On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data
Privacy
Texas and Meta Settle Biometric Data Litigation for $1.4 Billion
On July 30, 2024, the Texas Attorney General’s Office announced a $1.4 billion settlement of biometric privacy claims brought against Meta arising from Meta’s historical use of facial recognition technology on photographs posted to Facebook’s social media platform.Continue Reading Texas and Meta Settle Biometric Data Litigation for $1.4 Billion
FTC Finalizes Broader Changes to the Health Breach Notification Rule
On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.Continue Reading FTC Finalizes Broader Changes to the Health Breach Notification Rule
BIPA Bellwether: General Assembly provides relief from “per scan” damages
In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d). Continue Reading BIPA Bellwether: General Assembly provides relief from “per scan” damages
SEC Joins Chorus of Regulators Requiring Data Breach Notifications
Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications
Breach Response: Is 72 hours the new 30 days?
For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach. There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?
Delay Lifted in CCPA Regulations Enforcement
Back in July, we shared some good news out of California when a state court judge ruled that the newest regulations under the California Consumer Privacy Act (“CCPA”) could not be enforced until March 2024. But last week, the agency charged with enforcing the CCPA – the California Privacy Protection Agency (with the confusingly similar abbreviation of the “CPPA”) – won reversal of that opinion on appeal. The ruling now gives the CPPA the authority to begin enforcing immediately the regulations that it enacted in March 2023.Continue Reading Delay Lifted in CCPA Regulations Enforcement
TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)
The first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”). But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims. Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook. And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology. Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights. We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)
Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose
The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information. In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose. The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose
GDPR in the USA? New State Legislation Is Making This Closer to Reality
The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislations. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.
Continue Reading GDPR in the USA? New State Legislation Is Making This Closer to Reality