In late June 2022 H.R. 8152 was introduced which seeks to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. 

What are some of the important aspects of the bill?

According to the Congressional Research Service the bill proposes the following:

Covered Entities. It would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds or service providers that use data on behalf of other covered entities, would face different or additional requirements.

Covered Data. It would apply to information that “identifies or is linked or reasonably linkable” to an individual.

Duties of Loyalty. It would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images.

Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.

Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would require covered entities to get a consumer’s affirmative, express consent before using their “sensitive covered data” (defined by a list of sixteen different categories of data). It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.

Youth Protections. It would create additional data protections for individuals under the age of 17, including a prohibition on targeted advertising, and it would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).

Third-Party Collecting Entities. It would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that it does not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.

Civil Rights and Algorithms. It would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. Large data holders would be required to submit these assessments to the FTC and make them available to Congress on request.

Data Security: It would require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities. It would authorize the FTC to issue regulations elaborating on these data security requirements.

Small- and Medium-size Businesses: It would also relieve small- and medium-size businesses from complying with several requirements; for instance, these businesses may respond to a consumer’s request to correct their data by deleting the data, rather than correcting it.

Enforcement. It would be enforceable by the FTC, under that agency’s existing enforcement authorities, and by state attorneys general in civil actions.

Private right of action. It would create a delayed private right of action starting four years after the law’s enactment. Injured individuals would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.

Preemption. It would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.

Section by section specifics can be found here. 

We are going to see more privacy proposals on the state and federal level. 

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

According to the U.S. House Committee on Energy and Commerce:

“U.S. Representatives Frank Pallone, Jr., D-N.J. and Cathy McMorris Rodgers, R-Wash., Chairman and Ranking Member of the House Committee on Energy and Commerce, and U.S. Senator Roger Wicker, R-Miss., Ranking Member of the Senate Committee on Commerce, Science, and Transportation, today released a discussion draft of a comprehensive national data privacy and data security framework. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.”  

What does the American Data Privacy and Protection Act do?

• Establish a strong national framework to protect consumer data privacy and security;

• Grant broad protections for Americans against the discriminatory use of their data;

• Require covered entities to minimize on the front end, individuals’ data they need to collect, process, and transfer so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;

• Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;

• Require covered entities to allow consumers to turn off targeted advertisements;

• Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval; 

• Establish regulatory parity across the internet ecosystem; and

• Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.

The discussion draft can be found here.

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

Senator Creem and Senator Lesser have introduced S.46 titled “An Act Establishing the Massachusetts Information Privacy Act.” The bill can be found here. The Act applies to Massachusetts businesses that earn $10,000 or more annual revenue through 300 or more transactions or that process or maintain the personal information of 10,000 or more unique individuals during the course of a calendar year. The bill has protections on the collection of biometric or location information and seeks to prevent companies from discriminating based on consumer personal information. The MA Information Privacy Commission would also be created by this proposal to oversee this bill’s regulatory scheme. 

This bill mirrors the efforts unleashed by the landmark General Data Protection Regulation (GDPR) in Europe which has been followed by efforts in California. Massachusetts did have a predecessor to S.46 in 2019 which stalled in the legislature.

The bill is currently in the Advanced Information Technology, the Internet and Cybersecurity Committee.  If you are a technology, healthcare or commerce stakeholder then this is something to keep a watch on.  

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

Lanton Law’s privacy practice has been closely monitoring the various state conversations around data privacy. We previously wrote a blog post titled California’s Consumer Privacy Act Could Be Coming to a State Near You, where we traced how California took the first step to create a consumer privacy law in the wake of Europe’s General Data Protection Regulation.    

So what’s going on with Virginia? Earlier this month the Virginia Senate passed 

 Senate Bill 1392, titled the Consumer Data Protection Act. The Virginia House of Delegates approved a companion (identical) House Bill H.B. 2307 by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. The state General Assembly will adjourn on March 1, it is expected that Governor Northam will sign the legislation. 

What does the bill do? The proposed legislation seeks the following:

“Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The bill has a delayed effective date of January 1, 2023.”

