Photo of Matthew Cin

On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.

Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act

On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.

The ICDPA is largely business friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, practice purpose limitations or data minimization, and businesses have a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.

Continue Reading Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law

On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day to 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violations

Continue Reading BIPA Ahead: A New Ruling Introduces a Staggering Depth Beneath the Tip of the BIPA Iceberg

We’ve been closely watching the evolution of telemarketing laws since the Supreme Court’s 2021 decision in Facebook v. Duguid, which held that most modern dialing systems are not autodialers—or “automated telephone dialing systems” under the Telephone Consumer Protection Act (TCPA).  The Facebook decision led to a flurry of legislative activity at both the state and federal levels. Florida and Oklahoma enacted state-level statutes that have been interpreted to cover modern dialing systems, and Georgia, Washington, Michigan and other states have considered similar legislation. At the federal level, a new bill was proposed in July 2022 that would have amended the TCPA to cover 21st century dialing technologies—not just those using a random or sequential number generator. The federal bill has not made any meaningful progress, but a recent request from FCC Chairwoman Jessica Rosenworcel may prompt the legislature to act.

Continue Reading Game of Phones: Revisiting the Autodialer

In the wake of the Supreme Court’s 2021 decision in Facebook v. Duguid—which held that most smartphones and similar modern technology do not qualify as “automated telephone dialing systems,” under the Telephone Consumer Privacy Act (TCPA)—there has been a spike in state legislative activity aimed at strengthening local telemarketing laws. Florida’s Telephone Solicitation Act (FTSA) became the first state telemarketing law of its kind on July 1, 2021. The FTSA, which does not clearly define the types of automated technology covered by the statute, creates room for a broader interpretation of the types of devices that can qualify as regulated dialing technology. Oklahoma has now become the next state to enact such legislation, the Oklahoma Telephone Solicitation Act (OTSA), which largely mimics the FTSA and came into effect on November 1, 2022.

Continue Reading Oklahoma’s New Restrictive Telemarketing Law: Could Other States Be Next?

Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.

Continue Reading First-Ever BIPA Trial – Jury Awards Staggering $228M in Damages

Last week, a group of U.S. House of Representatives Democrats introduced the RoboText Scam Prevention Act (“RSPA”). If passed, the bill would amend the Telephone Consumer Protection Act (“TCPA”). As predicted in the wake of the Supreme Court’s decision in Facebook v. Duguid, the RSPA is Congress’s attempt to clarify the TCPA by proposing modernizations that would address 21st century dialing technologies that were not in place when the law was first passed, but the bill’s broad definitions could create more confusion than clarity if it is passed without further changes.

Continue Reading Newly-Proposed TCPA Amendment Could Lead to Expansive Coverage

At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:

Continue Reading Recent Activity from the California Privacy Protection Agency

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

Artificial Intelligence (AI), including machine learning and other AI-based tools, can be effective ways to sort large amounts of data and make uniform decisions. The value of such tools has been embraced by some employers as an efficient way to address current increased hiring needs in the current job market. The use of artificial intelligence () as an aid to employers in making employment decisions—e.g., recruitment, resume screening, or promotions—has been on the radar of lawmakers and regulators in recent years, particularly out of concern for the risk that these tools may mask or entrench existing discriminatory hiring practices or create new ones. For example, some workers have filed charges with the Equal Employment Opportunity Commission (EEOC) based on alleged discrimination that resulted from employers’ use of AI tools, leading the EEOC to establish an internal working group in October 2021 to study the use of AI for employment decisions. Elsewhere, a bill addressing the discriminatory use of AI was proposed in Washington, DC in late 2021, and Illinois enacted one of the first U.S. laws directly regulating the use of AI in employment-related video interviews in 2019. In contrast, a bill proposed in California in 2020 suggested that AI could be used in employment to help prevent bias and discrimination.

On November 10, 2021, the New York City Council passed the latest such bill, which places new restrictions on New York City employers’ use of AI and other automated tools in making decisions on hiring and promotions. The measure—which takes effect on January 2, 2023—regulates the use of “automated employment decision tools” (AEDTs) which it defines as computational processes “derived from machine learning, statistical modeling, data analytics, or artificial intelligence” that issue a “simplified output” to “substantially assist or replace” decision-making on employment decisions (i.e., hiring new candidates or promoting employees). Under the new law, employers and employment agencies are barred from using AEDTs to screen candidates unless certain prerequisites are met. First, the AEDT must be subject to a bias audit within the last year. Second, a summary of the results of the most recent audit, as well as the distribution date of the AEDT, must be made publicly available on the employer’s or employment agency’s website. The law describes this “bias audit” as “an impartial evaluation by an independent auditor” which “shall include, but not be limited to” assessing the AEDT’s “disparate impact on persons” based on race, ethnicity, and sex.

Continue Reading NYC Law Aims To Reduce Bias Introduced by AI in Employment Decisions