In case you missed it, below is a summary of recent posts from CPW. Please feel free to reach out if you are interested in additional information on any of the developments covered.
Keeping you informed on the evolving law on data privacy, security and innovation.
At this point, readers of CPW are familiar with the Clearview Illinois Biometric Information Privacy Act (“BIPA”) litigation. The case raises novel data privacy and constitutional issues, as underscored by a recent development in the case.
Clearview previously moved to dismiss Plaintiffs’ claims under BIPA and various other states’ laws. Among other arguments, Clearview claimed that Plaintiffs were improperly attempting to apply BIPA to Clearview’s out-of-state conduct in violation of Illinois’ extraterritoriality doctrine (which requires that the conduct at issue occurred “primarily and substantially” in the state). This standard was plainly not satisfied here, Clearview argued, as none of the conduct relevant to Plaintiffs’ claims occurred in Illinois, and therefore the litigation should be dismissed. Clearview also argued that if BIPA applied to Clearview’s conduct, then BIPA would violate the dormant Commerce Clause of the U.S. Constitution, which precludes the application of a state statute that has the effect of regulating conduct in another state.
Besides these challenges, Clearview asserted that Plaintiffs’ claims are barred by the First Amendment and Article One Section Four of the Illinois Constitution. According to Clearview, this is because both protect the creation and dissemination of information—which includes the collection and use of public photographs that appear on the Internet. Besides these constitutional challenges, Clearview also argued that Plaintiffs failed to plead a cognizable BIPA claim under Section 15(c) of the statute (to be discussed on this blog another day).
Plaintiffs have opposed Clearview’s motion. Last week, several consumer privacy groups weighed in, seeking leave to file amicus briefs supporting Plaintiffs—including the Electronic Frontier Foundation (“EFF”) and the Center on Privacy & Technology at Georgetown Law (“Center”). Unsurprisingly, these groups have contrary views as to BIPA and whether it passes constitutional muster. For example, as recently argued by the Center, BIPA is a content-neutral law that protects against the harm facial recognition technology poses to Illinois residents’ rights to privacy and free expression. This includes protecting residents from police misuse of facial recognition technology. [Note: Remember Clearview’s customers?]
As more states (like New York) pass biometric laws, similar arguments are going to be raised in future data privacy litigations. Although how the court rules regarding BIPA in the context of the Clearview litigation will not be dispositive for these cases, it will provide a useful metric for predicting the direction of the law on this topic. Not to worry: CPW will be there every step of the way to keep you in the loop. Stay tuned.
CPW covered the Colonial Pipeline cyberattack earlier this year, in which a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality. The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States (as a reminder, the Colonial Pipeline supplies the east coast of the United States with gasoline. The pipeline is a critical part of U.S. petroleum infrastructure, transporting around 2.5 million barrels per day of gasoline, diesel fuel, heating oil and jet fuel. It stretches 5,500 miles and carries nearly half of the East Coast’s fuel supply).
In the wake of the cyberattack, owners of the Colonial Pipeline were hit with a putative class action that was filed in federal court in Georgia. Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.). Plaintiffs in Dickerson alleged that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.” Plaintiffs allege that the Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations]” (emphasis supplied).
At the end of last month, a second putative class action complaint was filed concerning the Colonial Pipeline attack, EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.). As in the previous suit, we again see an allegation that the Defendants “failed to implement and maintain reasonable security procedures and practices appropriate to operating the Pipeline” (emphasis added). This is raised in the context of an alleged “duty to adopt reasonable measures to ensure the continued and uninterrupted operation of the Pipeline,” as the “Pipeline is essential infrastructure and a vital artery for the distribution of fuel to most of the eastern United States.”
In this case, Plaintiff seeks to certify a class action “on behalf of the more than 11,000 gas stations negatively impacted by the Ransomware Attack” that “experienced a fuel shortage, an increase in price paid for gasoline, or an inability to sell fuel to their customers as a result of the Ransomware Attack.” And again, just like in Dickerson, the damages claimed arise not from the exposure of private information, but from increased gas prices caused by the pipeline shutdown. Is this the start of a trend of plaintiffs’ lawyers casting consumer pricing class actions in the framework of a cybersecurity incident? Time will tell.
