Search biometric

Welcome to Utah - Life Elevated - Welcome Signs on Waymarking.comJust as businesses are preparing to ensure compliance with similar laws in California, Colorado, and Virginia, they soon will need to consider a fourth jurisdiction, Utah. On March 24, 2022, Governor Spencer Cox signed a measure enacting the Utah Consumer Privacy Act (UCPA). The UCPA is set to take effect December 31, 2023. Note, Georgia and Massachusetts may be the next states to enact similar laws.

Key Elements

Again, as with the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA), UCPA was modeled in part on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). But there are some variations. Key elements of the UCPA include:

  • Jurisdictional Scope. The UCPA apples to controllers or processors that
    • conduct business in Utah or produce a product or service that is targeted to consumers who reside in Utah; and
    • have annual revenue of $25 million or more; and
    • satisfy one or more of the following: (i) during a calendar year, control or process personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Notably, as indicated above, it is not required that a controller be located in Utah to be subject to the UCPA.

 

  • Exemptions. The UCPA has a long line of entities and data to which the law does not apply. Although not an exhaustive list, some examples of excluded entities include governmental entities and their contractors when working on their behalf, tribes, non-profit corporations, institutions of higher education, HIPAA covered entities and business associates, and financial institutions. The UCPA also excludes certain categories of personal information, such as protected health information under HIPAA, identifiable private information involved in certain human subject research, deidentified information, and personal data regulated by FERPA. The UCPA also exempts personal data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that collection and use of the data are related to the individual’s role. This last exemption generally includes employee and applicant data, including the administration of benefits for individuals relating to employees.

 

  • Personal Data. Using a simpler definition than the CCPA/CPRA, the UCPA defines personal data to mean, “information that is linked or reasonably linkable to an identified individual or an identifiable individual.”

 

  • Sensitive Data. Like both the GDPR and the CPRA, the UCPA addresses a subset of personal data referred to as “sensitive data.” This is defined as personal data that reveals such items as racial or ethnic origin (unless processed by a video communication service); religious beliefs; medical history, mental or physical health, and medical treatment (unless processed by certain health care providers); sexual orientation, or citizenship or immigration status. This category of personal data also includes genetic and biometric data, as well as geolocation data. In general, controllers may not process sensitive data without providing clear notice and an opportunity to opt-out.

 

  • Consumer. A “consumer” under the UCPA is “an individual who is a resident of Utah acting in an individual or household context.” Like the VCDPA, Utah’s law states a consumer does not include a “natural person acting in a commercial or employment context.”

 

  • Consumer Rights. Subject to the exemptions and other limitations set forth under the law, Utah residents will be afforded the following rights with respect to their personal data:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To delete personal data that the consumer provided to the controller. It is unclear whether this includes data provided to a processor or other third party with respect to the controller;
    • To obtain a copy of their personal data that they previously provided to the controller in a portable and readily usable format that allows them to transmit the data to another controller without impediment, where the processing is carried out by automated means; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, or (ii) sale.

 

  • Controllers. Similar to the CCPA/CPRA, CPA, and VCDPA, controllers must provide an accessible and clear privacy notice that includes, among other things, the categories of personal data collected by the controller and how consumers may exercise a right with respect to their personal data. As with the CPRA, controllers are required to establish, implement, and maintain reasonable administrative, physical, and technical safeguards.

 

  • ProcessorsProcessors are persons that “process” (collect, use, store, disclose analyze, delete, or modify) personal information on behalf of controllers. Before processors may do so, they must enter into a contract that (i) clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations; (ii) requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and (iii) requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data. Businesses with consumers in multiple states will have to compare these required provisions against those required under the CPRA, CPA, and VCDPA, as well as other privacy and security frameworks that may be applicable.

 

  • Enforcement. The Utah Attorney General’s office has exclusive enforcement over the UCPA. In addition, a controller or processor must be provided 30 days’ written notice of any violation, allowing the entity the opportunity to cure the violation. Failure to cure the violation allows the Attorney General to recover actual damages to the consumer and a fine of up to $7,500 per violation. A private right of action is not available under the UCPA.

Takeaway

States across the country are contemplating ways to enhance their data privacy and security protections. Accordingly, organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

The Massachusetts Information Privacy and Security Act (MIPSA) continues to advance through the state legislative process, and is now before the full legislature. While the Act has several hurdles to clear before becoming law, its notable for two reasons. First, the comprehensive nature of the MIPSA exemplifies the direction state data protection laws are heading in the absence of a comprehensive federal consumer data protection law. Second, given the borderless nature of e-commerce, the most robust state consumer data protection law will likely become the de facto national consumer data protection law, and the MIPSA may take that title. This post highlights significant portions of the current version of the Act.

Who is protected? 

The MIPSA protects the personal information of Massachusetts residents.

Who is subject to the MIPSA?

