The latest wrinkle in the ever-changing world of data privacy litigation is the recent surge in state wiretap claims. What began as a trickle over the summer of 2020 has grown into a clear wave as plaintiffs have filed dozens of lawsuits against prominent tech, eCommerce, entertainment, and retail companies under state wiretap laws.  These lawsuits seek statutory damages for the alleged interception of consumers’ electronic communications through the defendant’s use of various website analytics tools.  Because the use of website analytics tools is ubiquitous on the internet, privacy litigators are carefully watching the progress of these state wiretap claims. If successful, state wiretap claims could become the next TCPA, threatening virtually every company with a sizable web presence in the U.S.

After a pandemic-related hiatus in 2020, a number of U.S. states have proposed new data privacy laws in 2021 – and several are very close to passage.  Virginia’s proposed data privacy law appears to be the closest and is likely to be signed into law by Governor Northam in the near future.  Washington and Florida’s legislatures also have privacy bills that are making their way through the legislative process, with a good likelihood of becoming law this year.  The following is an overview of some of the similarities and differences among the three bills most likely to become law in the near future.

In general, the Washington Privacy Act (“WAPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and Florida’s proposed bill contain the following key similarities and distinctions:

Applicability Thresholds
  • WAPA: Conducts business in WA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more. *The WAPA would apply to nonprofit corporations starting July 31, 2026.
  • VCDPA: Conducts business in VA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) processes or controls personal data of 25,000 consumers or more and derives over 50% of gross revenue from the sale of personal data. *Nonprofits are exempt from the provisions under the VCDPA.
  • FL Proposed Bill: Conducts business in FL and: (i) has global annual gross revenues of more than $25 million; (ii) annually buys, receives for business purposes, or shares for commercial purposes the personal data of 50,000 or more consumers, households, or devices; or (iii) derives 50% or more of its global annual revenues from selling or sharing personal data. *Nonprofits are exempt from the provisions under Florida’s proposed bill.

Contractual Requirements Imposed Between Data Controllers and Processors?
  • WAPA: Yes
  • VCDPA: Yes
  • FL Proposed Bill: Yes

Consumer Rights
  • WAPA: Right to access, correct, delete, and opt out of the sale of personal data or certain types of processing of personal data (e.g., targeted advertising, profiling for decisions that have legal consequences).
  • VCDPA: Right to access, correct, delete, and object to the sale of personal data or certain types of processing of personal data (e.g., targeted advertising).
  • FL Proposed Bill: Right to access, correct, delete, and opt out of the sale or sharing of personal data.

Risk Assessments (or similar measures)
  • WAPA: Required
  • VCDPA: Required
  • FL Proposed Bill: Not required

Private Cause of Action
  • WAPA: No
  • VCDPA: No
  • FL Proposed Bill: Yes (limited) – private plaintiffs can seek damages of not less than $100 and not more than $750, whichever is greater, if their non-encrypted personal information or email address (together with information that would allow account access) is subject to unauthorized access due to a business’ failure to implement reasonable security measures.

Consent
  • WAPA: Generally not required except for the processing of sensitive data.
  • VCDPA: Required where a consumer has restricted processing or a risk assessment indicates the risks of processing outweigh the benefits to the consumer.
  • FL Proposed Bill: Required before a business may enter a consumer in a financial incentive program.

Opt-Out
  • WAPA: Required for targeted advertising, sale of personal information, or profiling decisions that have legal effects.
  • VCDPA: Required for targeted advertising, sale of personal information, or profiling.
  • FL Proposed Bill: Required for the sale or sharing of personal information.

Exceptions
  • WAPA: Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, the Federal Farm Credit Act, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.
  • VCDPA: Does not apply to protected health information under HIPAA, personal data regulated under the GLBA, employment-related data, certain types of data regulated under the FCRA, personal data under the DPPA, and clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46).
  • FL Proposed Bill: Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data.

Cure Period?
  • WAPA: Yes – 30 days after receipt of a warning letter from the Attorney General.
  • VCDPA: Yes – 30 days after receipt of notice of alleged noncompliance.
  • FL Proposed Bill: Yes – 30 days after being notified in writing of alleged noncompliance.

