Assembly, Governor Scott outlined his concerns with the VDPA, focusing on the VDPA’s private right of action, its age-appropriate design code (“AADC”) requirements, and its complexity and uniquely expansive definitions and provisions, which would create new burdens and competitive disadvantages for small and mid-sized businesses. The VDPA created a private right of action for consumers harmed by a data broker’s or larger data holder’s processing of sensitive data without consent, sale of sensitive data, or violation of confidentiality obligations relating to consumer health data. The VDPA also included AADC requirements similar to California’s AADC law, which was enjoined on First Amendment grounds. The VDPA had a much lower applicability threshold than other states’ laws, which would have been lowered further in 2026 and 2027, and it broadened the definition of “sale” to include the exchange of personal information for a business’s commercial or economic interests.
CPA Amendments Impose New Requirements over Biometric Data
Colorado Governor Polis signed into law House Bill 24-1130 (“HB 1130”), amending the Colorado Privacy Act (the “Act”) to impose new obligations over biometric data and entities, including non-profit organizations that process such data. Beginning July 1, 2025, the Act will require entities that control or process biometric data of any Colorado resident to, among other things, provide specific notice and obtain consent prior to collecting or processing “biometric data” or “biometric identifiers,” establish a retention schedule and security response protocol for such data, and make publicly available a written policy for the deletion of biometric data. Although HB 1130 borrows similar language from existing biometric privacy laws, particularly Illinois’ Biometric Information Privacy Act (“BIPA”), the amendments also include modified provisions and introduce new obligations, including new consumer payment rights and permitted “employee” applications. Unlike BIPA, HB 1130 does not provide a private right of action.
Texas AG Launches Data Privacy Team
The Texas Attorney General (“AG”) launched “a major data privacy and security initiative,” creating a team within the Consumer Protection Division of the Office of the AG focused on aggressively enforcing Texas privacy laws, including the Data Privacy and Security Act, the Identity Theft Enforcement and Protection Act, the Data Broker Law, the Biometric Identifier Act, and various federal data privacy laws. The AG’s announcement was followed closely by the effective date of the Texas Data Privacy and Security Act, which took effect on July 1. Under this law, the AG may initiate enforcement actions against businesses that the AG determines have failed to comply with the law or to cure alleged violations within thirty days, and may impose civil penalties of up to $7,500 per violation as well as injunctive relief following such failure.
New York Governor Signs Child Privacy Protection Bill into Law
On June 20, 2024, New York Governor Kathy Hochul signed the Stop Addictive Feeds Exploitation for Kids Act (the “Act”) into law. The Act will prevent social media companies from using algorithms to provide an addictive feed to users under 18 years old unless they receive parental consent. Under the Act, an “addictive feed” includes online services in which content is recommended, selected, or prioritized for a user based on information associated with the user or the user’s device. The Act will prohibit social media platforms from sending notifications regarding an addictive feed to minors from 12:00 a.m. to 6:00 a.m. without parental consent. In addition, the Act calls for the establishment of acceptable age verification and parental consent methods, to be determined by the Office of the New York Attorney General (“OAG”). Finally, the Act will authorize the OAG to bring actions to enjoin violations of the Act and to seek penalties of up to $5,000 per violation.
New York State Department of Health Publishes Updates to Proposed Cybersecurity Regulations
The New York State Department of Health (the “Department”) published revisions to its proposed cyber regulations for hospital facilities (“Hospital Cyber Regs”). The Hospital Cyber Regs, initially proposed in November 2023, would require New York state-licensed hospitals to establish cybersecurity programs, including identification and assessment of cybersecurity risks, defensive infrastructure, and procedures to respond to identified or detected cybersecurity events to mitigate any negative effects. The revised Hospital Cyber Regs retained most of the initially proposed cyber requirements, such as requiring annual risk assessments and undertaking monitoring and testing in accordance with the assessment, requiring written incident response plans, and maintaining audit trails for six years. One notable change modifies the period within which to notify the Department from two hours to 72 hours after determining that a cybersecurity incident has occurred. If adopted, the Hospital Cyber Regs would be effective one year after finalization, except for the 72-hour security incident reporting requirement, which would take effect immediately.
