Minnesota’s governor signed the Minnesota Consumer Data Privacy Act (MNCDPA or the Act) into law at the end of May, making Minnesota the 18th state to enact a comprehensive consumer privacy law. The MNCDPA will take effect for most covered entities on July 31, 2025. The law provides a 30-day cure period, which will sunset on January 31, 2026, six months after the Act’s effective date. Entities that violate the Act are subject to injunction and civil penalties of up to $7,500 per violation. Like most other state privacy laws, the MNCDPA does not include a private right of action and will be enforced solely by the attorney general.

Continue Reading Minnesota’s Unique Spin on Consumer Data Privacy

The Federal Trade Commission (FTC) announced on April 26, 2024, that a final rule modifying its Health Breach Notification Rule (HBNR) had been adopted on a 3-2 vote along party lines. The final rule completes the FTC’s transformation of the HBNR from a traditional cybersecurity data breach notice rule, applicable to a limited set of companies that offer online personal health record repositories or applications and those companies’ service providers, into a broad privacy and data breach notice rule widely applicable to health and wellness apps and websites. That transformation began in 2021 when the FTC issued a policy statement that interpreted the rule to apply to the disclosure of covered information without an individual’s authorization and to a broad range of health and wellness apps. The final rule codifies the interpretations in the 2021 policy statement and several subsequent enforcement actions: it applies the HBNR to a broad range of health and wellness apps and requires “breach” notification when consumer identifiable health data is disclosed without consumer authorization, even outside of traditional cybersecurity intrusions. The final rule goes into effect on July 29, 2024.

Continue Reading FTC Expands Health Breach Notification Rule

Introduction

The Maryland Age-Appropriate Design Code Act (SB 571 / HB 603) (MD AADC) was signed into law on May 9, 2024, with an October 1, 2024, effective date. The law is the second of its kind in the United States, following the California Age-Appropriate Design Code Act (CA AADC), which was passed in 2022 and is currently enjoined on constitutional grounds pending appeal in the U.S. Court of Appeals for the Ninth Circuit. Similar to the CA AADC (and the U.K.’s AADC), the MD AADC provides for privacy and safety requirements for children under age 18. Notably, the MD AADC also includes changes seemingly directed at surviving constitutional challenges under U.S. law. We have outlined the major differences between the two U.S. AADCs below.

Continue Reading Maryland’s Enactment of the Age-Appropriate Design Code Act

Since the European Union seized the early global lead in regulating artificial intelligence, the U.S. Congress has made noise about the need for federal AI legislation, but progress has been slow. The absence of a similarly comprehensive federal law from Congress has created a vacuum that is now being filled by individual states.


For years, the Illinois Supreme Court and the U.S. Court of Appeals for the Seventh Circuit were in lockstep in protecting corporate policyholders from overreaching insurers looking to avoid BIPA liability. Recently, however, the Seventh Circuit strayed from that path in Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc., ruling on the applicability of several general liability policy exclusions to BIPA lawsuits with mixed results for policyholders.


As Allison Handy noted on our Public Chatter blog, Erik Gerding, the Director of the U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance, issued a statement on May 21 clarifying public companies’ obligations to disclose cybersecurity incidents under Item 1.05 of Form 8-K. The statement looks like a response to the potential—and actual—“abundance of caution” filings in which public companies disclose that an incident occurred but do not announce whether the incident met the SEC’s materiality threshold.

Continue Reading Clarifying Guidance on Abundance-of-Caution Disclosures under SEC Cybersecurity Rule

Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the American Privacy Rights Act on April 7, 2024. This announcement of a bipartisan, bicameral proposal for a federal comprehensive consumer privacy law was a significant—and unexpected—development in longstanding efforts to adopt federal privacy legislation. 


This year, the blossoming of spring is accompanied by a pair of noteworthy California Privacy Protection Agency (CPPA) updates. First, on March 8, the CPPA and staff convened to discuss new draft regulations related to automated decision-making technology (ADMT) and risk assessments, as well as updates to existing California Consumer Privacy Act (CCPA) regulations. Second, on April 2, the Enforcement Division of the CPPA released its first-ever “Enforcement Advisory,” which “share[s] observations from the [CPPA’s] Enforcement Division to educate and encourage businesses to comply with the law.”

Continue Reading CPPA Board Updates Timing for Regulations, and Enforcement Division Releases Enforcement Advisory: Focus on Data Minimization!

On February 22, 2024, roughly one month after announcing enforcement actions against data brokers X-Mode and InMarket Media, the Federal Trade Commission (FTC) announced a complaint and proposed consent order requiring software security company Avast Limited and two subsidiaries, Avast s.r.o. and Jumpshot, Inc. (collectively, Avast), to pay $16.5 million to resolve allegations that they unfairly and deceptively sold granular, reidentifiable web browsing data for advertising purposes. The FTC’s action against Avast reflects its continued focus on the mass collection and sale of sensitive personal data for advertising purposes.

Avast Complaint

In its complaint, the FTC alleges that Avast marketed its products, including browser extensions and antivirus software, as tools to protect consumer privacy, such as by blocking third parties from tracking online activity through cookies. The FTC alleges that Avast (via its Jumpshot subsidiary) collected more than eight petabytes of consumer browsing data, such as search queries and the URLs of webpages visited by consumers, via browser extensions and antivirus software marketed as privacy-protective. The FTC alleges that Avast indefinitely retained these browsing records, typically tied to a persistent identifier, in granular form. The FTC further alleges that Avast sold these detailed data feeds to a variety of clients—including advertising, marketing, and data analytics companies and data brokers.

The FTC claims such actions were deceptive. According to the FTC, after advertising to consumers both that its products would protect their privacy by preventing third parties from tracking their online activity and that it would only ever share their browsing data in aggregate and anonymous form, Avast turned around and did the exact opposite. The FTC’s complaint alleges that Avast sold granular data that purchasers were free to re-associate with individuals, and that in some cases such re-association was the very point of the purchase.

The FTC also alleges that Avast’s collection, retention, and sale of the granular browsing data was unfair. According to the FTC, this data processing was done without adequate notice and consumer consent. More specifically, the FTC alleges that in many instances, Avast’s privacy disclosures either did not state that consumers’ browsing data would be shared with third parties for advertising purposes or indicated that such data would only be shared in aggregate and anonymous form. Notably, the FTC also characterizes “re-identifiable browsing data” as “sensitive,” and alleges that the browsing data collected by the Avast products, such as web searches and websites, reveal consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content. According to the FTC, Avast’s practice of linking browsing information to device and other identifiers, as well as coarse location data, over time, increased the likelihood that a consumer could be reidentified, which was likely to cause substantial consumer injury.
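The re-identification risk the FTC describes is easy to see concretely: a feed keyed by a persistent device identifier rather than a name is only pseudonymous, because a single URL under that identifier that embeds a user handle ties every other record under the same identifier back to a person. The following Python is an added illustration written for this post; it is not code from the FTC complaint, from Avast or from Jumpshot. The browsing feed, the URL shapes that leak a handle, and the keyword-to-topic mapping are all constructed for the example. The contrast function shows the aggregate, per-domain form that Avast’s disclosures allegedly promised, which carries no device identifier to join on.

```python
"""Why a persistent pseudonym plus granular URLs is re-identifiable.

Added example, not from the FTC complaint or Avast's code. The feed,
URL patterns and topic keywords below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed "pseudonymous" browsing feed: one row per page view, keyed by a
# persistent device identifier instead of a name. Each row is (device_id, url).
FEED = [
    ("dev-7f3a", "https://search.example/?q=chest+pain+after+exercise"),
    ("dev-7f3a", "https://social.example/u/alice.nguyen"),
    ("dev-7f3a", "https://clinic.example/appointments?patient=alice.nguyen"),
    ("dev-7f3a", "https://church.example/stlukes/service-times"),
    ("dev-7f3a", "https://maps.example/?zip=98101&q=pharmacy"),
    ("dev-2c91", "https://news.example/politics/election"),
    ("dev-2c91", "https://bank.example/loans/payday-advance"),
    ("dev-2c91", "https://social.example/u/bob.smith"),
    ("dev-2c91", "https://search.example/?q=bankruptcy+lawyer+near+me"),
]

# Constructed keyword-to-topic mapping standing in for a real classifier.
SENSITIVE_PATTERNS = {
    "health": re.compile(r"clinic\.|chest\+pain|pharmacy"),
    "religion": re.compile(r"church\."),
    "finance": re.compile(r"payday|bankruptcy|bank\."),
    "politics": re.compile(r"/politics/"),
}

# Constructed: a URL shape whose path carries the visitor's own handle
# (a profile page). Query parameters such as "patient" are checked too.
IDENTITY_PATTERNS = [
    re.compile(r"^https://social\.example/u/(?P<handle>[\w.]+)$"),
]


def identity_from_url(url):
    """Return a user handle embedded in the URL path or query, or None."""
    for pat in IDENTITY_PATTERNS:
        m = pat.match(url)
        if m:
            return m.group("handle")
    qs = parse_qs(urlparse(url).query)
    return qs.get("patient", [None])[0]


def topics_from_url(url):
    """Sensitive topics a single URL reveals under the constructed mapping."""
    return {topic for topic, pat in SENSITIVE_PATTERNS.items() if pat.search(url)}


def reidentify(feed):
    """Map each persistent device id to a handle, then attach every sensitive
    topic observed under that id. Returns {handle: sorted list of topics}."""
    handle_for = {}
    topics_for = defaultdict(set)
    for device_id, url in feed:
        handle = identity_from_url(url)
        if handle and device_id not in handle_for:
            handle_for[device_id] = handle
        topics_for[device_id] |= topics_from_url(url)
    return {handle_for[d]: sorted(topics_for[d]) for d in handle_for}


def aggregate_only(feed):
    """The aggregate form: page views per domain, with no per-device key.
    Nothing here can be joined back to an individual."""
    counts = defaultdict(int)
    for _, url in feed:
        counts[urlparse(url).netloc] += 1
    return dict(counts)


if __name__ == "__main__":
    print(reidentify(FEED))
    print(aggregate_only(FEED))
```

Only one identifying URL per device is needed; once the join is made, the search queries, clinic visit, church site and payday-loan page under the same identifier are all attributed to a named person, which is the "likely to cause substantial injury" outcome the complaint describes.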

Consent Order

The proposed consent order generated headlines with the requirement that Avast must pay $16.5 million. The FTC commissioners touted this as “the highest monetary remedy in a de novo privacy violation case” brought by the FTC to date, that is, the highest monetary remedy for a privacy violation under Section 5(a) of the FTC Act. The FTC has said that it intends to use this money to provide redress to affected consumers.

The order bans Avast from selling, licensing, or otherwise disclosing web browsing data from Avast products to third parties for advertising purposes. It also requires Avast to obtain affirmative express consent before selling, licensing, or otherwise disclosing web browsing data from non-Avast products to third parties for such purposes.

Similar to the X-Mode and InMarket orders, the order mandates that Avast not only delete the web browsing data that it collected through Jumpshot, but also delete or destroy any models, algorithms, or software developed based on that data. Avast also must instruct any third party that received such data to delete the data and any models or algorithms derived from them or software developed to analyze the data.

In addition, the order subjects Avast to typical FTC privacy order provisions, such as prohibitions on certain privacy-related misrepresentations and the requirement to implement a mandated privacy program with biennial third-party assessments for 20 years.

Takeaways

The FTC’s enforcement actions against X-Mode, InMarket, and now Avast signal the agency’s continued focus on data brokers and others in the business of aggregating and selling large volumes of what the FTC views as sensitive data for advertising purposes. In a recent blog post, the FTC reinforced common themes across the Avast, X-Mode, and InMarket actions, such as the following:

  • First, in a line that has attracted significant attention, the FTC asserts that “Browsing and location data are sensitive. Full stop.” While the FTC has long asserted that precise location data is sensitive, it remains to be seen whether its characterization of web browsing data as “sensitive” marks a sustained shift in the FTC’s thinking, or if this is a reflection of the specific facts of Avast’s alleged practices. In any event, the Avast case makes clear that even data lacking “traditional standalone elements of personally identifiable information” can reveal sensitive information about consumers. And if the risk of such disclosure is likely to cause substantial injury to consumers, it may be unfair.
  • Second, the FTC expects companies to be clear about how consumers’ personal data will be used, shared, and retained. Without clear notice, “[p]eople have no way to object to—let alone control,” how their data is handled.
  • Third, the purposes for which data is processed should align with the purposes for which it was collected.
  • Fourth, the FTC expressed skepticism about contractual restrictions on data reidentification or misuse where, for example, such restrictions contain loopholes or are not audited or enforced against downstream recipients of data.

Last month, Senators Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) reintroduced the Kids Online Safety Act (KOSA), initially introduced last term, noting that the bill now has 62 cosponsors and bipartisan support and is poised to pass in the Senate.

KOSA would apply to online platforms (including social media services and virtual reality environments), online video games, messaging applications, and video streaming services that are used, or are reasonably likely to be used, by an individual under 17 years of age, subject to enumerated exceptions.

Below we discuss some of KOSA’s key requirements, including notable changes in the most recent version of the bill, as well as in the incorporated Filter Bubble Transparency Act.

Continue Reading Kids Online Safety Act Gains Momentum in the Senate