Much has been written about the European General Data Protection Regulation (GDPR). Commentators have touted the EU’s supposedly superior data protection regimen. But don’t lose focus on what is happening within the U.S. and the implications for U.S. companies that may not be focused on GDPR requirements. Even companies that are GDPR focused may not meet the upcoming requirements. At least three significant privacy legislation fronts in the U.S. bear mentioning:
- The 2008 Illinois Biometric Protection Act (BIPA) and the Jan. 25, 2019 ruling in Six Flags. Six Flags was significant because the Illinois Supreme Court ruled that a plaintiff need not allege or prove actual harm to impose statutory penalties on a BIPA violator.
- The California Consumer Privacy Act, as amended, along with other follow-the-leader states, including Massachusetts, New York, North Dakota, Utah and Washington.
- Federal legislative hearings and activity aimed at combating the problem, created by a “patchwork” of separate, individual state privacy laws.
The Illinois Biometric Protection Act
BIPA addresses the use of an individual’s biologically unique identifiers, such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. The Illinois legislature enacted the law in 2008, finding that biometrics are unique to the individual, and once compromised, the individual has no recourse and is at a heightened risk for identity theft. BIPA prohibits (among other things) a private entity from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s or customer’s biometric identifier without first:
- Informing the person or the person’s legally authorized representative that a biometric identifier is being collected or stored.
- Disclosing the specific purpose and length of term for which a biometric identifier is being collected, stored and used.
- Receiving a written release executed by the person or the person’s legally authorized representatives.
In the employment context, written release means a release executed by an employee as a condition of employment. Additionally, a private entity in possession of biometric identifiers must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers. It is also prohibited from selling or otherwise profiting from, or disclosing, biometric information without consent.
Any person aggrieved by a violation of BIPA has a private right of action against an offender and may recover for each violation liquidated damages of $1,000 for negligent violations or $5,000 for intentional violations (or actual damages if greater), plus attorney fees and other costs, and injunctive relief. Up until the Illinois Supreme Court’s Six Flags ruling, courts generally found that a plaintiff did not qualify as an “aggrieved” person if he or she failed to allege some actual injury or adverse effect, beyond a “mere” violation of the law by the offender.
The Illinois Appellate Court upheld that pleading requirement, but the Illinois Supreme Court reversed, finding that when a private entity fails to comply with BIPA’s requirements, that violation constitutes an “invasion, impairment or denial of the statutory rights of any person whose biometric identifier or biometric information is subject to the breach,” and that such a person was clearly “aggrieved” and entitled to seek recovery. This ruling is hailed as a significant boost to plaintiffs’ rights and opens the door in Illinois for similar cases to proceed.
In addition, another Illinois law—which was strengthened in 2017—requires companies possessing Illinois residents’ personal information to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
Likewise, contracts for services that include the disclosure of personal information concerning an Illinois resident must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. (See Section 45 of the Personal Information Protection Act, Data Security).
The California Consumer Privacy Act
On Jan. 1, 2020, the California Consumer Privacy Act (CCPA), as amended, is scheduled to take effect. However, due to the introduction of additional amendments, it’s not yet clear what the final law or implementing regulations will look like. However, there is still significant support for the law, in spite of certain industry-group objections.
In brief and as presently written, CCPA requires companies that meet the jurisdictional thresholds to disclose to consumers the categories of information they collect, along with the purposes for which the information is being collected. The law provides consumers (i.e. California residents) the right to:
- Request what specific personal information a business collects, sells or discloses, the sources from which data is collected, and the purposes for doing so.
- Request that a business delete their personal information.
- Opt out of having their personal information collected or sold. Consumers that opt out are protected against denial of goods and services, price discrimination and discrimination in quality of service.
As currently written, the law applies to for-profit businesses that, do business in California, and collect personal information about California consumers, and that meet at least one of the following three tests:
- Has annual gross revenue in excess of $25 million.
- Buys, receives for commercial purposes, sells or shares for commercial purposes the data of over 50,000 consumers annually.
- Derives over 50 percent of its revenue from selling consumers’ personal information.
The practical meaning of all of this is that if the law applies, a business must create policies that clearly delineate its data collection and use practices as well as create systems to track this information and honor consumers’ rights within the time periods mandated by CCPA. Although companies have long been required to maintain and post privacy policies about their data collection practices and uses—and the sufficiency of those policies have been the subject of enforcement actions by the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act, Unfair or Deceptive Acts or Practices—CCPA will more specifically set forth the requirements that those policies and practices must meet.
Moreover, CCPA violators face potentially severe penalties. As presently written, any business that violates the law, and fails to cure any alleged violation within 30 days after being notified, is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation, or $7,500 for each intentional violation, which is assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
The law is scheduled to go into effect on Jan. 1, 2020, but may not be enforced until the earlier of the date the California Attorney General issues regulations concerning CCPA, or July 1, 2020. Certain exemptions are written into the law and it does not apply to:
- Medical information governed by California’s Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associate governed by HIPAA regulations.
- Providers of health care governed by CMIA or a covered entity governed by HIPAA.
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, and subject to regulatory compliance.
- Sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
- Personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act implementing regulations, if it is in conflict with that law, or the California Financial Information Privacy Act.
- Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that act.
Hearings continue at the federal level in the Senate and House to consider establishing a federal privacy law consistent with the intent and purposes behind CCPA. On Feb. 27, 2019, the Senate Committee on Commerce, Science and Transportation held a hearing regarding Policy Principles for a Federal Data Privacy Framework in the United States, and the Senate Judiciary Committee held a hearing on March 12, 2019. At the latter, Google’s Senior Privacy Counsel and Intel’s Director of Security Policy and Global Privacy Officer advocated for a federal regulatory approach. The arguments being made for a federal regulatory approach include that, without a U.S. federal law, individual states will legislate, creating an unworkable patchwork of laws. This approach is confusing for individuals seeking to protect their rights, and for companies seeking to comply with the laws. Today, the patchwork approach already exists with respect to data breach notification laws: the 50 states have 50 different laws.
In January 2019, the United States Government Accountability Office (GAO) issued a Report on Internet Privacy to the Chairman of the House Committee on Energy and Commerce that was released to the public Feb. 15, 2019. GAO notes that it was asked to review federal oversight of Internet privacy due to several events.
In April 2018, Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of its users with a political consulting firm. This disclosure followed other incidents involving the misuse of consumers’ personal information from the Internet, which is used by about three-quarters of Americans. GAO found that there is no comprehensive U.S. Internet privacy law governing private companies’ collection, use, or sale of users’ data, and recommended that Congress consider developing comprehensive Internet privacy legislation to better protect consumers. Appendix II of the GAO’s report lists FTC’s internet privacy enforcement cases filed between July 2008 and June 2018, describing the summary of privacy allegations and the settlements with the FTC.
Although it’s difficult to predict the timing and scope of any federal privacy legislation—outside of the already existing federal laws governing certain industries, such as HIPAA in the health care industry and Gramm-Leach-Bliley in the financial industry—it is easy to see that as time goes on, U.S. privacy regulation will continue to become more and more complex.