FEDERAL LAWS & REGULATION
Texas Court Orders HHS to Rescind Tracking Technology Guidance
The U.S. District Court for the Northern District of Texas (the “Court”) ordered the U.S. Department of Health and Human Services (“HHS”) to rescind its guidance (the “Guidance”) on the use of tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). The Guidance suggested that an online tracking technology connecting the IP address of a user’s device, or other identifying information, with a visit to an unauthenticated webpage addressing specific health conditions would be sufficient to constitute protected health information (“PHI”) under HIPAA, requiring business associate agreements (“BAAs”) with third-party providers of tracking technologies or valid authorizations from individuals before transmitting the PHI to the tracking technologies’ provider. The Court held that metadata (e.g., an IP address) input by website users into a HIPAA-regulated entity’s unauthenticated, publicly facing webpage does not constitute PHI, and the Court vacated the Guidance to this extent.
FTC Publishes Guidance on AI Chatbots
The Federal Trade Commission (“FTC”) published a blog post that provides guidance for companies using AI chatbots. In its guidance, the FTC provides the following dos and don’ts: (i) don’t misrepresent what the AI chatbot services are or can do, and don’t use automated tools to mislead people about what they’re seeing, hearing, or reading; (ii) assess and mitigate risks of reasonably foreseeable harm before and after deploying the AI chatbot, and don’t offer the AI chatbot without adequately mitigating risks of harmful output; (iii) don’t insert ads into a chat interface without clarifying that it is paid content; (iv) don’t use consumer relationships with avatars and bots for commercial manipulation; and (v) don’t violate consumer privacy rights – be honest and transparent about the collection and use of information for the AI services and don’t surreptitiously change privacy policies or relevant terms of service.
Broadband Providers File Suit Challenging FCC Data Breach Rule
Telecommunication industry groups are challenging the Federal Communications Commission’s (“FCC”) data breach notification rules in the Sixth Circuit, alleging that Congress has expressly denied the FCC the power to enact such rules. The FCC enacted the new breach notification rules at issue in late 2023, requiring telecommunications companies to notify both consumers and regulators of data breaches exposing the personally identifiable information of consumers. In 2017, Congress revoked privacy rules passed by the FCC, which included breach notification provisions. The industry groups argue in part that the new provisions are impermissible because they are substantially similar to those already rejected by Congress in 2017.
U.S. Department of the Treasury Releases RFI Regarding AI in Financial Services
The U.S. Department of the Treasury published a request for information ("RFI") on the uses, opportunities, and risks presented by developments and applications of AI tools within the financial sector. The RFI seeks input from a broad range of industry stakeholders to improve the Treasury’s understanding of how financial institutions are already implementing AI in both their daily operations and their service offerings. In line with other regulatory AI initiatives, the RFI seeks to better understand both the risks and benefits associated with AI tools and the Treasury has highlighted that it is open to recommendations regarding regulatory frameworks applicable to AI in financial services.
NIST Releases Program to Assess Risks and Impacts of AI
The National Institute of Standards and Technology (“NIST”) is launching a new testing, evaluation, validation, and verification program designed to help improve the understanding of AI’s capabilities and potential societal impacts. The Assessing Risks and Impacts of AI (“ARIA”) initiative is designed to help organizations conduct risk and impact assessments on AI tools prior to deployment as well as throughout the AI lifecycle. The initiative is intended to review AI functionality in a “real-world” context rather than in a “laboratory setting,” giving a broader, more holistic view of the net effects of the technology. The ARIA initiative may be a valuable tool for entities seeking to implement AI compliance efforts to address new and proposed legislation in states such as California and Colorado.
HHS Updates Change Healthcare Cybersecurity Incident FAQs
The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published an update to its FAQ page regarding the Change Healthcare cybersecurity incident. HHS first published the webpage on April 19, 2024, to provide answers about the impact of the incident on healthcare entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules. The updates address questions OCR has received about who is responsible for providing notifications regarding the incident. Specifically, the updates confirm that covered entities affected by the incident may delegate the task of providing notifications on their behalf, only one entity needs to complete breach notifications on behalf of a covered entity, and that covered entities would not have additional breach notification obligations if they worked with Change Healthcare to provide notifications in a manner consistent with HIPAA.