The Act applies to an entity that has annual global gross revenue in excess of 25 million dollars; determines the purposes and means of processing of the personal information of not less than 100,000 individuals; or is a data broker. In addition, the entity conducts business in the state, or if not physically present in the state, processes personal information in the context of offering of goods or services targeted at state residents or monitors the in-state behavior of residents. Where an entity does not otherwise meet these criteria, it may voluntarily certify to the state Attorney General that it is in compliance with and agrees to be bound by the MIPSA.

Are any entities exempt?

Massachusetts state agencies and government bodies, national securities associations and registered futures associations are exempt.

What data is protected?

MIPSA applies to the personal information of a Massachusetts resident, which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual. Personal information does not include de-identified information or publicly available information. For the limited purposes of a sale, personal information also includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable household.

Does the Act include special protections for Sensitive Information?

The Act carves out heightened protections for sensitive information. These include the right to notice of collection and use, and the right to limit use and disclosure to purposes necessary to perform the services or provide the goods requested, and for other controller internal uses as authorized by the Act.

Sensitive information is personal information that reveals an individual’s racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, citizenship, or immigration status. It also includes biometric information or genetic information that is processed for the purpose of uniquely identifying an individual; personal information concerning a resident’s mental or physical health diagnosis or treatment, sex life or sexual orientation; specific geolocation information; personal information from a child; a Social Security Number, driver’s license number, military identification number, passport number, or state-issued identification card number; and a financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

Is any personal information exempt from the Act?

Protected health information under HIPAA is exempt as is certain data, information, and health records created under HIPAA and Massachusetts state law. Exempt data also includes data collected, processed, or regulated with respect to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, FCRA, Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, GLBA, COPPA, the Massachusetts Health Insurance Connector and Preferred Provider Arrangements.

Does the MIPSA apply to employee personal information or information collected in the B2B context?

The Act also exempts personal information collected and processed in the context of an individual acting as a job applicant to, an employee of, or an agent or independent contractor of a controller, processor, or third-party including emergency contact information and information used to administer benefits for another person relating to the individual.

Information collected and used in the course of an individual acting in a commercial context is exempt.

What are the controller’s obligations under the MIPSA?

The Act creates an affirmative obligation to implement appropriate technical and organizational safeguards to ensure the security of the information. In addition, the controller must have a lawful basis to process the personal information. Processing must be done in a fair and transparent manner, which includes providing appropriate privacy notices at or before the point of collection. The controller must collect personal information for an identified and legitimate purpose and processing should be limited to what is necessary to achieve the purpose. The information must be accurate and retained only as long as necessary to achieve the purpose for which it was collected. For processing that may involve a high risk of harm to individuals, the controller may be obligated to conduct a risk assessment. When engaging a processor, the controller must enter into a data processing agreement with the processor that contains mandated provisions designed to ensure the privacy and security of personal information.

What rights do protected individuals have?

Massachusetts residents have the right to know, access, port, delete and correct their personal information, subject to certain limitations. The Act also provides for the right to opt out of the sale of personal information and limit the use and disclosure of sensitive information in particular with respect to targeted advertising. The data controller is prohibited from discriminating against the individual for exercising any of these rights.

Can my organization be sued for violations of the law?

The MIPSA does not include a private cause of action for violations of the Act. However, the proposed bill also amends the state data breach notification law to provide residents with a private right of action where their personal information was subject to a data breach resulting from the entity’s failure to implement reasonable safeguards.

How will the law be enforced?

The state Attorney General is authorized to commence a civil investigation when there is reasonable cause to believe an entity has engaged in, is engaging in, or is about to engage in a violation of the Act. After notice, the entity will have 30 days to cure the violation. In the event the entity fails to cure, the Attorney General may seek a temporary restraining order, preliminary injunction, or permanent injunction to restrain any violations r and may seek civil penalties of up to $7,500 for each violation.

Next steps?

The MIPSA sets a high bar for data protection practices. Whether enacted in whole or part, the Act provides a road map for where data protection laws are headed. Many of the 2022 proposed state laws follow or surpass the protections introduced by the CCPA. Preparing to meet each more comprehensive law will require continued data mapping, ongoing evaluation and development of written information security programs, heightened scrutiny of vendor relationships and agreements, risk assessments, and updated employee data protection and security awareness training.

We will continue monitor the progress of this bill.

Facial recognition, voiceprint, and other biometric-related technology are booming, and they continue to infiltrate different facets of everyday life. The technology brings countless potential benefits, as well as significant data privacy and cybersecurity risks.

Whether it is facial recognition technology being used with COVID-19 screening tools and in law enforcement, continued use of fingerprint-based time management systems, or the use of various biometric identifiers such as voiceprint for physical security and access management, applications in the public and private sectors involving biometric identifiers and information continue to grow … so do concerns about the privacy and security of that information and civil liberties. Over the past few years, significant compliance and litigation risks have emerged that factor heavily into the deployment of biometric technologies, particularly facial recognition. This is particularly the case in Illinois under the Biometric Information Privacy Act (BIPA).

Read our Special Report which discusses these concerns and the growing legislating activity. You can also access our Biometric Law Map

In honor of Data Privacy Day, we provide the following “Top 10 for 2022.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2022.

