The recently released discussion draft of the American Privacy Rights Act rejects the opt-out approach to targeted advertising in 17 state consumer privacy laws, and instead requires express affirmative opt-in consent for tailoring online ads based on a specific viewer’s interests and activities, akin to the prevailing European approach.  In a guest post published earlier this week by Bloomberg Law, Privacy World’s Alan Friel and Kyle Fath explain why this would do more harm than good to consumers, threaten the ad-supported online content business model that supports a free and open Internet, and increase the economic digital divide.  Read more here.

With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here. Continue Reading Navigating Data Privacy Assessments Amid New State Laws

Data privacy litigators are well aware of the critical importance of a motion to dismiss to have meritless data incident claims kicked at the pleadings stage.  A recent decision underscores the importance of choice of law arguments as part of a comprehensive litigation strategy.  Why?  Well, in some cases, differences between the laws of two states regarding frequently litigated data incident claims can be dispositive for purposes of a motion to dismiss.  Read on to learn more.

First, some background.  It is well-established that federal courts sitting in diversity apply the forum state’s conflict of laws rules.  For instance, in Greenstate Credit Union v. Hy-Vee, Inc., a data incident litigation recently pending in federal district court in Minnesota, the court noted that:

Under Minnesota law, the first inquiry is whether an actual conflict of laws exists.  Next, the court must determine ‘whether the law of both states can be constitutionally applied.’  If there is an outcome determinative conflict and the law of both states can be constitutionally applied, then the court applies Minnesota’s multifactor test . . . to determine which states’ law should apply.

2021 U.S. Dist. LEXIS 133894 (D. Minn. July 19, 2021).

Many data incident litigations involve common law tort claims (e.g., negligence) that have some similarities across the jurisdictions.  As such, the reaction of some data privacy newbies may be to reject choice of law considerations in a litigation.  After all, everyone knows a negligence claim always involves application of the same four elements (duty, breach, causation, damage) anyway, right?

Wrong answer.  Choice of law arguments can be dispositive regarding which party prevails in a litigation.  Therefore, making an informed assessment of which forum’s laws can and should apply in a data breach litigation is a mission critical inquiry at the outset of a case.

As an example, Greenstate Credit Union concerned a class action dispute arising out of Hy-Vee’s handling of a data breach that exposed consumers’ credit card data.  Plaintiff GreenState Federal Credit Union is a federally chartered credit union with its principal place of business in Iowa.  Defendant Hy-Vee is incorporated in Iowa and has its principal place of business in Iowa.  However, Hy-Vee operates supermarkets, convenience stores, and gas stations, with 240 retail stores in eight states, including Minnesota.

Why does this matter?  Plaintiff asserted claims under the Minnesota Plastic Card Security Act (PCSA), common law negligence, negligence per se, and for declaratory and injunctive relief.  Defendant argued, however, that instead of Minnesota law, the law of Iowa should govern Plaintiff’s claims.  This was motivated by the fact that unlike Minnesota, Iowa has adopted the economic loss doctrine.  As articulated by the Iowa Supreme Court, this doctrine “bars recovery in negligence when the plaintiff has suffered only economic loss.”

Here, the court found that:

GreenState’s negligence claim would be barred by Iowa’s economic loss doctrine.  GreenState’s alleged injuries – cancelling compromised cards, reissuing new cards, reimbursing members for fraudulent charges, and losing interest and transaction fees because of reduced card use – are all indirect economic losses . . . Because GreenState alleges nothing more than economic losses, Iowa law bars its negligence claims.

(emphasis supplied).

Additionally, based on Minnesota’s choice of law rules, the court found that “[a]ll of Hy-Vee’s relevant information security employees and decision-making are located in Iowa.  It is predictable that Iowa law would apply.”  For these reasons, among others, the court held that Iowa law should apply.  It then promptly dismissed Plaintiff’s claims pursuant to a straightforward application of Iowa’s damages law.

