Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states begin legislative proceedings and proposals for a federal privacy law take shape, the following principles appear to have broad agreement as belonging in a U.S. privacy law:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse.
  • Giving people ownership rights in their data including the right to delete it, change it or take it back.
  • Requiring companies to be more transparent about how they use data and collect consumers’ consent, with some exceptions.

A point of contention is whether a federal U.S. privacy law should completely preempt (invalidate) state privacy laws, or whether state laws should remain binding where they are stricter than the federal law.

Details from the San Francisco Chronicle.

New Jersey follows in California’s footsteps with legislative initiatives on privacy.

The main proposed bill (A-4902) would require commercial websites and online service operators to give customers:

  • a description of the personal information collected
  • a way to prevent the disclosure of personal information to third parties
  • a description of the information
  • an email address or phone number for requesting information
  • upon request from an individual, information on all disclosures of his data within the past year
  • a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data

Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:

“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.

Details from NJ Spotlight.

De-identifying end-user data may count as a use compatible with the original purpose for which the data was provided, and so may not require seeking fresh consent from the individual.

So, that’s between you and the end user. What about B2B contracts? Here, the question of using or commercializing data, even if anonymized, often becomes a point of discussion and negotiation.

Details from the International Association of Privacy Professionals.

The EU General Data Protection Regulation (GDPR) did NOT make all processing of personal data unlawful, though many seem to think so, says Michael Kaiser, data protection officer at the Hesse Data Protection Authority in Germany.

Kaiser said the DPA has been inundated with complaints and breach notifications, up 1,200 percent since the GDPR went into effect.

The Irish Data Protection Commissioner has a similar experience.

The DPC had 2,795 breach reports come through its portal in 2017.

Since the GDPR went into effect not even one year ago, the number of reported breaches is at 4,136.

Per Cathal Ryan, assistant commissioner at the DPC, the mantra companies seem to subscribe to, “When in doubt, report it,” might no longer be the best approach. Companies may instead need to look more closely at whether a breach is actually reportable under the letter of the law.

Details from the International Association of Privacy Professionals.

Data monetization coming to California?

“In his first state of the state address on Tuesday, California Gov. Gavin Newsom proposed ‘a new data dividend’ that could allow residents to get paid for providing access to their data,” reports CNBC.

“California’s consumers should also be able to share in the wealth that is created from their data,” Newsom said. Tech companies that “make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it.”

Details from CNBC.

The Romanian Presidency of the Council of the EU has proposed a compromise on the issues holding up the EU e-Privacy Regulation.

Highlights:

  • A user’s consent to cookies should NOT be required for technical storage or access that is necessary and proportionate for the legitimate use of a service requested by the user. This may include:
    • session cookies for tracking input when filling in an online form
    • authentication session cookies
    • cookies remembering items selected in a shopping basket
    • cookies necessary for the provision of information society services requested by the user (e.g. those used by connected thermostats)
  • Consent SHOULD be required for cookies that collect information for purposes beyond what is necessary to provide the requested service.
  • To avoid cookie-consent fatigue, companies can implement technical measures that grant consent through transparent and user-friendly settings, e.g. granting consent to a specific provider for one or more specific purposes across one or more of that provider’s services, or consenting to the use of all or certain types of cookies by whitelisting one or several providers.

Read the full proposal.

Data privacy bills are pending in at least eight states, reports Sara Merken at Bloomberg Law.

State lawmakers are aiming to give citizens more control over their personal data. Some of the bills largely follow the lead of California, whose Consumer Privacy Act takes effect Jan. 1, 2020. Others are more narrowly focused on specific business practices.

Some highlights:

  • In North Dakota – a bill would require companies to provide to consumers, upon request, information about the types of personal information the companies collect and possess
  • In New York – one bill addresses biometric privacy and another would govern businesses’ collection and disclosure of personal information
  • In Utah – a bill would require law enforcement to get a warrant from a judge to access electronic information
  • In Washington state – a bill would allow consumers to ask companies for a copy of their personal data and to delete or correct inaccurate data and would also regulate facial recognition technology

Details in Bloomberg Law.

China is in the early stages of setting up a data protection regulatory framework with rules for consent; personal data collection, use and sharing; and user-requested deletion of data.

The intention is to build a Chinese data protection regime that is uniquely suited to China: one that builds consumer trust in a thriving digital economy but does not undermine the government’s ability to maintain control.

Consequently, Chinese companies are increasingly finding that the days of collecting data without public scrutiny are over—and Chinese consumers are vocally standing up for their own privacy in ways not seen before.

Details in Slate.

Data rights > data ownership?

That’s the position taken by Privacy International in its response to the recent editorial by artist will.i.am in The Economist, which called for tech giants to pay individuals for their data:

  • Data rights offer a system of control and protection that is much more comprehensive than ownership, and these rights continue to exist even after you share your data with others. They apply to data that others collect about you with or without your knowledge and they also apply to the insights and conclusions that they make about you.
  • Existing data protection laws, like the EU General Data Protection Regulation (GDPR), put a strong data rights system in place. Now is the time to focus efforts on making it easy to use and widely adopted.
  • As powerful as data rights are, they are not a silver bullet. Market dominance and other distortions are a growing concern which should be addressed as well.

Read Privacy International’s full argument.

The Illinois Supreme Court’s Ruling

On January 25, 2019, the Illinois Supreme Court issued its long-awaited opinion in Rosenbach v. Six Flags Entertainment Corp, ruling that the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), does not require an actual injury for a plaintiff to be considered “aggrieved” under the Act. The ruling, which was widely anticipated based on the court’s comments during oral argument, is widely expected to open the floodgates on class actions brought under BIPA, given the statutory damages available to plaintiffs. Indeed, in the first week since the ruling, at least 10 new BIPA class actions have been filed.

Under BIPA, parties that possess biometric identifiers (i.e. fingerprints, retina scans and voice recognition) are prohibited from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure. BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. BIPA also allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees.

What Next?

The court’s ruling stands at odds with the Northern District of Illinois’ recent decision in Rivera v. Google, in which that court ruled that, unless a party suffers an actual injury, it does not satisfy the “injury in fact” requirement of Article III standing to pursue a BIPA claim in federal court. Consequently, expect future BIPA cases to be filed in Illinois state courts.

While the Illinois Supreme Court’s ruling opens the door for an onslaught of BIPA litigation, certain defenses to such actions remain untested and will surely be litigated. For one, expect the issue of whether a plaintiff has consented to the use of his or her biometric information to be hotly contested. For plaintiffs who are employees, that likely means arguing over a company’s policies contained in a handbook or employment agreement. Indeed, employers would be well served to review their policies and agreements so that they specifically address the potential collection of employees’ biometric information.

Another line of defense may rest in a defendant’s ability to remove a case to federal court and then have it dismissed. If successful, a defendant could avoid liability to a plaintiff who does not suffer an actual injury if it can successfully use the parties’ diversity jurisdiction to remove the case and then argue that the plaintiff lacks Article III standing.

One thing is for sure – expect Illinois state courts to become a hotbed of BIPA litigation.