  1. State Consumer Privacy Law Developments

On January 1, 2020, the CCPA ushered into the U.S. a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collection and the categories of third parties to which the information was sold or disclosed; and
  • The right to opt-out of sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

In November of 2020, California voters passes the California Privacy Rights Act (CPRA) which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights.  The CPRA’s operative date is January 1, 2023 and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements. For practical guidance on navigating compliance, check out our newly updated CCPA/CPRA FAQS.

In addition to California developments, in 2021, Virginia and Colorado also passed consumer privacy laws similar in kind to the CCPA, both effective January 1, 2023 (together with the CPRA). While the three state laws share common principles, including consumer rights of deletion, access, correction and data portability for personal data, they also contain key nuances, which pose challenges for broad compliance.  Moreover at least 26 states have considered or are considering similar consumer privacy laws, which will only further complicate the growing patchwork of state compliance requirements.

In 2022, businesses are strongly urged to prioritize their understanding of what state consumer privacy obligations they may have, and strategize for implementing policies and procedures to comply.

  1. Biometric Technology Related Litigation and Legislation

There was a continued influx of biometric privacy class action litigation in 2021 and this will likely continue in 2022. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of his/her rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law.  This case is still alive and well, at the start of 2022, after significant attempts by the defense, a federal district judge in Illinois declined to dismiss the proposed class action, as the allegations relating to violations regarding “possession” and “collection” of biometric data pass muster at this stage.  Many businesses have been sued under the BIPA for similar COVID related claims in the past year, and 2022 will likely see continued class action litigation in this space.

In 2021, biometric technology-related laws began to evolve at a rapid pace, signaling a continued trend into 2022.  In July 2021, New York City established BIPA-like requirements for retail and hospitality businesses that collect and use “biometric identifier information” from customers.  In September 2021, the City of Baltimore officially banned private use of facial recognition technology. Baltimore’s local ordinance prohibiting persons (including residents, businesses, and most of the city government) from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology”.  Other localities have also established prohibitions on use of biometric technology including Portland (Oregon), San Francisco. State legislatures have also increased focus on biometric technology regulation. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York state would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2021 amendment in Connecticut and 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2022.

In response to the constantly evolving legislation related to biometric technology, we have created an interactive biometric law state map to help businesses that want to deploy these technologies, which inevitably require the collection, storage, and/or disclosure of biometric information, track their privacy and security compliance obligations.

  1. Ransomware Attacks

Ransomware attacks continued to make headlines in 2021 impacting large organizations, including Colonial Pipeline, Steamship Authority of Massachusetts, the NBA, JBS Foods, the D.C. Metropolitan Police Department and many more. Ransomware attacks are nothing new, but they are increasing in severity. There has been an increase in frequency of attacks and higher ransomware payments, in large part due to increased remote work and the associated security challenges.  The healthcare industry in particular has been substantially impacted by the onset of the COVID-19 pandemic  – a recent study by Comparitech found that ransomware attacks on the healthcare industry has resulted in a financial loss of over $20 billion in impacted revenue, litigation and ransomware payments and growing.

In fact, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) went so far as to issue a warning to be on high alert for ransomware attacks for holidays in light of numerous targeted attacks over other holidays earlier in the year.

Moreover in 2021, the National Institute of Standards Technology (NIST)  released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management. The NIST framework provides steps for protecting against ransomware attacks, recovering from ransomware attacks, and determining you organization’s state of readiness to prevent and mitigate ransomware attacks.

Ransomware continues to present a significant threat to organizations as we move into 2022. Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends.

Here are some helpful resources for ransomware attack prevention and response:

  1. Biden Administration Prioritizes Cybersecurity

In large part due to significant threat of ransomware attacks discussed above, the Biden Administration has made clear that cybersecurity protections are a priority. In May of 2021, on the heels of the Colonial Pipeline ransomware attack that snarled the flow of gas on the east coast for days, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, however was certainly prioritized as a result. The EO made a clear statement on the policy of the Administration, “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” This EO will mostly impacts the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and also will influence the private sector.

Shortly after the Biden Administration issued the EO, it followed in August 2021 with the issuance of a National Security Memo (NSM) with the intent of improving cybersecurity for critical infrastructure systems. This NSM established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”) that will be a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.

The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat.  According to the President’s Memo, “we cannot address threats we cannot see.”

And most recently, in early January 2022, President Biden issued an additional NSM to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.  “Cybersecurity is a national security and economic security imperative for the Biden Administration, and we are prioritizing and elevating cybersecurity like never before…Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems,” stated the White House in its issuance of the latest NSM.

The U.S. government will continue to ramp up efforts to strengthen its cybersecurity as we head into 2022, impacting both the public and private sector. Businesses across all sectors should be evaluating their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

  1. COVID-19 privacy and security considerations

During 2020 and 2021, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. And while we had high hopes that increased vaccination rates would put this pandemic in the rearview mirror, the latest omicron strand showed us otherwise. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. While the Supreme Court has stayed OSHA’s ETS mandating that employers with 100+ employees require COVID-199 vaccination and the Biden Administration ultimately withdrew the same, some localities have instituted mandates depending on industry, and many employers have voluntarily decided to institute vaccine requirements for employees.  Ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to data the organizations may collect in this instance. In the case of employees, for example, the Americans with Disability Act (ADA) requires maintaining the confidentiality of employee medical information and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organization should be aware of when they or others on their behalf process that information.