While the economic loss rule is one of the more well-known variations in state law, there are other areas involving even more nuance.  This in turn makes choice of law considerations (including an assessment of whether a defendant should strategically advocate for the application of the law of a forum other than the one in which the litigation was filed) absolutely essential.

For more on this developing area of the law, stay tuned.  CPW will be there to keep you in the loop.


In Ducharme v. Madewell Concrete, LLC, No. 6:20-1620-HMH, 2020 U.S. Dist. LEXIS 127615 (D.S.C. July 17, 2020), Defendants Madewell Concrete, LLC and Kevin Johnston’s (“Johnston”) (collectively, “Defendants”) motion to dismiss Plaintiff Robert Ducharme’s (“Plaintiff”) South Carolina Homeland Security Act (“SCHSA”) claim pursuant to Federal Rule of Civil Procedure 12(b)(6) was denied.

Plaintiff alleges that Defendants deliberately misclassified him as a salaried employee, which exempted him from the overtime requirements of the Fair Labor Standards Act (“FLSA”). Accordingly, Plaintiff contends that he was not compensated for his overtime work. Plaintiff also alleges that Defendant Johnston illegally and without authorization accessed Plaintiff’s personal email account.

Plaintiff’s lawsuit alleges three claims: violations of (1) the Stored Communications Act, (2) the SCHSA, and (3) the FLSA.

Defendants argue that Plaintiff’s SCHSA claim is preempted by the Electronic Communications Privacy Act (“ECPA”) because in 18 U.S.C. § 2518(10)(c), “Congress expressed clear intent that any alleged interception of any ‘electronic communications’ falls under the exclusive remedy of the [ECPA].” Accordingly, the Court describes the dispute as whether “the interception of electronic communications provisions of the ECPA preempt a claim based on the interception of electronic communications provisions of the SCHSA.”

In holding that § 2518(10)(c) does not expressly preempt state law claims, the Court noted that “Congress could have easily and explicitly stated that the remedies in the ECPA are the exclusive remedies for all interceptions of electronic communications or that the ECPA preempts state law claims, but it did not do so.” The Court went on to find that the legislative history of § 2518(10)(c) indicates that “the interceptions of electronic communications were not subject to the exclusionary rule absent a Fourth Amendment violation.” Thus, state law remedies are permissible for certain intercepts of electronic communications (such as personal emails) and “the ECPA does not preempt Plaintiff’s claim under the SCHSA.” This case is a good reminder that employers should be mindful to ensure compliance with applicable state privacy laws, in addition to the well-known federal ones.

Nineteen states have followed the lead of California and passed consumer privacy laws.  Three went into effect this year and eight will become effective in 2025.  The remainder become effective in 2026.  Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2).  While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider.

A recent article published by the authors in Competition Policy International’s TechReg Chronicle details the similarities and differences between the 20 state consumer privacy laws, and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?

Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?

NY AG Investigation and Findings

Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’s website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more.  The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which it calls surveillance capitalism.

Continue Reading Businesses Beware: New York Eyeing Privacy Regulation and Enforcement Even Absent Omnibus State Privacy Law

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:

Continue Reading Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance, as well as data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:

Continue Reading State Privacy Law Patchwork Presents Challenges

The first month of 2024 brought two new state privacy laws. On January 18, the New Hampshire legislature passed the 15th US state consumer privacy law (notably, still subject to some procedural requirements and signature by Governor Chris Sununu before it is officially law). The New Hampshire law was passed a few days after New Jersey’s new consumer privacy law (Approved P.L.2023, c.266) was signed into law on January 16.

Both new state consumer privacy laws follow the now-familiar format, offering consumer privacy rights and requiring role-based data processing agreements, but with a few notable differences. A more detailed comparison follows.

Continue Reading New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws

Privacy teams have more to do with Gov. Abbott signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last-minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is no minimum number of records processed or annual revenue threshold for businesses to be within the scope of the law. It has broad applicability to companies that do business in the state and that process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context. Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law