Damages/Penalties
  • WAPA: Up to $7,500 per violation.
  • VCDPA: Up to $7,500 per violation.
  • FL Proposed Bill: Not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater. The Attorney General can seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation.

As noted in the table above, the WAPA, VCDPA, and Florida’s proposed bill share a number of features: each imposes contractual requirements between data controllers and processors, provides consumer privacy rights such as the right to access, correct, delete, and opt out of or object to the sale or certain types of processing of personal data, and requires transparent privacy notices concerning the collection and sharing of personal data.  Further, none of the three imposes a fiduciary duty on data controllers, unlike the proposed New York Privacy Act, which is currently pending in the New York state legislature.  One notable difference, however, is that the WAPA and the VCDPA do not include a private right of action, whereas Florida’s proposed bill allows consumers to bring a private cause of action for actual or statutory damages.

The VCDPA has passed in both the state House and Senate and its enactment appears imminent.  If enacted, the VCDPA would become effective on January 1, 2023.  The WAPA and Florida’s proposed bill are currently pending review by their respective legislatures, but momentum appears strong for passage in 2021.

The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).


On February 10, 2021, Phil Yannella, Chair of Ballard’s Privacy & Data Security Group, will join Ankura for a webinar, “2020 Cyber Year in Review”, which will recap cybersecurity events for 2020. Panel members will also offer their predictions for what cybersecurity issues will dominate headlines in 2021. You can register for the event here.

On January 12, 2021, the federal District Court for the Central District of California dismissed a data breach lawsuit—including a claim filed under the California Consumer Privacy Act (“CCPA”)—against Marriott International, Inc.  The holding, which dismissed the claims for lack of standing, will likely play a role in a number of CCPA cases that have motions to dismiss pending.

The case stems from a cybersecurity breach announced by Marriott on March 31, 2020, in which two employees of a Marriott franchise in Russia allegedly accessed some personal information without authorization.  The class action was filed asserting claims for negligence, breach of express and implied contract, violation of California’s Unfair Competition Law, and violation of the CCPA.  However, at the time the class action was filed, Marriott’s investigation was still ongoing.

Marriott’s investigation concluded that the only personal information that had been accessed was the class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers—it did not involve sensitive personal information such as social security numbers, credit card information, or passwords/access credentials.  Marriott moved to dismiss for lack of Article III standing, and the District Court granted the motion.

The District Court engaged in a fairly standard Article III standing analysis, starting with whether there was injury-in-fact.  The Court relied on established precedent that, for there to be a credible risk of injury sufficient for standing, the data at issue must have a certain level of sensitivity.  Because the investigation revealed that the data at issue was not sensitive in nature, the Court held that the plaintiffs could not establish standing.

The four-page opinion did not specifically address the CCPA claim.  If it had, it likely could have dismissed that claim on separate grounds, as the data that had been accessed without authorization did not fall into the subset of information subject to the CCPA’s private right of action.  However, the Marriott case demonstrates that even if plaintiffs could successfully argue that the CCPA is ambiguous with respect to the scope of its private right of action, they would still face standing challenges for data breaches involving non-sensitive personal information.  As there are numerous CCPA cases with motions to dismiss pending, we expect to see additional case law emerging on this front.

The Administrative Office of the U.S. Courts (the “AO”) recently disclosed that it has initiated an investigation into an apparent compromise in security of the Judiciary’s Case Management/Electronic Case Files System (“CM/ECF”) as a result of vulnerabilities associated with SolarWinds Orion products.  The AO noted that it is currently working with the Department of Homeland Security on an audit of security vulnerabilities that may pose a confidentiality risk for non-public documents stored on CM/ECF.  In other words, the AO is auditing whether sealed filings in federal cases have been compromised.

