With advances in technology and business marketing come changes in the law and new litigation. Many businesses are familiar with the federal Telephone Consumer Protection Act (TCPA) but may be less familiar with Florida’s version, the Florida Telephone Solicitation Act (FTSA). A recent wave of class-action lawsuits stems from 2021 amendments to the FTSA, largely focusing on businesses that use phone calls and text messages to advertise their products and services. The following examines nuances of the FTSA and why the measures businesses may put in place to comply with the TCPA may not pass muster in Florida.

Difference Between the TCPA and FTSA

The critical difference between the TCPA (as currently interpreted by the Supreme Court) and the FTSA is set forth in Fla. Stat. §501.059(8)(a). Specifically, subsection (8)(a) provides: A person may not make or knowingly allow a telephonic sales call to be made if such call involves an automated system for the selection or dialing of telephone numbers or the playing of a recorded message when a connection is completed to a number called without the prior express written consent of the called party.

Under both the TCPA and the FTSA, violations require the use of automatic equipment. However, while the Supreme Court has clarified that to qualify as an “automatic telephone dialing system” under the TCPA a device must have the capacity either to store or to produce a telephone number using a random or sequential number generator, the FTSA does not currently include a similarly limited definition. Rather, the FTSA’s lack of a definition has opened the door for plaintiffs to argue that any automated system that dials numbers, or selects the order in which numbers are dialed, fits within the statute. In short, if a business’s automatic equipment dials from a list, it will likely not implicate the TCPA but may still create risk under the FTSA. This is a critical point: in today’s technological environment, it is far more likely for entities to dial from a list for outreach than to use a random or sequential number generator.

In addition, the FTSA’s 2021 amendments added a requirement to obtain prior express written consent for such telephonic sales calls. The amendment also includes the elements prior express written consent should contain. 

The FTSA’s Critical Components

As noted, the FTSA prohibits all telemarketing sales calls, text messages, and direct-to-voicemail, also known as “ringless voicemail” messages, using an “automated system for selection or dialing of telephone numbers or playing of a recorded message” without prior express written consent.  In other words, it is against the law for a company to utilize automated telephone dialing systems or pre-recorded messages in all telemarketing sales calls, text messages, or direct-to-voicemail messages without the prior express written consent of the individual receiving the call. 

Consumers Covered

The law itself covers only Florida residents. The FTSA contains a rebuttable presumption that a call made to any Florida area code is made to a Florida resident or a person in Florida at the time of the call. The FTSA has been enforced against businesses located and incorporated outside Florida. While there may be legal challenges on this issue, it is imperative that out-of-state businesses ensure their communications to Florida residents comply with the FTSA.

Private Right of Action

Under the FTSA’s private right of action, any automated-call or do-not-call violation allows the recipient to recover $500 in statutory damages. The FTSA also provides for treble damages of up to $1,500 per violation for willful or knowing violations, plus attorneys’ fees.

Similar to the TCPA, the FTSA’s private right of action is not limited to automated calls but includes other violations such as calls to persons registered on Florida’s do-not-call list or making calls that fail to transmit the caller’s originating telephone number.

Based on the unique structure and provisions of the FTSA, in the past year businesses have faced a large number of FTSA claims, normally pled on a class basis. This means that an individual who claims that he or she did not provide prior written consent to receive an automated text message or phone call brings the action both individually and on behalf of all Florida residents who received texts or calls from the same business dating back to the 2021 amendments to the FTSA. As such, potential damages for a thousand-person putative class can quickly climb to six or seven figures. Thus, compliance is key.

Currently, defendants challenge the amendments to the FTSA by arguing that the Act is unconstitutional, plaintiffs do not have standing or actual harm, the cases should not be treated as class actions, and a myriad of other arguments. While these legal challenges continue, companies across the nation that conduct business and marketing in Florida should ensure their consents and practices comply with this law.

If you have questions regarding FTSA or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

To celebrate Data Privacy Day, we present our top ten data privacy and cybersecurity predictions for 2023.

1. Healthcare and Medical Data Security and Tracking

The healthcare industry has been facing increased scrutiny for the protection of healthcare information both online and on apps.

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further. 

Businesses in the healthcare industry should continue to work with counsel to review new ways of delivering healthcare services, including new technologies, with an eye toward the protection of medical information and privacy for patients. Building in protections from the outset can have significant advantages. Of course, medical device and technology companies also will need to consider how their devices and technologies could capture or affect medical information and the corresponding regulatory requirements and best practices.

2. A Patchwork of Legislation and Regulations Pertaining to Privacy and Cybersecurity

Currently, nine states are considering consumer privacy bills, including Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. This is already a complicated arena, as California, Colorado, Connecticut, Utah, and Virginia have laws on the books.

More cities and states will implement cybersecurity regulations with a view toward data protection and privacy, including in specific industries. In 2022, for example, we saw government entities such as the Nevada Gaming Commission issue security regulations for regulated entities in the gaming industry. The New York State Bar is now requiring its members, lawyers practicing in New York, to complete annual continuing legal education in cybersecurity.

The Biden Administration released its regulatory agenda, which aims at new cybersecurity requirements for government contractors, the maritime industry, public companies, and others. The Securities and Exchange Commission has also set goals to enact new cybersecurity regulations.

