January 2023 AFS Privacy Report: Colorado Department of Law Issues Updated Draft CPA Rules

Headlines that Matter for Privacy and Data Security.

US News

Colorado Department of Law Issues Draft CPA Revisions

On December 22, the Colorado Department of Law issued updates to the draft Colorado Privacy Act (CPA) rules. These revisions build on written comments and feedback from the stakeholder session held in mid-November 2022. The revisions include definitions of key terms such as “controller,” “employee,” “employer,” “noncommercial purpose,” and “personal data.” The new draft includes the requirement that communications to consumers be “straightforward and accurate, and must not be written or presented in a way that is unfair, deceptive, false or misleading.”

The revisions include additional guidance for controllers on how to treat personal data archived or on backup systems. They also include illustrative examples of balancing the needs of the controller and the rights of the consumer; for example, how to balance the controller’s need to protect trade secrets and the consumer’s right to data portability. The revisions modify the required and detailed content of data protection assessments and provide important considerations for freedom of speech and enforcement actions involving the press. The proposed revisions can be found here. Interested parties can continue providing feedback here and attend the proposed draft rulemaking hearing on February 1, 2023. The registration link can be found here.  

BIPA Suits Continue to Rise – Recent Targets include Five Guys and Wella

A new purported class action lawsuit in Illinois alleges that the burger chain Five Guys violated the Illinois Biometric Information Privacy Act (BIPA) in connection with requiring employees to submit finger scans when clocking into work. BIPA requires that covered entities develop and publish written policies regarding the retention and destruction of biometric information, obtain informed written consent to collect that information, and destroy the information when the initial purpose for its collection is satisfied or after three years, whichever comes first. Five Guys allegedly failed to follow these requirements and is now facing potential statutory penalties of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation. The lawsuit alleges that Five Guys employed more than 100 employees during the relevant timeframe. The case is Greenwood v. Five Guys Operations, LLC, N.D. Ill., No. 22-cv-07169, December 20, 2022. The complaint can be found here.

Five Guys is not the only company facing a new BIPA suit. Wella, a cosmetics company, is facing a proposed class action in Illinois federal court. Wella’s Virtual Hair Dye Try-On tool allegedly collected users’ biometric information without obtaining the required written consent from users. The company also allegedly failed to inform users how long their biometric information would be stored and when it would be destroyed. The case is Shores v. Wella Operations US LLC, case number 1:22-cv-07152, in the US District Court for the Northern District of Illinois. The complaint can be found here.

Since the law was passed in 2008, BIPA’s application has been sporadically clarified by courts. The Illinois First District Appellate Court is the latest body to provide guidance for companies that collect biometric data as part of their products or services. In a recent case involving a tech company, the Court decided that the privacy requirements of BIPA were not triggered because customers voluntarily provided their biometrics for optional features, their data was stored locally on their own devices, and the company did not collect or store the biometric information on separate servers. This resulted in a win for the tech company and provided important guidance for businesses looking to avoid BIPA penalties. The decision can be found here.

These suits come after a November decision from the Second District Appellate Court of Illinois that held that data retention policies are required at or before the first collection of biometric information. The case is Mora v. J&M Plating, Inc., 2022 IL App (2d) 210692, 2022 WL 17335861 (2022).

Our BIPA Class Actions – 2022 Round-Up summarizes the year’s BIPA litigation highlights.

FTC Releases Updated Mobile Health App Tool

On December 7, 2022, the Federal Trade Commission (FTC) released an updated Mobile Health App Interactive Tool. The tool is used by app developers who collect and process health data to access guidance on applicable federal laws and regulations. The tool covers topics such as the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act. Importantly, the tool provides general guidance, not personalized legal advice. The updated tool can be found here. The FTC’s announcement can be found here.  