As with major policy issues that have yet to have a federal solution, states like California, Virginia and others are creating piecemeal policies, which will create compliance issues for entities that operate in several jurisdictions. New York, Oklahoma, Washington State, Minnesota, and North Dakota are jurisdictions that we continue to monitor with brewing policies on point.  

As we become more reliant on technology which crosses several sectors now, businesses are finding that they have to increase their awareness of state and federal policy in order to remain compliant. We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C. based firm with no state boundaries as we are active nationwide. Contact us today to discuss your options. 

Last month as part of the State of the State 2021, Governor Cuomo announced a comprehensive law around personal data and privacy protections for New York state residents.

So what does this proposal outline?

According to the Governor’s proposal “This law will mandate that companies that collect information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. Governor Cuomo will also establish a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”  

“The proposal also expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies. 

New York’s proposal seems to be following a trend set by California’s Privacy Rights and Enforcement Act. We believe that we are witnessing a slow moving transition towards similar oversight in other states. 

The increasing demands around data security and data privacy has presented new challenges to business operations and compliance efforts. Not to mention there are new rising risks around consumer data privacy expectations. 

Lanton Law is a national boutique law and lobbying firm that focuses on healthcare/life sciences and technology. We are the dedicated business partner that you need behind you to help you confront the changing regulatory landscape around data. 

If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today!

The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act. 

Interestingly, the case of Patel v. Facebook is an illustration of how this law applies to our growing dependence on technology. The question in Patel, is whether the collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing. According to the complaint, plaintiffs’ allege that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy. Since the plaintiff did not allege substantive harm, the defendant moved to dismiss the case on Article III standing grounds. However; the Ninth Circuit stated that “Because a violation of the Illinois statute injures an individual’s concrete right to privacy, we reject Facebook’s claim that the plaintiff have failed to allege a concrete injury-in-fact for purposes of Article III standing.”

This case is in contrast to Santana v. Take-Two Interactive Software, Inc. who in 2017 interesting had the same Illinois law at issue. In this case plaintiff purchased NBA 2K15 and used the MyPlayer feature that allowed the creation of MyPlayer avatars. However; the Illinois Biometric Information Privacy Act’s private right of action allowed for plaintiff to allege that defendant “(1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.”

The Second Circuit in contrast to Patel, found that the plaintiff lacked standing for this claim because they did not allege that this deficient notice created any material risk that would have “resulted in plaintiffs’ biometric data being used or disclosed without their consent.”

So what happens now? First Santana is a summary order which means that this is not binding precedent on the Second Circuit. The Patel court attempted to distinguish itself from Santana by saying that in Patel unlike Santana, the plaintiff did not know that their biometric information was being collected. It seems like the U.S. Supreme Court may be the appropriate forum to settle this split decision by the Court of Appeals. This is especially true as Congress has not yet passed a federal biometric law that could put all questions to rest. Needless to say that as technology companies look for innovative ways to deliver advanced customer experiences, these stakeholders may want to forecast how their new products may be impacted by enacted laws like biometrics. Contact Lanton Law for additional information.  

Recently, we have learned of Amazon’s new hand scanning idea to revolutionize consumer interactions via fintech. The idea would involve creating a payment system that would biometrically scan a user’s hand to transfer payment from the user to Amazon, instead of via a credit card, phone application or cash. New point of sale terminals equipped with this technology would be placed in brick and mortar stores so that customers can “travel lighter” by not having to worry about carrying physical payment forms. There are early indications that Visa will be working with Amazon on this idea, along with potentially Mastercard, J.P. Morgan, Wells Fargo and others. While this theoretically sounds like a logical fit for where technology and banking or “fintech” is moving, are there laws in place that govern biometrics? 

Surprisingly, there is not a lot of established law on the issue of biometrics. We first started hearing about biometrics in 2014 with a Congressional bill titled the “Biometric Information Privacy Act,” also known as H.R. 4381. Sponsored by Representative Stockman (R-TX), the bill called for penalties to a business entity, governmental entity or person who knowingly (1) fraudulently obtains personal physiological biometric information relating to an individual; or (2) discloses personal physiological biometric information without permission from the individuals to which the personal physiological biometric information pertains. That bill did not get much traction. 