U.S. LITIGATION
Clearview AI Reaches Unique Settlement for Alleged BIPA Violations
Various plaintiffs have reached a deal with Clearview AI for alleged violations of Illinois’ Biometric Information Privacy Act (“BIPA”). The plaintiffs’ lawsuit alleged that Clearview failed to obtain informed consent before collecting, storing, using, and profiting from the plaintiffs’ biometric data. Under the settlement, the plaintiffs will receive, as a class, a 23 percent stake in the company, as of its September 2023 capitalization, if it goes public or is sold. The class also has the option to take 17 percent of the company’s revenue from the court’s approval through September 2027. The unique structure of the deal stems from Clearview’s lack of cash to pay fair compensation to the class. Ultimately, the plaintiffs estimate receiving about $31 million after the payment of attorney fees and incentive awards.
Class Action Suit Alleges Clothing Company Used Spy Trackers in Email in Violation of Arizona Law
Apparel company Patagonia was sued in Arizona federal court for allegedly violating Arizona’s Telephone, Utility, and Communication Service Record Act by placing tracking pixels in marketing emails. The plaintiff alleges that Patagonia captured email subscribers’ location, IP address, device information, the amount of time the email was read, and the place where the email was read, among other things. Arizona’s Telephone, Utility, and Communication Service Record Act prohibits procuring, or conspiring with another to procure, a public utility record, telephone record, or communication service record without the authorization of the customer or by fraudulent, deceptive, or false means. The law provides for statutory damages of $1,000 and recovery of attorneys’ fees. Several similar class actions have been filed under the law in recent months.
Six Million Dollar BIPA Settlement Approved
An Illinois U.S. District Judge granted final approval of the $6,075,000 class action settlement agreement in Johnson v. Ralph’s Grocery Co. d/b/a Food 4 Less Midwest, et al., resolving claims that Kroger Co. subsidiary Ralph’s Grocery Co. (“Ralph’s”) violated its workers’ rights over the collection, storage, and use of their biometric data, specifically, fingerprint scans for timekeeping purposes, under the Illinois Biometric Information Privacy Act. Among the class of about 6,000 employees affected from March 25, 2017, to the date of the settlement agreement, only nine individuals opted out of the action. Class members will receive $643 each after court-approved costs, fees, and service awards are deducted, including $2,126,250.50 in class counsel’s attorneys’ fees.
Health System Settles Class Action for Sharing Data with Facebook
Novant Health Inc. (“Novant”) has settled a class action lawsuit alleging that Novant improperly disclosed PHI to Meta through the use of Meta Pixels on its website. Novant launched a promotional campaign in May 2020 involving Facebook advertisements and Meta Pixels to connect more patients to its Novant Health MyChart patient portal. However, the pixel was configured incorrectly and allowed certain information (e.g., contact information, appointment details, IP addresses, and information entered into free text boxes, buttons, and menu selections) to be transmitted to Meta from Novant’s website and MyChart patient portal. The class action lawsuit alleged invasion of privacy, breach of contract, and violations of HIPAA. As part of the settlement, Novant will pay $6.7 million along with $2.2 million in attorneys’ fees. Class members (i.e., individuals who used the MyChart patient portal between May 1, 2020, and August 12, 2022) will be eligible to submit claims for a share of the settlement fund.
U.S. ENFORCEMENT
Texas Attorney General Opens Investigation into Car Manufacturers’ Data Collection
Texas Attorney General Ken Paxton has opened an investigation into how car manufacturers collect and sell drivers’ data to third parties. Paxton’s office instructed several car manufacturers and the parties they do business with to produce documents pertaining to their collection and sharing practices as well as certain customer disclosures. The investigation was sparked by widespread reporting that car manufacturers have secretly collected driver data through their vehicles and subsequently sold that data to insurers and other companies without the customers’ knowledge or consent. The investigation is being conducted under the Texas Deceptive Trade Practices Act, which provides Paxton’s office the authority to pursue companies engaging in false, misleading, or deceptive acts or practices. This investigation into car manufacturers comes as Paxton organizes a team dedicated to enforcing the state’s new comprehensive data privacy law, which became effective on July 1, 2024.