CPPA Board Provides Status Update on CPRA Rulemaking

On December 16, 2022, the California Privacy Protection Agency (CPPA) board met to discuss the status of the rulemaking in progress regarding the California Privacy Rights Act (CPRA). Assuming that the second round of public comments does not result in any additional changes to the proposed rules, it is possible that the proposed regulations released in November will become final and take effect as early as April 2023. In addition, a CPPA subcommittee proposed topics to the CPPA board for proposed rulemaking on risk assessments, cybersecurity audits, and automated decision-making early next year. Finally, the CPPA released a memorandum, found here, providing recommendations on responding to, and making, legislative proposals. Meeting materials can be found here.

FTC Fines Epic Games $520 Million for Privacy Violations

On December 19, 2022, the FTC announced that Epic Games, Inc., had agreed to pay $520 million for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule and for allegedly using “dark patterns” in its user interface. The announcement described two record settlements: (1) a $275 million penalty for Epic’s alleged violations of COPPA and the COPPA Rule, and (2) a $245 million refund to customers for its use of dark patterns, which were alleged to have steered customers into accidental purchases.

In addition to the record monetary relief, Epic is required to adopt changes to its default settings that will add affirmative consent to Fortnite’s purchasing interface and better protect user privacy.

Global News

European Commission Kicks Off Approval Process for the EU-US Data Privacy Framework

On December 13, the European Commission released a draft adequacy decision, which can be found here, for the European Union (EU)-US Data Privacy Framework. Adequacy decisions are a tool provided by the General Data Protection Regulation (GDPR) that legitimizes transfers of personal information from the EU to non-EU countries by providing protection for personal information. This decision, if ultimately adopted, would provide EU companies looking to transfer personal information to the United States with a new mechanism to validate their transfers. The draft adequacy decision is the latest development in this process since President Biden’s executive order in October. The executive order can be found here. The European Data Protection Board must next provide its opinion on the Framework, after which, if approved, the draft adequacy decision would need to be approved by a committee of EU member states as well as the European Parliament. The approval process is anticipated to run through the first half of 2023.

Denmark’s DPA Publishes Personal Data Guidance

Datatilsynet, Denmark’s Data Protection Authority, has released a cheat-sheet on protecting printed material which, in just a few bullet points, clarifies that the EU’s GDPR applies to printed material in addition to electronic data. The cheat-sheet is intended to be posted near printers to help organizations better comply with the GDPR. Datatilsynet also announced that more guidance regarding print and “removable” media was forthcoming in 2023 for those concerned with the GDPR’s treatment of data storage on USBs or other hard drives. The guidance is available here (in Danish only).

UK Department of Digital, Culture, Media, & Sport Outlines Online Safety Bill

The UK’s Online Safety Bill is still making its way through Parliament, but the Department of Digital, Culture, Media, and Sport (DCMS) has recently released a memo detailing the improvements to children’s Internet safety that the Bill promises to bring about. DCMS Secretary of State, Michelle Donelan, promised that the Bill would protect children from illegal and harmful content by holding popular social media platforms legally responsible for the content on their sites. Notably, the Bill seeks to hold companies responsible not only for illegal content, such as content involving self-harm (which the Bill categorizes as illegal for the first time), but also traumatizing or harmful content that is not explicitly illegal. The Bill also requires improved due diligence on companies’ age restrictions, including requiring that companies implement age checking measures for sensitive content. If the Bill is passed, social media giants would have to institute extensive new safety protocols to remain compliant and avoid hefty penalties. The Bill is available here.

Australia Passes New Privacy Bill

The Office of the Australian Information Commissioner (OAIC) announced the passing of the Privacy Legislation Amendment to enhance the OAIC’s ability to regulate privacy matters and protect Australian residents’ personal data. Of note, the Bill provides for increased penalties to bring the law more in line with the European General Data Protection Regulation. For further information, the OAIC announcement may be found here.

New Year Reminder

As we enter 2023, it is important to remember that new privacy laws are taking effect, including privacy laws in California (January 1, 2023), Virginia (January 1, 2023), Colorado (July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). On the international front, if your new contracts have not incorporated the revised Standard Contractual Clauses, the deadline was December 27.

Please contact the ArentFox Schiff Privacy Team if you would like compliance assistance.
