With Colorado joining California as the only other state with rules implementing a comprehensive privacy law, businesses and practitioners have been anxiously watching to see whether a California-compliant privacy policy would also be compliant with the Colorado Privacy Act (“CPA”).  And, as the Colorado Attorney General has made clear, interoperability is an important guiding principle in the Colorado rulemaking process.  However, the Colorado Attorney General made equally clear that interoperability is just one principle—when the office believes there is a better way of handling an issue, it will diverge from other states’ practices.  In the initial draft of the Colorado rules, it became clear that privacy policies are one such area.  And while the revised draft of the Colorado rules take steps to try to increase interoperability, a comparison shows that Colorado is still taking a new, “purpose-driven” approach.

For years, most privacy policies followed the same core structure—what information is collected, how it is used, and how it is shared.  These three types of disclosures were not linked to each other, so consumers were not entirely sure whether how a company may be using or sharing their specific information.  For example, a consumer may know that a company collects contact information when they sign up for their newsletter and when they file a customer complaint.  The consumer may also know the company sells information to third parties who will then market to them.  But, the consumer doesn’t know what information is actually sold to those third parties. 

With the advent of the California Consumer Privacy Act (“CCPA”), we saw a new structure begin to emerge that was information-driven.  Under this model, businesses had to disclose to consumers what statutorily-defined categories of personal information it collects, whether they sold each category, and the categories of third parties to whom each category of information is sold.  To comply with these requirements (and to ensure that consumers understood what the statutory categories of information included), many businesses used some version of the “California Chart”:

CategoriesExamplesSoldThird Parties to Whom Sold
IdentifiersReal name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiersYesBusiness Partners

Going back to the original analogy, consumers would now know that the business sells “Identifiers,” which could include name and email address.  But, they still would not know whether the business sells all names and email addresses regardless of whether they were collected for the newsletter or through customer complaints.  The California Privacy Rights Act (“CPRA”) expanded the information needed in the California Chart, but it kept the same information-driven approach.

The draft rules for the Colorado Privacy Act struck a fundamentally different, purpose-driven approach.  Under this approach, for each purpose of collection, companies will need to disclose what types of information are collected, whether that information is used for targeted advertising or sales, and the third parties to whom it is sold.  To satisfy this new approach, businesses would need to use a new “Colorado Chart”:

PurposeCategories of PITargeted Advertising / SalesThird Parties to Whom Sold
NewsletterContact InformationNo / YesBusiness Partners
Customer ServiceContact InformationNo / NoN/A

Again using the same analogy, consumers can now see whether the information they provided for the newsletter is sold, and also whether the information the provided for customer service is processed differently.  This approach is in many ways the crux of the Colorado privacy policy rule.  Indeed, as the Colorado Attorney General has explained, consumers may very well have different expectations based on the context in which they provide their information.  If a consumer provides their name to receive a company’s newsletter, it may be reasonable to expect that the company may use that data for targeted marketing or sales.  But, if the consumer provides the same data to complain about a defective product, their expectation may differ. 

After the initial draft of the Colorado rules were released, it was widely recognized that this purpose-based approach was different from the California information-based approach.  However, when the Colorado Attorney General released revised rules, many commentators seemed to read them as meaning that the California Chart would satisfy Colorado requirements.  But looking at the actual changes, it appears that the Colorado approach is still very much purpose-driven:  the Colorado rules still require businesses to disclose the same set of information (i.e., the categories of information, whether it is used for targeted advertising and sales, and the categories of third parties to whom it is sold), but “linked in a way that gives Consumers a meaningful understanding of how their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose.”  The California Chart—or any information-driven disclosure—simply does not link the disclosure in this manner because their disclosures are tied to the type of information and not to the purpose.  While a company could theoretically alter the California Chart to break out purposes for each category of information, this exercise would likely be confusing. 

Simply put, unless another revised draft of the Colorado rules change course, privacy policies appear to be one area where companies likely cannot find a “lowest common denominator” for uniform compliance across the board.  Instead, it is an area where the “laboratories of democracy” are testing new approaches in an effort to find what strikes the best balance between protecting consumers and enabling businesses to function without overwhelming compliance costs.  Companies should therefore resist the urge to believe that complying with the CPRA automatically means that they are complying with the CPA.

Many privacy professional may have missed it, but In the run-up to the New Year — while many U.S. companies were focused on complying with the California Privacy Rights Act (CPRA) — Congress passed an appropriations bill that contains significant new cybersecurity requirements for medical device companies.  The  Omnibus Appropriations Bill, which was signed into law on December 29, 2022, contains provisions amending the Federal Food, Drug, and Cosmetic Act to further mandate the implementation of cybersecurity controls for certain internet connected medical devices. Specifically, any ‘device’ (as the term is broadly defined under 21 U.S.C.S. 321(h)) must comply with the new requirements if the device: (1) includes software which is validated, installed, or authorized by the sponsor; (2) has the ability to connect to the internet; and (3) contains any technological characteristics that could be vulnerable to cybersecurity threats.

The new rules go into effect 90 days after the passage of the Bill (or March 22, 2023), Thereafter, any sponsor submitting a cyber device to the FDA must:

  1. Submit to the FDA Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures;
  • Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address: (a) On a reasonably justified regular cycle, known unacceptable vulnerabilities; and (b) As soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks; and
  • Provide to the Secretary of the FDA a software bill of materials, including commercial, open-source, and off-the-shelf software components.

Further, the new amendments authorize the FDA to draft regulations containing additional requirements that “demonstrate reasonable assurance that the device and related systems are cybersecure” or regulations which exempt certain devices or device types from the new requirements. While there are no express timing requirements for the draft regulations, the new amendments do require the FDA to update its existing ‘‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’’ guidance within two years, and additionally, requires the FDA to update its public facing guidance regarding improving cybersecurity of devices within 180 days.

Medical device manufacturers should carefully review their current cybersecurity controls for covered devices and keep a close eye out for the new FDA guidance and regulations. As always in the world of data privacy, if you blink, you may miss a new law or regulation.

2022 proved to be an historic year for privacy and data security.  Connecticut and Utah joined the list of states that have now passed comprehensive data privacy laws, bringing the total to five (5) states.  For the first time, federal privacy legislation advanced to a House Subcommittee, and though the American Data Privacy and Protection Act (ADPPA) hasn’t been passed by the full House yet, there is still a chance it may happen in this Congress.  The Executive Branch flexed its regulatory muscles in 2022, issuing a number of Executive Orders and regulations designed to tame the scourge of ransomware. The FTC continued its focus on corporate surveillance and signaled its intention to focus more closely on dark patterns, data minimization and children’s data. 

