On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations
States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights. UOOMs, sometimes referred to as opt-out preference signals, are user enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt-out of certain target advertising (and potentially other uses of data discussed below). Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy law. New Jersey, which has recently enacted a comprehensive privacy law, includes an UOOMs requirement that, unique among state legislation, would extend the right to opt-out through UOOMs to include opting out of the use of automated decisionmaking technologies. Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states. Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.Continue Reading States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism
What has often been considered to be one of the most heavily litigated privacy laws over the last decade, the Telephone Consumer Protection Act’s (“TCPA”) applicability (or lack thereof) to many modern text message dialing technologies has been significantly curtailed as a result of the United States Supreme Court’s narrow definition of what constitutes an automatic telephone dialing system (“ATDS”) in Facebook v Duguid. However, this is still a very active area, and we expect 2024 to reshape the contours of TCPA litigation. In this post, we provide a summary of noteworthy developments in federal and state telemarketing privacy laws as well as our predictions on what may be around the corner in 2024.Continue Reading You Better Watch Out, You Better Not Cry…Telemarketing Changes Are Coming to Town in 2024
For the second day of data, we are taking a look around the world. The most significant new international data protection law of 2023 is probably India’s long-awaited comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act was enacted and notified in the Official Gazette on 11 August 2023. The law will not come into effect until the government provides notice of an effective date, which is still forthcoming, with different effective dates expected for different provisions. Last month, Rohan Massey, co-leader of Ropes & Gray’s data, privacy & cybersecurity practice, sat down with Sajai Singh, a partner at J. Sagar Associates in Bangalore, to discuss the law.Continue Reading Unpacking India’s Digital Personal Data Protection Act
On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act
On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.
The ICDPA is largely business friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, practice purpose limitations or data minimization, and businesses have a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.Continue Reading Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law
On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day to 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violationsContinue Reading BIPA Ahead: A New Ruling Introduces a Staggering Depth Beneath the Tip of the BIPA Iceberg
We’ve been closely watching the evolution of telemarketing laws since the Supreme Court’s 2021 decision in Facebook v. Duguid, which held that most modern dialing systems are not autodialers—or “automated telephone dialing systems” under the Telephone Consumer Protection Act (TCPA). The Facebook decision led to a flurry of legislative activity at both the state and federal levels. Florida and Oklahoma enacted state-level statutes that have been interpreted to cover modern dialing systems, and Georgia, Washington, Michigan and other states have considered similar legislation. At the federal level, a new bill was proposed in July 2022 that would have amended the TCPA to cover 21st century dialing technologies—not just those using a random or sequential number generator. The federal bill has not made any meaningful progress, but a recent request from FCC Chairwoman Jessica Rosenworcel may prompt the legislature to act.Continue Reading Game of Phones: Revisiting the Autodialer
In the wake of the Supreme Court’s 2021 decision in Facebook v. Duguid—which held that most smartphones and similar modern technology do not qualify as “automated telephone dialing systems,” under the Telephone Consumer Privacy Act (TCPA)—there has been a spike in state legislative activity aimed at strengthening local telemarketing laws. Florida’s Telephone Solicitation Act (FTSA) became the first state telemarketing law of its kind on July 1, 2021. The FTSA, which does not clearly define the types of automated technology covered by the statute, creates room for a broader interpretation of the types of devices that can qualify as regulated dialing technology. Oklahoma has now become the next state to enact such legislation, the Oklahoma Telephone Solicitation Act (OTSA), which largely mimics the FTSA and came into effect on November 1, 2022.Continue Reading Oklahoma’s New Restrictive Telemarketing Law: Could Other States Be Next?
Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.Continue Reading First-Ever BIPA Trial – Jury Awards Staggering $228M in Damages