As background, SolarWinds is a vendor that works with the federal government and a range of companies to monitor their IT networks.  On December 31, 2020, SolarWinds issued a security advisory noting that it was a victim of a cyberattack that exploited vulnerabilities with products utilizing its Orion software.  After SolarWinds’ announcement, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive which calls on all federal civil agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

According to public reporting, the SolarWinds hack may have included unauthorized access to the federal court’s electronic filing system, meaning that the hackers may have had access to documents filed under seal.  As a result, the compromise has put “at risk a range of highly sensitive competitive and financial information and trade secrets, including companies’ sales figures, contracts, and product plans” that companies have filed with the courts in connection with litigation.

The Judiciary has now suspended all national and local use of its Orion IT network monitoring and management tool.  In addition, under newly announced procedures, highly sensitive documents (“HSDs”) filed with federal courts will now be accepted in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system, rather than uploaded to CM/ECF.

The AO anticipates each court will issue a standing order to address the types of filings that it does and does not consider to be HSDs.  The AO memorandum suggests most documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, and administrative immigration records will likely not be sufficiently sensitive to require HSD treatment and can continue to be sealed in CM/ECF as necessary.

In the meantime, companies and firms should start taking inventory of what sensitive information has been filed under seal, whether as part of a civil or criminal federal case, and consider whether any preventive or protective measures may be possible to mitigate harms in the event that the information was compromised.

On December 18, 2020, the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance specific to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the COVID-19 public health emergency. The guidance addresses permitted HIPAA disclosures of Protected Health Information (“PHI”) by covered entities and business associates via health information exchanges (“HIEs”) for certain public health purposes.

On January 6, 2021, a bipartisan group of New York state lawmakers released a copy of Assembly Bill 27 (AB 27), the  New York Biometric Privacy Act.  If New York passes AB 27, it will join Illinois, Texas, and Washington as states that have adopted laws that strictly regulate the notice, collection, and handling of biometric information.  Significantly, however, it would join Illinois as only the second state to provide a private right of action with statutory damages for violations.

The proposed bill is similar to the three other states’ biometric-specific laws in that it would prohibit businesses from collecting biometric identifiers or information—defined to include retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and any information derived therefrom—without first receiving written consent from the individual or their authorized representative.  AB 27 would also prohibit businesses from selling, leasing, trading, or otherwise profiting from a person’s biometric information, as well as require businesses to develop a publicly available written retention and destruction policy.  Notably, AB 27 follows the Illinois model of enforcement by affording individuals a private right of action with statutory damages of up to $1,000 for negligent violations and $5,000 for intentional or reckless violations, as well as reasonable attorneys’ fees.  As we have discussed in other posts involving lawsuits under the Illinois law, these types of statutory damages can add up to significant amounts quickly when violations involve large numbers of individuals.

This is not the first time New York lawmakers have attempted to pass a biometric privacy bill.  Indeed, there have been no fewer than three attempts since 2018, none of which have succeeded.  There is therefore reason to believe that AB 27 will face a similar fate.  However, businesses should pay close attention, as its passage would have serious consequences.

On December 14, 2020, the Federal Trade Commission (FTC) announced in a press release that it is issuing orders under the FTC’s authority in Section 6(b) of the FTC Act to the following nine social media and video streaming companies: Amazon.com, Inc., ByteDance Ltd. (which operates the short video service TikTok), Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC.

The FTC made publicly available samples of the letter and order sent to each company. Specifically, the FTC is seeking privacy policies, procedures, and practices related to:

  • how social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
  • how they determine which ads and other content are shown to consumers;
  • whether they apply algorithms or data analytics to personal information;
  • how they measure, promote, and research user engagement; and
  • how their practices affect children and teens.

The FTC voted 4-1 to issue the orders with a majority of the commissioners releasing a joint statement saying that the FTC’s study is timely and important as “concerns mount regarding the impact of the tech companies on Americans’ privacy and behavior.” However, Commissioner Noah Joshua Phillips issued a dissenting statement, stating that “[t]he breadth of the inquiry, the tangential relationship of its parts, and the dissimilarity of the recipients combine to render these orders unlikely to produce the kind of information the public needs, and certain to divert scarce Commission resources better directed elsewhere.”