Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security, & Data Protection practice. 

STATE & LOCAL LAWS & REGULATIONS

Montana Comprehensive Privacy Law Takes Effect: The Montana Consumer Data Privacy Act (“MCDPA”) went into effect on October 1, 2024. The MCDPA protects consumers, defined as Montana residents, and like the laws of Colorado, Connecticut, Virginia, and Utah, specifically excludes residents acting in a commercial or employment context. Similar to other state comprehensive privacy laws, the MCDPA obligates data controllers to provide a privacy notice, obtain consent before processing sensitive data, enter into written contracts containing specific clauses with processors, and conduct data protection assessments. The MCDPA also provides consumers the rights to access, data portability, correct, delete, and opt out of targeted advertising, sale of personal data, and profiling. Beginning January 1, 2025, controllers must allow a consumer to opt out of targeted advertising and the sale of personal data through an opt-out preference signal. The MCDPA gives exclusive enforcement authority to the Montana Attorney General with a 60-day cure period that sunsets on April 1, 2026.

FCC and CPPA Sign MOU: The Federal Communications Commission’s (“FCC”) Privacy and Data Protection Task Force and the California Privacy Protection Agency (“CPPA”) have signed a Memorandum of Understanding (“MOU”) to coordinate efforts in conducting investigations to protect consumers, and to allow the agencies to share information, resources, and expertise. The CPPA is the agency charged with enforcing the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”) and has already begun issuing enforcement advisories. The FCC has similar agreements with the attorneys general of other states, such as Connecticut, Delaware, the District of Columbia, Indiana, Illinois, Maine, Massachusetts, New York, Oregon, Pennsylvania, and Vermont.

CPPA Announce Enforcement Sweep of Data Brokers: The CPPA announced that it is conducting a public investigative sweep of data broker registration compliance under California’s Delete Act. The Delete Act requires data brokers to register with the CPPA and pay an annual fee. Additionally, data brokers must disclose the number of consumer deletion requests and average response time to the requests, report if they collect the personal information of minors or reproductive healthcare data and precise geolocation data, as well as provide a link to their website informing consumers of their rights under the CCPA. The CPPA has stated that its enforcement division will be taking appropriate actions against data brokers that have failed to comply with the Delete Act and that consumers can submit a complaint to the CPPA if they know of a data broker who has failed to register as one.

NYDFS Releases AI Cybersecurity Guidance: The New York State Department of Financial Services (“NYDFS”) has issued new guidance to assist regulated entities against cybersecurity risks arising from artificial intelligence (“AI”). While the new guidance does not impose new requirements for regulated entities, it provides an outline to meet existing compliance obligations under previous cybersecurity regulations in light of AI technology advancements. Under the new guidance, regulated entities should incorporate cybersecurity risks such as deepfakes and AI-specific threats into the cybersecurity risk assessments required by NYDFS cybersecurity regulations. These risk assessments should also address the entity’s use of AI, the use of AI by third-party service providers and vendors, and vulnerabilities in AI applications. Finally, the guidance recommends that regulated entities incorporate AI considerations into cybersecurity incident responses, business continuity, and disaster recovery plans.

FEDERAL LAWS & REGULATIONS

CFPB Issue Guidance to Protect Personal Data of Workers: The Consumer Financial Protection Bureau (“CFPB”) has issued guidance designed to protect workers from unchecked digital tracking and opaque decision-making systems. The guidance highlights that companies using third-party consumer reports, including background dossiers and surveillance-based, “black box” AI or algorithmic scores about their workers, must follow the Fair Credit Reporting Act (“FCRA”) rules. This means employers must be transparent about data used in adverse decisions and allow workers to dispute inaccurate information. While background checks have long been regulated under the FCRA, new technologies have emerged and provide reports that expand the scope and depth of worker tracking. These reports often contain sensitive information unknown to workers, which can significantly impact hiring decisions, job assignments, and career advancement. The guidance clarifies that such reports fall under the purview of the FCRA.

DoD Finalizes CMMC Program for Contractors: On October 11, 2024, the United States Department of Defense (“DoD”) issued a Final Rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) Program to verify that government contractors have implemented security measures necessary to safeguard Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”). The CMMC contains three separate levels of requirements for contractors depending on the sensitivity of information handled by the contractor. Entities handling FCI will be subject to level one of the CMMC, which requires submission of an annual self-assessment demonstrating compliance with the basic standards in the Federal Acquisition Regulation. Contractors handling CUI must additionally satisfy level two, requiring compliance with Revision Two of the National Institute of Standards and Technology (“NIST”) Special Publication 800-171. Finally, contractors that handle CUI associated with a “critical program or high-value asset” must additionally comply with NIST’s Special Publication 800-172. The rule will become effective on December 16, 2024. 

