Country profile: USA
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, takes a look at the biggest developments in the USA during 2021, and looks ahead at what 2022 might bring.
What happened in 2021?
The CCPA celebrated one year of enforcement and CCPA amendments
The California Attorney General ('AG') issued a report on the enforcement actions carried out under the California Consumer Privacy Act of 2018 ('CCPA') in 2020. The report included anonymised examples of the various enforcement actions taken by the AG's office over the past year, giving some insight to companies and practitioners. Violations investigated and enforced included:
- issues with privacy notices, including insufficient detail, too much legalese, a lack of an unequivocal statement regarding the absence of a 'sale', or a missing toll-free phone number;
- missing 'Do Not Sell' link and other issues regarding honoring the opt-out of sale;
- issues with service provider agreements;
- failing to respond to consumer requests in a timely manner;
- failing to post a notice of financial incentive; and
- issues with notices at collection on digital properties and physical locations.
In addition, California passed a few small amendments to the CCPA as well as a bill that would make it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorised person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.
Virginia and Colorado passed comprehensive privacy laws
Virginia and Colorado join California as the only U.S. states with comprehensive data privacy laws with Virginia's Consumer Data Protection Act ('CDPA') and the Colorado Privacy Act ('CPA').
The laws take after the CCPA in many ways including:
- enhanced transparency requirements for one's privacy notice;
- consumer rights including: access, deletion, and opt out of sale; and
- requirements for flowing data privacy obligations downstream to service providers.
The laws have unique aspects that include:
- special obligations for sensitive information;
- requirements to conduct Data Privacy Impact Assessments; and
- requirements for the processing to be 'necessary and proportionate'.
AI and algorithmic transparency
In 2021 the Federal Trade Commission ('FTC') issued its consent order on Everalbum, Inc. dealing with facial recognition.
Notably, the order requires the company to refrain from using any biometric information to:
- create Face Embeddings (data, such as a numeric vector, derived in whole or in part from an image of an individual's face); and
- train, develop, or alter any facial recognition model or algorithm without notice and consent.
The FTC ordered the company to delete all photos as well as all face embeddings derived from biometric information collected from users who have not provided consent. This brought to the forefront the complex issues with the use of artificial intelligence ('AI') and facial recognition. To this were added some privacy bills targeting algorithmic transparency, including the Algorithmic Justice and Online Platform Transparency Act of 2021, which would prohibit harmful algorithms and increase transparency into websites' content amplification and moderation practices. The FTC also indicated that it will issue rulemaking on privacy and AI.
GLBA Safeguards Rules got amended and expanded
The proposed amendment to the Standard for Safeguarding Customer Information ('the Safeguards Rule') under the Gramm-Leach-Bliley Act of 1999 ('GLBA') was passed in 2021 and was effective from 10 January 2022. The rule expands the definition of the term 'financial institution' to which the law applies and includes the 'finder' option which makes many more institutions subject to it.
The amended rule includes:
- detailed requirements for an information security program;
- new requirements for accountability such as a person in charge of compliance;
- some exemptions for small businesses; and
- additional requirements for risk assessments.
Massachusetts Right to Repair law litigation ongoing
In 2020, Massachusetts passed a law requiring that, commencing with model year 2022, vehicles sold in Massachusetts using telematics systems should be equipped with 'an inter-operable, standardized and open access platform' that will enable customers and independent repair shops to access mechanical data from those systems. This law was challenged in litigation in 2021, which is ongoing. The lawsuit alleges that the law is unenforceable because it conflicts with Federal law and makes personal driving data available to third parties with no safeguards to protect core vehicle functions and consumers' private information or physical safety.
FTC guidance on health app data
Even information which is not subject to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') may have enhanced requirements regarding breach notifications under the FTC Health Breach Notification Rule. The FTC issued guidance that organisations using 'health applications and connected devices' to 'collect or use' consumers' personal health information must comply with the cybersecurity, privacy, and notification mandates of the Health Breach Notification Rule.
The race for state privacy laws picked up steam in 2021. More than 20 states introduced over 30 bills in 2021. These bills are in some ways similar to the CCPA, but differ in many aspects, often including elements from the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). We see this trend continuing in 2022.
What do we have in store for 2022?
More emphasis on good disclosures and consumer choice
The FTC has been vocal about this, and it can also be read between the lines of the California AG's one-year enforcement report. It is time to 'stay away from the "may"'. Gone are the days of vague privacy notices leaving much to the imagination. Roll on specific disclosures, in plain language, that your audience can understand and that give a good picture of what is going on with the data.
