Category: Legislative Developments & Trends

Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Colorado Attorney General Announces Adoption of Amendments to Colorado Privacy Act Rules + Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

Colorado Adopts Amendments to CPA Rules

The Colorado Attorney General announced the adoption of amendments to the Colorado Privacy Act (“CPA”) rules. The rules will become effective on January 30, 2025. The rules provide enhanced protections for the processing of biometric data as well as the processing of the online activities of minors. Specifically, companies must develop and implement a written biometric data policy, implement appropriate security measures regarding biometric data, provide notice of the collection and processing of biometric data, obtain employee consent for the processing of biometric data, and provide a right of access to such data. In the context of minors, the amendment requires that entities obtain consent prior to using any system design feature designed to significantly increase the use of an online service of a known minor and to update the Data Protection Assessments to address processing that presents heightened risks to minors. Entities already subject to the CPA should carefully review whether they may have heightened obligations for the processing of employee biometric data, a category of data previously exempt from the scope of the CPA.


Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

A proposed settlement in the Clearview AI Illinois Biometric Information Privacy Act (“BIPA”) litigation is facing opposition from 22 states and the District of Columbia. The Attorneys General of each state argue that the settlement, which received preliminary approval in June 2024, lacks meaningful injunctive relief and offers an unusual financial stake in Clearview AI to plaintiffs. The settlement would grant the class of consumers a 23 percent stake in Clearview AI, potentially worth $52 million, based on a September 2023 valuation. Alternatively, the class could opt for 17 percent of the company’s revenue through September 2027. The AGs contend the settlement doesn’t adequately address consumer privacy concerns and the proposed 39 percent attorney fee award is excessive. Clearview AI has filed a motion to dismiss the states’ opposition, arguing it was submitted after the deadline for objections. A judge will consider granting final approval for the settlement at a hearing scheduled on January 30, 2025. 

To read more articles from the January 2025 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Proposed Amendments to Colorado Privacy Act Rules + Landmark Ruling on Retroactive Application of BIPA Amendments

Colorado AG Releases Revisions to Draft Colorado Privacy Act Rules

The Colorado Attorney General’s Office released the second version of its proposed amendments to the Colorado Privacy Act rules. This round of revisions seeks to take into account concerns expressed through public input to the first draft of the amendments. The rules address two laws amending the Colorado Privacy Act that heightened protections for biometric data and children’s data that were signed into law in 2024. The amendments to the Colorado Privacy Act require businesses operating in Colorado to keep written policies on how they handle and dispose of biometric data and to provide consumers with notice of the collection of biometric information take effect July 1, 2025. The draft rules define the notice and consent requirements for biometric data, including notice and consent requirements for employees, contractors, and subcontractors. Amendments to the Colorado Privacy Act relating to children’s data take effect on October 1, 2025, and will require companies to use “reasonable care” to avoid harms to a consumer they know is under 18 and limit use and collection of minors’ data.


Blank Rome Secures Landmark Ruling on Retroactive Application of BIPA Amendments

A Blank Rome team representing DNJ Intermodal Services LLC prevailed in striking the complainant’s prayer for relief, which sought $1,000 or $5,000 for each of the thousands of times six plaintiffs allegedly had their hands scanned at work. Will County Judge Roger D. Rickmon found—perhaps the first among Illinois state judges—that a recent amendment to the Biometric Information Privacy Act (“BIPA” or “the Act”), which stipulates that a business collecting identical biometric data multiple times from the same person in violation of the law is liable for only a single violation, applies retroactively to claims that arose and were filed prior to August 2, 2024, the effective date of the Act. This landmark ruling shaves potential BIPA damages for most pending cases from astronomical damages of millions (or hundreds of millions) of dollars to $1,000 or $5,000 per person. The question of whether BIPA’s amendment applies retroactively is simmering in courts throughout the state of Illinois and is expected to eventually make its way up to Illinois’ Courts of Appeals and perhaps the Illinois Supreme Court. The Blank Rome team representing DNJ Intermodal Services LLC included Daniel SaeediRachel SchallerJeffrey N. Rosenthal, Amanda Noonan, and Gabrielle Ganze

To read more articles from the December 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Illinois Governor Signs the First Amendment to BIPA Since Its Passage 16 Years Ago

Daniel R. Saeedi, Rachel L. Schaller, and Gabrielle N. Ganze |

An amendment to Illinois’ biometric privacy law, the Illinois Biometric Information Privacy Act (“BIPA”) has finally become law. And, this amendment implements major changes to how damages accrue under BIPA.