CFPB Finalizes Privacy Rule: On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized a Rule creating a right of data portability for customers of financial institutions, such as banks and credit unions. The purpose of the rule is to give consumers greater rights, privacy, and security over their personal financial data by allowing them to seamlessly move their data between such institutions. The Bank Policy Institute, a Washington, D.C.-based industry group, has already challenged the Rule, arguing that the CFPB lacks statutory authority to implement the Rule and that the Rule stifles the development of data sharing mechanisms safer than those required under the Rule. Dates for compliance with the Rule—if upheld—begin in 2026 but may be delayed until as late as 2030 for some institutions depending on the size and nature of their business.

Department of Justice Issues Order Regarding Transfer of Data to Countries of Concern: On October 21, the United States Department of Justice issued a Notice of Proposed Rulemaking (“NPRM”) to implement Executive Order 14117. The NPRM would limit or prohibit U.S. persons from engaging in certain classes of transactions that pose an unacceptable risk of giving countries of concern or covered persons access to America’s government-related data or bulk sensitive data. The NPRM designates China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela as countries of concern. Relatedly, covered persons include residents, employees, and contractors related to countries of concern. Restricted transactions include general data brokerage as well as transactions of bulk human genomic data or biospecimens. Importantly, certain transactions are exempt from the NPRM, including corporate group transactions between U.S. persons and their foreign subsidiaries. The Department of Justice is accepting comments on the NPRM for 30 days following its publication in the Federal Register.

FTC Issues Final Negative Option Rule: On October 16, 2024, the Federal Trade Commission (“FTC”) issued a Final Negative Option, or “Click-to-Cancel” Rule, requiring sellers to provide consumers with a “simple cancellation mechanism to immediately halt all recurring charges.” The Rule applies to the marketing and sale of “negative options,” a “category of commercial transactions in which sellers interpret a customer’s failure to take an affirmative action, either to reject an offer or cancel an agreement, as assent to be charged for goods or services.” The Rule prohibits sellers of negative options from misrepresenting material facts; mandates disclosures prior to the collection of consumer billing information; requires sellers to obtain unambiguous affirmative consent to the negative option before charging consumers; and requires a simple cancellation mechanism. The majority of the provisions of the Final Rule will become effective 180 days after publication in the Federal Register. In addition to the FTC Rule, entities offering negative options should ensure compliance with state-level auto-renewal contract regulations. Click here to see a Fact Sheet published by the FTC.

U.S. LITIGATION

Second Circuit Vacates Dismissal of VPPA Claim: The U.S. Court of Appeals for the Second Circuit vacated the dismissal of Salazar et al., v. National Basketball Association, a proposed class action arising under the Video Privacy Protection Act (“VPPA”) involving allegations that the National Basketball Association (“NBA”) unlawfully disclosed the plaintiff’s personally identifiable information and online video viewing information to a third party via pixels without the consumer plaintiff’s consent. The action was remanded to the U.S. District Court for the Southern District of New York as the Court found that a “subscriber of goods or services” from a video tape service provider subject to the VPPA includes an individual who signs up for an online newsletter, and such newsletter falls within the meaning of a “good or service” under the VPPA. For an in-depth analysis of the ruling, see this Blank Rome Client Alert.

Data Broker Class Action Settlement Receives Preliminary Approval: Thomson Reuters Corporation (“Thomson Reuters”) received preliminary approval of its agreement to pay $27.5 million to settle claims in Brooks et al. v. Thomson Reuters Co., a certified class action involving the alleged unauthorized collection and sale of U.S. consumers’ personal data by Thomson Reuters to businesses, data-brokers, and government and law enforcement agencies through its CLEAR product, in violation of California’s common-law right of publicity and certain California Business and Professions Code provisions. CLEAR is a searchable database service offered by Thomson Reuters that allegedly enables users “‘to uncover’ personal ‘facts hidden online,’ by licensing ‘real-time information,’” including through chat rooms. Each class member who submits a claim by December 6, 2024, is expected to receive between $19 and $48 under the settlement agreement.