Necessary and proportionate - more obligations on the controller/businesses
The new US laws already include a requirement for the business to conduct an analysis, at the start of the processing, to ensure that the collection of information and its use is 'necessary and proportionate'. Now, the FTC has published statements explaining the issues with relying solely on 'notice and consent' and putting all of the responsibility on the individuals and stated that it would initiate rulemaking imposing some 'top down' obligations on the processors of the information to decide, at the outset, whether this is a proper, ethical use of the information.
Dark patterns – out
The FTC and the California AG are putting an emphasis on addressing the use of dark patterns. Companies should stay away from designs intended to improperly influence the behaviour of individuals, both specifically as regulated by the CCPA (the opt out of sale cannot be designed as a 'dark pattern') and generally as discussed by the FTC in the overall design of your interactions with people's data.
Profiling and AI
The use of automated technologies and AI in various life functions is picking up speed and getting regulator attention. A new law passed in New York regulates the use of AI in the employee hiring process (similar to an existing Illinois law). The use and significance of profiling is addressed in the California Privacy Rights Act of 2020 ('CPRA') and is one of the topics to be addressed in the CPRA Regulations currently being formulated by the California Privacy Protection Agency ('CPPA'). It will be interesting to see the direction of the regulation, whether it takes after Article 22 of GDPR, and how it has been interpreted to date.
Cookies and 'Do Not Sell'
The topic of browser-based consents will get more attention in 2022, as this is also one of the key topics out for public consultation for the forthcoming CPRA Regulations.
The use of biometric data, both in the employer-employee context and to analyse the behaviour of customers, is picking up attention. We have seen an uptick in lawsuits under the Biometric Information Privacy Act of 2008 ('BIPA') in a number of contexts, from the traditional 'time clock' to smart toothbrushes, to identification for doing your taxes or boarding a flight, to driver monitoring technology.
With new biometric bills popping up in Maryland, New York, and Kentucky, additional states may join the fray for even more litigation on this subject. The solution: a privacy notice that addresses the collection of biometric data, consent from the individuals, and policies and procedures for retention and disposal of the biometric data.
The incoming California regulator, the CPPA, commenced its pre-rulemaking process and issued an invitation for comments on rulemaking regarding key issues for the CPRA. The issues include:
- processing that presents a significant risk to consumers' privacy or security;
- cybersecurity audits and risk assessments performed by businesses;
- automated decision making/profiling;
- scope and process for the agency's audit authority;
- consumer rights to delete, correct, and to know (including requests, and exemptions for businesses from responding);
- the right to opt out of sale;
- the right to limit the sharing of sensitive information;
- specific pieces of information in response to a right to know request; and
- definitions and categories (including unique identifiers, intentional interaction, precise geolocations, and dark patterns).
The CPPA received numerous comments, spanning approximately 900 pages with varying opinions and suggestions. We are anxiously awaiting word on the progress of the rulemaking, and the commencement of enforcement of the CCPA by the CPPA.
It is only two months into 2022 and we have already seen nearly 20 states file more than 30 data privacy bills. The bills are all generally based on the CCPA, the Washington Privacy Act, Virginia's CDPA, and/or Colorado's CPA (with the exception of Nebraska and DC, which are modeled after the Uniform Law Commission's (ULC) Uniform Personal Data Protection Act), but with many differences in definitions, private right of action, scope of adoption of terms, concepts from the GDPR, etc. It is expected that between six and 15 states will manage to pass their privacy bills in 2022, definitely making things interesting.
Privacy Shield 3.0?
The world is anxiously following developments coming from the EU in the aftermath of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), which invalidated the European Commission's EU-US Privacy Shield Decision, a cross-border data transfer mechanism used by thousands of US-based companies, and imposed very onerous requirements on those companies that wish to use the alternative transfer method, the Standard Contractual Clauses, when transferring personal data to the U.S.
We have been seeing a lot of enforcement actions out of Europe effectively prohibiting (or at least making very difficult) the use of certain US-based cloud service providers. At issue are US data surveillance laws, and chief among them, Section 702 of the Foreign Intelligence Surveillance Act of 1978 ('FISA'). Over 2021, the US Department of State and the European Commission have been busy trying to reach an agreement that would provide a solution for the data transfers from Europe while addressing the Schrems II Case's decision on the matter. Recently, Didier Reynders, the European Commissioner for Justice, expressed optimism that a solution, colloquially dubbed 'Privacy Shield 3.0', would be reached, potentially by the summer of 2022.
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia