Hashed & Salted | A Privacy and Data Security Update
Welcome to our latest issue of Hashed & Salted! The legislative activity at the state level continues unabated. As we predicted last month, Connecticut has become the next state to enact a comprehensive privacy bill.
Senate Bill 6, “An Act Concerning Personal Data Privacy And Online Monitoring,” passed both the state’s General Assembly and Senate last month, and was signed into law by Gov. Ned Lamont on May 12. The law will largely take effect on July 1, 2023, with additional obligations to recognize a universal opt-out becoming effective on Jan. 1, 2025.
At the same time as state legislatures across the country continue to debate comprehensive privacy bills, multiple regulators across the U.S.—and globally—are increasingly focused on children’s and teens’ privacy. No fewer than half a dozen federal bills that would amend or augment the Children’s Online Privacy Protection Act (COPPA) have been introduced in Congress in the past year, and in his March State of the Union address, President Joe Biden specifically called on federal lawmakers to “strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children[.]”
In the meantime, industry self-regulators are also focused on privacy for the under-18 set. The Center for Industry Self-Regulation (CISR), the BBB National Programs’ nonprofit foundation, last month unveiled the “TeenAge Privacy Program (TAPP) Roadmap.” While COPPA and the Children’s Advertising Review Unit (CARU), the COPPA safe harbor program run by the BBB, address the online privacy of children 13 and under, until now no self-regulatory guidance has focused on the online privacy of teenagers.
In this issue, associate Ryan Gallagher takes a deep dive into the security issues in blockchain-based technologies like cryptocurrencies, utility and non-fungible tokens, and decentralized networks.
In our second article, associate Melaina Jobs examines web harvesting in the context of the Ninth Circuit’s recent decision in hiQ Labs, Inc. v. LinkedIn Corp. And in our team member spotlight, Jessica Lee, Chair of Loeb’s Privacy, Security & Data Innovations practice, shares her views on the broadening of privacy concerns in the U.S., beyond consumer privacy and online ad targeting—and how she took a short detour at the beginning of her legal career.
In This Issue
- Crypto, Blockchain and the Promise of Web3: Managing the Risk in Emerging Technologies
- Ninth Circuit Provides Path Forward for Web Scraping of Public Data
- Team Member Spotlight: Jessica Lee, CIPP/US, CIPP/E, CIPM, Chair, Privacy, Security & Data Innovations
- Event Spotlight: “Vetting Your Privacy Tech” at Programmatic IO
- In Case You Missed It: FTC and CARU Compel COPPA Compliance From Healthy Eating Company and Smartwatch Maker
Blockchain-based technologies like cryptocurrencies, utility and non-fungible tokens, and decentralized networks are demanding more attention than ever. Over the last decade, cryptocurrency has evolved from facilitating underground dark web markets, to enabling unregulated capital raise programs during the Initial Coin Offering frenzy, and it is now emerging as a fundamental component of Web3 and its integrated digital economies. While serious questions about scalability, security and the regulatory landscape remain, many businesses may soon find undeniable value in these technologies. Read the full alert here.
In hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit considered whether the Computer Fraud and Abuse Act (CFAA) could be invoked to preempt state law claims arising out of the web scraping of publicly available data from a website owned by another entity. Unlike other circuit courts, the Ninth Circuit took a narrow view of the CFAA, concluding that hiQ “raised serious questions” about whether LinkedIn may invoke the CFAA to preempt hiQ’s state law claims. Read the full alert here.
Team Member Profile: Jessica Lee, CIPP/US, CIPP/E, CIPM, Chair, Privacy, Security & Data Innovations
How did you develop your area of focus?
I started as the only associate in the New York office of Loeb’s Advertising, Media & Technology practice, where most of our clients were using or starting to use data in connection with their advertising or marketing campaigns. Privacy was part of my practice, but this was well before the GDPR, the CCPA and the rest of the alphabet soup of comprehensive privacy laws were on the books. I learned the business and transactional side of the industry, and as the patchwork of privacy laws grew, I began to focus my practice almost exclusively on privacy. I now support clients across a number of industries that view data as a critical business asset.
I think the U.S. is starting to fully realize the impact of privacy on the preservation of civil rights and civil liberties. That connection has always existed, but I think we have been focused on the consumer protection aspect of privacy (whether practices were transparent and reasonable and otherwise complied with legal obligations) in the U.S. Outside certain legal frameworks, it has been hard to identify privacy “harms,” which means that it can be difficult to establish standing in federal court or obtain damages for privacy violations under statutes that do not provide for statutory damages. However, I think regulator and individual attention is starting to focus on the impact of facial recognition tools, the role of bias in AI and the ability of law enforcement to access online activities, among other developments. I think that people are starting to understand that the need for privacy goes well beyond concerns about why an ad for shoes follows you around online.
What’s one thing most people would be surprised to know about you?
I took six months off between my first law firm job and my clerkship and worked in film. I produced a short and a feature-length film (the feature received distribution), and I helped start an online film distribution platform for indie films (which is out of business today). I made $60 in real money and thousands in deferred fees, which I have yet to collect. Thankfully, I didn’t quit my day job and stuck with the law once my clerkship began.
Jessica Lee, Chair of Loeb’s Privacy, Security & Data Innovations practice, will be a panelist for “Vetting Your Privacy Tech,” May 24, during Programmatic IO, held May 23 – 25 in Las Vegas. View event here.
In Case You Missed It: FTC and CARU Compel COPPA Compliance From Healthy Eating Company and Smartwatch Maker
For the ‘In Case You Missed It’: Two regulatory authorities recently took enforcement actions against two very different companies in the area of children’s privacy rights. The outcomes reached—one of which includes a $1.5 million penalty and the deletion of “tainted” data—signal that the regulatory and self-regulating entities intend to continue prioritizing enforcement of COPPA. Read full alert here.
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.