Hashed & Salted | A Privacy and Data Security Update
Welcome back to Hashed & Salted!
We are excited to be back for Volume 2 of our newsletter with deep dives and insights into the key privacy issues facing companies today.
At the beginning of the year, I was reading predictions for the advertising and media companies for 2023. One prediction suggested that the focus on privacy is basically “over.” The industry knows what to expect now, so privacy won’t be such a big issue this year.
If you ask me, that could not be further from the truth.
As I look ahead to the privacy road map for 2023, I see two distinct parts: what we know and what we don’t (yet) know. What we know is that five states have comprehensive privacy laws going into effect this year. Two of those states—Colorado and California—will enact significant packages of regulations that will add color to the statutory requirements. These are just two of many examples where the regulations will impact adtech. This is also the first year that the United States will have an agency dedicated to enforcing privacy regulations (and one that intends to monitor and regulate marketplace behavior very closely). At the federal level, the Federal Trade Commission (FTC) will continue to be active, setting an aggressive privacy agenda that includes the potential for personal liability for executives.
And then there is the unknown side of the road map. Dozens of states are considering comprehensive privacy laws at the moment, some of which include requirements to obtain opt-in consent for personalization or targeted advertising, opt-in consent to use sensitive information, rules around automated decision-making, and default privacy settings for children’s data. While the odds are that one or two of these states will pass privacy laws this year, how many or which ones remains unknown.
We are also seeing new legal attacks on cookies and similar technologies in lawsuits alleging that the use of session replay cookies violates federal and state wiretapping laws, a new wave of Video Privacy Protection Act (VPPA) litigation focusing on the use of pixels in advertising videos, and the possibility that pixels on health care websites might be deemed to violate the Healthcare Insurance Portability and Accountability Act (HIPAA). At the same time, Congress is revisiting enacting a federal privacy law, but it is unclear whether that will make it over the finish line.
In short, adtech continues to be the target of scrutiny, much of which is driven by concerns around privacy.
Biometric data continues to be in the spotlight this year. In addition to the more than a dozen bills pending before state legislatures, the Illinois Supreme Court continues to define and strengthen the nation’s oldest biometric data law—the Biometric Information Privacy Act (BIPA). The state high court recently held that all claims for BIPA violations are subject to a five-year statute of limitations, reversing a ruling by an intermediate appellate court applying a one-year time limit for violations of the statute’s restrictions on profiting from and dissemination of biometric data. In another case, the state supreme court added additional teeth to BIPA, concluding that a claim under the statute accrues every time biometric data is unlawfully collected and disclosed instead of just the first time. With the potential for exponentially increasing the number of violations and a longer statute of limitations, these decisions open the door even wider for what could be record-breaking fines for companies that don’t strictly comply with the law’s requirements.
While it might sound nice to think that privacy is off the table for this year, companies should be aware that it isn’t going anywhere. If anything, it’s just getting more complex.
In this issue, Senior Counsel Robyn Mohr explores the trends in state privacy legislation, explaining not only the biometric data bills but also those aimed at children’s and teen’s privacy, social media, and comprehensive privacy protection. We’ve also included an updated resource for mapping privacy requirements. And in our team member spotlight, we are highlighting Partner Chris Ott, a litigator in our data governance litigation and investigations practice, who joined Loeb in September. Chris took time from helping companies navigate the recent wave of litigation involving session replay cookies and similar technologies to talk to us about the lure of complex—and unsettled—areas of the law, and a previous job that might just be desirable today given the current high price of groceries.
In This Issue:
- Trends in 2023 State Privacy Regulations
- Mapping Privacy Requirements
- Team Member Spotlight: Chris Ott
- In Case You Missed It
- Event Spotlight
As attempts to pass federal privacy legislation failed (yet again) last year, state legislatures across the country have been actively introducing both comprehensive consumer privacy bills and more targeted privacy legislation (for example, bills focusing on areas like children’s privacy and social media platforms). By the end of February, nearly 20 state legislatures had introduced comprehensive consumer privacy legislation. Most bills include California Consumer Privacy Act (CCPA)-style rights, providing consumers with the ability to access, delete or correct their information as well as allowing consumers to opt out of “sales” and targeted advertising or requiring opt-in consent to process their sensitive information. We are starting to see different “flavors” of regulation emerging from the states, however.
Read more here.
This guide addresses the privacy requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (including all amendments) (CCPA), the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), Colorado’s Colorado Privacy Act (CPA), Utah’s Consumer Privacy Act (UCPA) and Connecticut’s Data Privacy Act (CTDPA).
In This Guide:
- Effective Dates
- Other Consumer Rights
- Business Obligations
- Processor Obligations
Read more here.
How did you develop your area of focus?
I have always chased complexity. That attraction led me to be interested in high-tech, high-stakes business litigation, which in turn drew me to data security conflicts, investigation and litigation.
What’s exciting you/grabbing your attention right now?
The law is very unsettled when it comes to privacy and data security liability. There are a lot of opportunities to be aggressive and add value for clients.
What’s one thing most people would be surprised to know about you?
In another life, I was a Vail ski instructor. I also put myself though college by working on a chicken farm. And, I’m ambidextrous.
When the FTC announced a December settlement with the maker of popular video game Fortnite, the headline was the $520 million penalty Epic Games Inc. agreed to pay for allegedly violating the privacy of children under the age of 13 and teens between the ages of 13 to 17, and for using deceptive website interface design practices. But beyond the record-smashing penalty, the two settlements raise important questions about the current legal framework for protecting the privacy of both children and teenagers.
Read our alert on the Epic Games settlement here.
Jessica Lee, chair of the firm’s Privacy, Security & Data Innovations practice, took the stage at IAB Tech Lab’s REARC: Build For Privacy Series Feb. 16 to present the panel “Navigating the Privacy, Legal, and Compliance World in 2023.” Read about the event here.
Loeb & Loeb LLP is proud to sponsor the IAB Policy & Legal Summit taking place on April 3, 2023, where Senior Counsel Robyn Mohr will be speaking on the panel “Trends in Enforcement of Federal Privacy Laws.” Read more about the event here.
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest.