Hashed & Salted: Vol. 1, Issue 8

Hashed & Salted | A Privacy and Data Security Update

Welcome to our latest issue of Hashed & Salted. Will the cooler fall temperatures bring a cooldown to privacy news? If this month is any indication, we don’t think so. 

On the federal level, the American Data Privacy and Protection Act (H.R. 8152), the bipartisan consumer data privacy bill discussed in our June issue, appears to be stalled after House Speaker Nancy Pelosi raised concerns with the bill’s ability to pre-empt the CCPA. The amendments adopted in the most recent version include changes to the private right of action provisions (shortening the delay period from four to two years and adding a small business exemption); expanding the definition of “employee data” to significantly enlarge the carve-out from coverage in the bill and the definition of “sensitive covered data” to include race, color, ethnicity, religion, membership in a union and internet browsing history; creating a new tiered approach to the knowledge approach related to advertising to children; changes to the requirements for express consent; and changes to the definitions of “covered entity” and “service provider,” among other amendments. Attempts to amend the bill’s preemption provision were unsuccessful. While there is still a desire among regulators to reach a compromise, the path forward is uncertain at the moment. 

While federal privacy legislation continues to move at a glacial pace, government regulators at both the state and federal levels are moving much more swiftly. The Federal Trade Commission (FTC) this month issued its “Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking” (the ANPR is also referred to as the Trade Regulation on Commercial Surveillance and Data)—marking the beginning of the FTC’s rulemaking process. Containing nearly 100 questions, the ANPR requests public comment on the nature and prevalence of harmful commercial surveillance practices, the balance of costs and countervailing benefits of these practices for consumers and competition, and proposals for protecting consumers from harmful and prevalent commercial surveillance practices. 

At the state level, California’s Attorney General’s Office (OAG) released its first publicly reported settlement resulting from an alleged violation of the California Consumer Privacy Act. The settlement, which involved Sephora, highlights the OAG’s very broad interpretation of “sale” and its follow-through on its promise to issue enforcement notices to companies that do not honor the Global Privacy Control. The OAG also released updated enforcement summaries, which focused on disclosures to consumers, loyalty programs and a failure to provide notice of a financial incentive. 

On the other coast, the New York Department of Financial Services (NYDFS) just released proposed amendments to its Cybersecurity Regulation that, if adopted, will impose new requirements on covered entities, including annual independent cybersecurity audits for larger entities, risk assessments for all entities, new technology requirements, mandatory 24-hour reporting for cyber ransom payments, new restrictions on privileged accounts and higher expectations for board expertise to oversee businesses’ cyber risk. The amendments also create a new type of covered entity, Class A companies—covered entities with more than 2,000 employees or more than $1 billion in gross annual revenue averaged over the past three years from all business operations of the company and its affiliates.

In our articles this month, Eyvonne Mallett, of counsel at Loeb, reports on the Consumer Financial Protection Bureau’s (CFPB) work on its open banking rule aimed at enabling consumers to own, access and share their financial data by giving third-party financial service providers access to that data through application program interfaces (APIs), how the rule has been delayed by privacy and data security concerns, and how the CFPB might be able to get the rule over the finish line. 

In our second article, guest author Toby Irenshtain provides a deep dive into commercial surveillance and its potential benefits and risks. In our team member spotlight, read more about Toby, a second-year law student and Business Law Scholar at Georgetown University Law Center, who interned this summer at the Future of Privacy Forum and Loeb & Loeb, as she shares her passion for privacy law—and for some high-flying adventure.

• CFPB’s Open Banking Rule Delayed by Data Privacy and Security Concerns
• Commercial Surveillance: Technology, Government and Civil Rights Implications
• Team Member Spotlight: Toby Irenshtain
• Event Spotlight: IAB Public Policy & Legal Summit
• In Case You Missed It: A Privacy and Employment Law Primer: Recent Updates on Discrimination and Privacy Implications of Technology in the Workplace

CFPB’s Open Banking Rule Delayed by Data Privacy and Security Concerns

The Consumer Financial Protection Bureau (CFPB) is working on a final proposal for its open banking rule. If codified, the open banking rule will enable consumers to own, access and share their financial data however and with whomever they choose. Open banking generally refers to a consumer’s ability to control their financial data by allowing third-party financial service providers to access financial data in real time through the use of application program interfaces (APIs). Read the full alert. 

Commercial Surveillance: Technology, Government and Civil Rights Implications

As brick-and-mortar stores struggle to compete with online retailers’ data access, physical surveillance technologies have become increasingly sophisticated, enabling the creation, monitoring and analysis of customer data in real time. Artificial intelligence (AI)-powered cameras equipped with facial recognition technology (FRT) and object detection have been implemented alongside thermal-sensing people-counters and tailored marketing messages. Companies considering adding these technologies must carefully assess their benefits and risks in order to boost their bottom line while protecting against liability and reputational harm. Read the full alert.

Team Member Spotlight: Toby Irenshtain

Toby Irenshtain is a second-year law student and business law scholar at Georgetown University Law Center. A proud first-generation college (and law) student who received her Bachelor of Science from Vanderbilt University in 2021, Toby looks forward to receiving her J.D. in 2024 and practicing law that builds, maintains and supports sustainable businesses worldwide. Toby interned this summer at the Future of Privacy Forum and Loeb & Loeb through the Federal Communications Bar Association’s Diversity Pipeline Program. 

How did you develop your area of focus?

I became excited about privacy law in my first year of law school as a growing practice that lies at the intersection of business, law and technology. I participated in the Federal Communications Bar Association Diversity Pipeline Program and had the opportunity to engage with privacy attorneys’ practice in both the nonprofit and law firm spaces. I thoroughly enjoyed these experiences and am eager to see how the practice grows! During my 1L summer, I researched the civil rights implications of algorithmic harms, tracked state and federal laws, and helped out the teams as necessary at both the Future of Privacy Forum and Loeb & Loeb. 
 
What’s exciting you/grabbing your attention right now?

I’ve been intrigued recently by privacy-enhancing technologies (PETs) as a technical solution for instilling privacy-by-design principles in company data management. I believe that if used correctly—and regulated clearly—these technologies, from homomorphic encryption to differential privacy, hold the potential to greatly improve many companies’ privacy systems. I’m closely watching this space to see which companies begin implementing them and how regulators seek to regulate or contextualize their use. 
 
What’s one thing most people would be surprised to know about you?

Most people would be surprised to hear that I’m a flying trapeze artist! I started young and have been attending classes and performing in Washington, D.C., and New York for almost 10 years. Flying is an exhilarating experience, and I’m grateful to be able to learn and perform on the ring. It’s a careful balance of risk, adrenaline, safety and a workout—I couldn’t recommend it more.

Event Spotlight: IAB Public Policy & Legal Summit

Loeb & Loeb is proud to have sponsored the IAB Public Policy & Legal Summit on June 8, 2022, where Jessica Lee, Chair, Privacy, Security & Data Innovations, spoke. View event.

A Privacy and Employment Law Primer: Recent Updates on Discrimination and Privacy Implications of Technology in the Workplace

Employers have increasingly used technology in the workplace to monitor and evaluate applicants and employees. These tools range from systems that monitor employee activity on electronic devices to artificial intelligence (AI) that assesses job applicants or evaluates employee work product. As reliance on these technologies has proliferated in the past several years, state and federal lawmakers have responded with increased scrutiny of these technologies, focusing in particular on two areas—employee monitoring and the use of AI in the workplace. These technologies involve different but intersecting legal concerns, including workplace discrimination and privacy. Read the full alert.