This case raises the difficult questions for the Plaintiff looming in Dickerson (standing, whether a duty was owed, issues of causation). Still, these cases could have a major impact on the future of data privacy/cybersecurity litigation, and it will be important to keep an eye on any major developments. For our readers, we’ve got you covered. Stay tuned to CPW for all the information you need. And in the meantime, in case you missed it, on Tuesday, May 25, CPW’s Kristin Bryan and Ericka Johnson hosted CPW’s first-ever virtual webinar jointly with Squire Patton Boggs’ Global Supply Chain blog. The webinar focused on the Colonial Pipeline hack.
In the wake of Virginia and Colorado passing comprehensive privacy legislation this year, the Ohio legislature is similarly considering a privacy bill, albeit one that would impose fewer restrictions on businesses and does not include a private right of action. The Ohio Personal Privacy Act (“OPPA”) was introduced yesterday by Republican state Reps. Carfagna, of Delaware County, and Hall, of Butler County, with the backing of Governor DeWine and Lt. Governor Husted. Co-sponsors include Representatives Click, Plummer, Schmidt, Lanese, White, Stewart, Carruthers, and Ginter. The OPPA gives consumers certain rights pertaining to their data and creates new obligations for non-exempt businesses in Ohio. Read on to learn more as well as for exclusive comments from those involved in the bill’s drafting.
Under the OPPA, consumers would be allowed to access their personal data and obtain a copy of certain information in a portable format. Consumers would also have the right to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format. Additionally, under the OPPA consumers would have a right to request that a business that sells personal data to third parties not sell the consumer’s personal data. Unlike the California Consumer Privacy Act (“CCPA”), the OPPA would not provide consumers with a private right of action. Instead, enforcement is at the discretion of the Ohio Attorney General’s Office (“OAGO”) (although consumers may file complaints with OAGO for purported violations of the OPPA).
The OPPA would apply to entities: (1) with at least $25 million in gross annual revenues in Ohio, (2) that control or process the personal data of 100,000 or more consumers, or (3) that over the course of a calendar year derive over fifty percent of their gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers. There are certain exceptions, including but not limited to institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm-Leach-Bliley Act.
Businesses would have an affirmative defense to liability under the OPPA if they create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework.
CyberOhio, an advisory committee launched by then-Ohio Attorney General Mike DeWine, was involved with the drafting of the OPPA. Now, CyberOhio is a branch of InnovateOhio, headed by Lt. Governor Jon Husted. CyberOhio is composed of an Advisory Committee comprised of cybersecurity industry experts and business leaders and led by Kirk M. Herath, with whom CPW’s Kristin Bryan connected in advance of the OPPA being introduced.
As Mr. Herath explained, “CyberOhio considered other states’ privacy laws when drafting the OPPA, and attempted to come up with an alternative to the California/CCPA/CPRA model.” In a break from other states, the Advisory Committee explicitly adopts the NIST privacy standard in the OPPA. This was intended, Mr. Herath commented, “to provide a flexible approach that would evolve as technology continues to advance.” Brian Ray, the Director, Center for Cybersecurity and Privacy Protection at Cleveland Marshall Law School, also commented in advance of the OPPA’s introduction that “the OPPA expressly precludes derivative claims, in a deliberate effort to prevent plaintiff’s counsel from attempting an end-run around the statute’s lack of a private right of action.”
For more on this development, stay tuned. CPW will be there to keep you in the loop.
Cookieless Future? Kyle Fath Looks Into the Crystal Ball | Consumer Privacy World
Top Privacy Developments Of 2021: Midyear Report | Consumer Privacy World
Alan Friel Talks to Law360 About New Colorado Privacy Law | Consumer Privacy World
As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021. The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.
In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.
With the stroke of his pen on July 7, Governor Jared Polis (D) signed the Colorado Privacy Act (CPA or Act) into law, making the Centennial State the third U.S. state to pass comprehensive consumer privacy legislation. The Act, passed by the legislature on June 8, is a combination of elements of California and Virginia consumer privacy laws, possibly creating a harmonization model for other states to follow. For a comprehensive comparison of the three states’ laws click here. The CPA will be enforceable as of July 1, 2023.
