Regulators around the world have been taking more aggressive steps to protect consumer data from unauthorized disclosure. It is important for businesses to be aware of their obligations under these new privacy laws. The following are four key areas to consider:
1. Regulating Biometric Identifier Information
Businesses in the United States should brace themselves for an increasing amount of state and local legislation concerning their collection and use of biometric information. These laws regulate businesses’ collection and use of biometric information about individuals, such as their fingerprints, retinal scans, face scans and the like. Typically, these laws require businesses to provide notices to individuals and obtain consent when they collect, use and share biometric information.
Illinois’ Biometric Information Privacy Act
Businesses are likely to see an uptick in litigation under Illinois’ Biometric Information Privacy Act (BIPA) as courts continue to resolve threshold issues under the law. For example, the Illinois Appellate Court for the First District recently decided a case about the BIPA’s statute of limitations (i.e., the length of time for which someone can bring a claim under BIPA). The court determined that individuals will have one year to sue for violations involving the sale or dissemination of biometric data, but will have five years to sue for all other claims. As a result of this decision, this question can no longer serve as a basis for staying BIPA litigation.
Courts may nevertheless continue to stay BIPA proceedings until the Seventh Circuit Court of Appeals decides when claims “accrue” under BIPA. More specifically, the Seventh Circuit is set to determine whether each of an employer’s repeated scans of its employees’ fingerprints constitutes a BIPA claim, or whether only the first scan constitutes a claim. This question is critical to defendants’ potential exposure under BIPA, since a decision that a claim accrues with each scan or violation would greatly increase defendants’ financial liability under BIPA.
New York City’s Biometric Privacy Act
New York City recently enacted the Biometric Privacy Act, which prohibits “commercial establishments” from exchanging biometric data “for anything of value,” and requires them to post a “clear and conspicuous notice” before collecting biometric data. Unlike some other cities’ facial recognition laws, the law provides a private right of action for “aggrieved” individuals to recover statutory damages.
In addition, businesses may soon face a different set of obligations in light of a pending New York state biometric bill, Assembly Bill A27, which would require businesses to obtain both notice and consent before collecting biometric data.
2. The Race for State Consumer Privacy Legislation
In the absence of federal consumer privacy legislation, U.S. states will likely follow the lead of California, Colorado and Virginia, and try to advance their own consumer privacy laws.
State legislation in Colorado, Virginia, and California
In 2020, California voted in the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA). The CPRA introduces new consumer rights, including the right to limit the use and disclosure of sensitive personal information, the right to opt-out of the sharing of personal information for certain types of advertising, and the right to correct personal information. The CPRA also requires covered businesses to maintain reasonable security procedures, and to audit these practices. The CPRA keeps the CCPA’s private right of action and traditional attorney general enforcement, but also creates a new agency called the California Privacy Protection Agency with authority to pass regulations and enforce the CPRA through administrative proceedings.
In 2021, Colorado passed the Colorado Privacy Act (CPA), and Virginia passed the Virginia Consumer Data Protection Act (VCDPA). The laws apply to businesses that target their services and products to residents in each state and meet certain data processing or revenue thresholds. Both laws grant certain consumers the right to know and access their personal information, the right to opt out of certain types of personal information processing, and the right to correct and delete their personal information. Each law will be enforced by the state attorney general, as well as by district attorneys in Colorado. Neither law provides for a private right of action.
All three of these laws come into effect in 2023.
The Uniform Personal Data Protection Act
The Uniform Law Commission is promoting the adoption by states of its Uniform Personal Data Protection Act this year, which has already inspired the District of Columbia to propose Bill 24-451, modeled after it. The Uniform Act broadly applies to any “person” that maintains personal data and conducts business or purposefully directs its services to residents in the particular state. The Uniform Act defines three categories of data practices—compatible, incompatible and prohibited—and restricts data processing based on the category. The Uniform Act dodges the issue of how the law can be enforced by relying on whatever mechanism is included in the state’s existing consumer protection act. However, it contains optional language precluding a private cause of action even if a state’s consumer protection act allows for it.
Pending state efforts
Several states are actively considering their own consumer privacy bills, while several others must start their legislative process again after their bills failed last term. In monitoring these efforts, observers should be mindful of the state attorney general’s stance towards a proposed bill. Indeed, Colorado’s proposed bill did not gain substantial momentum until the state attorney general voiced his support for it. On the other hand, Washington’s attorney general testified against its proposed bill before it ultimately failed.