Many employees will continue to telework during 2022 (and beyond). A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations continue to work to create safe environments for the in-person return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored including the ADA, Genetic Information Nondiscrimination Act, CCPA, GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable.
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring vendors who have has access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.
  1. “New” EU Standard Contractual Clauses

In July of 2020 the Court of Justice of the European Union (CJUE) published its decision in Schrems II which declared the EU-US Privacy Shield invalid for cross border data transfers and affirmed the validity standard contractual clauses (“SCCs) as an adequate mechanism for transferring person data from the EEA, subject to heightened scrutiny.  However, the original SCCs were unable to adequately address the EU Commission’s concerns about the protection of personal data.

On June 4, 2021, the EU Commission adopted “new” modernized SCCs to replace the 2001, 2004, and 2010 versions in use up to that point – effective since September 27,2021. The EU Commission updated the SCCs to address more complex processing activities, the requirements of the GDPR, and the Schrems II decision. These clauses are modular so they can be tailored to the type of transfer.  if a data exporter transfers data from the EU to a U.S. organization, the U.S. organization must execute the new SCCs unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company receives or accesses the data as a data controller or processor. The original SCCs apply to controller-controller and controller-processor transfers of personal data from the EU to countries without a Commission adequacy decision. The updated clauses are expanded to also include processor-processor and processor-controller transfers. While the existing SCCs were designed for two parties, the new clauses can be executed by multiple parties. The clauses also include a “docking clause” so that new parties can be added to the SCCs throughout the life of the contract.

The obligations of the data importer are numerous and include, without limitation:

  • documenting the processing activities it performs on the transferred data,
  • notifying the data exporter if it is unable to comply with the SCCs,
  • returning or securely destroying the transferred data at the end of the contract,
  • applying additional safeguards to “sensitive data,”
  • adhering to purpose limitation, accuracy, minimization, retention, and destruction requirements,
  • notifying the exporter and data subject if it receives a legally binding request from a public authority to access the transferred data, if permitted, and
  • challenging a public authority access request if it reasonably believes the request is unlawful.

The SCCs require the data exporter to warrant there is no reason to believe local laws will prevent the importer from complying with its obligations under the SCCs. In order to make this representation, both parties must conduct and document a risk assessment of the proposed transfer.

If an organization that transfers data cross border has not already done so it should be implementing the new procedures and documents for the SCCs. This is, of course, if they are not relying on an alternate transfer mechanism or an exception exists. Organizations will also need to review any ongoing transfers made in reliance on the old SCCs and take steps to comply. As with new transfers, this will require a documented risk assessment and a comprehensive understanding of the organization’s process for accessing and transferring personal data protected under GDPR. For additional guidance on the new EU SCCs, our comprehensive FAQs are available here.

  1. TCPA

In April 2021, the U.S. Supreme Court issued a monumental decision with significant impact on the future of Telephone Consumer Protection Act (TCPA) class action litigation. The court narrowly ruled to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator”.  The underlying decision of the Ninth Circuit was reversed and remanding.

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that, “[t]he statutory context confirms that the autodialer definition excludes equipment that does not “us[e] a random or sequential number generator.””  The TCPA’s restrictions on the use of autodialers include, using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call”. The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

The Supreme Court’s decision resolved a growing circuit split, where several circuits had previously interpreted the definition of an ATDS broadly  to encompass any equipment that merely stores and dials telephone numbers, while other circuits provided a narrower interpretation, in line with the Supreme Court’s ruling. It was expected the Supreme Court’s decision would help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA litigation. In the six months following the Supreme Court’s decision, the Institute of Legal Reform documented a 31% drop in TCPA filings, compared to the six months prior to the ruling.  Nonetheless, many claims based on broad ATDS definitions are still surviving early stages of litigation in the lower courts, and some states have enacting (or are considering) “mini-TCPAs” which include a broader definition of ATDS. While the Supreme Court’s decision was considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance, as they move into 2022.

  1. Global Landscape of Data Privacy & Security

2021 was a significant year for the global landscape of data privacy and security.  As discussed above, on June 4th, the European Commission adopted new standard contractual clauses for the transfer of personal data from the EU to “third countries”, including the U.S. On August 20, China passed its first comprehensive privacy law, the Personal Information Protection Law (PIPL), similar in kind to the EU’s GDPR.  The law took effect in November of 2021.  In addition, China published 1) Security Protection Regulations on the Critical Information Infrastructure and 2) the Data Security Law which aim to regulate data activities, implement effective data safeguards, protect individual and entity legitimate rights and interests, and ensure state security – both effective September of 2021.  Finally, Brazil enacted  Lei Geral de Proteção de Dados Pessoais (LGPD), its first comprehensive data protection regulation, again with GDPR-like principles. The LGPD became enforceable in August of 2021.