California AG Settles Third CCPA Enforcement for $500K
The California Attorney General (“AG”) and Los Angeles City Attorney jointly announced Tilting Point Media LLC (“Tilting Point”) has agreed to pay $500,000 in civil penalties and comply with additional injunctive terms to resolve alleged violations of the California Consumer Privacy Act (“CCPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) arising from the company’s collection and disclosure of children’s data obtained through its popular mobile game, “SpongeBob: Krusty Cook-Off.” Tilting Point allegedly failed to employ a “neutral” age screen on the app, thereby directing the game and its targeted advertising and in-app purchase features to users, including children under the age of thirteen, and inadvertently misconfigured third-party software development kits, resulting in the collection and sale of children’s data without parental consent or, in the case of users ages thirteen to fifteen, users’ affirmative consent. This marks the California AG’s first joint CCPA compliance enforcement with another enforcement agency.
RR Donnelley to Pay $2.1M Settlement to SEC
The SEC announced that R.R. Donnelley & Sons Company (“RRD”) has agreed to pay $2,125,000 and adopt new cybersecurity technology and controls to settle claims that the business communications and marketing services company failed to maintain adequate “internal accounting controls” and effective “disclosure controls and procedures” required under the Securities Exchange Act of 1934 (the “Act”) following a 2021 cybersecurity incident. The incident involved a phishing campaign that installed encryption malware on certain RRD computers. RRD allegedly lacked the appropriate internal controls to timely review and respond to cybersecurity alerts identified and escalated by its third-party managed security services provider, resulting in the exfiltration of data of 29 RRD clients. This marks the first use of the Act’s internal accounting controls provision to penalize a victim of a cyberattack, and some commissioners warn that such enforcement actions could inappropriately amplify a company’s harm from a cyberattack.
California AG Seeks Assurances Regarding New Health Information Protections
California Attorney General Rob Bonta sent letters to eight major pharmacy chains and five health data companies seeking information regarding their compliance efforts under California’s Confidentiality of Medical Information Act (“CMIA”), including the new requirements under Assembly Bill 352 (AB352), which limits access to records concerning patients’ reproductive health or gender-affirming care. AG Bonta also reminded the pharmacies that California law prohibits the disclosure of individuals’ medical information to law enforcement without a warrant in most circumstances. Effective July 1, 2024, AB352 strengthens the CMIA by prohibiting pharmacies and health data companies from providing protected health information to anyone from another state unless authorized by the patient or an exception within the CMIA. AB352 applies to information of California residents, as well as individuals being treated in California. It also requires entities to enable data security features to segregate and protect health information related to abortion, contraception, and gender-affirming care so that it is not readily accessible across state lines.
FCC Settles with Telecoms Provider over Data Breach Notification Requirements
The FCC announced that Liberty Latin America Limited, through its subsidiaries Liberty Mobile Puerto Rico Inc. and Liberty Mobile USVI Inc. (collectively, “Liberty”), will pay $100,000 and implement a compliance plan to resolve claims that the Bermuda telecommunications carrier failed to timely report a data breach that affected over 130,000 Liberty customers, as required of foreign carriers under FCC rules and a Letter of Agreement (“LOA”). Liberty entered into the LOA as part of its 2020 acquisition of, and conditional license to operate, U.S. communications infrastructure acquired from another carrier. Liberty allegedly learned that a third-party vendor of the other carrier experienced a breach involving customer data shared by the predecessor prior to Liberty’s acquisition but failed to report the incident within 72 hours and, instead, spent weeks negotiating with the other carrier about reporting obligations with respect to those affected customers acquired by Liberty.
Texas AG & Meta Settle Biometric Privacy Suit
Ending a spat that began in February 2022, Meta Platforms Inc. and Texas Attorney General Ken Paxton filed a joint motion with the Harrison County District Court on May 31, 2024, to stay all deadlines and settle the suit. Paxton had accused Meta of collecting Facebook users’ biometric data via facial recognition technology without the users’ consent, in violation of Texas’ Capture or Use of Biometric Identifier Act (“CUBI”) and its Deceptive Trade Practices-Consumer Protection Act (“DTPA”). Paxton also claimed Meta disclosed users’ biometric data to third parties without notice and failed to dispose of it within the timeframe outlined in CUBI. He sought an injunction to stop the alleged practices. Meta denied all allegations relating to its notice or use practices and contended Paxton applied CUBI in a way that violated the U.S. Constitution’s commerce and due process clauses, as well as the Texas Constitution’s due process clause. The joint motion provided no specifics regarding the terms of the settlement.
