On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.

Continue Reading Joining the Privacy Party: Iowa Becomes the Sixth State To Adopt a Comprehensive Privacy Law

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

Regarding data security, the request for information seeks to gain insight on cloud computing against the backdrop of FTC guidance to businesses on steps to secure and protect data stored in the cloud. This request comes amid recent FTC enforcement matters (such as against education technology provider Chegg) alleging failure to adequately secure data stored on third-party cloud computing services.

Continue Reading FTC Requests Comments on Cloud Computing Business Practices With Potential Data Security Impacts

On March 24, 2023, Texas House Representative Giovanni Capriglione participated in a virtual interview with the Dallas chapter of the International Association of Privacy Professionals (IAPP) about his recently introduced bill, HB 4, also known as the Texas Data Privacy and Security Act (TDPSA). The interview was moderated by Samantha V. Ettari, Perkins Coie LLP senior counsel and co-chair of the IAPP KnowledgeNet Dallas Chapter, and Justin L. Koplow, AT&T senior legal counsel and also a co-chair of the IAPP Dallas Chapter. The conversation focused on a variety of subjects, including Rep. Capriglione’s professional technology background and subsequent journey into privacy issues, the development of the TDPSA, its specific provisions, and how the bill compares to privacy regimes in other states, including the Virginia Consumer Data Protection Act (VCDPA), on which it was modeled. This is the third comprehensive consumer privacy bill Rep. Capriglione has advanced, and this one appears to be channeling the momentum of six states’ comprehensive privacy laws, Texas denizens’ apparent interest in consumer privacy, and a significant national conversation around consumers’ and children’s privacy. 

Continue Reading Saddle Up: Texas Makes Another Push to Join States With Comprehensive Consumer Privacy Laws

After years out of circulation, class-action lawsuits asserting claims under the Video Privacy Protection Act (VPPA) are now back in reruns. More than 100 putative class actions alleging violations of the VPPA have been filed against publishers that use the Meta pixel on their websites.

It remains to be seen whether these lawsuits will survive evaluation on the merits. This will depend on how courts apply a number of definitions set forth in the law. In the meantime, publishers should review their use of the Meta pixel on webpages that feature video content and heed the litigation as a lesson in complying with a growing patchwork of privacy laws that can apply to a single data processing activity.


The Consumer Financial Protection Bureau (CFPB) announced on March 15, 2023, that it is issuing a Request for Information (RFI) about the business practices of data brokers, which the agency said will assist it in “planned rulemaking” under the Fair Credit Reporting Act (FCRA). The CFPB has explained it is seeking information on (1) “new business models that sell consumer data,” including information relevant to assessments of whether companies using these new business models are covered by the FCRA, and (2) “consumer harm and any market abuses, including those that resemble harms Congress originally identified . . . in passing the FCRA.”


Critical infrastructure companies should expect substantial new federal cybersecurity requirements based on the National Cybersecurity Strategy that President Biden announced on March 2, 2023. The Strategy includes enhanced requirements for critical infrastructure. Specifically, President Biden pivoted federal cybersecurity policy from encouraging voluntary adoption of proactive security measures to using regulation and other measures to mandate adoption in private industry. In addition to those mandates, the Strategy signals an intent to shift security responsibility from consumers and end users to technology firms and software providers. After the Administration announced the Strategy, the EPA released a memorandum addressing cybersecurity in public water systems and TSA released an aviation cybersecurity amendment.
 
Companies will need to comply with these mandates immediately and stay up to date on additional requirements to come.


Utah state lawmakers are poised to change how (and when) minors who reside in Utah can use social media. Introduced in January, S.B. 152 and H.B. 311 recently cleared the Utah legislature and both bills have been sent to Governor Spencer Cox, who dismissed industry concerns that the bills would pose privacy risks, impede minors’ independence, and violate the First Amendment. If signed, the bills would go into effect on March 1, 2024.

Continue Reading Utah Legislature Approves Social Media Restrictions for Minors

The U.S. District Court for the Northern District of Illinois recently found that in order for cell tower warrants to be supported by probable cause and satisfy Fourth Amendment concerns, they must include protocols limiting the government’s collection of information from individuals not involved in the underlying criminal activity. In In re Application for Tower Dump Data for a Sex Trafficking Investigation, No. 23 M 87, 2023 WL 1779775 (N.D. Ill. Feb. 6, 2023), the court only approved a “tower dump” warrant, commonly named as such for its tendency to sweep broadly and collect innocent third parties’ information, after the government provided restrictions on its search.

Continue Reading Northern District of Illinois Clarifies Standards for Tower Dumps 

The Federal Energy Regulatory Commission has published a final rule calling for the North American Electric Reliability Corporation (NERC) to develop standards for internal network cybersecurity monitoring. The standards will be required for all high-impact bulk electric systems and for medium-impact bulk electric systems with external routable connectivity. The rule also calls for NERC to conduct a study of the security of other bulk electric systems.

The forthcoming standards will require covered entities to identify baseline network traffic patterns to enable anomaly detection, implement technologies that can monitor and detect unauthorized behavior and other anomalies within a trusted network, and collect data to analyze potential threats and help prevent attackers from easily covering their tracks.

The final rule signals increased attention to cybersecurity regulation, particularly with respect to critical infrastructure operations, zero trust rollout, and supply chain security that is likely to continue both within and beyond the energy sector.


The Federal Trade Commission on March 2, 2023, announced a proposed complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly disclosed consumer health data to third-party advertising platforms. The settlement requires payment of $7.8 million to be used for consumer refunds—the first time an FTC action has required the return of funds to consumers whose health data was allegedly compromised.

The BetterHelp case comes just weeks after the FTC’s enforcement action against GoodRx, which was also alleged to have made unauthorized disclosure of consumer health data to third-party advertising platforms. Together, the two cases demonstrate the significant attention the FTC is paying to consumer health privacy issues.

This Update discusses the BetterHelp case and its implications for further FTC scrutiny.