It will be important in 2023 for businesses to be more aware than ever about the data they are collecting, why it is processed, and how it is stored and safeguarded in order to comply with the myriad of privacy laws around the country.

3. California, California, California

California will continue to be a leader in the data privacy space, with both the implementation of its first-in-the-nation comprehensive consumer privacy law and further enforcement actions under that law. California will be sure to shape both state and national viewpoints on privacy requirements.

The California Privacy Protection Agency (CPPA) continues to work on revisions to regulations for the California Privacy Rights Act (CPRA). These changes are critical for covered organizations with respect to both their commercial activities and when functioning as an employer.

It does not stop there. Another first for California is that it is the first state to adopt a comprehensive law, AB 2273, addressing children’s online privacy.

4. Employee Privacy and Monitoring

As remote working remains mainstream, we will see more regulation of the monitoring of, and privacy protections for, employees. Last year, the NLRB’s General Counsel issued a memo on the electronic monitoring of employees. In the memo, the General Counsel suggested that employers establish “narrowly tailored” monitoring practices that address “legitimate business needs,” and that those needs be weighed against employees’ Section 7 interests. Even if the employer establishes that its narrowly tailored business needs outweigh those rights, the General Counsel will nonetheless “urge the Board to require the employer to disclose to employees the technologies it uses to monitor and manage them, its reasons for doing so, and how it is using the information it obtains,” unless the employer can establish special circumstances.

In some industries, “workplace” monitoring goes beyond the home office. Consider transportation and logistics. An increasing number of states are advancing legislation on digital license plates, which could include related vehicle tracking and related telematics technologies. California’s recent statute on vehicle tracking and fleet management creates significant obligations for employers monitoring their fleets using these technologies.

5. Federal Government to Join in Privacy Regulation

We’re going out on a bit of a limb here, as there have been predictions year after year that the federal government would enact a national privacy standard. Of course, none of those predictions came true. For sure, the federal government is on a much slower path toward joining the states in privacy regulation, but we definitely see it continuing its efforts, whether via administrative regulations by the Federal Trade Commission or proposed legislation toward national privacy protection. Perhaps this is the year!

6. AI, Automated Decision Systems and Privacy

2022 saw a tremendous uptick in the attention to and use of AI and Automated Decision Systems, along with the potential effects of both in employment and related circumstances. Naturally, this raises significant privacy concerns among many stakeholders, including the Biden Administration. According to the framework issued by the White House in 2022 pertaining to the use of AI, data privacy was one of the five protections that individuals should be entitled to when using AI.

As the use of AI and automated decision systems continues to spread through industries and everyday life, how individuals’ privacy will be safeguarded will be a growing concern.

7. More privacy-related lawsuits

2023 will see more privacy-related lawsuits as privacy laws proliferate across the country.

We will continue to see more litigation under Illinois’ Biometric Information Privacy Act (BIPA) as plaintiffs’ attorneys find more places where the law could apply, from dash cams to timekeeping. Other states may enact laws that fuel more litigation, as several states including Maryland, Mississippi, and New York are considering biometric privacy laws. The facial recognition ban enacted in the city of Portland a few years ago is beginning to see lawsuits filed under the ordinance.

While BIPA and the Telephone Consumer Protection Act (TCPA) continue to drive a significant amount of litigation, there is an emerging trend in cases seeking to apply newer technologies to privacy statutes such as the California Invasion of Privacy Act (CIPA), the Florida Telephone Solicitation Act (FTSA), the Video Privacy Protection Act (VPPA), and the Genetic Information Privacy Act (GIPA).

8. EU Continued Enforcement of Privacy Laws

Companies transferring personal data from the EEA (European Economic Area) to the U.S. may soon have an opportunity to leverage a new transfer mechanism. In October, President Biden signed Executive Order 14086 as part of the process to implement the EU-U.S. Data Privacy Framework (DPF), successor to the invalidated EU-U.S. Privacy Shield framework. The EU Commission has issued a draft decision that, upon adoption, will enable the DPF to proceed. In the meantime, the U.S. Department of Commerce announced it will help current U.S. Privacy Shield participants prepare to transition to the new framework.

In October, the European Data Protection Board approved Europrivacy, the first European Data Protection Seal. Europrivacy is a certification mechanism designed to help data controllers and processors demonstrate compliance with the GDPR.

Artificial Intelligence and data protection remain a top priority for the U.K. Information Commissioner’s Office. In November, the ICO published How to Use AI and Personal Data Appropriately and Lawfully. Earlier in the year, the EU Commission published an updated proposal for Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act). The proposal creates a legal framework and includes principle-based requirements for AI systems, harmonized rules for the development and use of AI systems, and a regulatory system.

9. Ransomware Attacks and Data Breaches Will Continue as Will Secondary Enforcement Actions

We will continue to see a flow of ransomware attacks, business email compromises, and other data breaches stemming from crafty hackers and cybersecurity lapses. In addition to business interruption costs and direct expenses incurred to respond to the incident, organizations will likely face more enforcement actions as states continue to tighten their data breach notification requirements.

Organizations cannot prevent all attacks from happening, but they can redouble their efforts around regulatory compliance, preparedness, and incident response planning. The stronger an organization is in these three areas, the more successful it likely will be in resolving a government agency enforcement action relating to a data breach.