This week, new privacy legislation was signed by the Colorado governor: the Colorado Privacy Act, which will take effect on July 31, 2023. It requires businesses to give consumers the ability to access, correct, delete and opt out of the sale of their personal information or processing of this data for targeted advertising and profiling purposes. However, the statute does not include a private right of action. Instead, it entrusts sole authority to the state’s attorney general and district attorneys to enforce the law.
Alan Friel provided expert insights to Law360 on this development which you can access here. And stay tuned later today as Alan Friel and his privacy pros will be providing a comprehensive breakdown of this new data privacy statute and what it all means.
In a recent litigation and appeal involving claims under the Fair Credit Reporting Act (“FCRA”), the Ninth Circuit affirmed the district court’s grant of summary judgment to the defendant, in a win for CRAs named in similar litigation. Leoni v. Experian Info. Solutions, 2021 U.S. App. LEXIS 17687 (9th Cir. June 14, 2021). Read on for details about the case and its implications.
First, some background. Plaintiff filed suit against Experian regarding a purported error in her consumer report. Plaintiff alleged that the report erroneously stated that Plaintiff owed a debt that had been previously discharged by a bankruptcy court. Plaintiff requested that Experian investigate this issue. The investigation report subsequently sent to Plaintiff stated that the debt was discharged, but incorrectly noted that the debt was “included in Chapter 13 Bankruptcy on November 08, 2016” (when in actuality, the debt had been discharged several months earlier). Plaintiff then filed suit for negligent and willful violations of the FCRA—based solely on this misdating issue.
Assessing the case de novo on appeal, the Ninth Circuit first analyzed whether Experian committed a willful violation of the FCRA. To prevail on this claim, Plaintiff was required to demonstrate that Experian “knowingly violated the statute or recklessly disregarded its requirements.” Ramirez v. TransUnion LLC, 951 F.3d 1008, 1031 (9th Cir. 2020). The Court found that the record did not raise a material issue of fact that Experian knowingly or recklessly changed the “included in bankruptcy” date. Rather, Experian’s error was, at most, negligent.
The Court then turned to the standard for negligent violation of the FCRA, which requires Plaintiff to suffer “actual damages.” See 15 U.S.C. § 1681o(a)(1); see also Dennis v. BEH-1, LLC, 520 F.3d 1066, 1069 (9th Cir. 2008), as amended. In support of this requirement, Plaintiff asserted his damages were (1) he “avoided applying for credit for fear of being denied,” (2) “the inaccurate information could serve as a factor in Experian credit scores,” (3) he suffered from emotional distress, (4) he incurred transportation costs traveling to his attorneys’ office, and (5) he “lost time considering issues related to the inaccurate credit reporting.”
The Ninth Circuit rejected all of these attenuated theories of injury, finding they were non-cognizable for purposes of supporting his claim. For instance, Plaintiff did not point to any evidence that the “included in bankruptcy” date lowered his credit score apart from his actual bankruptcy. Additionally, the Court found that the cost of traveling to his attorneys’ office or the time Plaintiff spent reviewing the credit reports were likewise not compensable because Plaintiff incurred these expenses for the sole purpose of correcting inaccurate reporting. Based on these findings, the Ninth Circuit held that the district court properly awarded summary judgment to Experian on Plaintiff’s claims that Experian willfully and negligently violated the FCRA.
This case is a reminder of the requirement of actual damages to support claims under the statute, and how emotional distress and costs incurred to correct inaccurate reporting are inadequate. Stay tuned to CPW for more important privacy developments out of the Ninth Circuit as well as other courts discussing the FCRA.
As covered on Law360, “State legislatures and the U.S. Supreme Court left their marks on the privacy landscape in the first half of 2021, with Virginia and Colorado adding to the growing state privacy law patchwork and the nation’s high court delivering a pair of rulings that are expected to limit statutory privacy claims.” Alan Friel contributed his expert insights to Law360’s midyear report, which can be accessed here.