2019 Privacy Watchlist: the Year Ahead


Standing in Private Right of Action Cases

  Standing in data privacy cases has been a hot-button issue in courts for over a decade. Throughout this time, consumers and data subjects have continued to have a difficult time proving concrete injuries. One of the latest cases to be tossed out of court for lack of standing was last year’s Rivera v. Google.1 In Rivera, plaintiffs sued Google for violation of the Illinois Biometric Privacy Act (BIPA). The allegations were that Google failed to get the users’ consent before creating and using “face templates” through its facial recognition software. Google also did not disclose its policy for retaining and deleting biometric data. Plaintiffs further argued that a recent Google software bug gave outside developers access to the data of 500,000 Google+ users and put their data at risk for hacking. Judge Edmond Chang dismissed the suit for lack of standing, ruling that the users did not show that they’ve actually been harmed by Google’s practices or face the risk of harm from alleged violations.

  In contrast, on January 8, 2019, an Illinois District Court found sufficient standing in Browner v. Am. Eagle Bank.2 In Browner, Judge Joan B. Gottschall rejected a motion to dismiss the complaint, holding that a plaintiff’s allegations that a bank accessed her credit report from Trans Union without her consent and with no legitimate business reason to do so adequately allege a concrete injury, as opposed to a mere procedural violation of the Federal Credit Reporting Act.

  The two Illinois decisions do little to clarify the standard for finding a concrete injury where an individual’s data is accessed without authorization. Thus, perhaps the most important decision on the ground of standing is still ahead. Frank v. Gaos, a case in front of the United States Supreme Court, originally involved an approval of a cy pres settlement award with Google.3 A cy pres award is a mechanism of distributing settlement proceeds to non-profit organizations as opposed to the injured parties in a class action, because the amount of money distributed to aggrieved individuals would be negligible due to the size of the class. At oral argument on October 31, 2018, however, the Court focused on whether it even has standing to decide the issue in light of precedent in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), which requires a concrete and particularized injury. The Solicitor General appeared as amicus curiae4, supporting neither party, and argued at oral argument and in its supplemental brief that none of the named plaintiffs have Article III standing, because plaintiffs’ theories of harm rested on mere technical violations of the Stored Communications Act or other unduly speculative injuries.5 The Supreme Court is expected to issue its decision before the end of the term next June. It is possible, however, that the Supreme Court’s decision will not be the last for Frank v. Gaos, as it may pass on the opportunity to elaborate on its decision in Spokeo altogether and remand the case to the lower court, which in turn may leave the issue of cy pres unresolved, possibly further leaving this case on our watchlist for a long time.

Pending Legislation Before Congress

  Though legislators have been busy with various proposals, so far very little has been accomplished in the area of data privacy and security on the federal level. It is possible, however, that 2019 is the year we’ll see comprehensive federal legislation. In early November 2018, Senator Wyden introduced a sweeping federal privacy law reform bill entitled the Consumer Data Protection Act (“CDPA”).6 If passed, the CDPA would be run through the Federal Trade Commission, which then would be able to set and enforce a minimal privacy and security standard, create a Do Not Track database to allow consumers to opt out of third-party web sharing, and require companies to give consumers information on how their personal data is stored and used, among other actions. The bill also calls for enhanced punitive damages enforced by the FTC to a maximum of 4% of total gross revenue, a standard currently employed by GDPR. Further, the bill calls for annual privacy reports prepared by executives. This reporting provision is one of the most controversial provisions of the bill because it calls for criminal penalties on senior executives for submitting misleading information and disclosure failures with regard to privacy breaches. The bill proposes quite steep criminal penalties of up to 20 years in prison.

  The CDPA is not the only legislation currently pending before Congress. Several other, more focused bills were proposed. The CONSENT Act, or Customer Online Notification for Stopping Edge-provider Network Transgressions, requires web services to get opt-in and opt-out agreements to use personal data from users and to alert them when there’s been a data breach.7 The Data Care Act of 2018 would establish numerous consumer protections designed to address access and use of personal data online and prevent technology companies from knowingly doing harm to their users.8 The Social Media Privacy and Consumers Rights Act governs social media platforms and requires that the terms of service are written in clear language. The Act also requires that users be shown what information has been collected about them and be given greater access to control the collected data. The Act further requires opt-out capabilities from data tracking. Additionally, the Act would have breach notification requirements and make privacy programs a requirement for online platforms.