In 2022, U.S. organizations may face increased data protection obligations as a result of where they have offices, facilities, or employees; whose data they collect; where the data is stored; whether it is received from outside the U.S.; and how it is processed or shared. These factors may trigger country-specific data protection obligations such as notice and consent requirements, vendor contractual obligations, data localization or storage concerns, and safeguarding requirements. Some of these laws may apply to data collection activities in a country regardless of whether the U.S. business is located there.

  1. Federal Consumer Privacy Law

Numerous comprehensive data protection laws were proposed at the federal level in recent years. These laws have generally stalled due to bipartisan debate over federal preemption and a private right of action. And while, every year, we ask ourselves whether this will be the year, 2022 may indeed be the year the U.S. enacts a federal consumer privacy law.  2022 has barely begun and a coalition which includes the U.S. Chamber of Congress together with local business organizations in over 20 states have issued a letter to Congress highlighting the importance of enacting a federal consumer privacy law as soon as possible.

“Data is foundational to America’s economic growth and keeping society safe, healthy and inclusive…Fundamental to the use of data is trust,” the coalition noted. “A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.”

Moreover, with California, Virginia, and Colorado all with comprehensive consumer privacy laws (as discussed above), and approximately half of U.S. states contemplating similar legislation, there is a growing patchwork of state laws that “threatens innovation and create consumer and business confusion,” as stated in the coalition’s letter to Congress.

Will 2022 be the year the U.S. government enacts a federal consumer privacy law? Only time will tell.  We will continue to update as developments unfold.

  1. Cyber Insurance

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are probably looking at much steeper rates, higher deductibles, and even co-insurance, compared to just a year or two ago. This is dependent on finding a carrier to provide competitive terms, although there are some steps organizations can take to improve insurability.

Claims paid under cyber insurance policies are significantly up, according to Marc Schein*, CIC, CLCS, National Co-Chair Cyber Center of Excellence for Marsh McLennan Agency who closely tracks cyber insurance trends. Mr. Schein identified the key drivers hardening the cyber insurance market: ransomware and business interruption.

According to Fitch Ratings’ Cyber Report 2020, insurance direct written premiums for the property and casualty industry increased 22% in the past year to over $2.7 billion, representing the demand for cyber coverage. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

The effects of these, other increases in claims, and losses from cyberattacks had a dramatic impact on cyber insurance. Perhaps the most concerning development for organizations in the cyber insurance market is the significantly increased scrutiny carriers are applying to an applicant’s insurability.

There are no silver bullets, but implementing administrative, physical and technical safeguards to protect personal information may dramatically reduce the chances of a cyberattack, and that is music to an underwriter’s ears. As an organization heads into 2022, ensuring such safeguards are instituted and regularly reviewed, can go a long way.

*      *     *     *     *

For these reasons and others, we believe 2022 will be a significant year for privacy and data security.

Happy Privacy Day!

Few want to get past the COVID-19 pandemic more than leaders of federal and state unemployment benefit departments. For the last 2 years they have been successfully targeted for fraud and data breaches, racking up billions in losses. Thousands of employees across the country, including yours truly, have had false claims submitted in their name.

Why is this happening? It appears to be a combination of factors, most leading back to one driving force – COVID-19. Congress’ passing rich unemployment compensation benefits to offset the economic carnage stemming from the pandemic created a significant incentive for criminal hackers, specifically the Pandemic Unemployment Assistance (PUA) program. During the same time, the numbers of workers in state unemployment offices went down due to layoffs, while the number of applications for unemployment benefits skyrocketed. Couple that with an expansion of benefits to workers without traditional pay stubs (e.g., gig workers) making verification harder, and data security gaps and challenges regularly facing state agencies and organizations generally, and there is a perfect storm for fraud and data breaches to proliferate.

Here’s a rundown of just some of the losses reported by Yahoo!news:

  • Oregon – $24 million in 2020
  • Washington – $646 million in 2020
  • California – $20 billion, since the start of the pandemic through October 2021
  • Federal – $87.3 billion since the start of the pandemic through September 30, 2021, per the DOL (relying on a historical improper payment rate of 10%).

What are some of the effects? There is, of course, a significant loss of taxpayer dollars, not to mention all the time spent trying to resolve the fraud, getting the much-needed benefits to those whose benefits were delayed due to the fraud, and implementing stronger controls.

With so many employees learning of and reporting false unemployment claims being submitted in their name, employers across the country have had to jump into to help. Frequently, many employees at a single company reported fraud at the same time, making it seem as if the company was the victim of a breach. While it is always important to appropriately investigate suspected data incidents, a compromise to the employer’s systems generally was not the reason for the employees’ reports in these cases.