10. More Focus on Critical Infrastructure Sector When it Comes to Cybersecurity and Privacy

In 2022, we saw the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, included within the Consolidated Appropriations Act, 2022. In short, the law requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):

  1. a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
  2. any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported)

Because of the ongoing threats to critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has started to focus more on this sector, as small to medium-sized providers have been under threat. Recently, in its review of 2022, CISA stated that the agency would focus on “target-rich, resource-poor entities” such as small water facilities that are part of critical infrastructure but don’t have large security teams.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2023.

Happy Privacy Day!

In honor of Data Privacy Day, we provide the following “Top 10 for 2022.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2022.

  1. State Consumer Privacy Law Developments

On January 1, 2020, the CCPA ushered into the U.S. a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collected and the categories of third parties to which the information was sold or disclosed;
  • The right to opt-out of the sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

In November of 2020, California voters passed the California Privacy Rights Act (CPRA), which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights. The CPRA’s operative date is January 1, 2023, and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements. For practical guidance on navigating compliance, check out our newly updated CCPA/CPRA FAQs.

In addition to California developments, in 2021 Virginia and Colorado also passed consumer privacy laws similar in kind to the CCPA, both effective January 1, 2023 (together with the CPRA). While the three state laws share common principles, including consumer rights of deletion, access, correction and data portability for personal data, they also contain key nuances that pose challenges for broad compliance. Moreover, at least 26 states have considered or are considering similar consumer privacy laws, which will only further complicate the growing patchwork of state compliance requirements.

In 2022, businesses are strongly urged to prioritize their understanding of what state consumer privacy obligations they may have, and strategize for implementing policies and procedures to comply.

  2. Biometric Technology Related Litigation and Legislation

There was a continued influx of biometric privacy class action litigation in 2021 and this will likely continue in 2022. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of his/her rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without the prior consent from employees required by law. This case was still alive and well at the start of 2022: after significant attempts by the defense to dismiss it, a federal district judge in Illinois declined to dismiss the proposed class action, finding that the allegations relating to “possession” and “collection” of biometric data pass muster at this stage. Many businesses have been sued under BIPA for similar COVID-related claims in the past year, and 2022 will likely see continued class action litigation in this space.

In 2021, biometric technology-related laws began to evolve at a rapid pace, signaling a continued trend into 2022. In July 2021, New York City established BIPA-like requirements for retail and hospitality businesses that collect and use “biometric identifier information” from customers. In September 2021, the City of Baltimore officially banned private use of facial recognition technology. Baltimore’s local ordinance prohibits persons (including residents, businesses, and most of the city government) from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology.” Other localities, including Portland (Oregon) and San Francisco, have also established prohibitions on the use of biometric technology. State legislatures have also increased their focus on biometric technology regulation. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have proposed such legislation. The proposed biometric law in New York state would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including a 2021 amendment in Connecticut and 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2022.

In response to the constantly evolving legislation related to biometric technology, we have created an interactive biometric law state map to help businesses that want to deploy these technologies, which inevitably require the collection, storage, and/or disclosure of biometric information, track their privacy and security compliance obligations.

  3. Ransomware Attacks

Ransomware attacks continued to make headlines in 2021, impacting large organizations including Colonial Pipeline, the Steamship Authority of Massachusetts, the NBA, JBS Foods, the D.C. Metropolitan Police Department and many more. Ransomware attacks are nothing new, but they are increasing in severity. There has been an increase in the frequency of attacks and in ransom payments, in large part due to increased remote work and the associated security challenges. The healthcare industry in particular has been substantially impacted since the onset of the COVID-19 pandemic: a recent study by Comparitech found that ransomware attacks on the healthcare industry have resulted in a financial loss of over $20 billion in impacted revenue, litigation and ransom payments, and that figure is still growing.

In fact, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) went so far as to issue a warning to be on high alert for ransomware attacks for holidays in light of numerous targeted attacks over other holidays earlier in the year.

Moreover, in 2021 the National Institute of Standards and Technology (NIST) released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management. The NIST profile provides steps for protecting against ransomware attacks, recovering from ransomware attacks, and determining your organization’s state of readiness to prevent and mitigate ransomware attacks.

Ransomware continues to present a significant threat to organizations as we move into 2022. Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends.

Here are some helpful resources for ransomware attack prevention and response:

  4. Biden Administration Prioritizes Cybersecurity

In large part due to the significant threat of ransomware attacks discussed above, the Biden Administration has made clear that cybersecurity protections are a priority. In May of 2021, on the heels of the Colonial Pipeline ransomware attack that snarled the flow of gas on the east coast for days, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, but was certainly prioritized as a result. The EO made a clear statement on the policy of the Administration: “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” This EO will mostly impact the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and will also influence the private sector.

Shortly after issuing the EO, the Biden Administration followed in August 2021 with a National Security Memorandum (NSM) intended to improve cybersecurity for critical infrastructure systems. This NSM established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”), a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.

The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat.  According to the President’s Memo, “we cannot address threats we cannot see.”

And most recently, in early January 2022, President Biden issued an additional NSM to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.  “Cybersecurity is a national security and economic security imperative for the Biden Administration, and we are prioritizing and elevating cybersecurity like never before…Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems,” stated the White House in its issuance of the latest NSM.

