On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?
Data Collection
Texas Passes One of the Strongest Data Privacy Laws in the Nation
In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation
UK GDPR Reform: A Bridge Too Far?
The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data;”
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
(emphasis added). Continue Reading UK GDPR Reform: A Bridge Too Far?
If You Pass It, They Will Comply (Someday): Iowa Becomes Latest State to Pass Comprehensive Data Privacy Law
Iowa became the sixth state to pass a comprehensive data privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. Instead of standing out from the crowd, the Iowa legislature passed a law that imposes attenuated obligations stated in those other states’ laws . Below are some highlights from the Act relating to consumer data protection (the “Iowa Act”):Continue Reading If You Pass It, They Will Comply (Someday): Iowa Becomes Latest State to Pass Comprehensive Data Privacy Law
BetterHelp… Themselves: FTC Fines Company for Improper Deceptive Advertising Practices
The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers, such as Facebook, Snapchat, Criteo, and Pinterest.[1] This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in the following article here.Continue Reading BetterHelp… Themselves: FTC Fines Company for Improper Deceptive Advertising Practices
From Your “Clicks” To Targeted Ads: FTC Fines Company for Its “Deceptive” Use of Pixels
How does Facebook know you want sugar-free snacks? These personal ads may have targeted you based on your online searches or a refill of your diabetes medicine collected by the digital health company GoodRx. GoodRx has been sending this personal health information such as prescription information to ad platforms like Facebook and Google to use and monetize your data.
But the Federal Trade Commission did not approve of GoodRx’s actions and, last Wednesday, fined the digital health company for its “deceptive practices” in the disclosure of personal and health information to third-party advertising companies and platforms like Meta and Google for advertisement purposes.[1] At the core of the complaint, the FTC cited the inconsistencies between the statements made in GoodRx’s privacy policy and its actual business practices, specifically, the company’s use of online tracking tools such as web beacons and software development kits (generally referred to as pixels) for targeted and personalized ads.Continue Reading From Your “Clicks” To Targeted Ads: FTC Fines Company for Its “Deceptive” Use of Pixels
Bad News for BIPA Defendants: Illinois Supreme Court Holds That Five-Year Statute of Limitations Applies to All BIPA Claims
Today, the Illinois Supreme Court issued a long-awaited and highly-anticipated decision in Tims v. Black Horse Carriers, Inc., which is sure to have a long-term ripple effect on litigation under the Illinois Biometric Information Privacy Act (“BIPA”) going forward. With no dissenting opinion, the Supreme Court reversed the Illinois First District Appellate Court’s decision applying two separate statutes of limitation depending on the section under which a plaintiff’s BIPA claim is brought. The Supreme Court held instead that the five-year catchall statute of limitations period contained in the Illinois Code of Civil Procedure applies to all BIPA claims. Specifically, the Supreme Court held that two separate statutes of limitation go against Illinois public policy and could cause an “unclear, inconvenient, inconsistent, and potentially unworkable regime” for BIPA litigation.Continue Reading Bad News for BIPA Defendants: Illinois Supreme Court Holds That Five-Year Statute of Limitations Applies to All BIPA Claims
Are BIPA Claims a Runaway Train? Defendant Hit With $228 Million Federal Jury Verdict in Rogers v. BNSF Railway
On Wednesday, a federal jury broke new ground for lawsuits alleging violations of the Illinois Biometric Information Privacy Act (BIPA). Rogers v. BNSF Railway Co. is the first BIPA class action to go to trial in Illinois, and after only five days of trial and a mere hour of deliberation, the jury returned a verdict in favor of the plaintiff resulting in a whopping $228 million damage award to the class.
Continue Reading Are BIPA Claims a Runaway Train? Defendant Hit With $228 Million Federal Jury Verdict in Rogers v. BNSF Railway
Another Brick in the Wall: California’s Age-appropriate Design Code Act
School is in session and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024 but California piled on more homework for those companies handling data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”).[1] Modeled from UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.” [2]
Continue Reading Another Brick in the Wall: California’s Age-appropriate Design Code Act
BIPA Lives On: Illinois Supreme Court Rejects Common Employer Defense of Workers’ Comp Preemption
The Illinois Supreme Court unanimously ruled on Thursday that the Illinois Biometric Information Privacy Act (BIPA) is not preempted by the Illinois Workers’ Compensation Act (IWCA).
This decision clears the way for employees to pursue BIPA statutory damages ($1,000 for each negligent violation or $5,000 for each intentional or reckless violation), a significant and costly defeat for employers in a case that was followed closely by attorneys on both sides of the bar.Continue Reading BIPA Lives On: Illinois Supreme Court Rejects Common Employer Defense of Workers’ Comp Preemption