Iowa became the sixth state to pass a comprehensive data privacy law, joining California, Colorado, Connecticut, Utah and Virginia. Instead of standing out from the crowd, the Iowa legislature passed a law that imposes attenuated obligations stated in those other states’ laws . Below are some highlights from the Act relating to consumer data protection (the “Iowa Act”):

Continue Reading If You Pass It, They Will Comply (Someday): Iowa Becomes Latest State to Pass Comprehensive Data Privacy Law

The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers, such as Facebook, Snapchat, Criteo, and Pinterest.[1] This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in the following article here.

Continue Reading BetterHelp… Themselves: FTC Fines Company for Improper Deceptive Advertising Practices

On February 1, 2023, the California Privacy Protection Agency (CPPA) released a final draft of the regulations for enforcing the California Privacy Rights Act (CPRA). These regulations provide stricter restrictions on the collection of personal information. Of note is that collection practices must be “consistent with the reasonable expectations of the consumers.” According to 11 C.C.R. § 7002(b), expected to become final this year, “reasonable expectations” hinge on factors such as the relationship between the business and its consumers, the source of personal information, and the methods employed by the business collecting the data, and the involvement of other entities and third parties. If CPPA takes an expansive enforcement position on Section 7002, several types of automotive businesses could be impacted by this “consumer expectation” test.

Continue Reading CPRA Regulation 7002: Detour for Automotive Businesses?

After its February 2, 2023, decision in Tims v. Black Horse Carriers, Inc., which held that a five-year statute of limitations applies to all claims brought under the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Supreme Court has now answered the question of when a BIPA claim accrues: each time an entity scans or transmits an individual’s biometric identifier or information.     

Continue Reading BIPA Claims Accrue at Each Scan or Transmission, per Illinois Supreme Court

How does Facebook know you want sugar-free snacks? These personal ads may have targeted you based on your online searches or a refill of your diabetes medicine collected by the digital health company GoodRx. GoodRx has been sending this personal health information such as prescription information to ad platforms like Facebook and Google to use and monetize your data.

But the Federal Trade Commission did not approve of GoodRx’s actions and, last Wednesday, fined the digital health company for its “deceptive practices” in the disclosure of personal and health information to third-party advertising companies and platforms like Meta and Google for advertisement purposes.[1] At the core of the complaint, the FTC cited the inconsistencies between the statements made in GoodRx’s privacy policy and its actual business practices, specifically, the company’s use of online tracking tools such as web beacons and software development kits (generally referred to as pixels) for targeted and personalized ads.

Continue Reading From Your “Clicks” To Targeted Ads: FTC Fines Company for Its “Deceptive” Use of Pixels

Today, the Illinois Supreme Court issued a long-awaited and highly-anticipated decision in Tims v. Black Horse Carriers, Inc., which is sure to have a long-term ripple effect on litigation under the Illinois Biometric Information Privacy Act (“BIPA”) going forward. With no dissenting opinion, the Supreme Court reversed the Illinois First District Appellate Court’s decision applying two separate statutes of limitation depending on the section under which a plaintiff’s BIPA claim is brought. The Supreme Court held instead that the five-year catchall statute of limitations period contained in the Illinois Code of Civil Procedure applies to all BIPA claims. Specifically, the Supreme Court held that two separate statutes of limitation go against Illinois public policy and could cause an “unclear, inconvenient, inconsistent, and potentially unworkable regime” for BIPA litigation.

Continue Reading Bad News for BIPA Defendants: Illinois Supreme Court Holds That Five-Year Statute of Limitations Applies to All BIPA Claims

On Wednesday, a federal jury broke new ground for lawsuits alleging violations of the Illinois Biometric Information Privacy Act (BIPA). Rogers v. BNSF Railway Co. is the first BIPA class action to go to trial in Illinois, and after only five days of trial and a mere hour of deliberation, the jury returned a verdict in favor of the plaintiff resulting in a whopping $228 million damage award to the class. Continue Reading Are BIPA Claims a Runaway Train? Defendant Hit With $228 Million Federal Jury Verdict in Rogers v. BNSF Railway

School is in session and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024 but California piled on more homework for those companies handling data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”).[1] Modeled from UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.” [2]

Continue Reading Another Brick in the Wall: California’s Age-appropriate Design Code Act

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

Note: This story featuring commentary from Dykema’s Cinthia Granados Motley was originally published by Bloomberg Gov

  • Critical infrastructure industries would have to report hacks
  • Spending deal heading for House vote later on Wednesday

By Maria Curi | March 9, 2022, 5:31AM ET

Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.

The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday. Continue Reading Cyberattack Reporting Requirements Included in Spending Deal