The U.S. government will continue to ramp up efforts to strengthen its cybersecurity as we head into 2022, impacting both the public and private sector. Businesses across all sectors should be evaluating their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

  5. COVID-19 Privacy and Security Considerations

During 2020 and 2021, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. And while we had high hopes that increased vaccination rates would put this pandemic in the rearview mirror, the omicron variant showed us otherwise. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures, resulting in the collection of medical and other personal information from employees and others. While the Supreme Court stayed OSHA’s ETS mandating that employers with 100+ employees require COVID-19 vaccination, and the Biden Administration ultimately withdrew it, some localities have instituted mandates depending on industry, and many employers have voluntarily decided to institute vaccine requirements for employees. Ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data, which may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to the data that organizations may collect in this context. In the case of employees, for example, the Americans with Disabilities Act (ADA) requires maintaining the confidentiality of employee medical information, and this may include COVID-19 related data. Several state laws also impose safeguard requirements and other protections for such data that organizations should be aware of when they, or others on their behalf, process that information.

Many employees will continue to telework during 2022 (and beyond). A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations continue to work to create safe environments for the in-person return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored, including the ADA, the Genetic Information Nondiscrimination Act, the CCPA, the GDPR and various state laws. This includes providing the required notice at collection under the California Consumer Privacy Act (CCPA), or the required notice and a documented lawful basis for processing under the GDPR, if applicable;
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring that vendors who have access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.

  6. “New” EU Standard Contractual Clauses

In July of 2020, the Court of Justice of the European Union (CJEU) published its decision in Schrems II, which declared the EU-US Privacy Shield invalid for cross-border data transfers and affirmed the validity of standard contractual clauses (“SCCs”) as an adequate mechanism for transferring personal data from the EEA, subject to heightened scrutiny. However, the original SCCs were unable to adequately address the EU Commission’s concerns about the protection of personal data.

On June 4, 2021, the EU Commission adopted “new” modernized SCCs to replace the 2001, 2004, and 2010 versions in use up to that point, effective since September 27, 2021. The EU Commission updated the SCCs to address more complex processing activities, the requirements of the GDPR, and the Schrems II decision. These clauses are modular so they can be tailored to the type of transfer. If a data exporter transfers data from the EU to a U.S. organization, the U.S. organization must execute the new SCCs unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company receives or accesses the data as a data controller or a processor. The original SCCs applied to controller-controller and controller-processor transfers of personal data from the EU to countries without a Commission adequacy decision. The updated clauses are expanded to also cover processor-processor and processor-controller transfers. While the existing SCCs were designed for two parties, the new clauses can be executed by multiple parties. The clauses also include a “docking clause” so that new parties can be added to the SCCs throughout the life of the contract.

The obligations of the data importer are numerous and include, without limitation:

  • documenting the processing activities it performs on the transferred data,
  • notifying the data exporter if it is unable to comply with the SCCs,
  • returning or securely destroying the transferred data at the end of the contract,
  • applying additional safeguards to “sensitive data,”
  • adhering to purpose limitation, accuracy, minimization, retention, and destruction requirements,
  • notifying the exporter and data subject if it receives a legally binding request from a public authority to access the transferred data, if permitted, and
  • challenging a public authority access request if it reasonably believes the request is unlawful.

The SCCs require the data exporter to warrant there is no reason to believe local laws will prevent the importer from complying with its obligations under the SCCs. In order to make this representation, both parties must conduct and document a risk assessment of the proposed transfer.

If an organization that transfers data cross-border has not already done so, it should be implementing the new procedures and documents for the SCCs, unless, of course, it is relying on an alternate transfer mechanism or an exception applies. Organizations will also need to review any ongoing transfers made in reliance on the old SCCs and take steps to comply. As with new transfers, this will require a documented risk assessment and a comprehensive understanding of the organization’s process for accessing and transferring personal data protected under the GDPR. For additional guidance on the new EU SCCs, our comprehensive FAQs are available here.

  1. TCPA

In April 2021, the U.S. Supreme Court issued a monumental decision with significant impact on the future of Telephone Consumer Protection Act (TCPA) class action litigation. The Court adopted a narrow reading, ruling that to qualify as an “automatic telephone dialing system,” a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.” The underlying decision of the Ninth Circuit was reversed and remanded.

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that “[t]he statutory context confirms that the autodialer definition excludes equipment that does not ‘us[e] a random or sequential number generator.’” The TCPA’s restrictions on the use of autodialers include using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call.” The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

The Supreme Court’s decision resolved a growing circuit split: several circuits had previously interpreted the definition of an ATDS broadly to encompass any equipment that merely stores and dials telephone numbers, while other circuits applied a narrower interpretation, in line with the Supreme Court’s ruling. It was expected that the Supreme Court’s decision would help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA litigation. In the six months following the Supreme Court’s decision, the Institute of Legal Reform documented a 31% drop in TCPA filings, compared to the six months prior to the ruling. Nonetheless, many claims based on broad ATDS definitions are still surviving the early stages of litigation in the lower courts, and some states have enacted (or are considering) “mini-TCPAs” which include a broader definition of ATDS. While the Supreme Court’s decision was considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance as they move into 2022.