We expect that 2023 will also be a very busy year for privacy and data security.  Meta Pixel and chatbot litigation, which exploded last year, is likely to expand.  Companies will spend this coming year complying with the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA), which became effective on January 1, 2023, and preparing for compliance with Colorado, Utah and Connecticut privacy laws.  Many companies will also spend 2023 bracing for new legal and regulatory requirements that will become final later this year or 2024, such as proposed SEC cyber reporting requirements, the new GBLA Safeguards Rule, NY DFS cyber regulations, breach reporting for critical infrastructure, the California Age Appropriate Design Code, and the EU Digital Services Act – while planning for a world without cookies.

We will be releasing a webcast and podcast to discuss these topics in more detail.  But for now, here are our predictions for 2023.

State Privacy Laws’ Time in the Spotlight

While it is hard to predict the future, 2023 may very well be the tipping point for state privacy compliance.  Indeed, in this year alone, five states will have comprehensive privacy laws go into effect, two of those states will finalize detailed regulations, enforcement of the old CCPA provisions already went live without a cure period, and there will almost certainly be new laws passed during state legislative sessions.  In other words, the already complicated patchwork of privacy laws is continuing to grow in importance and size.     

            State Regulators Will Remain Focused on Website and Mobile App Analytics

Website analytical tools—whether used for marketing or obtaining better insight into how users interact with the platform—have already been at the center of regulators’ crosshairs.  For example, in its September 2022 CCPA enforcement action against Sephora, the California Attorney General made clear that it considers both “the trade of personal information for analytics” and “the trade of personal information for an advertising option” to be sales under the CCPA.  What the Attorney General did not make clear is what specific “common analytical tools” it considers to fall within these categories. 

In 2022, there was little incentive for businesses to fight the allegations because there was a cure period.  However, since that cure period expired on January 1—and because “sales” are part of existing CCPA provisions subject to live enforcement—2023 will likely see enforcement actions involving detailed questions of which analytical tools constitute sales.  In doing so, these actions may call into question the legitimacy of positions taken by various tech companies who label themselves as service providers in their terms and conditions.

            Privacy Policies Will Continue to Diverge

With five different privacy laws going into effect in one year, businesses have been looking for a “lowest common denominator” strategy of compliance.  And, as the Colorado Attorney General has made clear, interoperability is an important guiding principle in the Colorado rulemaking process.  However, the Colorado Attorney General made equally clear that interoperability is just one principle—when the office believes there is a better way of handling an issue, it will diverge from other state practices.  Privacy policies are one such area.

In the initial draft of the Colorado Privacy Act rules, privacy policies are purpose driven—that is, the disclosures relating to how a controller processes and shares personal data is tied to the purpose for which it is collected.  By contrast, the CCPA and CPRA rules are driven by the category of information.  And while the revised draft of the Colorado rules do take steps to try to increase interoperability, a comparison of how the disclosures must work in practice shows that they are still very much purpose driven.  We will explore this concept in more detail in a dedicated post, but for this post, we’ll state that the common CCPA/CPRA approach will not comply with the CPA rules.

Prior to 2023, many companies chose to have a separate California privacy policy already.  With the different approaches of California and Colorado, as well as different terminology under the CPRA (e.g., the word “share”), we expect to see the divergence continue.  

            Data Minimization Drives Better Data Mapping and Inventories

All five state laws going into effect in 2023 have express data minimization provisions.  As discussed below, data minimization has become an increasing focus of regulators, including in the data breach litigation and enforcement context. 

We similarly expect to see a focus on data minimization in the state privacy law compliance context, as it is clearly a “common sense” issue that resonates with regulators.  The corollary to this prediction is that companies will create better data maps and inventories to document their compliance.  Indeed, while data maps are critical to fully complying with data subject access requests, in this context, they are essentially an operational tool.  In the data minimization context, they can become evidence of compliance.  Accordingly, we expect to see companies continue to invest in developing strong data maps and inventories throughout 2023.

More States Will Pass Both Comprehensive and Specialized Privacy Laws

For the past several years, we have seen several states introduce comprehensive privacy acts and specialized privacy acts (such as biometric identifier acts).  Only a handful make it across the finish line.

It is almost certain that 2023 will bring another season of privacy bills in state legislatures and assemblies across the country.  It is almost certain that most of these will stall or fail as in other years.  However, it is likely that some states will be able to pass comprehensive privacy laws.

Predicting legislation is rarely advisable.  However, Maryland, Massachusetts, Michigan, and Minnesota all switched in 2023 to a Democratic trifecta of both legislative chambers and the governorship.  So, keep an eye on these states.  Also watch for additional states to pass biometric identifier laws, as the high profile nature of BIPA lawsuits raise the issue across the country.  To the extent these laws have different exclusions for federally regulated industries, they could create huge compliance burdens.

Data Privacy and Breach Litigation Will Expand

Data privacy litigation had been trending upwards for many years.  In 2021, there were roughly 1,200 data privacy or breach class actions filed (not including TCPA or FCRA claims).  In 2022, we saw a marked increase in new privacy class actions driven primarily by favorable court rulings and new technologies.  For a variety of reasons, described in more detail below, we expect this trend to continue in 2023. 

VPPA Litigation Will Continue   

One of the more surprising trends in 2022 was a resurgence in class action litigation under the Video Privacy Protection Act (VPPA). This rarely enforced law was passed in the late 80s, in the wake of Congressional outrage over media reports of Judge Bork’s video rental history, which emerged during his SCOTUS confirmation hearing.  The law has a very specific purpose: it requires consumer consent for the disclosure by videotape service providers of a consumer’s video viewing history, and provides liquidated damages for a violation of the law.  For decades, plaintiff’s attorneys have trying with limited success to apply this antiquated and highly specific law to internet streaming activities.

In 2022 a new variant of VPPA litigation emerged.  The new claims focus on websites’ usage of Meta Pixel, a tracking cookie that enables the sharing of a consumer’s website activity with Meta.   The typical VPPA complaint alleges that a website that shows videos shares the plaintiff’s video viewing history, without consent, with Meta via the Pixel.  As many websites have thousands of daily visitors accessing videos, the potential statutory damages for a class of website subscribers can quickly reach seven and even eight figures. What separates this latest wave of VPPA lawsuits from prior cases is the assertion that Meta Pixel transmits Facebook ID, which plaintiff’s claim personally identifies consumers and is not merely an anonymized number. 