Massachusetts Supreme Court Holds Wiretap Act Does not Apply to Certain Website Tracking Tools: The Massachusetts Supreme Judicial Court ruled that the state’s Wiretap Act does not apply to website tracking tools like Google Analytics and Meta Pixel. In Vita v. New England Baptist Hospital, hospitals faced allegations of using these tools on their websites. The court clarified that the Act targets only the secret interception of direct communications between individuals, not online browsing activities. This ruling overturned a lower court’s refusal to dismiss the case and dismissed claims against hospitals for using tracking without consent. Any legislative changes to include web tracking must come from state lawmakers. A dissenting opinion called for broader protection of electronic communications, highlighting ongoing debates in privacy law. While the decision offers clarity for businesses, it also underscores the need to comply with other privacy laws.

Tech Trade Groups Sue over Florida’s Social Media Law: The Computer and Communications Industry Association (“CCIA”) and NetChoice filed a complaint in Florida federal court challenging a state law that would ban and restrict children from accessing social media. Florida’s House Bill 3 (“H.B. 3”), which was enacted in March 2024 and scheduled to take effect on January 1, 2025, prohibits children 13 and under from creating social media accounts and requires 14- and 15-year-olds to obtain parental permission before joining these sites. CCIA and NetChoice argue that H.B. 3 would unconstitutionally restrict free speech by restricting minors’ access to lawful content while imposing harsh sanctions on social media operators with First Amendment rights to display content. CCIA and NetChoice also argue that by requiring social media operators to collect sensitive data from their users to confirm identities, ages, and parental status, H.B. 3 would create heightened risks for data breaches.

ZoomInfo Settles Class Actions: ZoomInfo Technologies LLC (“ZoomInfo”) has settled a class action brought by residents of California, Illinois, Indiana, and Nevada for $29.55 million. The class action alleged that ZoomInfo, a website that provides directory information about individuals, used plaintiffs’ personal information such as their names, business addresses, work history, job titles, business phone numbers, and work email addresses, without their consent to advertise or promote subscriptions to ZoomInfo’s website in violation of the right of publicity laws in their respective states. The settlement class includes all residents of the four states whose identity was the subject of a directory preview page published by ZoomInfo and viewed for the first time between a designated time period specified for each specific state. Class members are entitled to a pro-rata share of their respective state-specific settlement fund.

U.S. ENFORCEMENT

SEC Brings Enforcement Actions Against Four Companies for Misleading Cyber Disclosures: The Securities and Exchange Commission (“SEC”) announced that it charged four current and former public companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, with making materially misleading disclosures regarding cybersecurity risks and intrusions. The charges against the companies result from an investigation involving the public companies affected by the SolarWinds data breach. According to the SEC’s orders, the companies learned in 2020 and 2021 that the threat actor likely behind the SolarWinds data breach had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. As a result, the companies are required to pay civil penalties ranging from $990,000 to $4 million.

FCC Reaches $31.5 Million Settlement with Telecommunications Provider over Data Breaches: T-Mobile has settled various data breach cases with the Federal Communications Commission (“FCC”) for $31.5 million. The settlement resolves several investigations of cybersecurity breaches in 2021, 2022, and 2023. The breaches impacted millions of T-Mobile customers and end-user customers of T-Mobile wireless network operators. The attacks involved a 2021 cyberattack, a 2022 platform access incident, and a 2023 sales application and API incident. The terms of the settlement require T-Mobile to pay a civil penalty of $15.75 million and invest another $15.75 million in cybersecurity and data security, including corporate governance, identity and access management controls, data minimization and deletion measures, a critical asset inventory, and independent third-party assessments of its information security practices. 

University Pays $1.25 Million to Resolve False Claims Act Suit: Penn State has settled a False Claims Act (“FCA”) suit for $1.25 million for failing to comply with cybersecurity requirements. The settlement resolves a lawsuit originally filed by a whistleblower in 2023 that alleged Penn State failed to meet contractual cybersecurity requirements on various National Aeronautics and Space Administration (“NASA”) and U.S. Department of Defense contracts and subcontracts between 2018 and 2023. The settlement details Penn State’s compliance failures, including the failure to meet cybersecurity requirements for contractor information systems, the use of external cloud service providers, and NASA’s requirements to secure unclassified information technology resources. The settlement specifically states that Penn State failed to meet all the requirements under the National Institute of Standards and Technology’s SP 800-171 and knowingly misrepresented the dates it expected to comply with the standards.