  1. Global Landscape of Data Privacy & Security

2021 was a significant year for the global landscape of data privacy and security. As discussed above, on June 4th, the European Commission adopted new standard contractual clauses for the transfer of personal data from the EU to “third countries,” including the U.S. On August 20, China passed its first comprehensive privacy law, the Personal Information Protection Law (PIPL), similar in kind to the EU’s GDPR. The law took effect in November of 2021. In addition, China published 1) the Security Protection Regulations on the Critical Information Infrastructure and 2) the Data Security Law, which aim to regulate data activities, implement effective data safeguards, protect the legitimate rights and interests of individuals and entities, and ensure state security; both took effect in September of 2021. Finally, Brazil enacted the Lei Geral de Proteção de Dados Pessoais (LGPD), its first comprehensive data protection regulation, again with GDPR-like principles. The LGPD became enforceable in August of 2021.

In 2022, U.S. organizations may face increased data protection obligations as a result of where they have offices, facilities, or employees; whose data they collect; where the data is stored; whether it is received from outside the U.S.; and how it is processed or shared. These factors may trigger country-specific data protection obligations such as notice and consent requirements, vendor contractual obligations, data localization or storage concerns, and safeguarding requirements. Some of these laws may apply to data collection activities in a country regardless of whether the U.S. business is located there.

  1. Federal Consumer Privacy Law

Numerous comprehensive data protection laws have been proposed at the federal level in recent years. These proposals have generally stalled due to bipartisan debate over federal preemption and a private right of action. And while every year we ask ourselves whether this will be the year, 2022 may indeed be the year the U.S. enacts a federal consumer privacy law. 2022 has barely begun, and a coalition that includes the U.S. Chamber of Commerce together with local business organizations in over 20 states has issued a letter to Congress highlighting the importance of enacting a federal consumer privacy law as soon as possible.

“Data is foundational to America’s economic growth and keeping society safe, healthy and inclusive…Fundamental to the use of data is trust,” the coalition noted. “A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.”

Moreover, with California, Virginia, and Colorado all having comprehensive consumer privacy laws (as discussed above), and approximately half of U.S. states contemplating similar legislation, there is a growing patchwork of state laws that “threatens innovation and create consumer and business confusion,” as stated in the coalition’s letter to Congress.

Will 2022 be the year the U.S. government enacts a federal consumer privacy law? Only time will tell.  We will continue to update as developments unfold.

  1. Cyber Insurance

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are probably looking at much steeper rates, higher deductibles, and even co-insurance, compared to just a year or two ago. That is, if you can find a carrier willing to provide competitive terms at all, although there are some steps organizations can take to improve their insurability.

Claims paid under cyber insurance policies are significantly up, according to Marc Schein*, CIC, CLCS, National Co-Chair Cyber Center of Excellence for Marsh McLennan Agency who closely tracks cyber insurance trends. Mr. Schein identified the key drivers hardening the cyber insurance market: ransomware and business interruption.

According to Fitch Ratings’ Cyber Report 2020, insurance direct written premiums for the property and casualty industry increased 22% in the past year to over $2.7 billion, representing the demand for cyber coverage. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

These and other increases in claims and losses from cyberattacks have had a dramatic impact on cyber insurance. Perhaps the most concerning development for organizations in the cyber insurance market is the significantly increased scrutiny carriers are applying to an applicant’s insurability.

There are no silver bullets, but implementing administrative, physical, and technical safeguards to protect personal information may dramatically reduce the chances of a cyberattack, and that is music to an underwriter’s ears. As an organization heads into 2022, ensuring such safeguards are instituted and regularly reviewed can go a long way.

*      *     *     *     *

For these reasons and others, we believe 2022 will be a significant year for privacy and data security.

Happy Privacy Day!

In honor of Data Privacy Day, we provide the following “Top 10 for 2021.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2021.

  1. COVID-19 privacy and security considerations.

During 2020, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. This will continue in 2021 with the addition of vaccination programs. So, for 2021, ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to the data organizations may collect. In the case of employees, for example, the Americans with Disabilities Act (ADA) requires maintaining the confidentiality of employee medical information, and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organizations should be aware of when they, or others on their behalf, process that information.

Many employees will continue to telework during 2021. A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations work to create safe environments for the return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored including the ADA, Genetic Information Nondiscrimination Act, CCPA, GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable.
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring vendors who have access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.

  1. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)

On January 1, 2020, the CCPA ushered in a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collected and the categories of third parties to which the information was sold or disclosed;
  • The right to opt out of the sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

The CCPA carves out (albeit not entirely) employment-related personal information from the CCPA’s provisions. It limits employee rights to notice of the categories of personal information collected by the business and the purpose for doing so, and the right to bring a private right of action against a business that experiences a data breach affecting their personal information.

In November, California voters passed the California Privacy Rights Act (CPRA), which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights. The CPRA’s operative date is January 1, 2023, and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements.

In 2021, businesses can expect various states, including Washington, New York, and Minnesota to propose or enact CCPA-like legislation.

  1. Biometric Data

There was a continued influx of biometric privacy class action litigation in 2020, and this will likely continue in 2021. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of their rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Like many aspects of 2020, biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law. More class action lawsuits of this nature are likely on the horizon.

The law in this area is still lagging behind the technology but starting to catch up. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2021.