Is it coming to an end? Maybe not. On Friday, Pennsylvania’s Department of Labor and Industry (L&I) reported it is investigating “sophisticated attacks” on its systems. According to reports,

unemployment recipients stopped receiving their checks, and that L&I telephone agents told they were among numerous Pennsylvanians whose direct-deposit banking information had been changed

What can affected organizations and individuals do? Affected federal and state agencies have been and continue to be taking steps to minimize these attacks and the resulting fraud. One of those steps is to deploy facial recognition technologies to more strongly verify the the identities of claimants. By late summer, more than half of the states in the U.S. have contracted with ID.me to provide ID verification services. For private sector organizations, the deployment of such technologies to verify identities of customers and employees faces a growing web of regulation.  Other efforts to curb this kind of activity includes steps all organizations might consider, like enabling multi-factor authentication (MFA). This is something the PA L&I wished it did. Hopefully, pandemics are not regular occurrences. But planning for business interruption is critical.

For organizations and their employees affected by unemployment fraud, it is important to quickly report incidents and follow recommended steps by the applicable agency. Below are just a few of the online resources that may be helpful.

Efforts to secure systems and data from a cyberattack often focus on measures such as multifactor authentication (MFA), endpoint monitoring solutions, antivirus protections, and role-based access management controls, and for good reason. But there is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

In December 2021, RIPTA sent notification of a data breach to several thousand individuals who were not RIPTA employees. Reports of the incident prompted inquiries from a state Senator in Rhode Island, Louis P. DiPalma, and union officials who represented the affected individuals. According to Rhode Island’s Department of Administration (DOA), a forensic analysis conducted in connection with the incident indicates the affected files included health plan billing records pertaining to State of Rhode Island employees, not RIPTA employees. The DOA goes on to state that:

[s]tate employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the state’s health plan billing.

An investigation is underway to confirm exactly what happened. The content of recent conversations between state officials and union representatives reported in the press indicate that an RIPTA payroll clerk received a file containing state employee health plan data in August 2020, stored it on the employee’s hard drive, where it remained until August 2021, when the cyberattack on RIPTA occurred. It is unclear why the employee received the information, from whom, or whether it was appropriate to maintain it.

Regardless, the “minimum necessary” principle, simply stated, requires that organizations take reasonable steps so that confidential and personal information are only accessed, used, maintained, or disclosed to carry out the applicable business functions. Consider, for example, that retention policies are becoming increasingly important from a compliance perspective, such as with regard to the California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and the Illinois Biometric Information Privacy Act (BIPA).  This principle can be applied at multiple points in the operations of the organization, including without limitation:

  • When requesting information. Think about what elements of information the organization collects from customers, students, patients, vendors, employees, and others. Is it more information than is needed to carry out the purpose(s) for the collection? Can portals, forms, etc. be modified to limit the information collected?
  • When receiving information. Employees cannot always control the information they receive from parties outside the organization. But when they do, what steps or guidelines are in place to determine what is needed and what is not needed? For information that is not needed, what is the process for alerting the sender, if necessary, returning the data, and/or removing it from the systems?
  • When using information. Employees carry out many critical business functions that require the use of confidential and personal information. Do they always need all of it? Are there instances where less information can be sufficient for the processing of an important business function.
  • When storing information. The task at hand has been completed and the question becomes what information should be retained. The answer can be a complex web of legally mandated retention requirements, contractual obligations, business needs, and other considerations. But organizations should carefully analyze these issues an establish protocols for employees to follow. Note that under the CPRA, a covered business may not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose it was collected.
  • When responding to requests or disclosing information. Whether engaging in billing and collection activities, responding to an attorney demand letter, reporting information to the government, administering benefit plans for employees, or any number of other typical business functions, organizations make disclosures of confidential and personal information. Important questions to ask are (i) what data does the requesting party really need, (ii) what classifications of information are actually in the file being disclosed and are there limitations on the disclosure of that information, and (iii) whether the response or disclosure can have the same effect with less data.

In thinking about these questions, there may not be a clear right or wrong answer to whether the information should or should not have been collected, used, stored, or disclosed. However, from a risk management perspective, it is helpful to review business procedures, practices, operations, forms, etc. for ways to minimize exposure to confidential and personal information. Applying the minimum necessary principle can be an effective way of minimizing the organization’s data footprint so that should it experience a security incident, there is the possibility for less data to be compromised.

The use of smart dashcams and vehicle cameras, including those leveraging AI technology, may trigger the next wave of BIPA litigation, according to two cases filed in Illinois this week.

Enacted in 2008, the Illinois Biometric Information Privacy Act, 740 ILCS 14 et seq. (the “BIPA”), went largely unnoticed until a few years ago when a handful of cases sparked a flood of putative class action litigation over the collection, use, storage, and disclosure of biometric information. Many of these cases were filed by plaintiffs who alleged BIPA violations when time management devices called for them to swipe their finger to clock in or out of work. Use of those devices, many plaintiffs claim, resulted in the collection of their fingerprints without the corresponding notice, consent, and other measures required under the BIPA. The focus may be shifting to a new technology: AI-powered dashcams.

