Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.

For several years now, businesses operating in Illinois have become well accustomed to the myriad lawsuits being filed, and harsh and unwavering penalties being imposed, under Illinois’ Biometric Information Privacy Act (“BIPA”). Despite the toll on businesses imposed by the ever-increasing class action and appellate litigation brought on by the statute, other jurisdictions have enacted similar legislation.

As of January 1, 2021, Portland, OR and New York City have become the newest jurisdictions to pass laws placing restrictions on the collection and/or use of biometric technology by businesses. Although the Portland and New York City ordinances differ from each other (as well as BIPA) in significant ways, they each share a common feature: a private right of action. Accordingly, these new laws have the potential to bring on a rash of high-stakes class action litigation in each of these cities.

The specifics of each ordinance are detailed below:

Portland, OR

Portland’s ordinance bans private entities from using any “facial recognition technology” in any “places of public accommodation,” with limited exceptions, such as when it is necessary to comply with federal, state, or local laws, for individuals to access their smart devices (like facial recognition on iPhones) and for use in social media applications.

The ordinance creates a private right of action “against the Private Entity in any court of competent jurisdiction for damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater and such other remedies as may be appropriate,” as well as attorneys’ fees to a prevailing party.

While at first reading it may appear that the law only covers the use of facial recognition in public places, the ordinance is not so narrowly drafted. Private entities are subject to the ordinance if they constitute a “place[] of public accommodation,” which is defined in the ordinance to include “any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise” but excludes “an institution, bona fide club, private residence, or place of accommodation that is in its nature distinctly private.”

Accordingly, if a facility constitutes a “place of public accommodation,” then it could be liable for facial recognition technology employed anywhere in the facility regardless of whether it is public facing. Although a narrower reading of the statute may be more reasonable, courts in Illinois have routinely broadened the scope of BIPA and it is possible Portland courts would do the same.

New York City

New York City’s newly passed biometric privacy legislation has been pending before the city council for several years. Indeed, Seyfarth previously detailed this ordinance while it was still pending legislation.

The ordinance orders that “[a]ny commercial establishment” that collects biometric information from “customers” must disclose such collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language” that customers’ biometric information is being collected. The ordinance further makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

The law provides that individuals “aggrieved by” a violation of the ordinance may file a private right of action, but places some conditions on this right.

  • If the individual alleges the business collected their biometric information without making the required disclosures, the individual can only initiate a private action if they first provide written notice to the business of their intent to sue and provide the business 30 days to cure the violation by placing clear and conspicuous notice at their establishment. If the business does not cure within 30 days, the individual may sue and recover $500 for “each” violation.
  • If the individual alleges the business shared their biometric information in exchange for something of value or otherwise profited from the “transaction,” then the individual may sue without any prior notice to the business. The individual may recover $500 for “each” negligent violation of this section and may recover $5,000 for “each” intentional or reckless violation of this section.

Only the biometric information of “customers” is protected under the law and the law also makes clear that “‘customer’ means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”

*****

Businesses in Portland, OR, and New York City should be mindful of these new laws and act accordingly. Such businesses with compliance questions should contact a member of Seyfarth’s Biometric Privacy Compliance & Litigation Practice Group.

California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech.  However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process.  The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really?  To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant.  So, what’s changed, really? Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)

Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.

While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet. Continue Reading CJEU Invalidates EU-US Privacy Shield Framework

From court closures and the way judges conduct appearances and trials to the expected wave of lawsuits across a multitude of areas and industries, the COVID-19 outbreak is having a notable impact in the litigation space—and is expected to for quite some time.

To help navigate the litigation landscape, we are kicking off a webinar series that will take a look at what’s happening now and what to expect in terms of litigation practice and litigation trends in the months to come. The initial webinars detailed below will be supplemented by topic-specific programs that will take a deeper dive into the respective topics. Feel free to attend one or all, and please invite your colleagues.