There have been at least 70 VPPA class action lawsuits field in the past eight months.  Media and news organizations – which often embed videos on their websites– have been a particular target for plaintiff’s lawyers.   Defendants have advanced a number of arguments in their dismissal motions, including that Facebook ID is not personally identifiable data within the meaning of the VPPA and that website operators that merely post news-related videos are not video tape service providers.  Most of the recent class actions are still in the pleadings stage, and only a few courts have thus far ruled on motions to dismiss. Until there is a clear consensus among federal courts on the viability of VPPA claims, we can expect to see a continued stream of VPPA litigation in 2023 and beyond.

Wiretap Litigation Will Expand

The use of Meta Pixel also gave rise in 2022 to a number of class action lawsuits under state wiretap laws.  Plaintiffs in these cases allege that Meta Pixel allows Meta to intercept consumer communications with a website while in transit.  A major driver for these claims are favorable decisions by the Third and Ninth Circuits, both of which permitted wiretap claims to go forward against companies based on their usage of certain kinds of third-party website tools.  The Third Circuit case, Popa v. Harriet Carter Gifts, focused on the use of tracking cookies that allegedly enabled a third party digital marketing entity to intercept the plaintiff’s communications with the website operator.  The Ninth Circuit case, Javier v. Assurance IQ, centered on an insurance quote tool operated by a third party.  In both cases, the appellate courts held that the sharing of consumer communications with a third party constituted an interception that required consumer consent under wiretap laws.

The Third and Ninth Circuits’ broad view of what constitutes an interception under state wiretap laws theoretically embrace a wide array of third party tools that integrate with websites.  Not surprisingly, this has led to a surge of wiretap class actions, particularly in California and Pennsylvania.  Both state wiretap laws allow for liquated damages, require two-party consent, and provide for liability against a website operator that aids and abets a third’s party’s interception of a communications.  At least 60 wiretap class actions have been filed since August 2022 in these two states.

As noted, many of these wiretap class actions focus on Meta Pixel.  Recently, however, plaintiff’s lawyers have been asserting wiretap claims based on the usage of “chatbots”, session replay software, and insurance quote tools.  An even more recent variant of wiretap litigation focuses on hospitals’ alleged usage of Meta Pixel on patient portals, which plaintiffs allege results in the unauthorized sharing of ePHI with Meta.  These patient portal cases often assert claims under the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA) as well as state wiretap laws.

As with VPPA litigation, most of the new wiretap class actions are still in the pleadings stage.  Defendants have asserted a number of grounds for dismissal, including that the tools at issue do not capture the “contents” of communications as required under wiretap laws, and that the companies alleged to have intercepted such communications are service providers, not third parties under the law.  Few courts, however, have ruled on these issues to date.

Given the broad way in which courts are reading wiretap laws, it is highly likely that we will continue to see a steady stream of wiretap class action filings in 2023.  We also expect that plaintiffs will expand the focus of wiretap allegations to include other pixels, tracking cookies, and embedded website technologies operated by third parties. 

Data Breach Class Actions Likely to Stay Steady

For at least a half-dozen years, the number of data breach class actions filed each year has slowly trended upwards and we expect that 2023 will follow this pattern.  This is somewhat surprising in the wake of Trans Union v. Ramirez, in which the Supreme Court held that plaintiffs could not establish federal standing for monetary damages based on the mere risk of future harm.  Although courts within some circuits have dismissed putative breach class actions based on TransUnion, a number of courts have held that breach plaintiffs do have federal standing to proceed with their claims.  One line of reasoning used by such courts is that the breach itself gives rise to a present harm—such as emotional distress — separate from the risk of future harm. Plaintiff’s lawyers have also become adept at finding plaintiffs who have suffered out of pocket expenses arising from a data breach.  Given the huge number of data breaches that occur every year in the U.S., we expect that data breach class actions will continue to trend upwards. 

BIPA Class Actions May Be Poised to Expand (or Slow Down)

For many years, plaintiffs have filed upwards of 500 class action lawsuits each year under the Illinois Biometric Protection Act (BIPA), making Illinois one of the epicenters of data privacy litigation on the country.  In 2022, plaintiff’s attorneys continued their recent focus on cosmetic and other companies using “facial try-on” tools as well as companies using voiceprint technologies and ID verification tools. 

There were a number of court rulings in 2022 addressing a wide range of defenses to the BIPA, most going against defendants.  Illinois courts rejected arguments that:

One of the few favorable rulings for BIPA defendants last year involved higher eds that used remote exam proctoring software that allegedly captured biometric data through scans of students’ facial geometry.  Illinois courts agreed with the higher ed defendants that they are covered by the Gramm-Leach-Bliley Act (GBLA) exemption to the law. 

2023 could be a momentous year for BIPA litigation as we await rulings from the Illinois Supreme Court on two significant issues that could expand, or perhaps constrict, BIPA litigation.  In Tims v. Black Horse Carriers, the Court will address whether a one (1) year statute of limitations applies to all BIPA claims—or just BIPA claims involving “publication” of biometric data.  In Cothron v. White Castle Systems, the Illinois Supreme Court will also address whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information, or each time a company collects or discloses biometric information.

Look to Federal Regulators For Next Wave of Privacy Litigation

Privacy litigation has often tracked issues of federal regulatory concern.  For example, online tracking litigation began a decade shortly after the FTC and other regulators became focused on the issue of commercial surveillance.  Using federal regulation as a guide to privacy litigation, here are a few areas where we may see increased litigation in 2023.

Children’s Data

Over the past several years the FTC has been very focused on children’s data.  The recent settlement with Epiq Games for $245 mm may give rise to litigation premised on illegal or deceptive practices to collect or share children’s data, particularly in-game. 

Data Minimization

Data minimization has been another recent focus of the FTC, which recently settled a claim against Drizly that required the company to delete unnecessary data.  Look for breach class actions that include allegations that defendant’s failed to delete consumer data in a timely manner. 

Dark Patterns

This is a focus not only of the FTC but state regulators as well.  The CPRA regulations, for example, include very detailed examples of illegal “dark patterns” that may steer consumers into making choices they otherwise would not have made.  We have seen some regulators pursue dark patterns claims as well (see, e.g., the District of Columbia’s settlement with Google for use of dark patterns in connection with location tracking).  It would not be surprising to see plaintiff’s lawyers begin to assert that certain online disclosures and consenting mechanisms wrongfully mislead consumers into purchasing decisions. 

Employee Monitoring

This has been a focus of several recent state laws, most notably New York City. Plaintiff’s lawyers may use this recent focus on employee privacy rights to pursue data sharing claims against third party monitoring companies. 