3. The U.S. Crackdown on Ransomware Actors
The U.S. government began taking a coordinated and aggressive approach to ransomware attacks in 2021. After creating the Ransomware and Digital Extortion Task Force in April 2021, the Department of Justice (DOJ) started to bring more cases and disruptive actions against the perpetrators of ransomware attacks. This led to the arrest of several foreign nationals for criminal charges related to ransomware incidents. The DOJ also seized assets and recovered payments for ransomware victims on three separate occasions in 2021.
These actions underscore the U.S. government’s focus on disrupting ransomware actors rather than penalizing victims. Nevertheless, potential victims will need to do more to avoid penalization. For example, companies should heed sector-specific cybersecurity standards, as the U.S. Treasury’s Office of Foreign Assets Control (OFAC) released an updated ransomware advisory in September 2021 stating that an affected party’s cybersecurity measures will be a significant mitigating factor in the event of a sanctions violation. Additionally, according to a November 2021 revised advisory from Treasury’s Financial Crimes Enforcement Network (FinCEN), if a victim’s cyber insurance provider plans to facilitate ransomware payments, it should first register as a money services business. Otherwise, “FinCEN will not hesitate to take action against entities” that engage in money transmissions without registering.
The U.S. government also continues to encourage private sector reporting of ransomware attacks. For instance, the September OFAC Advisory notes that a company’s voluntary disclosure of a ransomware incident will also be a significant mitigating factor for a sanctions violation. The State Department further urged private sector reporting by announcing that it would offer a financial incentive of up to $10 million in exchange for information related to two ransomware groups.
Despite these efforts, the government has yet to mandate private sector reporting. Congress attempted to push through sector-specific deadlines for reporting cyber incidents and ransomware payments in the annual funding bill for the U.S. military. These mandates were ultimately excluded from the bill due to apparent disagreement over whether they would apply to all private entities, or only to critical infrastructure entities. It remains to be seen whether lawmakers can muster bipartisan support to pass a reporting mandate into law.
4. The Rise of EU Class Actions
Historically, individuals in the European Union have been limited in their ability to sue a company as a group of similarly situated individuals, as individuals in the United States do when they file class action lawsuits against a company. However, due to the EU Parliament’s recent formal endorsement of the “Collective Redress Directive (Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on Representative Actions for the Protection of the Collective Interests of Consumers and Repealing Directive 2009/22/EC),” this is set to change.
Under the directive, individuals will be able to aggregate certain claims against a company and have them brought against the company by “qualified entities” representing a class of affected people. In reality, it is often the “qualified entity” that motivates these claims and finds individuals to represent. To prevent frivolous litigation, the directive restricts which qualified entities can serve as representatives, and introduces a “loser pays principle,” under which the losing party will bear the costs of the successful party’s proceedings. Though it might reduce the number of representative actions, the loser pays principle may nevertheless have significant financial consequences for defendants who, in addition to facing the prospect of paying another party’s legal expenses, also face fines and damages for their alleged violations, as is the case under many consumer protection laws.
The directive leaves it open to member states to determine whether collective actions will be able to be brought on the basis of “opt-out” or “opt-in,” the difference being whether a representative body will need to obtain prior mandates from its represented class or not. It goes without saying that opt-out class actions present a much lower threshold for representative bodies initiating representative actions because they are brought on behalf of the represented class by default, without any involvement of the represented individuals, leaving individuals in the represented class the right to opt out of the suit.
The directive does not take effect automatically. Instead, EU member states have until December 2022 to enact it into law. It remains to be seen which member states will meet this deadline.
Nevertheless, collective dispute resolution is already on the rise in the EU, as several member states have introduced their own class action regimes independently of the directive. For instance, Germany introduced an opt-out representative mechanism in 2018 and, in the Netherlands, the Collective Damages Act has made opt-out actions possible since January 2020. Like the directive, both countries’ laws limit which qualified entities can represent classes of aggrieved parties in these lawsuits. Indeed, the first-ever privacy class action brought under the Dutch law proved unsuccessful just last month, when the district court of Amsterdam dismissed the case after finding that the entity bringing the claims failed to substantiate that it duly represented a putative class of individuals. The body in question had tried to substantiate its represented class through some 75,000 “likes” it had obtained via its website without collecting any further information on the individuals.
Class actions under these laws might also be hindered if they are procedurally inconsistent with collective action rules in certain consumer protection laws—as was the case in the Dutch privacy class action. There, the claim was for alleged violations of the General Data Protection Regulation (GDPR), which contains a provision requiring individuals to opt-in to representative actions when damages are being sought. The Dutch class action law, on the other hand, generally permits collective entities to claim damages on behalf of individuals on an opt-out basis. Although the district court of Amsterdam refrained from deciding the issue, it highlighted the inconsistency between the GDPR and Dutch class action law, indicating that this will be of particular importance for future class actions.