Texas AG Sues TikTok Under SCOPE Act: Texas Attorney General (“AG”) Ken Paxton announced a lawsuit to sue TikTok Ltd. and its corporate affiliates operating the social media service (collectively, “TikTok”), for doing so in a manner that unlawfully put its minor (under the age of eighteen) users’ online safety and privacy at risk, in violation of the Texas Securing Children Online through Parental Empowerment Act (“SCOPE”) by sharing, disclosing, or selling minors’ personal information to third parties without the consent of the minor user’s parent or guardian. The AG’s complaint alleges that TikTok failed to provide verified parents or guardians with the ability to (1) control or limit TikTok’s sharing, disclosure, and sale of their minor’s personal identifying information, and (2) control what targeted advertisements could be displayed to minor users on the platform. Violators of SCOPE may be subject to penalties of up to $10,000 per violation and injunctive relief.

FTC and Multistate Attorneys General settle with Hotel Operator for Three Data Breaches: The Federal Trade Commission (“FTC”) and all 50 States’ Attorneys General (“Multistate”) entered into settlement with Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”) for three data breaches the companies experienced between 2014 and 2020. Prior to Marriott acquiring Starwood in 2016, Starwood experienced two data breaches beginning in 2014 –one that went undetected for months, but for which Starwood provided notice of in 2015, and one that went undetected until 2018. The third data breach impacted Marriott’s network and began in 2018 and went undetected until 2020. These breaches collectively impacted more than 344 million guest records, including passport numbers, mailing addresses, birth dates, loyalty account information, and payment card data. Under the settlement agreement with the FTC and Multistate, Marriott and Starwood must implement certain security safeguards, including data deletion and improved diligence for future acquisitions. Marriott and Starwood must also pay the Multistate $52 million in penalties.

OCR Fines Healthcare Provider over Ransomware Attacks: The United States Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $240,000 civil monetary penalty against Providence Medical Institute (“Providence”), concerning potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule, following a series of ransomware attacks Providence experienced in 2018. Providence had acquired a physician practice, the Center for Orthopedic Specialists (“COS”), which was in the process of integrating with Providence’s network.The ransomware attacks occurred due to a phishing email and affected the electronic protected health information (“ePHI”) of 85,000 individuals between February and March 2018. OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place with its IT vendor and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.

Healthcare Provider Settles with New York AG Following Major Data Breaches: Albany ENT & Allergy Services (“Albany ENT”) agreed to a $500,000 fine and committed to a $2.25 million investment in cybersecurity after two ransomware attacks in 2023 compromised the data of over 213,000 patients. The New York Attorney General’s investigation found serious lapses in data protection, such as failing to report the exposure of over 80,000 driver’s license numbers, data continued to be stored without proper security, and inadequate oversight of third-party IT vendors. As part of the settlement, Albany ENT must enhance security measures, such as implementing encryption and multi-factor authentication, and provide one year of free credit monitoring to those affected. A $1 million penalty was imposed, with $500,000 suspended if the new security measures are implemented.

INTERNATIONAL LAWS & REGULATIONS

China Issues Sensitive Personal Information Guidelines: China’s National Technical Committee 260 on Cybersecurity Standardization Administration released its Sensitive Personal Information Identification Guidelines (the “Guidelines”). The Guidelines are intended to clarify the scope of sensitive personal information under Chinese law. The Guidelines state that personal information is sensitive personal information if, once disclosed or used illegally, it can easily lead to the infringement of the human dignity, personal safety, or safety or property of natural persons. The Guidelines also provide specific examples of sensitive personal information, including biometric information, religious belief information, health information, financial account information, personal information of minors under 14 years old, precise location information, identity card photos, sexual orientation, sex life, credit information, criminal record information, and other information falling into the rules for identification of sensitive personal information.

EU NIS2 Directive Enters Into Force: Directive (EU) 2022/2555, on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) entered into force on October 18, 2024. The NIS2 Directive repeals the former Network and Information Security (“NIS”) Directive and is intended to create a broader and more consistent set of rules on cybersecurity for organizations operating in the European Union. Under the NIS2 Directive, “essential” and “important” entities are required to implement technical and organizational measures to manage cyber security risks and prevent or minimize the impact of incidents by adopting measures that cover incident handling, business continuity, encryption, secure authentication, and training and awareness, among other things. Essential and important entities must notify, without undue delay the national computer security incident response teams (“CSIRT”) or, where relevant, the competent data protection authority, of any incident having a significant impact on the provision of their services, including an early warning notice within 24 hours after becoming aware of the incident and an incident notification within 72 hours after becoming aware of the incident. 