Artificial Intelligence

The Holy Grail for privacy ligation may be artificial intelligence, which has two of the key hallmarks of data privacy litigations: it operates largely in the dark – “surreptiously” to borrow a favorite allegation – and has the potential to negatively impact consumers.  Thus far, there has not been a lot of regulation concerning AI –apart from the use of AI to make discriminatory housing and credit decisions – but that may be changing.  Many of the new state privacy laws seek to regulate the usage of AI, and we expect to see regulations in California and Colorado that may develop some legal guardrails.  These regulations may provide greater transparency around the operation of certain AI tools and provide the legal basis for consumer fraud or UDAAP claims.

Cyber Security – Preparing for the Coming Wave of New Regulatory Requirements

In the wake of the huge spike in ransomware attacks in 2020 and 2021, the federal government dedicated significant resources in 2022 to hardening security controls and accelerating reporting obligations for critical infrastructure, public companies, and financial institutions. Some states as well as countries also proposed new cyber regulation in 2022 that will become effective in 2023 or 2024.  One of the key challenges for affected industries in 2023 will be planning to meet the enhanced reporting or security requirements of these new regulations.

Here is a run-down on the status these new cyber regulations and laws:

SEC Disclosure Requirements

On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance.  If approved, public companies will be required to disclose material cybersecurity incidents within four (4) days of identifying that a material event has occurred.

The proposed rule also would require public companies to provide updated disclosures relating to previously disclosed cybersecurity incidents. Further, the proposed rule will require disclosures regarding the company’s cyber risk management program.

If finalized in 2023 in its current form, the new SEC reporting requirements will have a significant impact on how public companies manage and disclose cyber incidents.

GLBA Safeguards

On Nov. 15, 2022, the Federal Trade Commission (“FTC”) announced that it was delaying the compliance deadline for eight of the amendments to the Safeguards Rule until June 9, 2023, citing Small Business Administration’s Office of advocacy and a shortage of qualified personal to implement information security programs.

The new Safeguards Rule was originally set to take effect on December 9, 2022.  Covered financial institutions will now have a six month extensions to address certain provisions.

While the extension of the effective date was certainly welcome news, covered financial institutions that have not begun their compliance efforts should not wait any longer.  Indeed, with new operational requirements (such as encryption at rest and multifactor authentication) and contractual issues (such as possible amendments to existing vendor contracts) may require significant ramp-up time.

Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was signed into law on March 15, 2022, and requires entities in critical infrastructure sectors to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) not later than 72 hours after the covered entity reasonably believes that the cover cyber incident has occurred.  CIRCA will also require any federal entity receiving a report on a cyber incident to share that report with CISA within 24 hours. CISA will subsequently have to make information received under CIRCIA available to certain federal agencies within 24 hours.

As a first step toward a Notice of Proposed Rulemaking, on September 12, 2022, CISA published a Request for Information, which sought public comments (which closed on November 14, 2022) on a wide range of aspects of the CIRCIA regulations.

NYDFS Updated Cybersecurity Regulation

On November 9, 2022, New York Department of Financial Services (“NYDFS”) officially released revised proposed amendments to the cybersecurity regulation, which address cybersecurity requirements for financial services companies, along with a 60-day comment period (which expired on January 9, 2023). The original amendments were released on July 29, 2022, but after a 60-day comment period, the NYDFS determined additional edits were warranted.

In addition to new federal and state cyber regulations, there are a number of international cyber regulations affecting multinational corporations that are pending or may become final in 2023. 

DORA

The EU has endeavored to strengthen the IT security of financial institutions to ensure the financial sector in Europe remains resilient through a severe operation disruption by passing the Digital Operational Resilience Act (“DORA”). DORA sets requirements for financial institutions for cyber/ICT risk management, incident reporting, resilience testing, and third-party outsourcing.

GDPR Updates for Breach Reporting by Controllers Not Established in the EU

In late 2022, the European Data Protection Board (“EDPB”) opened a comment period for the first post-GDPR update to its 2018 data breach notification guidelines. The proposed updates to the guidelines impose more onerous personal data breach notification obligations on controllers who are not established in the EU, but are subject to the extra-territorial provisions of the GDPR. Under the proposed updates, such controllers must report breaches to every single authority for which affected data subjects reside in their Member State within the 72-hour time limit. Such a requirement will be a heavy burden. In 2023, the EDPB will review the comments and possibly revise the proposed guidelines.

European Union—More Fines and More Data Regulation

2023 is likely to be another year of large fines for U.S. tech companies operating in Europe. In addition to the more traditional actions brought under the GDPR, operators of online platforms, hosting services, and providers of network infrastructure will have to comply with the new requirements of the EU’s Digital Services Act.  The requirements of this Act vary depending on the size and business practices of the organization, but generally include new transparency and disclosure requirements as well as new controls on the dissemination of illegal content. With fines reaching as high as 6% of annual worldwide turnover, large US tech companies are sure to be a continued lightning rod for new enforcement actions.

Despite this new addition, international businesses of all sizes must continue to be wary of the compliance obligations of the GDPR.  The Irish Data Protection Authority’s recent action against Microsoft for violations, including use of an asymmetric cookie banner, demonstrate the need for continued caution.

Turning to brighter news, 2023 may carry with it a finalized US adequacy decision through an updated version of the Privacy Shield framework. Following the Biden administration’s October Executive Order and release of regulations implementing the Data Protection Review Court, the European Commission published a draft adequacy decision reflecting a positive assessment of the US privacy framework. While the new framework will certainly be subject to challenges, it was designed specifically to avoid being invalidated by a ‘Schrems III.’  Assuming a best-case scenario, we may see a finalized framework and adequacy decision in the next six to eight months.  Further, in the event of an EU-US adequacy determination, the UK-US determination would likely follow swiftly behind. 

Ad Tech—It’s All About Consent

With the California Privacy Rights Act (CPRA) operational as of January 1, 2023 and Google announcing its shift towards eliminating cookie tracking in Chrome starting mid-year, it is likely we will see contextual advertising become increasingly important for companies looking for ways to access their customers. While it is unlikely the cookie will disappear entirely, we may see it become irrelevant as replacement forms of tracking—such as MAID device identifiers, which reach mobile devices based on device ID, and other tracking technologies that comply with the slate of privacy laws now in effect —become the norm.

That being said, consent is likely going to be—and should be—first on companies’ minds. Companies should be cognizant of their tracking activities and those that continue to engage in targeted advertising will need to incorporate consent and opt-outs into their business practices or incorporate alternative tracking technologies to satisfy their advertisers as well as any applicable legal requirements.

A Deep Dive Into FinCEN’s Latest Proposals Under the CTA

On December 16, the Financial Crimes Enforcement Network (“FinCEN”) issued a 54-page notice of proposed rulemaking (“NPRM”) regarding access by authorized recipients to beneficial ownership information (“BOI”) that will be reported to FinCEN under the Corporate Transparency Act (“CTA”).  The CTA requires covered entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report BOI and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S.  This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions (“FIs”) seeking to comply with their own Customer Due Diligence (“CDD”) compliance obligations, which requires covered FIs to obtain BOI from many entity customers when they open up new accounts.