Court Is “In Session”: The Post-Pandemic Courthouse

In the first installment of our Post-Pandemic Litigation Webinar Series, Seyfarth litigators from a variety of legal disciplines will examine the virtual courthouse in a post-pandemic world. Specifically, our presenters will address:

  • What is going on in courts across the country, and how/when are they rescheduling
  • How will state, federal, and bankruptcy courts run post-pandemic
  • Will we be able to have jury trials
  • How long this “new normal” is expected to last
  • Necessary tools needed to adapt and keep your cases moving forward
Moderator:

Scott Carlson, Partner, Seyfarth Shaw

Speakers:

Suzanna Bonham, Partner, Seyfarth Shaw
Gina Ferrari, Partner, Seyfarth Shaw
William Hanlon, Partner, Seyfarth Shaw
Scott Humphrey, Partner, Seyfarth Shaw

Tuesday, July 14, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Colleen Vest at cvest@seyfarth.com and reference this event.

New Era, New Litigation: Lawsuits You Can Expect in the Post-Pandemic Environment

During the second installment of our Post-Pandemic Litigation Webinar Series, our panel will provide high-level insights on what companies of all sizes can expect in terms of litigation as a result of COVID-19. Specifically, our presenters will address the high-level trends we are observing in the following areas:

  • Bankruptcy and Financial Services
  • Class Actions and TCPA
  • Commercial Litigation
  • Construction and Real Estate Litigation
  • Health Care, Life Sciences, and Pharmaceutical
  • Securities Litigation
  • Trade Secrets and Cybersecurity/Privacy
Moderator:

James McGrath, Partner, Seyfarth Shaw

Speakers:

Kristine Argentine, Partner, Seyfarth Shaw
Jesse Coleman, Partner, Seyfarth Shaw
Tonya Esposito, Partner, Seyfarth Shaw
Richard Lutkus, Partner, Seyfarth Shaw
Kate Schumacher, Partner, Seyfarth Shaw
Rebecca Woods, Partner, Seyfarth Shaw

Wednesday, July 22, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Danielle Freeman at dfreeman@seyfarth.com and reference this event.

Monday, California Attorney General Xavier Becerra submitted of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations. Continue Reading The CCPA Regulations Are Finally Here

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.) announced on Friday, May 1, a bill proposing the enactment of the “COVID-19 Consumer Data Protection Act,” which would apply to American health, geolocation, and proximity information.

This comes as various tech giants rush to develop an opt-in functionality or application that would allow users to trace their whereabouts to determine potential exposure to the deadly virus. The proposed Act aims to heighten protection for Americans’ data by imposing requirements on businesses similar to those seen in the CCPA and GDPR, such as providing notice to consumers at the point of collection regarding how data will be handled, how long it will be maintained, and to whom it may be transferred. Businesses would also need to allow consumers to opt out of the collection, processing, or transfer of applicable data under the Act. Further, businesses regulated by the FTC would be required to obtain affirmative consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for purposes of tracking the spread of COVID-19. We also see the concepts of data de-identification, data minimization, data security requirements, which all similarly sound very familiar.

While this proposed legislation applies only to health, proximity, and geolocation data, the burning question becomes whether, if enacted, this Act will pave the path toward Federal US Privacy Legislation.

While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence. Continue Reading Europe’s Privacy Law is Coming – Just Not Via California

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned.  This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis, and continue to work towards ensuring their compliance with the CCPA.  While Becerra has not yet published his final regulations on the Act, there are aspects of the regulations that we expect to be largely intact in their current form once the final regulations are out as a result of reviewing the three drafts General Becerra has already produced. Continue Reading What We Can Expect from the CCPA Regulations

In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.

With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.

It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.

Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements. Continue Reading Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers

The rush for California to get all of the “rules of the road” ready for next year has seemed to cause a bit of confusion with California’s privacy law. Draft regulations were published the same day the Governor signed into law a series of amendments to the underlying law. It is all a bit confusing, However, now that the Governor has signed the last raft of amendments, and the dust has somewhat settled, the question on everyone’s mind is: What changed in the California Consumer Protection Act (“CCPA”)? How does this effect the draft regulations that the Attorney General published?

Fortunately, there are a number of significant changes which help clarify the CCPA, as well as materially change the scope of the CCPA – even if the AG didn’t include some of these changes into the initial draft regulations announced earlier this month. The most impactful changes across industries are as follows:

Business employees

To start off, the issue of employee coverage under the CCPA has been a fractious one. On one hand, business has rightly claimed that the relationship with an employee is not the same as the relationship with a customer. On the other hand, privacy advocates have claimed that employees shouldn’t give up privacy rights just because they are employees. Continue Reading CCPA Amendments – What did California Actually Do?