A report released by Global Market Insights, Inc. in November 2020 estimates that the global market valuation for voice recognition technology will reach approximately $7 billion by 2026, in large part due to the surge of AI and machine learning across a wide array of devices, including smartphones, healthcare apps, banking apps, and connected cars, to name a few. Voice recognition is generally classified as a biometric technology, one that allows the identification of a unique human characteristic (e.g., voice, speech, gait, fingerprints, iris or retina patterns), and as a result voice-related data qualifies as biometric information and, in turn, as personal information under various privacy and security laws. For businesses exploring the use of voice recognition technology, whether for use by their employees to access systems or when manufacturing a smart device for consumers or patients, there are a number of privacy and security compliance obligations to consider, including the CCPA, GDPR, state data breach notification laws, BIPA, COPPA, vendor contract statutes, and statutory and common law safeguarding mandates.

  1. HIPAA

During 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services was active in enforcing HIPAA regulations. The past year saw more than $13.3 million recorded by OCR in total resolution agreements. OCR settlements have impacted a wide array of health industry-related businesses, including hospitals, health insurers, business associates, physician clinics, and mental health/substance abuse providers. Twelve of these settlements were under the OCR’s Right to Access Initiative, which enforces patients’ rights to timely access to medical records at reasonable cost. It is likely this level of enforcement activity will continue in 2021.

The past year produced a significant amount of OCR-issued guidance relating to HIPAA. In March, OCR issued back-to-back guidance on COVID-19-related issues, first regarding the provision of protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the director of the OCR issued advice to entities subject to HIPAA in response to the influx of recent OCR enforcement actions: “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” Finally, in September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and in improving HIPAA Security Rule compliance, and shortly after it issued updated guidance on HIPAA for mobile health technology.

In December, Congress amended the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. In 2021, businesses will want to review their information security practices in light of applicable recognized security practices in an effort to demonstrate reasonable safeguards and potentially minimize penalties in the event of a cybersecurity incident.

  1. Data Breaches

The past year was marked by an escalation in ransomware attacks, sophisticated phishing emails, and business email compromises. Since many of these attacks were fueled in part by vulnerabilities created by an increased remote workforce, 2021 will likely be more of the same.

Co-Author: Eric R. Magnus

The Eleventh Circuit Court of Appeals recently ruled that “incentive” or “service” awards to lead plaintiffs in Rule 23 class actions are unlawful. It is the first circuit court of appeals to expressly invalidate such awards as a matter of law. (Johnson v. NPAS Solutions, LLC, No. 18-12344, September 17, 2020).

In a suit brought under the Telephone Consumer Protection Act (TCPA), a divided circuit panel struck down a $6,000 award to a lead plaintiff and, for this and other reasons, vacated a federal court’s order approving a proposed $1.432 million settlement. (There were 179,642 potential class members, who would have received only $7.97, but only 9,543 class members who submitted claims, bringing their haul to what could have been “a whopping $79.”)

Supreme Court precedent. The U.S. Supreme Court prohibited the award of incentive payments to plaintiffs more than a century ago, calling this particular fee for services “decidedly objectionable,” the Eleventh Circuit noted (citing Trustees v. Greenough, 105 U.S. 527 (1882), along with Central Railroad & Banking Co. v. Pettus, 113 U.S. 116 (1885), issued on the heels of that decision). This controlling precedent precedes Rule 23 by decades, as the plaintiffs pointed out, to no avail, in arguing that the decisions were nonbinding here. And these opinions seem to have gone unheeded in the 140 or so years since, the majority acknowledged, conceding that incentive awards are routine features of class settlements today.

“But, so far as we can tell, that state of affairs is a product of inertia and inattention, not adherence to law,” the court said, adding: “Although it’s true that such awards are commonplace in modern class-action litigation, that doesn’t make them lawful, and it doesn’t free us to ignore Supreme Court precedent forbidding them.”

The incentive award in this case is “part fee and part bounty,” according to the majority. Such awards amount to the kind of pay for services disfavored by the Supreme Court. What’s more, such fees are meant “to promote litigation by providing a prize to be won.”

Eleventh Circuit is an outlier. Judge Martin dissented on this point, and noted that the decision “takes our court out of the mainstream.” No other circuit court has barred incentive awards; in fact, “none has even directly addressed its authority to approve incentive awards,” she pointed out. Yet, as the majority countered, the courts appear to have abandoned the inquiry whether there is actually a legal basis for such awards, turning instead to the question whether such awards are fair.

Fee objection before fee petition? The appeals court also was troubled that, in granting preliminary approval to the slapdash settlement (over the objections of the appellant here), the district court effectively required class members to opt out or object to the attorney fee award even before class counsel filed their fee petition. The appeals court found a clear violation of Federal Rule of Civil Procedure 23(h) in setting the objection date prior to the motion for fees.

However, applying the harmless-error doctrine for the first time in the context of Rule 23(h), the court concluded that this error was harmless.

“Boilerplate” approval. In addition, the lower court violated the Federal Rules and circuit precedent more generally by failing to offer a reasoned explanation for its decision to approve the terms of a class settlement and to overrule objections. The appeals court recognized that the district court’s approach to evaluating the settlement was fairly common. Here again, though, as with the court’s approval of the incentive award, it is no answer to say, “That’s just how it’s done.”

