On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.Continue Reading Pennsylvania Strengthens Data Breach Notification Law
Matthew Cin
In Law360, Matthew Cin Discusses the Implications of Illinois’s Biometric Information Privacy Act Reform
Ropes & Gray data, privacy & cybersecurity associate Matthew Cin spoke with Law360, about Illinois’s recent amendments to its Biometric Information Privacy Act (BIPA). Ever since it was enacted in 2008, BIPA, which can restrict companies from collecting and sharing biometric data without data subjects’ consent, has been a source of privacy-related litigation and…
Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas
On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas
FCC Provides Long-Awaited Clarification on Revocation of Consent
On April 4, 2024, the Federal Communications Commission (“FCC”) adopted new rules updating the Telephone Consumer Protection Act’s (“TCPA”) requirements regarding a consumer’s ability to revoke consent to receive calls and messages (collectively “messages”). Generally speaking, the TCPA in part restricts messages sent using an automated telephone dialing system absent the organization obtaining the necessary prior consent from the consumer. Importantly, the rules (1) further clarify the ways in which a consumer may revoke consent; (2) require that organizations honor requests within a reasonable time; and (3) clarify the process by which organizations can confirm the scope of a consumer’s request to revoke consent to receive further messages. We unpack these key developments in more detail below.Continue Reading FCC Provides Long-Awaited Clarification on Revocation of Consent
California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations
On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations
States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism
States have recently taken important steps toward implementing so-called “Universal Opt-Out Mechanisms” (“UOOMs”), which will provide consumers with a method for automatically exercising privacy rights. UOOMs, sometimes referred to as opt-out preference signals, are user enabled features, typically within the user’s browser or through a browser add-on, that send a signal to each website the user visits to communicate the user’s preference to opt-out of certain target advertising (and potentially other uses of data discussed below). Several states have adopted a requirement to honor UOOMs as part of their “comprehensive” privacy law. New Jersey, which has recently enacted a comprehensive privacy law, includes an UOOMs requirement that, unique among state legislation, would extend the right to opt-out through UOOMs to include opting out of the use of automated decisionmaking technologies. Businesses may struggle to implement technical solutions for responding to UOOMs, particularly if the specifications for UOOMs vary between states. Businesses should work with their IT teams or website providers to ensure they have developed solutions to comply, if they have not done so already.Continue Reading States Move Forward with Automated Privacy Opt-Out Signals; Colorado Approves First Universal Opt-Out Mechanism
You Better Watch Out, You Better Not Cry…Telemarketing Changes Are Coming to Town in 2024
What has often been considered to be one of the most heavily litigated privacy laws over the last decade, the Telephone Consumer Protection Act’s (“TCPA”) applicability (or lack thereof) to many modern text message dialing technologies has been significantly curtailed as a result of the United States Supreme Court’s narrow definition of what constitutes an automatic telephone dialing system (“ATDS”) in Facebook v Duguid. However, this is still a very active area, and we expect 2024 to reshape the contours of TCPA litigation. In this post, we provide a summary of noteworthy developments in federal and state telemarketing privacy laws as well as our predictions on what may be around the corner in 2024.Continue Reading You Better Watch Out, You Better Not Cry…Telemarketing Changes Are Coming to Town in 2024
Unpacking India’s Digital Personal Data Protection Act
For the second day of data, we are taking a look around the world. The most significant new international data protection law of 2023 is probably India’s long-awaited comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The DPDP Act was enacted and notified in the Official Gazette on 11 August 2023. The law will not come into effect until the government provides notice of an effective date, which is still forthcoming, with different effective dates expected for different provisions. Last month, Rohan Massey, co-leader of Ropes & Gray’s data, privacy & cybersecurity practice, sat down with Sajai Singh, a partner at J. Sagar Associates in Bangalore, to discuss the law.Continue Reading Unpacking India’s Digital Personal Data Protection Act
Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act
On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act
Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law
On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.
The ICDPA is largely business friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, practice purpose limitations or data minimization, and businesses have a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.Continue Reading Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law