FTC Enforcement and Regulation

  On September 13, 2018, the Federal Trade Commission (“FTC”) opened a series of hearings on Competition and Consumer Protection.9 At the hearings’ opening address, FTC Chairman Joseph Simons stated that a goal of these hearings was to make sure that the FTC was involved in discussions about these challenges and to make sure “policy and enforcement decisions [are] based on the best evidence and analysis.”10 These hearings will play an important role in informing the Commission and setting its enforcement agenda over the next few years. The FTC also announced that it would dedicate four days of hearings in December 2018 and February 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.11 Public comment was invited on various specific questions to be discussed at the February event. This comment period closed on December 21, 2018. Additionally, the FTC welcomed comments on data security and privacy hearings until March 13, 2019. According to the Commission, it will be the first comprehensive re-examination of its approach to consumer privacy since 2012.

State Consumer Privacy Legislation

  Last year California passed the California Consumer Privacy Act (“CCPA”), which allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers as well as the source of that information and business purpose for collecting the information. CCPA provides that consumers may request that a business delete personal information that the business collected from the consumers. It also provides that consumers have the right to opt out of a business’s sale of their personal information and prohibits a business from discriminating against consumers who opt out. Moreover, CCPA creates a private right of action for violations of the act.12 The law takes effect in 2020 and, having been rushed through the legislature, may still undergo a number of amendments in the near future. California has long been a pioneer in privacy and data protection regulation, and more states may follow suit in passing their own versions of consumer data privacy laws, especially if comprehensive federal legislation ultimately fails to pass. A similar law to CCPA was already proposed in New Jersey.13

State Data Breach Notification Legislation

  As new data breaches were reported by the media nearly every day in 2018, states have been busy enacting new data breach notification laws and updating existing laws. Alabama and South Dakota were the last two states to enact breach notification laws.14 Thus, currently all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data breach notification statutes. With legislation in place, there is still plenty to watch for on the breach notification front. In 2018, Louisiana, Virginia, Oregon, Arizona and Iowa amended existing breach notification laws with things like explicit notification deadlines, regulator notification requirements, expanded PII definitions and credit monitoring requirements.15 More states may follow suit in 2019 and implement further amendments to their existing laws. Additionally, South Carolina and Vermont passed sector-specific data breach notification laws that both took effect on January 1, 2019.16 South Carolina’s new law applies to insurance carriers and Vermont’s new law applies to data brokers. In light of these laws, additional sector-specific data breach notification requirements are a realistic expectation in the coming year.


  1. Rivera v. Google, N.D. Ill., 16-cv-02614 (Dec. 29, 2018).

  2. Browner v. Am. Eagle Bank, 2019 BL 6822, N.D. Ill., No. 18-cv-1494 (Jan. 8, 2019).

  3. In re Google Referrer Header Privacy Litig., 869 F.3d 737 (9th Cir. 2017), cert. granted sub nom. Frank v. Gaos, No. 17-961 (U.S. Apr. 30, 2018).

  4. A total of 27 merits amicus briefs were filed in Frank v. Gaos making it one of the most examined cases in 2018. Adam Feldman, Empirical SCOTUS: Which Supreme Court cases are generating the most interest?, SCOTUSblog (Jan. 10, 2019, 10:15 AM).

  5. Frank v. Gaos, Supp. Br. of U.S., No. 17-961 (U.S. filed Nov. 2018).

  6. See https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf

  7. See https://www.congress.gov/115/bills/s2639/BILLS-115s2639is.pdf

  8. See https://www.congress.gov/115/bills/s3744/BILLS-115s3744is.pdf

  9. See FTC, “Hearings on Competition and Consumer Protection in the 21st Century,” available at: https://www.ftc.gov/policy/hearings-competition-consumer-protection.

  10. FTC, “FTC Announces Hearings on Competition and Consumer Protection in the 21st Century” (Jun. 20, 2018) available at: https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-hearings-competition-consumer-protection-21st?utm_source=slider.

  11. See FTC, “FTC Announces Sessions on Consumer Privacy and Data Security As Part of its Hearings on Competition and Consumer Protection in the 21st Century” (Oct. 26, 2018) available at: https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its.

  12. Assemb. Bill 375, 2017-2018 Reg. Sess., Ch. 55, Sec. 2 (Cal. 2018).

  13. To learn about a proposed consumer data privacy bill in New Jersey, see my earlier article here.

  14. Alabama (SB 318), South Dakota (SB No. 62).

  15. Louisiana (Act. No. 382), Virginia (HB 183), Oregon (SB 1551), Arizona (HB 2145), Iowa (HF 2354).

  16. South Carolina (H4655), Vermont (H. 764).