Congressional members have recently taken a cautious tone when dealing with Amazon’s cutting edge technology. For example, in late 2018 Rep. Jimmy Gomez (D-CA) joined by Senator Edward Markey (D-MA), Reps. Luis Gutiérrez (D-IL), John Lewis (D-GA), Judy Chu (D-CA), Ro Khanna (D-CA), Pramila Jayapal (D-WA), and Jan Schakowsky (D-IL) sent a letter to Amazon Chairman, President, and CEO Jeff Bezos, requesting information about Amazon’s facial recognition technology, branded and sold as “Amazon Rekognition. The letter expressed concern of the technology’s potential impact on communities of color. And while there are no federal rules outlining biometrics, we do see federal agencies speaking with the tech community on utilizing biometric technology for future unspecified projects.

State policy on this issue has been a bit of a mixed bag. While Illinois, Washington and Texas have biometric laws on the books, other states are following suit. Florida, Arizona, Massachusetts, Connecticut and New Hampshire to name a few are states that are debating biometrics, while California is about to undergo implementing its CCPA otherwise known as the California Consumer Privacy Act protections. We wrote a prior blog on the specifics of the new California law, which we believe will be a precursor to similar policies being developed in the near future.  

In conclusion, we expect fintech to continue to be ahead of the law as companies like Amazon push forward to create marketplace solutions that provide convenience and a relatable user experience.  The question becomes whether policymakers are comfortable with the pace of expansion and the awkwardness of proceeding with little to no regulatory oversight on something as personal to us as our biometrics.

Contact Lanton Law for additional information or for strategies on how to deal with unsettled legal and policy within biometrics. 

In 2016, the Athens Orthopedic Clinic in Georgia was hacked by an anonymous hacking group called the “Dark Overlord.” The group’s action caused a major data breach and affected approximately 200,000 patients. The information obtained involved social security numbers, health insurance information, birth dates, and addresses. 

The Clinic refused to pay the ransom to the thief and advised those affected patients to set up anti-fraud protections. A lawsuit by the victims ensued seeking damages from the Clinic, which caused the courts to consider whether a data breach victim must suffer actual financial loss to be compensated or is the threat of future harm enough to make a claim for compensation? 

On December 23, 2019 the Georgia Supreme Court in Collins et al. v. Athens Orthopedic Clinic, P.A. reversed the Georgia Court of Appeals decision and ruled that “the injury the plaintiffs allege that they have suffered is legally cognizable.” 

As we rely more on technology and sensitive information such as our healthcare records are quickly exchanged from one healthcare provider to another, the risk of data breaches rises. Protected health information (PHI) often includes items such as Social Security numbers, birth dates, home and email addresses, and diagnosis codes can be used by hackers to buy prescription drugs online, purchase medical equipment, or create false identifications, to name a few. It seems that health care data is now more valuable than credit card data since health care data fraud takes longer for a consumer to both realize and report. 

That is why it is even more important for stakeholders that traffic in data to not only ensure that these stakeholders have adequate security protocols to protect against data breaches, but these stakeholders must develop rapid response plans to alert affected parties and assess potential monetary damages. Lanton Law assesses stakeholders potential risks and makes recommendations to help limit stakeholder liability. Contact Lanton Law to get started!    

In November 2019, we published a blog post titled More Data Oversight on the Horizon that discussed increasing Congressional oversight over data privacy, while highlighting the importance of the Online Privacy Act of 2019. 

In preparation for 2020, Lanton Law is forecasting that it is more likely than not that some form of federal privacy legislation will become law in 2020. One proposed legislative candidate for privacy in 2020 is the Consumer Online Privacy Rights Act (COPRA). This bill is sponsored by Senator Cantwell (D-WA).

According to Senator Cantwell’s press release, the Act otherwise known as S.2968 “establishes privacy rights, outlaws harmful and deceptive practices, and improves data security safeguards for consumers shopping or conducting business online.” The release discusses specifics stating that (COPRA) “gives Americans control over their personal data; prohibits companies from using consumers’ data to harm or deceive them; establishes strict standards for the collection, use, sharing, and protection of consumer data; protects civil rights; and penalizes companies that fail to meet data protection standards. The legislation also codifies the rights of individuals to pursue claims against entities that violate their data privacy rights.” 