In regards to this NPRM, FinCEN’s declared goal is to ensure that

(1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only redisclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

Further, FinCEN has indicated that, “[c]oincident with the protocols described in this NPRM, FinCEN is working to develop a secure, non-public database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security levels.”

The comment period for the NPRM is 60 days.  The NPRM proposes an effective date of January 1, 2024, consistent with when the final BOI reporting rule at 31 C.F.R. § 1010.380 becomes effective.  The proposed BOI access regulations will be set forth separately at 31 C.F.R. § 1010.955, rather than existing 31 C.F.R. § 1010.950, which governs the disclosure of other Bank Secrecy Act (“BSA”) information.

This NPRM relates to the second of three sets of regulations which FinCEN ultimately will issue under the CTA.  As we have blogged (here and here), FinCEN already has issued regulations regarding the BOI reporting obligation itself.  FinCEN still must issue proposed regulations on “reconciling” the new BOI reporting regulations and the existing CDD regulations applicable to covered FIs for obtaining BOI from their own entity customers.

As we discuss, the lengthy NPRM suggests answers to some questions, but it of course also raises other questions.  Although domestic and even foreign government agencies will have generally broad access to the BOI database, assuming that they satisfy various requirements, the NPRM’s proposed access for FIs to the BOI database is relatively limited.

Access to the BOI Database

The CTA authorizes FinCEN to disclose BOI to five categories of recipients:

  • Federal, State, local and Tribal government agencies;
  • Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities;
  • FIs using BOI to facilitate compliance with their own CDD requirements and who have received the reporting company’s prior consent;
  • Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing FIs for compliance with CDD requirements; and
  • U.S. Department of Treasury, which has “relatively unique access” to BOI tied to an officer or employee’s official duties requiring BOI inspection or disclosure, including – importantly – for tax administration.

Generally, the CTA expressly restricts access to BOI to only those authorized users at a requesting agency: (1) who are directly engaged in an authorized investigation or activity; (2) whose duties or responsibilities require access to BOI; (3) who have undergone appropriate training or use staff to access the system who have undergone appropriate training; (4) who use appropriate identity verification to obtain access to the information; and (5) who are authorized by agreement with the Secretary to access BOI.  The CTA also requires each requesting agency to establish and maintain a secure system to store BOI, establish privacy and data security protocols, certify compliance to FinCEN on an initial and then semi-annual basis, and conduct an annual audit, available to FinCEN on request, as to proper access, use and maintenance of BOI. (To read our blog post on a recent European Union court decision striking down public access to BOI, see here.)

FinCEN will retain sole discretion to decline to provide BOI to any requesting agency or FI that fails to comply with any requirement under the proposed regulations, or if the information is being requested for an “unlawful purpose,” or if “other good cause exists to deny the request.”  FinCEN also may suspend or debar requesters.  The NPRM reiterates the statutory penalties for violating the CTA, which include up to $500 a day for each civil violation, as well as up to five years in prison for a criminal violation, or up to 10 years in prison for an “aggravated” violation.

Federal, State, Local and Tribal government agencies

The NPRM provides that FinCEN may disclose BOI to agencies engaged in national security, intelligence or law enforcement if the BOI is for use in furtherance of such activities.  These agencies will have broad access to the BOI database and will be able to conduct searches using multiple search fields.

Federal agency access will be “activity-based.”  Accordingly, the NPRM proposes that an agency that is not traditionally understood as a “law enforcement” agency, such as a Federal functional regulator, nonetheless may receive BOI because “law enforcement activity” may encompass civil law enforcement by the agency, including civil forfeiture and administrative proceedings.  Such agencies would include the Securities and Exchange Commission and other regulatory agencies.

FinCEN also may disclose BOI to State, local and Tribal law enforcement agencies if “a court of competent jurisdiction” has authorized the law enforcement agency to seek the BOI in a criminal or civil investigation.  The NPRM does not define what it means for a court to “authorize” such disclosure, and seeks input on whether it should include state or local grand jury subpoenas, which sometimes, depending on the jurisdiction, can be signed by a prosecutor, not a court.

Federal government agencies requesting access to the BOI database will have to submit brief justifications to FinCEN for their searches, and these justifications will be subject to oversight and audit by FinCEN under future guidance that FinCEN will issue.  State, local and Tribal and law enforcement agencies will be required to upload the court document authorizing the agency to seek BOI from FinCEN, which will review the authorization for sufficiency before approving.  Every domestic agency seeking BOI will need to enter into a memorandum of understanding, or MOU, with FinCEN before being allowed to access the database.

Foreign law enforcement agencies

Foreign requesters will not have direct access to the BOI database. Instead, they will submit their requests for BOI to Federal intermediary agencies, which will need to be identified.  If the foreign request is approved, then the Federal agency intermediary will retrieve the BOI from the system and transmit it to the foreign requester.  Federal agency intermediaries will need to ensure that they have secure systems for BOI storage and enter into MOUs with FinCEN.  However, the NPRM proposes that FinCEN will directly receive, evaluate, and respond to BOI requests from foreign financial intelligence units.

The NPRM provides that a BOI request from a foreign requester would have to derive from a law enforcement investigation or prosecution, or from national security or intelligence activity, authorized under the foreign country’s laws.  Foreign requests for BOI will need to be either requests made pursuant to an international treaty, agreement, or convention, or official requests by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country where there is no international treaty, agreement, or convention that governs.  The NPRM does not propose imposing any audit requirements on foreign requesters, but invites comments on that proposal.

FIs using BOI to comply with the CDD Rule

Access by FIs is more limited.  The CTA authorizes FinCEN to disclose a reporting company’s BOI to an FI only to the extent that such disclosure facilitates the FI’s compliance with the CDD Rule, and only if the reporting company first consents.  Each BOI request by a FI must be in writing and must certify that the request seeks to facilitate compliance with the CDD Rule, is made with the consent of the customer, and that the FI otherwise has complied with the CTA.

The NPRM interprets the phrase “financial institution subject to customer due diligence requirements under applicable law,” to mean that FIs may request access to the BOI database only when attempting to comply with the CDD rule.  Although FinCEN is requesting comment on this proposal, this would mean that FIs may not request BOI access for other efforts to comply with the BSA, such as compliance with the related Customer Identification Program, or CIP, requirements – or, presumably, determining whether to file a Suspicious Activity Report. Likewise, this would mean that the many FIs subject to the BSA but not subject to the CDD Rule – such as money services businesses – never will have access to the BOI database.

