Litigation

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age  (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:Continue Reading Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:Continue Reading State Privacy Law Patchwork Presents Challenges

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Australian Privacy Regulator Commences Penalty Proceedings Against Medibank | Privacy World

Guidance on how Ofcom and the ICO intend to

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Singapore Publishes Generative AI Model Governance Framework | Privacy World

FCC Chair Proposes Investigation of Potential Disclosure Requirements for AI-Generated

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

Last week, the Illinois House of Representatives joined the Illinois Senate in passing amendments to the state’s Biometric Information Privacy Act (“BIPA”) to limit the scope of possible damages for violations of BIPA. As covered extensively here on PW, last year in Cothron v. White Castle, the Illinois Supreme Court held that an individual person accrues a separate statutory claim each time a defendant collects or discloses the individual’s biometric information in violation of BIPA. While the dissent in Cothron accurately observed that the combination of statutory damages and “per-scan” accrual meant that businesses could face “punitive, crippling liability . . . wildly exceeding any remotely reasonable estimate of harm,” the Cothron majority determined that “concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”Continue Reading Illinois Legislature to Amend BIPA to Overrule Illinois Supreme Court Damages Decision

Earlier this month, arbitration services provider JAMS announced that it created a new set of Mass Arbitration Procedures and Guidelines (“Mass Procedures”) for use in mass arbitrations.  Like competitor American Arbitration Association’s (“AAA”) update to its mass arbitration supplementary rules (“AAA Supplementary Rules”) earlier this year, JAMS’s new procedures include some features that may mitigate some of the more abusive practices common to mass arbitrations, but do not fully eliminate the risks posed by mass arbitrations.  Read on for an overview of these new procedures and the accompanying fee schedule.Continue Reading Arbitration Provider JAMS Creates New Mass Arbitration Procedures

Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.Continue Reading Are You Ready for July 1? Florida, Oregon, and Texas on Deck

The Illinois Genetic Information Privacy Act, 410 ILCS 513/1, et seq. (“GIPA”), which was passed in 1998 and amended in 2008, had until recently received little attention from the plaintiffs’ bar. That changed last August, after a court granted certification in a federal GIPA class action involving alleged unauthorized disclosure of consumers’ genetic information to unknown third-party developers by a website that sold DNA analysis reports. See Melvin v. Sequencing, LLC, 344 F.R.D. 231, 233 (N.D. Ill. 2023). Over 50 GIPA cases were filed in 2023 alone in the wake of that ruling, with many more now pending in Illinois state and federal courts. As this litigation trend continues almost a year following the granting of class certification in Melvin, companies are asking: what is GIPA, are we subject to it, and what should we do to mitigate litigation risk?  Employers, insurance companies, and others that collect health- and genetic-related information should read on to learn more.Continue Reading Employers and Insurance Companies Continue To Be Targeted with Deluge of Claims Under the Illinois Genetic Information Privacy Act

On March 22, the Western District of Washington granted a motion to remand cases removed from state court in In re Fred Hutchinson Data Security Litigation, 2:23-cv-01893-JHC, 2024 WL 1240681 (W.D. Wash. March 22, 2024). In doing so, it highlighted for litigators and companies alike a lesson in the importance of understanding how courts determine citizenship when determining diversity jurisdiction under the Class Action Fairness Act (“CAFA”).Continue Reading Relying on CAFA’s Discretionary “Home-State” Exception, Federal Court Punts Data Breach Class Action Back to State Court