European Data Protection Board Issues Opinion on Processors and Guidelines on Legitimate Interests: The European Data Protection Board (“EDPB”) announced that it had adopted Opinion 22/2024 on certain obligations following the reliance on processor(s) and sub-processor(s) (the “Opinion”), and Guidelines 1/2024 on the processing of personal data based on legitimate interest (the “Legitimate Interest Guidelines”) for public consultation at its latest plenary meeting. The Opinion covers situations where controllers rely on one or more processors and sub-processors. The Opinion addresses eight questions on the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts. The Legitimate Interest Guidelines analyze the GDPR criteria that controllers must meet to lawfully process personal data on the basis of legitimate interest, taking into account an October 2024 ruling by the Court of Justice of the European Union. The Legitimate Interest Guidelines are subject to public consultation until November 20, 2024.

UK ICO Announces Launch of Data Protection Audit Framework: The United Kingdom’s Information Commissioner’s Office (“ICO”) announced the launch of a new audit framework designed to help organizations assess compliance with key requirements under data protection law. The framework is designed to provide practical tools for building and maintaining strong privacy management. The framework is an extension of the ICO’s existing Accountability Framework and has nine toolkits covering areas the ICO states it is likely to look at during an audit: (1) accountability, (2) records management, (3) information and cyber security, (4) training and awareness, (5) data sharing, (6) requests for data, (7) personal data breach management, (8) artificial intelligence, and (9) age-appropriate design. Each toolkit has examples of control measures that organizations should have in place to manage identified risks, a slit of ways that organizations can meet the ICO’s expectations in relation to each control measure, and additional options to consider based on examples of good practices.

European Data Protection Board Adopts ePrivacy Directive Guidelines: The European Data Protection Board Adopts adopted Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive (“ePrivacy Guidelines”). The ePrivacy Guidelines address the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions, with a focus on non-cookie tracking technologies. The ePrivacy Guidelines discuss use cases related to URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated Internet of Things reporting, and tracking of unique identifiers. The ePrivacy Guidelines also clarify that the definition of “terminal equipment,” which must be involved for Article 5(3) to apply, may include any device with a network interface that makes it eligible for connection regardless of whether it is currently connected or not. This can include televisions and connected cars, among other things.

Council of the European Union Adopts Cyber Resilience Act: The Council of the European Union (the “Council”) announced that it adopted the Cyber Resilience Act (the “Act”), a new law on cybersecurity requirements for products with digital elements to ensure that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market. The Act introduces EU-wide cybersecurity requirements for hardware and software products. The Act will apply to all products that are connected either directly or indirectly to another device or network, with limited exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example, medical devices, aeronautical products, and cars. The Act will enter into force twenty days after publication in the EU’s official journal and will apply 36 months after it enters into force with some provisions applying earlier.

Irish Data Protection Commissioner Issues Fine for Storing Passwords in Plaintext: The Irish Data Protection Commissioner (“DPC”) announced that it has fined Meta €91 million for GDPR violations for storing certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption). The passwords were not made available to external parties. The DPC found that Meta infringed the General Data Protection Regulation (“GDPR”) by failing to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext, failing to document the event as a personal data breach, failing to use appropriate technical or organizational measures to ensure appropriate security of user passwords against unauthorized processing, or to ensure a level of security appropriate to the risk. The DPC submitted its draft decision to other European Union supervisory authorities as required under Article 60 of the GDPR. No objections were raised by other authorities.

Irish Data Protection Commission Fines LinkedIn €310 million: The DPC announced a final decision in its enforcement inquiry against LinkedIn. The inquiry was launched following a complaint that was initially made by the French Data Protection Authority. The inquiry focused on LinkedIn’s processing of personal data for purposes of behavioral analysis and targeted advertising of LinkedIn users. The DPC found that LinkedIn violated the General Data Protection Regulation (“GDPR”) by processing personal data without an appropriate legal basis. Specifically, the DPC found that LinkedIn (1) could not rely on consent to process third-party data of its members for the purpose of behavioral analysis and targeted advertising because the consent obtained by LinkedIn was not freely given, sufficiently informed, specific, or unambiguous, (2) could not rely on its legitimate interests to process first-party personal data for the purpose of behavioral analysis and targeted advertising processing because LinkedIn’s interests were overridden by the fundamental rights and freedoms of data subjects, and (3) could not rely on contractual necessity to process first-party data for the purpose of behavioral analysis and targeted advertising processing. The DPC also found that the notices provided to users by LinkedIn that cited such bases for processing were insufficient and that the processing violated the principle of fairness required by the GDPR.

Daniel R. Saeedi, Rachel L. Schaller, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Gabrielle N. Ganze, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin also contributed to this article.