Another important limitation on BOI access by FIs is that a FI, when attempting to comply with the CDD rule, may search only the consenting entity customer.  Unlike government agencies, FIs cannot do multiple searches, such as searches building off of the results of prior searches.  Moreover, FIs cannot do searches tied to individual beneficial owners – only to an entity.  So, although an FI may be able to determine that X, Y and Z are the beneficial owners of Company A, a FI will not be able to determine if X is the beneficial owner of Companies A, B and C.

The NPRM contains another proposal that likely will frustrate FIs:  BOI information can only be accessed by, or shared with, FI directors, officers, employees, contractors and agents physically within the U.S.  This means that the offshore compliance teams maintained by many FIs will be rendered useless for CDD compliance if this proposal is included in the final regulations.

Each FI must develop and implement safeguards reasonably designed to protect the security, confidentiality and integrity of BOI received from FinCEN, consistent with procedures that the FI already has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (“GLBA”) in regards to protecting its customers nonpublic personal information.  If the FI is not covered by the GLBA, then it must apply safeguards required under applicable Federal or State law and which are at least as protective as procedures that satisfy section 501 of the GLBA.

The NPRM does not address several other important questions involving FIs, such as: is a FI obligated to access the BOI database for purposes of CDD Rule compliance, or may it choose to do so?  If the FI may choose, are there any rules regarding how that choice should be made?  Further, what should an FI do if there is a discrepancy between the BOI it received from an entity customer under the CDD Rule and the BOI it receives from FinCEN under the CTA? As noted, FinCEN will issuing a third set of proposed regulations under the CTA regarding reconciling the CTA regulations and the existing CDD Rule, which presumably will involve expanding the obligations of the CDD Rule.  Regardless, FinCEN may address these questions at that time.

Finally, there may be some contradictions between state law disclosure requirements for FIs in regards to individuals whose BOI has been submitted under the CDD Rule, and the prohibitions in the CTA and the NPRM regarding disclosure of BOI.  This is a complex issue turning on the particulars of state law and potential exemptions, so we merely note the potential issue here.

Federal functional regulators supervising FIs for CDD Rule compliance

Federal functional regulators generally will have limited access to the database if requesting BOI for the purpose of ascertaining CDD compliance by a supervised FI.  The NPRM identifies these regulators as the Securities and Exchange Commission, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Federal Reserve System, the National Credit Union Administration, and the Commodities Futures Trading Commission.

The NPRM states that FinCEN is still developing this access model and accompanying functionality, but expects federal functional regulators to be able to retrieve any BOI that the FIs they supervise received from FinCEN during a particular period, but not BOI that might reflect subsequent updates. Thus, regulators would receive the same BOI that FIs received for purposes of their CDD reviews. FinCEN expects that Federal functional regulators responsible for bringing civil enforcement actions also will be able to obtain BOI under the “activity-based” access permitted for “law enforcement,” described above.  Finally, the NPRM proposes that financial self-regulatory organizations that are registered with or designated by a federal functional regulator pursuant to Federal statute – such as the Financial Industry Regulatory Authority, or FINRA – may obtain BOI not directly from FinCEN, but instead from the FIs they supervise.  The NPRM states that, “[w]ithout this level of access, these organizations would not be able to effectively evaluate an FI’s CDD compliance.”  The NPRM refers to such organizations as SROs, and provides that they also may receive BOI from a Federal functional regulator for examination of CDD compliance by a supervised FI.

U.S. Department of Treasury

The NPRM states that “FinCEN envisions Treasury components using BOI for appropriate purposes, such as tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions designation investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight.” Further, “FinCEN will work with other Treasury components to establish internal policies and procedures governing Treasury officer and employee access to BOI.” 

The NPRM invites comments on the proposed scope of the term “tax administration.”  This likely will be an important and controversial question, given the potential scope of IRS activity.

Verification of BOI

Verification of BOI is an important and thorny issue.  FinCEN states that it “continues to evaluate options for verifying reported BOI.  ‘Verification,’ as that term is used here, means confirming that the reported BOI submitted to FinCEN is actually associated with a particular individual.”  This means that FinCEN is focusing on weeding out mismatches – intentional or unintentional – and fabricated persons.  What FinCEN is not focusing on is ensuring that a listed, real person is actually a beneficial owner of the reporting entity (or, conversely, identifying true beneficial owners who have not been reported).  Such a level of verification presumably would be incredibly resource-intensive and likely impossible on a broad scale. 

This level of verification is equivalent to the verification obligations of FIs obtaining BOI from entity customers under the CDD rule:  FIs do not have to verify that a listed person is in fact a beneficial owner of the entity, and instead may rely on the customer’s reporting form listing beneficial owners in the absence of any red flags to the contrary.

The fact that FinCEN will not undertake to verify BO status confirms that one of the primary functions of the CTA and the BOI database – and probably the primary function – is to serve as a source of information for downstream law enforcement and regulatory inquiries.  That is, the database will not serve as a source of leads to initiate investigations, but instead will provide information once an investigation or inquiry into specific persons and entities already has begun.

FinCEN Identifiers for Entities

A FinCEN identifier is a unique identifying number that FinCEN will issue to individuals who have provided FinCEN with their BOI and to reporting companies that have filed initial BOI reports.  The NPRM observes that the use of an intermediate company’s FinCEN identifier can create issues if a reporting company’s ownership structure involves multiple beneficial owners and/or intermediate entities. Thus, the NPRM proposes to permit a reporting company to use an intermediate entity’s FinCEN identifier only if the two entities have the same beneficial owners.

Specific Requests for Comment

The NPRM sets forth 30 specific requests for comment, under the six subheadings of (i) Understanding the Rule; (ii) Disclosure of Information; (iii) Use of Information; (iv) Security and Confidentiality Requirements; (v) Outreach; and (vi) FinCEN Identifiers. 