Continue reading “Illinois Governor Signs the First Amendment to BIPA Since Its Passage 16 Years Ago”
Categories
Biometric Privacy Legal Landscape Legislative Developments & Trends

BIPA Amendments + FTC Warns Automakers

Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages

The Illinois Legislature approved Senate Bill 2979 (“S.B. 2979”) to amend the Biometric Information Privacy Act (“BIPA”). SB 2979 would limit the extent of potential civil penalties awarded under BIPA by clarifying that multiple collections of a person’s biometric identifier or biometric information using the same method of collection is considered a single violation of BIPA. Once signed, S.B. 2979 will overturn the Illinois Supreme Court’s interpretation of accrual of damages under BIPA in Cothron v. White Castle Sys., Inc., which held that separate BIPA claims accrued with each scan or transmission. SB 2979 further provides that BIPA’s “written release” requirement may be met by an electronic signature.

Senators Call on FTC to Investigate Automakers; FTC Issues Warning to Automakers

Senators Ron Wyden and Edward Markey issued a letter to the Federal Trade Commission (“FTC”) Commissioner Lina Khan requesting that the FTC investigate major automakers’ sharing of geolocation data in response to law enforcement requests. The letter follows an inquiry by Senator Wyden’s office, which asked the association representing automakers how their members respond to law enforcement requests for location information collected from vehicles. The letter alleges that several auto manufacturers do not require a warrant or court order to provide geolocation information to law enforcement as required by their pledge under the Consumer Privacy Protection Principles of the Alliance of Automobile Manufacturers and the Association of Global Automakers. Two weeks later, the FTC released a post to its Technology Blog reminding car manufacturers, and all businesses, that the FTC will take action to protect consumers against unfair and deceptive practices with respect to the collection, use, and sharing of data, particularly sensitive personal data such as geolocation and biometric data.

To read more articles from the June 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

Maryland Passes Unique and Operationally Challenging Privacy Law

Philip N. Yannella, Sharon R. Klein, Timothy W. Dickens, and Jason C. Hirsch |

Maryland recently became the fifth state in 2024—and the 17th U.S. state overall—to pass a comprehensive data privacy law. Effective October 1, 2025, the Maryland Online Data Privacy Act (“MODPA”) contains a number of unique provisions that govern the processing of sensitive and children’s data, among other things. These unique provisions, combined with the broad applicability of the law, makes MODPA one of the more operationally challenging privacy laws passed in the United States to date.

Scope and Applicability

MODPA applies to individuals that do business in Maryland or target services to Maryland residents and who, during the prior calendar year, either controlled or processed the personal data of at least 35,000 Maryland residents or controlled or processed the personal data of at least 10,000 Maryland residents and derived more than 20 percent of their gross revenue from the sale of personal data. The 35,000 threshold is 0.56 percent of Maryland’s total population of 6.18 million and is notably lower than other state privacy laws. Most U.S. states set a threshold for processing of 100,000 state residents. Only Delaware, with a population of 990,000, has a processing threshold as low as Maryland’s. The law also lacks a full exemption for non-profit institutions as well as institutions of higher education.

The relatively low threshold for compliance combined with the lack of familiar exemptions means that MODPA will likely trigger compliance obligations for a swath of institutions that haven’t had to comply with many other U.S. state privacy laws.

Read the full client alert on our website.

Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

The Oregon Consumer Data Privacy Act Takes Effect July 1, 2024

Gabrielle N. Ganze |

With its passage of Oregon Consumer Data Privacy Act (“OCDPA”), Oregon became one of 16 states to pass comprehensive data privacy laws.

Regulated Entities and Data

The OCDPA generally applies to any person who meets two requirements:

  1. conducts business in the state, or “provides” products or services to Oregon’s residents; and
  2. within a calendar year, controls or processes personal data of
    • 100,000 or more consumers, or
    • 25,000 or more consumers and also derives at least 25 percent of its gross revenue from selling personal data.