SEC Updates Cyber Incident Disclosure Guidance
The U.S. Securities and Exchange Commission (“SEC”) issued new Compliance and Disclosure Interpretations (“C&DIs”) related to Item 1.05 of Form 8-K. Item 1.05 requires public companies to disclose material aspects of the nature, scope, and timing of a cybersecurity incident that the company determined to be material, as well as the incident’s material impact, or reasonably likely material impact on the company, including its financial condition and results of operations. Among other things, the C&DIs discuss materiality determinations under certain specific cybersecurity incident scenarios involving a ransomware attack resulting in a disruption in the company’s operations or the exfiltration of data.
Arkansas Attorney General Files Lawsuit against Chinese Online Marketplace Company
Arkansas Attorney General Tim Griffin has filed a lawsuit against PDD Holdings Inc. and WhaleCo, Inc. – the parent companies of Temu – for violations of the Arkansas Deceptive Trade Practices Act and the Arkansas Personal Information Protection Act. In a press release, Griffin stated that Temu “is a data-theft business . . . that is functionally malware and spyware.” In the complaint, Griffin alleges that the Temu app is purposely designed to lurk in users’ phone operating systems, gaining access to users’ cameras, microphones, contacts, and real-time location with an accuracy of at least ten feet. Temu, which has ties to China, was recently banned in Montana and temporarily suspended from the Apple app store for misrepresentations of data collected from users. Griffin’s lawsuit seeks injunctive relief and civil penalties, including a request to find that Temu’s parent companies were unjustly enriched by using and monetizing the personally identifiable information of Arkansas residents.
Blackbaud Settles with California Attorney General
Blackbaud Inc. (“Blackbaud”), represented by Blank Rome, reached a settlement with the California Attorney General related to a ransomware attack the company suffered in 2020. With this resolution, Blackbaud has agreed to pay a total of $6.75 million. In addition, Blackbaud has agreed to comply with applicable laws, not make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters, and implement and improve certain cybersecurity programs and tools.
Texas Attorney General Sends Companies Notification of Failure to Comply with Data Broker Law
The Office of the Texas Attorney General announced that it has issued letters notifying over one hundred companies of their apparent failure to register as data brokers with the Texas Secretary of State as required by Texas’s newly effective Data Broker Law. As of March 1, 2024, Chapter 509 of the Texas Business and Commerce Code requires data brokers to publicly register with the Texas Secretary of State and imposes penalties on entities that fail to do so. The Code defines data brokers as businesses whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data. Data brokers are required to register in multiple states, including Texas and California. The Texas Attorney General recently established a “specialized team dedicated to aggressively enforcing the full slate of Texas privacy laws” as part of the Consumer Protection Division of the Texas Office of the Attorney General.
INTERNATIONAL LAWS & REGULATION
NOYB Files 11 Complaints Relating to Meta’s Privacy Policy and AI Models
NOYB, a privacy and digital rights organization founded by Max Schrems, announced that it has filed complaints with the data protection authorities of 11 European Union countries, including France, Germany, Ireland, Italy, and Spain, requesting that the data protection authorities take action to stop Meta’s use of personal information to train artificial intelligence models. Recent changes to Meta’s privacy policy would allow the company to collect users’ posts to train generative AI models. NOYB has argued that users are not provided with appropriate choices and that it is difficult to opt out, among other things.
CNIL Publishes New AI System Development Guidance
France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés (“CNIL”), announced the release of the final version of its guidelines on complying with data privacy requirements in the development of AI systems. The guidelines are organized into seven “how-to sheets” that provide guidance on AI development in compliance with the GDPR. The how-to sheets provide guidance on determining the applicable law, defining purpose, determining the processing role of an AI system provider, determining the lawfulness of data processing, data protection impact assessments, data protection by design, and taking into account data protection in data collection and management activities.
Daniel R. Saeedi, Rachel L. Schaller, Ana Tagvoryan, Timothy W. Dickens, Gabrielle N. Ganze, Jason C. Hirsch, Tianmei Ann Huang, Amanda M. Noonan, and Karen H. Shin contributed to this article.