Of particular interest, and consistent with the above discussion, the NPRM requests comments regarding the following issues:

  • [C]omments discussing how State, local, and Tribal law enforcement agencies are authorized by courts to seek information in criminal and civil investigations . . . [and] whether there are any evidence-gathering mechanisms through which State, local, or Tribal law enforcement agencies should be able to request BOI from FinCEN, but that do not require any kind of court?
  • Is requiring a foreign central authority or foreign competent authority to be identified as such in an applicable international treaty, agreement, or convention overly restrictive? If so, what is a more appropriate means of identification?
  • Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? . . . . It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI.
  • Could a State regulatory agency qualify as a “State, local, or Tribal law enforcement agency” under the definition in proposed 31 CFR 1010.955(b)(2)(ii)? If so, please describe the investigation or enforcement activities involving potential civil or criminal violations of law that such agencies may undertake that would require access to BOI.
  • Because security protocol details may vary based on each agency’s particular circumstances and capabilities, FinCEN believes individual MOUs are preferable to a one-size-fits all approach of specifying particular requirements by regulation. FinCEN invites comment on this MOU-based approach, and on whether additional requirements should be incorporated into the regulations or into FinCEN’s MOUs.
  • Are the procedures FIs use to protect non-public customer personal information in compliance with section 501 of Gramm-Leach-Bliley sufficient for the purpose of securing BOI disclosed by FinCEN under the CTA? If not, is there another set of security standards FinCEN should require FIs to apply to BOI?

Impact of the NPRM and Number of Entities with Access to the Database

The NPRM contains over 27 pages, under the heading of “Regulatory Analysis,” devoted to FinCEN’s analysis of the anticipated impact of the NPRM in regards to costs and benefits.  This section contains a lot of numbers, purported cost/benefit discussions, and among other things, estimates of hours (of potentially dubious accuracy) that FIs will need to spend to establish the institutional safeguards, customer consents, written certificates and training necessary to comply with the regulations in order to access the BOI database as part of the FIs’ CDD rule compliance.  This section is beyond the scope of this blog post.  Instead, we simply will set forth two tables contained in the NPRM, which provide some clear and interesting statistics regarding the estimated number of private and public entities which will be accessing the database.

Here is Table 1, entitled “Affected Financial Institutions.”  Recall that this table only pertains to FIs covered by the CDD rule, rather than all FIs subject to the BSA.  The column entitled “Small Count” refers to FinCEN’s determination that most FIs are “small” entities, defined as having total annual receipts less than the Small Business Association (“SBA”) small entity size standard for the FI’s particular industry.  For example, the SBA currently defines a commercial bank, savings institution or credit union as “small” if it has less than $750 million in total assets.

Here is Table 2, entitled “Affected Entities,” which includes government entities:

These tables underscore the paramount need for FinCEN to maintain very strong cybersecurity protections for the BOI database, which surely will be the target of would-be data breaches by bad actors (some of whom may perceive themselves as whistleblowers and white knights seeking information for global publication).  There will be many points of access – i.e., points of potential vulnerability – for the database.  As we previously blogged, the database will contain an enormous amount of information:  FinCEN estimates that over 32 million initial BOI reports will be filed in the first year of the final regulations taking effect, and that approximately 5 million initial BOI reports and over 14 million updated reports will be filed every year thereafter.

These tables also underscore the daunting logistical hurdles facing FinCEN, a small agency, in the establishment and maintenance of the BOI database.  As context, FinCEN notes in the NPRM that it currently fields approximately 13,000 inquiries a year through its Regulatory Support Section.  But if only 10 percent of reporting companies have questions for FinCEN in the first year of the reporting requirement, FinCEN will face over three million inquiries.

On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any subscriber or user of an electronic communications service be informed in a clear and complete manner by the website operator of two things: (1) The purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment (aka, in part, “cookies”); and (2)The means at the user’s disposal to oppose it.

In response to consumer complaints, CNIL conducted investigations which concluded that when users visited “bing.com” in 2020 and 2021, cookies were deposited on their terminal without their consent, and that the cookies were then used by Microsoft for advertising purposes. Additionally, the CNIL alleged that Microsoft failed to provide a compliant means of refusing cookies. While Microsoft provide a button for users to accept cookies, it did not offer an equivalent solution to allow the Internet user to refuse cookies just as easily. The CNIL found that two clicks were needed to refuse all cookies, while only one was needed to accept them. In its press release, the CNIL noted that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button in the first window. [CNIL] considered that such a procedure infringed the freedom of consent of Internet users.”

This “equivalent solution” interpretation was at the heart of a fines levied by CNIL on Facebook and Google earlier this year, and is based upon the CNIL’s 2019 guidance that consent for cookies must be “freely given.” These fines are a reflection of the CNIL’s position that making it more difficult to refuse cookies than to accept them ‘nudges’ the user toward acceptance, and therefore is not considered to be freely given consent. In the case of Microsoft, even a single additional click was enough to trigger a violation, however, the CNIL noted that this issue was eventually rectified by the implementation of a “Refuse All” button on March 29, 2022.

In settling on a 60 million euro fine, the CNIL states it reviewed the scope of the processing, the number of data subjects, and the profits the company made from advertising profits indirectly generated from the data collected via cookies. In addition to the administrative fine, Microsoft was ordered to become compliant with Article 82 within three months, otherwise the company may be required to pay a penalty of 60,000 euros per day thereafter.

The CNIL action is a reminder that analytical tools remain in the crosshairs, and companies should carefully weigh the risks and value when setting up their consent and notice mechanisms.

On December 21, the Colorado Attorney General released a revised draft of the Colorado Privacy Act Rules. 

We will be providing in-depth analysis in coming days and weeks, but at first review, the revised rules appear to represent a fine-tuning as opposed to a complete overhaul.  Some of these changes – such as additional flexibility on Data Protection Assessments – will likely be welcome news to businesses.  Others – such as the definitions of commercial product or service and noncommercial purpose – may be less welcome by non-profit and governmental entities hoping to avoid the CPA’s application.

The Colorado Attorney General will now accept another round of comments from the public before the February 1, 2023 formal rulemaking hearing.

In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information.  The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements.  Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards.  Pennsylvania’s addition of the HIPAA exemption brings the state’s framework in line with the majority of U.S. state data breach notification laws.

The amendment also adds a third new data element: “username or email address in combination with password or security question and answer that would permit access to an online account.” This amendment also brings Pennsylvania law into alignment with other states, such as California, that have a similar definition of personal information.

In practice, this will not significantly affect companies who already maintain incident response programs that address U.S.-wide requirements.  The changes are effective in May of 2023.  

With its draft rules, Colorado has set forth a new model for state privacy laws.  While there are many areas that are interoperable with the California model, the Colorado draft rules include important differences, as well as rules on topics that have been notably absent from California’s draft rules.  Ballard partners Phil Yannella and Greg Szewczyk discuss the highlights of the Colorado draft rules, differences with California, and practical steps for developing a comprehensive compliance plan for all of the upcoming 2023 laws.

Ruling Could Influence FinCEN in Forthcoming Regulations Under the CTA

On November 22nd, an appeals court in Luxembourg issued a decision that highlights the tensions between anti-money laundering (“AML”) goals and privacy concerns, and could impact impending beneficial ownership regulations to be issued under the U.S. Corporate Transparency Act (“CTA”).  Specifically, the appeals court decided that the general public’s access to beneficial ownership information (“BOI”) interfered with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union (“EU”).