Organizations whose employees drive regularly to perform job functions raise several issues – safety, productivity, loss prevention, expense reimbursement, among others. For these reasons, some organizations deploy telematics and related technologies to better manage their fleets. A tool in this process is the vehicle camera, such as dashcams, that are capable of monitoring (and recording) video and/or audio of the driver, passengers, and in some cases persons outside the vehicle. These devices also can track location and how a vehicle is being driven – hard acceleration, sharp turns, lane changing, etc. But, it is the use of AI and machine learning technologies that is raising questions about whether biometric identifiers and/or information are being collected.

According to at least one of these recently filed complaints, the vehicle camera does not just take a traditional video recording of the driver. It uses AI and machine learning technologies to detect driver behavior. More specifically, product descriptions claim the intelligent cameras can identify if drivers are inattentive, distracted, or tired through facial mapping technology which scans the geometry of the face and analyzes the resulting data.

Under BIPA, a “biometric identifier” generally means “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and “biometric information,” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

It is unclear at this point whether these complaints have any merit, however, organizations that are using AI-powered vehicle cameras should be reviewing that technology carefully with their vendors to understand the nature and extent of the data being collected. For assistance with understanding the legal framework concerning biometric information, please see our Biometric Law Map

The CCPA has reached the two-year mark. This is a good time for businesses to review the success of their compliance programs, recalibrate for the CCPA’s third year, and gear up for the CPRA’s January 1, 2023 effective date.

Here are a few suggestions:

  1. Privacy Policies. The CCPA requires a business to update the information in its privacy policy or any California-specific description of consumers’ privacy rights at least once every twelve months. If your business has not already done so, now is a good time to review both online and offline data collection practices to ensure privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) collected in the preceding 12 months, the categories of PI sold in the preceding twelve months, and the categories of PI it disclosed for a business purpose in the last 12 months.

Given the challenges of the last few months, your business may be collecting PI beyond what it currently discloses in its privacy policies. For example, the business may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.

If your business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notice at collection”, including employee and job applicant privacy notices.

  1. Employee training. The CCPA requires that a business ensure all employees handling inquiries about consumer rights, the businesses’ privacy practices, or its compliance with the CCPA are informed of applicable CCPA requirements. Businesses will want to
  • review training programs to ensure they include appropriate CCPA related content;
  • determine whether employee handbooks and manuals have been updated accordingly; and,
  • document that relevant employees have received training.
  1. Reasonable Safeguards. The CCPA does not currently create an affirmative obligation to implement reasonable safeguards for protecting consumer PI; however, it provides a private right of action to consumers whose PI has been involved in a data breach resulting from the business’s failure to implement reasonable security safeguards. With this in mind, your business will want to review whether it has
  • performed an annual risk assessment to identify new or enhanced risks, threats, or vulnerabilities to its systems or the PI it collects or maintains;
  • reviewed and updated its written information security program and data retention schedule;
  • practiced its incident response plan; and
  • updated its vendor management program to address cyber-based risk.

CCPA compliance is an ongoing activity, and these action items are worthy of review at the one-year mark. However, further year-end review might also include

  • an assessment of the business’s website’s accessibility;
  • confirmation that service provider agreements have been amended to satisfy the CCPA; and
  • incorporation of relevant CCPA provisions in new service provider contracts.

Although the CCPA does not mandate implementing reasonable safeguards, this will change effective January 1, 2023. The CPRA, which amends the CCPA, creates an affirmative duty to do so. Businesses should use the next year to identify what constitutes reasonable safeguards for their data and systems, begin implementing those safeguards, update internal policies and procedures as necessary, and train staff.

The CPRA also amends the CCPA disclosure requirements to include information relating to the collection and use of “sensitive personal information”. In addition, California consumers will have the right to limit the business’s use of this information in certain circumstances, similar to the right to opt out of the sale of personal information. In order to comply, businesses may need to revisit and expand their data mapping to capture sensitive personal information.

These are just two examples that necessitate reviewing your business’s data protection program and setting in motion processes to prepare for the CPRA. We will continue to post on steps your business can take in anticipation of January 1, 2023.

The leaders of our Wage & Hour Practice, Justin Barnes Jeffrey Brecher and Eric Magnus collaborated with us on this article.

According to reports, Kronos, the cloud-based, HR management service provider, suffered a data incident involving ransomware affecting its information systems. Kronos communicated that it discovered the incident late on Saturday, December 11, 2021, when it “became aware of unusual activity impacting UKG solutions using Kronos Private Cloud.”   Shortly after,  Kronos issued a helpful Q & A for customers impacted by the incident. The company confirmed:

[T]his is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

This incident has already impacted time management, payroll processing, and other HR-related activities of organizations using the affected services. Ransomware and similar attacks also could compromise confidential and personal information maintained on affected systems, although there is no indication of that at this point. Clearly, organizations that use these services can be affected in several ways. The FAQs below provide information on some of the key issues these organizations should be thinking about.

Isn’t this really Kronos’ problem?

