Seyfarth Synopsis: The U.S. District Court for the Northern District of Illinois recently denied Plaintiff’s motion to reconsider a prior dismissal of his privacy action due to untimeliness.  In a case titled Bonilla, et al. v. Ancestry.com Operations Inc., et al., No. 20-cv-7390 (N.D. Ill.), Plaintiff alleged that consumer DNA network Ancestry DNA violated the Illinois Right of Publicity Act (“IRPA”) when it uploaded his high school yearbook photo to its website.  The Court initially granted Ancestry’s motion for summary judgment, finding Plaintiff’s claims to be time-barred under the applicable one-year limitations period.  Upon reconsideration, Plaintiff  – unsuccessfully – made a first-of-its-kind argument that the Court should apply the Illinois Biometric Privacy Act’s five-year statute of limitations to the IRPA.

Continue Reading Federal Court Rejects Application of BIPA Statute of Limitations to Privacy Act Violations
markus-spiske-gcgves5H_Ac-unsplash

With the passage of Senate Bill 262, Florida has become the latest state who has woken up to the political capital that a state privacy law can provide. And while we see a lot of the “usual suspects” which populate other state privacy laws (e.g. notice, consumer rights, collection and use restrictions, etc.) – which we have posted on frequently – Florida didn’t just look to privacy with SB 262.  It also addressed two other issues which seem to be on the mind of Governor DeSantis – government censorship of online social media platforms, and protection of a minor’s personal information.

Continue Reading Florida’s SB 262 – What Florida Thinks of Privacy (and more)
SG - ANA Webinar

On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar,  “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”

The webinar will address the recent surge in consumer class actions, compliance considerations, and recent developments in the law related to privacy claims, including TCPA and State Mini-TCPAs, the Video Privacy Protection Act, data breach claims, biometric privacy, and claims related to collection of data through google analytics tools, such as chat functions, pixels, and cookies. 

For more information and to register, click here.

test

You may have recently seen press reports about lawyers who filed and submitted papers to the federal district court for the Southern District of New York that included citations to cases and decisions that, as it turned out, were wholly made up; they did not exist.  The lawyers in that case used the generative artificial intelligence (AI) program ChatGPT to perform their legal research for the court submission, but did not realize that ChatGPT had fabricated the citations and decisions.  This case should serve as a cautionary tale for individuals seeking to use AI in connection with legal research, legal questions, or other legal issues, even outside of the litigation context.

In Mata v. Avianca, Inc.,[1] the plaintiff brought tort claims against an airline for injuries allegedly sustained when one of its employees hit him with a metal serving cart.  The airline filed a motion to dismiss the case. The plaintiff’s lawyer filed an opposition to that motion that included citations to several purported court decisions in its argument. On reply, the airline asserted that a number of the court decisions cited by the plaintiff’s attorney could not be found, and appeared not to exist, while two others were cited incorrectly and, more importantly, did not say what plaintiff’s counsel claimed. The Court directed plaintiff’s counsel to submit an affidavit attaching the problematic decisions identified by the airline.

Continue Reading Use of ChatGPT in Federal Litigation Holds Lessons for Lawyers and Non-Lawyers Everywhere
michal-jakubowski-oQD9uq4Rd4I-unsplash

Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.

Is there Really Anything New?

While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).

Continue Reading Two New State Privacy Laws – But What is Really New?

The My Health My Data Act (“Act”) was approved by the Washington State House on April 17, 2023. The Act is now with Governor Jay Inslee for signature and is expected to be signed into law in its current form, which is broad enough to warrant anyone with any activity in Washington to consider its scope and implications for operations. Because the Act will be enforceable through a private right of action, it has the potential to create substantial legal exposure for violations.

The Act creates new and unique consumer rights and obligations for business relating to the collection, sharing, and use of “Consumer Health Data” (“CHD”). It expressly aims to “close the gap between consumer knowledge and industry practice” by expanding obligations related to processing of CHD to entities not covered by HIPAA. However, it is significantly broader in potential scope, including, in part, due to the gaping definition of CHD (which expressly includes data that identifies past, present, or future physical or mental health status, for example, “bodily functions” and “precise location information that could reasonably indicate an attempt to receive health services or supplies”). The Act will impact a range of business, including advertisers, mobile app providers like health and wellness trackers, wearable device manufacturers and, of course, healthcare and wellness industry companies and their data processors handling non-HIPAA-regulated CHD. Notably, the Act expressly addresses abortion/reproductive health services and gender-affirming care services (including by making it unlawful for any person to use a “geofence” (or virtual boundary) around a facility that provides health care services) for the purposes of identifying or tracking consumers seeking such services; collecting CHD from consumers; or sending them notifications, messages, or advertisements related to their CHD or health care services. This restriction applies regardless of consent or opt-in.

Continue Reading Washington’s “My Health My Data” Act

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

  • Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
  • New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
  • Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]
Continue Reading SEC Proposes Sweeping New Cybersecurity Rules: Is Your Company Prepared?

Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.

Uncertainty of Reviewing Process and End of Grace Period

As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among many applications, CAC granted two organizations with the approval for transferring data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.

Continue Reading China Unveils Two Approved Outbound Data Transfer Cases
CCPA

It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.

Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.

First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).

Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.

Continue Reading CCPA Regulations Are Here – We Think

This just in….March 30, 2023. The California Office of Administrative Law has approved the CCPA Regulations and they are effective immediately. The text has not changed substantively since the modifications proposed late last year.

Without further ado, please read the CPPA’s announcement here.

At printing time, the final documents were to “be made available on the agency website as soon as they have been processed.”