Luxembourg Court Strikes Down Public Access to BO Database

In 2019, pursuant to an AML Directive to Member States of the EU, Luxembourg established a Register of Beneficial Ownership (“Register”) for information on beneficial owners of corporate entities. BOI provided by a corporate entity is generally available to regulators, law enforcement and financial institutions conducting due diligence on the corporate entity.  Further, some BOI from the Register is available publicly, including through the internet – but upon request from a beneficial owner, the administrator of the Register could place restrictions on the broad access of certain information of that beneficial owner.  To restrict public access, the beneficial owner must show that “access to [BOI] would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.”

A case was brought by two companies and their beneficial owners after the beneficial owners unsuccessfully requested that the administrator of the Register prevent public access to information concerning them. The Luxembourg district court found that the beneficial owners’ claims of privacy violations raised issues of fundamental rights under European law and sent questions to the appeals court for a preliminary ruling. As noted, the appeals court ruled that the general public’s access to BOI through the Register constituted a “serious interference” with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union:

[I]n so far as the information made available to the general public relates to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities, that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested.

In addition, it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the [AML] objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner . . . . That possibility is all the easier when, as is the case in Luxembourg, the data in question can be consulted on the internet.

Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.

Importantly, when the appeals court balanced the right of privacy against the AML objectives of the Directive, it found that the AML objectives were critical enough to justify “even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter.” Nonetheless, the appeals court found the public nature of the Register to reach beyond the AML objectives and tip the scale in favor of privacy rights. Luxembourg’s method of storing BOI, which required a person or entity to be able to demonstrate a legitimate interest in the information before it was disclosed, did not run afoul of European privacy rights. However, the appeals court found that there was insufficient AML benefit derived from allowing public access to the Register to justify such access.  Specifically, the appeals court noted that although “the general public’s access to information on beneficial ownership ‘can contribute’ to combating the misuse of corporate and other legal entities and [public access] ‘would also help’ criminal investigations, it must be found that such considerations are also not such as to demonstrate that [public access] is strictly necessary to prevent money laundering and terrorist financing.”

Privacy Implications for FinCEN and the CTA

As we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) has issued a final rule regarding the BOI reporting requirements pursuant to the CTA. The Final Rule will require millions of corporate entities registered to do business in the United States to report their BOI to FinCEN. While FinCEN and AML watchdog groups view this development as a “historic step in support of U.S. government efforts to crack down on illicit finance and enhance transparency,” there are also those who are concerned with the privacy risks involved in housing BOI in a government database.  FinCEN still needs to issue further regulations under the CTA, including as to how the BOI data base will be maintained and accessed.

The CTA itself addresses privacy concerns in several ways, and does so in a manner that is dramatically different than the AML Directive.  For example, BOI is only available to government agencies that send a written request, including a basis for the request, and is not generally available to the public. Within the Department of the Treasury specifically, access to beneficial ownership information is limited to officers and employees whose official duties require them to inspect the information and who have been appropriately trained and authorized. Overall, the CTA requires that FinCEN “maintain information security protections, including encryption, for information reported to FinCEN . . . . and ensure that the protections . . . prevent the loss of confidentiality, integrity, or availability of information that may have a severe or catastrophic adverse effect.”

One of the most telling aspects of the CTA’s intent to protect privacy are the penalties for unauthorized disclosure of information: up to $500 per day for each day the violation continues, and/or imprisonment for up to five years. These penalties actually outweigh the penalties under the CTA for not registering as a beneficial owner, or for providing false BOI: up to $500 per day for each day the violation continues, and/or imprisonment for up to two years.

As noted, FinCEN still must issue regulations on the creation and mechanics of the BOI database. Given the privacy protections baked into the CTA by Congress, FinCEN already will be required to craft regulations that strongly protect BOI and restrict access.  Even so, the recent decision in Luxembourg should put even more pressure on FinCEN to be careful.  Certainly, the decision will provide industry commentators to the forthcoming regulations with more ammunition.

New York Considers an Alternative Approach

In March 2022, New York proposed legislation that would require limited liability companies registered in the state to disclose the names and addresses of their beneficial owners to the New York Department of State. Contra the CTA, and more akin to the EU AML Directive, the proposed legislation contemplates a public database to house BOI – although the information available to the greater public would be limited to which LLCs share common ownership. The public database would not contain names or addresses of beneficial owners; rather, if someone wanted to request that information, they would need to submit a formal request to law enforcement, similar to the federal Freedom of Information Act (FOIA).

New York is the only state to propose this type of BOI database at the state level, and the legislative intent offers insight into why New York has a particular focus on BOI. One of the Democratic Senators who proposed the bill said that “[m]oney laundering, tax avoidance, evasion of sanctions, and systemic code violations have been protected for too long in New York by the veil of LLC anonymity. Sometimes tenants don’t even know who their landlord actually is.” Thus, while AML objectives are certainly relevant at the state level, the New York legislation also seeks to address non-AML concerns, such as providing information to tenants and watchdog groups on otherwise unknown landlords who may be contributing to the deterioration of neighborhoods.

Conclusion

In the three approaches reflected by the EU AML Directive, the CTA and the proposed New York legislation, there is a balancing act between collecting and allowing access to BOI in order to fight money laundering and terrorist financing, and protecting privacy rights enshrined in our foundational legal texts like the EU Charter or U.S. Constitution. Beyond those considerations, this spectrum of privacy approaches raises the question of how global AML programs and requirements can be implemented with maximum consistency.  Finally, looming over all of the government-maintained BOI databases is the specter of data breaches and cyber attacks, which threaten not only the individuals whose BOI is affected, but the government agencies themselves.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.

The FTC approved changes to the longstanding Safeguards Rule in October 2021.  The updated rule includes several components that could require significant operational modifications, such as encryption at rest and multifactor authentication whenever nonpublic personal information is accessed.  While some components went into effect 30 days after publication, the most substantive changes were set to go into effect on December 9, 2022. 

The FTC voted unanimously to extend that December 9 date to June 9, 2023.  Accordingly, subject companies will have an additional six months to:

  • Designate a qualified individual to oversee their information security program;
  • Develop a written risk assessment;
  • Limit and monitor who can access customer information;
  • Encrypt information in transit and at rest;
  • Train security personnel;
  • Develop a written incident response plan; and
  • Implement multifactor authentication whenever anyone accesses customer information.

While the new deadline certainly provides breathing room, companies should not take it as an opportunity to delay.  Indeed, between the holidays and state law compliance initiatives, the new deadline will also soon be rapidly approaching.