Passed in 2008, the Illinois Biometric Information Privacy Act (BIPA) regulates collection of biometric markers such as fingerprints or facial metrics. Since its passage, the Illinois BIPA has been used to restrict technology giants and their use of users’ personal information, particularly photographs. To understand the scale of this, Facebook reported in a 2013 whitepaper that its users have uploaded more than 250 billion photos. It was estimated in 2017 that the total number of digital photos stored in electronic databases was around 5 trillion.

Documenting and categorizing the faces of a significant percentage of the world’s population represents a major opportunity for technology and data companies. Ten years into enforcement and a figurative eternity into the technological evolution of the process, the Illinois BIPA has been an unavoidable feature of the big data landscape. Though potentially impactful cases remain pending (or on appeal), technology companies largely have been unable to convince courts that their facial recognition technologies should escape regulation under BIPA. 
Continue Reading

Hackers delight in targeting U.S. companies during the holiday season triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.

Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” 
Continue Reading

Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial. 
Continue Reading

In a ruling with implications for data privacy litigation nationwide, the Ninth Circuit recently stayed its decision allowing a biometric privacy class-action suit to proceed against Facebook, thus permitting the social media company to appeal the decision to the Supreme Court. The outcome of Facebook’s appeal could affect the law of standing with respect to data privacy litigation.

The lawsuit arose from Facebook’s “Tag Suggestions” feature, which used facial recognition technology to match known user faces to unknown faces in uploaded pictures. If the technology recognized a match, then Facebook would notify the person who uploaded the picture and suggest that the uploader “tag” the person recognized. If the uploader followed the suggestion, Facebook would link the recognized person to the picture. Facebook enabled this feature by default, although users could opt out. 
Continue Reading

As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, .§999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 
Continue Reading

On September 5, 2019, the federal district court for the Northern District of Illinois issued an order that denied a motion to dismiss a class action brought under the Illinois Biometric Information Privacy Act (“BIPA”). Although the claims in Rogers v. CSX Intermodal Terminals, No. 19-2937, 2019 U.S. Dist. LEXIS 151135 (N.D. Ill. Sept. 5, 2019) largely survived a motion to dismiss, the district court did hand the defense bar a small—but potentially significant—victory.

The plaintiff in Rogers is a former truck driver.  His duties included visiting CSX facilities to pick up and deliver freight. The plaintiff was required to scan his fingerprints to gain entrance to the facility. The plaintiff filed a BIPA class action based on CSX’s failure to provide the required disclosures before collecting his fingerprints and to maintain a publicly available policy on CSX’s retention of biometric data. The complaint also alleged that CSX’s violations were intentional and reckless, an allegation which if proven would result in a $5,000 per violation penalty. 
Continue Reading

After a busy year of legislative activity that brought forth many proposed amendments to the California Consumer Privacy Act (CCPA), Governor Gavin Newsom will be presented with six bills that will alter and/or clarify the scope of the CCPA. He is expected to sign all of them into law in October.

Employee Data:  The original version of the CCPA did not contain an exemption for employees’ personal information. Assembly Bill 25 brings needed clarity to the question of whether employee data will fall under the CCPA. This is a critical issue, given that certain personal information is necessarily used on a daily basis for business. Under AB 25, employees and prospective employees are excluded from most of the CCPA’s protections, which include: the right to request deletion of personal information; the right to inquire about what personal information is collected; the right to inquire about the sources of personal information; the right to inquire about the purpose for collecting or selling personal information; and the right to inquire about the categories of third parties with whom the employer or prospective employer shares their personal information. 
Continue Reading

On August 22, 2019, the Substance Abuse and Mental Health Services Administration of the United States Department of Health and Human Services (“SAMHSA”) issued a proposed rule amending the Confidentiality of Substance Use Disorder Patient Records regulations set forth at 24 CFR Part 2.  These regulations were initially implemented to provide heightened protection of patient records covering the treatment of substance use disorder (“SUD”) provided by certain federally funded programs (“Part 2 programs”).

The proposed regulations do not modify the general requirements for the confidentiality of SUD patient records created by Part 2 programs.  Part 2 continues to prohibit the disclosure of SUD records without patient consent except as specifically permitted in situations such as in the case of a bona fide medical emergency, for purposes of scientific research, audit or program evaluation, or with an appropriate court order after showing good cause. 
Continue Reading

Following a security incident involving its website’s chat function, Delta filed suit in the Southern District of New York against its tech vendor, [24]7.ai. Delta alleged fraud, negligence and breach of contract. A consumer class action lawsuit had already been filed against Delta in the Northern District of Georgia, related to the same incident.

According to the Complaint, on March 28, 2018, Delta was notified by [24]7.ai that a security incident had potentially compromised personally identifying information and payment card data of up to 825,000 of Delta’s customers. Delta alleges that “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…” Delta engaged a forensics team and began working with federal law enforcement upon receiving notice from [24]7.ai. Delta then publicly announced the breach, notified its customers, launched free credit monitoring services, and filed a lawsuit against [24]7.ai. Delta is seeking reimbursement of all breach-related costs. 
Continue Reading

This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020–which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first and second posts here and here.

Thanks for reading!


Continue Reading