“We don’t necessarily fault the district court—it handled the class-action settlement here in pretty much exactly the same way that hundreds of courts before it have handled similar settlements. But familiarity breeds inattention, and it falls to us to correct the errors in the case before us.”

Takeaways. As a practical matter, removing the prospect of service awards for Named Plaintiffs in class actions will impact the resolution of class actions within the Eleventh Circuit, adding further nuance to the negotiation of settlements and the drafting of settlement agreements.

This decision will also further increase judicial scrutiny of class action settlements in the Eleventh Circuit, a circuit that, since its seminal decision in Lynn’s Foods, Inc. v. United States in 1982, has been active in scrutinizing the terms of employment class action settlements, particularly in the area of wage and hour settlements.

A critical question that remains unanswered is whether the majority’s rationale will be applied in the context of collective actions brought under Section 216(b) of the Fair Labor Standards Act (FLSA) or to the settlement of hybrid claims under both Rule 23 and Section 216(b).

It also remains to be seen if other federal circuits will find the Eleventh Circuit’s holding persuasive, and likewise opt to prohibit the use of incentive payments, or whether the Eleventh Circuit has further distanced itself from its sister circuits in closely scrutinizing class action settlement terms.

As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

  1. Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
  2. Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
  3. Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
  4. Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
  5. Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election interference issued on March 2nd.
  6. Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up, which is prompting a significant uptick in compliance efforts.

The California Consumer Privacy Act and Its Admirers

On January 1, 2020, the long anticipated, hotly debated, and already amended California Consumer Privacy Act (CCPA) went into effect. According to a survey conducted by ComplianceWeek.com, however, nearly 80% of respondents felt either “somewhat confident,” “uncertain,” or “not confident at all” that they would be compliant by the effective date. These results may be due to a variety of reasons: a lack of awareness or resources, reliance on the extended CCPA enforcement date (July 1, 2020), a belief that the California Attorney General’s enforcement efforts will be directed elsewhere, and/or anticipation of final regulations or further guidance from the California Attorney General.

Nonetheless, many businesses are working on CCPA compliance: mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; building internal procedures to verify and respond to consumer requests; and tightening their safeguards for protecting personal information. These efforts are worthwhile for many businesses as they are likely to yield dividends beyond California.

Following California’s lead, a number of other states have introduced similar measures in 2020 regarding individual privacy rights. These legislative efforts include: Florida (SB 1670, HB 963); Hawaii (SB 418, SB 2451); Illinois (SB 2330); Maryland (HB 249); Nebraska (LB 746); New Hampshire (HB 1680); New Jersey (S269, S236, A2188); Vermont (H. 899); Virginia (HB 473); Washington (HB 2759). Earlier efforts began in 2019: New Mexico (SB 176); New York (A 6351, S 4411); Pennsylvania (HB 1049); Rhode Island (S 234, H 5930); and Texas (HB 4518). All of these measures may fail, but California’s influence on state privacy law is considerable. Remember, the country’s first data breach notification law became effective in 2003 in California, and now all 50 states, as well as a number of other countries, have such a law.

Adoption of Biometric Technology Grows, Along with Regulation

SourceToday.com reports that “by 2025, Zion Market Research expects the global next-generation biometric market to reach $36.8 billion, up from $12.9 billion last year.” The same report cites Deloitte’s 2018 global mobile consumer survey (US edition) which finds that at least one biometric authentication method is used by nearly half of U.S. smartphone owners. The trend for biometrics is on the rise.

Organizations that collect and use biometric identifiers or information (e.g., fingerprints, face scans, etc.) should be mindful of the increasing privacy and data security regulation around biometric technologies and applications. While biometrics may be helpful in preventing fraud, managing employees’ time, or improving security, these benefits must be weighed against the potential legal and compliance risks.

The most critical of these risks exists in Illinois under its Biometric Information Privacy Act (BIPA). Under BIPA, a plaintiff is entitled to statutory damages for violations, and actual harm is not required in order for an individual to sue. BIPA is at the heart of hundreds of putative class action lawsuits in Illinois. Compliance steps such as obtaining consent prior to collection or use and establishing a written policy may help mitigate risk. For more information on BIPA and biometric information related concerns, check out our FAQs.

Of course, BIPA does not present the only compliance concern. In California, for example, the CCPA includes biometric information as a specific category of personal information, and following a change in 2019, a breach of biometric information could trigger a notification requirement. Other states regulating biometric information in one form or another include, without limitation, Arkansas, Colorado, Florida, Massachusetts, Nebraska, New York, Texas, and Washington.

Organizations’ Websites Provide a Window Into Compliance

Websites facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services, and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation, making them a growing compliance concern, particularly as they are open to inspection by the public.

CCPA privacy policies, ADA accessibility, HIPAA notice of privacy practices, and COPPA consent mandates are just a few of the compliance requirements affecting websites and online applications or services. In 2020 and beyond, organizations will need to take a closer look at these and other compliance issues concerning their websites and online services.