This certainly is a significant issue for Kronos and, based on communications from Kronos, the company is in the process of remediating the incident and alerting its impacted customers. However, because of the nature and extent of the services Kronos provides to its customers (i.e., employers), there are several issues that HR, IT and other groups inside organizations that are customers of the affected services need to be doing. We address some of those items below.

From a communications perspective, this incident likely will receive significant news coverage, prompting questions from employees about the impact of the incident on their personal information, their schedules, their pay, etc. Employers will need to think carefully about how to respond to these inquiries, especially when there is little known at this point about the incident.

From a compliance perspective, employers should be reviewing and implementing their contingency plans depending on the scope of services received from Kronos. For example, clients using Kronos time management systems should be evaluating what measures they should be implementing to ensure their employees’ time is properly captured and paid. A company has a legal obligation to accurately track hours worked, regardless of whether their third-party vendor (like Kronos) responsible for the task can do so or not. Clients might want to institute, in the short-term, paper timekeeping and tracking systems to ensure that employees are taking appropriate breaks and being paid for all time worked. It would be especially helpful in this situation to have employees sign off that the amount of time they report and the breaks they took are accurate.

From a cybersecurity standpoint, the answer to the question of whether this is only Kronos’ problem likely is no. All 50 states, as well as certain cities and other jurisdictions, have breach notification laws. If there is a breach of security under those laws, there may be a notification obligation. The notification obligation to affected individuals largely rests with the owner of that information, which likely would be employers. We anticipate that if notification is required, Kronos may take the lead on that, although employers will want some assurances that notification will be provided in a time and manner consistent with applicable law.

What should we be doing?

There are several steps employers likely will need to take in response to this incident, not all of which are clear at this point because of what little is currently known. Still, there are some action items affected employers should be considering:

  • Stay informed. Closely follow the developments reported by Kronos, including coordinating with your HR and IT teams.
  • Consult with counsel. Experienced cybersecurity and employment counsel can help employers properly identify their obligations and coordinate with Kronos, as needed.
  • Communicate with employees. Maintaining accurate and consistent communications with employees is critical, especially considering a significant part of the discussions around this incident could be taking place in social media. Your employees and their representatives, where applicable, may already be aware of this incident. To be prepared to address and respond to employee concerns, organizations should consider providing an initial short summary of the incident to potentially impacted individuals as soon as possible. That communication could be expanded over time with more information as it come available, perhaps in the form of FAQs like these. Less is more on the initial communication, again, given what little is known. However, it is important to let employees know the organization is aware of the incident and actively taking steps to mitigate its effects on employees.
  • Review Your Kronos Services and Service Agreement. Begin evaluating the services that the organization receives from Kronos. This will help to implement contingency plans, but also to assess the nature and extent of the information that Kronos maintains on the organization’s behalf. The organization might be able to conclude early on that, while there may be impacted systems and operations, Kronos was not in possession of the kind of personal information pertaining to employees of the organization that could lead to a breach notification obligation. This information could be reassuring for employees. Also, review the services agreement between the organization and Kronos as it may include provisions that have particular relevance here. For example, the agreement may outline a process agreed to between the parties for handling data incidents like this.
  • Review your cyber insurance policy. It might be premature to make a claim against the organization’s cyber policy, assuming the organization has a cyber policy – an important consideration nowadays. But, key stakeholders should review the situation and discuss potential coverage options with the organization’s insurance broker and/or legal counsel. Becoming more familiar with existing cyber insurance policies and coverage is prudent as it might cover some of the costs an organization incurs in connection with incidents like this.
  • Evaluate vendors. What some are asking may have led to the Kronos incident is the “Log4j” vulnerability, however, that has not been confirmed at this time. Log4j is described as a Java library for logging error messages in applications. Because other vendors also may have Log4j exposure, organizations may want to use this incident as a reason to examine more closely the data privacy and security practices of other third-party vendors, regardless of whether the Log4j vulnerability was exploited here. This is particularly the case for those vendors that handle the personal information of employees and customers.
  • Revisit your own data security compliance measures. Organizations also should check their own systems for Log4j and other vulnerabilities and fix them as quickly as possible.

Will the state breach notification laws apply?

We do not know if there has been a “breach” at this point. This will require investigation and analysis of the incident, which we understand is underway at Kronos at this time. However, if the incident affects certain unencrypted personal information of individuals, such as names coupled with social security numbers, drivers’ license numbers, financial account numbers, medical information, biometric information or certain other data elements, state breach notification laws may apply. Organizations that utilize Kronos’ services globally must consider a broader definition of personal data, such as under the General Data Protection Regulation (GDPR).

Thousands of organizations have suffered similar attacks, all of which illustrate the importance of planning for a response, not only trying to prevent one. Third party service providers play important roles for most organizations, particularly with regard to their HR systems and corresponding operations. It will take some time to work through this incident, but it should be a reminder for all affected organizations to continue to develop, refine, and practice their contingency plans.

On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue.  Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period.  BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.

In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.”  The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., in reaching its conclusion.

Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication  matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.”  The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.”  On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”

Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.

In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues.  However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle.  The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration.  In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA.  The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.

There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.