“Personal data” regulated by the Act broadly includes any “derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

The OCDPA imposes additional requirements for personal data that is considered “sensitive data.” Such data includes children’s data; genetic or biometric data; precise geolocation data; or data that “reveals a consumer’s” national origin, citizen or immigration status, racial or ethnic background, religious beliefs, mental or physical condition/diagnosis, sexual orientation, transgender or non-binary status, or status as a victim of crime. This definition of sensitive data is more expansive that other privacy statutes with its inclusion of categories such as transgender or non-binary status.

Continue reading “The Oregon Consumer Data Privacy Act Takes Effect July 1, 2024”
Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

Colorado Becomes the First State to Explicitly Protect “Neural Data”

Daniel R. Saeedi |

Colorado has amended its privacy statute, the “Colorado Privacy Act,” to explicitly protect “neural data.” The new amendment, signed into law by Governor Jared Polis on April 17, 2024, adds both “neural data” and “biological data” as defined terms under its umbrella of “Sensitive Data” to be protected in accordance with the statute, and which cannot be collected without first obtaining the consumer’s consent.

The new amendment defines “neural data” as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.” “Biological data,” which was a previously undefined term under the statue, now means “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions,” if the data is “intended to be used, singly or in combination with other personal data, for identification purposes.” The amendment further clarifies that “biological data” includes “neural data.”

Continue reading “Colorado Becomes the First State to Explicitly Protect “Neural Data””
Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

Is Your Business in Compliance with Washington’s New Data Privacy Statute?

Gabrielle N. Ganze |

Washington’s new data privacy statute, “My Health, My Data Act” (“MHMD” or the “Act”), officially became fully effective on March 31, 2024, for regulated entities under the Act, while small businesses have until June 30, 2024, to comply. The purpose of MHMD is to protect consumers’ personal health data not otherwise protected by federal regulation, such as HIPAA. Businesses should be familiar with Washington’s preexisting biometric privacy law, RCW 19.375, and recognize MHMD’s coverage is far more expansive. MHMD regulates the collection, sharing, selling, and processing of “consumer health data.” It applies to entities that conduct business in Washington as well as those that provide services or products to Washington.

Notably, the Act does not regulate the collection of employee data like other privacy statutes. However, the scope of MHMD’s regulation expands far beyond traditional health data and biometric data, which has been the focus of many other data privacy statutes throughout the country. Unlike Washinton’s biometric statute, MHMD can be enforced by private parties through a private right of action, in addition to the Attorney General. Consumers can sue for damages and other relief for violations of MHMD, which gives it the potential to spur class action litigation.

Continue reading “Is Your Business in Compliance with Washington’s New Data Privacy Statute?”
Categories
Biometric Privacy Legal Landscape Legislative Developments & Trends

Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages

Alex C. Nisenbaum |

Lawmakers introduced a bill to revise the Illinois Biometric Privacy Act (“BIPA”) that would, in part, change the manner in which violations of BIPA accrue.

The Illinois State Supreme Court ruled in Cothron v. White Castle Sys., Inc. “that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent” in violation of BIPA.

The proposed bill would change the accrual of violations so that each initial collection of a biometric identifier would amount to one violation, rather than under each scan or transmission. The change would significantly diminish the amount of statutory damages available for BIPA violations. Use of biometric data in the context of employee timekeeping may involve only one initial collection but several scans during a work day to clock in and clock out. Under the new bill, violations would no longer accrue for any of the scans beyond the initial collection. The bill also adds “electronic signature” to the definition of “written release” under the law.

To read more articles from the March 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Legal Landscape Legislative Developments & Trends

Montana Passes Law Regulating Facial Recognition Use by Police

Jason C. Hirsch |

Montana recently passed the Facial Recognition for Government Use Act (“FRGUA”), which permits state and local agencies, including law enforcement, to use facial recognition to look for suspects, victims of, or witnesses to serious crimes. However, FRGUA prohibits the use of “continuous” facial recognition and establishes human review and audit procedures to ensure compliance with the technology. FRGUA requires police to obtain a warrant to use facial recognition absent exigent circumstances. It also restricts the state motor vehicle division to set up facial recognition only with prior approval of the legislature.

In terms of disclosure, third-party vendors of facial technology and public agencies must have use and privacy policies for individuals. Finally, FRGUA imposes monetary penalties for negligent violations of the statute and grants the attorney general the authority to initiate enforcement actions.

To read more articles from the August 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.