Telephone Consumer Protection Act (TCPA)

While the Supreme Court did not choose to address whether the Hobbs Act (also known as the Administrative Orders Review Act) requires a district court to accept the Federal Communications Commission (FCC) interpretation of the TCPA (PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705), there have been a number of other developments impacting the TCPA. In December 2019, the FCC ruled that online faxes are TCPA exempt, and the Supreme Court recently granted certiorari on a petition to rule on the constitutionality of the TCPA. In granting certiorari, the Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment. The case could have a significant impact on TCPA claims. Further, Congress recently proposed the TRACED Act to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. Needless to say, 2020 should be an interesting year for the TCPA.

Cybersecurity, Cybersecurity, and Cybersecurity

A rundown of anticipated, critical cybersecurity risks vying for attention at the upcoming RSA Conference in 2020 (the world’s biggest conference for CISOs) should provide reason enough for organizations to redouble their efforts at tightening security. But that is not all.

Less than two months from now, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective, imposing expansive data security requirements on companies. Among other things, and similar to data security frameworks in other states such as California, Colorado, Massachusetts, and Oregon, the SHIELD Act requires that any person or business, including a small business, that owns or licenses computerized data which includes private information of a resident of New York must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.

Examples of practices considered reasonable administrative safeguards under the law include risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period.

Similar frameworks already exist in other states. For example, in 2018, Colorado enacted HB 1128, creating obligations for businesses to maintain “reasonable security procedures and practices” for protecting personal identifying information. Similar rules have been in place since 2010 in Massachusetts. Requirements for reasonable safeguards to protect personal information also exist in numerous other states such as Alabama, Florida, Nevada, Illinois, Indiana, and Utah.

But we will end where we began: the CCPA. We believe it will be an important driver of “reasonable safeguards” for personal information. This is because, similar to BIPA, the CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. As the CCPA provides for statutory damages, plaintiffs in these lawsuits may not have to show actual harm or injury to recover.

*      *     *     *     *

For these reasons and others, we believe 2020 will be a significant year for privacy and data security.

Happy Privacy Day!

In the final days of 2019, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED Act”) was signed into law to combat the increasing number of illegal robocall practices and other intentional violations of telemarketing laws. The TRACED Act, a bipartisan bill first introduced in Congress in 2018, broadens FCC authority to levy Telephone Consumer Protection Act (“TCPA”) civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. The new law will not put an immediate end to improper robocalling practices, which have been exacerbated in recent years by the growing industry of “spoofing” technology, but it will certainly cause individuals to think twice before engaging in illegal robocalling activity.

It is important to note that not all robocalling practices are illegal; generally, robocalls are permissible if the company has received written consent from a consumer to call in that manner. There are also a few types of robocalls that are permissible without written consent: purely informational calls (e.g., flight cancellations, appointment reminders, school delays), messages from certain healthcare providers, political calls, messages from charities, and debt collection calls (excluding services that offer to reduce your debt).

Below are several key provisions of the TRACED Act likely to be impactful in curbing improper robocall activity:

  • Requires the FCC to promulgate rules to help protect consumers from receiving unwanted calls or text messages from a caller with an unauthenticated number. Note: The FCC’s rulemaking process for this provision is already underway.
  • Requires the FCC to promulgate rules establishing when a provider may block a call based on information provided by a call authentication framework, and establishing a process to permit a calling party adversely affected by the authentication framework to verify the authenticity of their calls.
  • Requires the FCC and Department of Justice to assemble an interagency working group to study and report to Congress on the enforcement of the prohibition on certain robocalls, specifically looking into how to better enforce against robocalls by examining issues such as the types of policies, laws, and constraints that may be inhibiting enforcement.
  • Requires the FCC to initiate a proceeding to determine whether its policies regarding access to number resources could be modified to aid in reducing access to numbers by potential robocall violators.
  • Requires voice service providers to develop call authentication technologies. Providers may not charge for these services, and are given a safe harbor from liability for making reasonable efforts to effectively implement such technology.
  • Implements a forfeiture penalty for violations (with or without intent) of the prohibition on certain robocalls.
  • Increases the TCPA fines for robocall violations and extends the FCC’s statute of limitations on such violations. A violator can be fined up to $10,000 per call.

Much praise has been directed towards the recently enacted TRACED Act, including from Senator Chuck Schumer, who highlighted on Twitter that “Americans were battered by 48 billion robocalls last year (2019)…I’m so proud I fought for the #TRACEDact,” and from FCC Chairman Ajit Pai, who said in a statement on behalf of the FCC, “I applaud Congress for working in a bipartisan manner to combat illegal robocalls and malicious caller ID spoofing.” Nonetheless, only time will tell how effective the new law will be in deterring the practice of illegal robocalls, which only seems to be getting worse.

The recently enacted TRACED Act comes together with other areas of attention on the TCPA generally of late. In June 2019, the U.S. Supreme Court issued its long-awaited decision in PDR Network LLC v. Carlton, addressing the issue of whether the Hobbs Act requires the district court to accept the 2006 FCC Order, which provides the legal interpretation for the TCPA. Unfortunately, the Court dodged the issue, instead ruling unanimously that the lower court failed to consider two preliminary issues. A final decision in this case had been long awaited, and the wait continues. There is also a growing circuit split over the definition of Automatic Telephone Dialing System (ATDS) under the TCPA, and the FCC recently sought comments from the public on the scope of the TCPA, including the ATDS definition. Needless to say, 2020 should be an interesting year for the TCPA.