The question is whether this legislation will be able to pass in a hotly contested election year. At this point it is unknown. This bill thus far has no Republican co-sponsors so it has yet to gain bi-partisan traction. However; with the new and increasing scrutiny surrounding tech companies and their treatment of consumer data, we anticipate that the political winds may shift against technology companies. It’s better to be aware of trends instead of being caught off guard by them. 

Lanton Law helps tech and fintech stakeholders navigate both the regulatory and legislative landscape on a state and federal level. If you have questions about compliance, new potential business strategies or what the policy landscape will look like for your business, contact us to learn about your options.  

No matter what, technology will always move faster than the law. With this maxim and our ever increasing reliance on convenient information, we have seen technology companies try to bring us what we want to see while also collecting a staggering amount of information on consumers. With regulations scant on personal data, Congress is slowly becoming more active in making policy governing technology. 

In November 2019, Congresswomen Anna G. Eshoo (D-CA) and Zoe Lofgren (D-CA) introduced the Online Privacy Act of 2019 (H.R. 4978). According to the sponsors, the bill proposes to strengthen user rights, places obligations on companies to protect users’ data, establishes a new federal agency to enforce privacy protections, and strengthens enforcement of privacy law violations.  

The sponsors press release discussed the following points which are highlights of the bill: 

• Creating User Rights – The bill grants every American the right to access, correct, or delete their data. It also creates new rights, like the right to impermanence, which lets users decide how long companies can keep their data.

• Placing Clear Obligations on Companies – The bill minimizes the amount of data companies collect, process, disclose, and maintain, and bars companies from using data in discriminatory ways. Additionally, companies must receive consent from users in plain, simple language.

• Establishing a Digital Privacy Agency (DPA) – The bill establishes an independent agency led by a Director that’s appointed by the President and confirmed by the Senate for a five-year term. The DPA will enforce privacy protections and investigate abuses.

• Strengthening Enforcement – The bill empowers state attorneys general to enforce violations of the bill and allows individuals to appoint nonprofits to represent them in private class action lawsuits.

 With so many controversies surrounding the use and rights of consumer data, we fully expect more government oversight into technology. If you are a technology stakeholder and you are interested in learning more about emerging policy or understanding potential risks to your business model contact us for legal or government affairs solutions at Lanton Law.

Oftentimes policy changes that sweep across the nation originate in policy “hot spots” like Massachusetts, California, New York, etc. This time its consumer privacy. As we rely more and more on the internet of things, artificial intelligence and fitness applications, we are unfortunately becoming more exposed to potential data breaches. If you operate in California, the California Consumer Privacy Act (CCPA) will be a defining factor in how you manage risks around consumer data. Approximately 500,000 businesses across all business sectors will have to comply with CCPA once the act goes into effect on January 1, 2020. 

So what is the CCPA? Passed in 2018 as AB 375, the Act models itself on Europe’s General Data Protection Regulation that went into effect recently. The bill awards California residents with the right to be informed on how companies collect and use their data. The law also allows their personal data to be deleted. CCPA creates a sliding scale approach by applying to California businesses who generate an annual gross revenue of $25 million with half of their annual revenue deriving from selling consumer information, or by companies that buy, sell or share personal information from at least 50,000 consumers, households or devices. 

Recently, the California legislature passed five bills seeking to amend CCPA in which Governor Gavin Newsom (D-CA) has until October 13, 2019 to sign or veto the legislation. Additionally, the state attorney general is expected to release draft regulations by the end of the year. Interestingly, an economic impact assessment prepared by a third party for the California Attorney General’s office stated that the new law could cost companies a total of up to $55 billion in initial compliance costs. 

So what is this important? Our society’s reliance on connectivity is not slowing down. The very companies that many of us interact with on a daily basis such as Amazon, Twitter and Facebook find themselves at the center of how they will comply with CCPA. But while this can be explained away as something that impacts only California, I have seen this type of legislation starting to spread to a cluster of other states. 

If you traffic in data, it will be a good idea to take inventory of your operational risks and whether your company will be able to comply if a similar law is enacted in your state. If you need assistance with regulatory compliance or are interested in finding out how your company can best engage with policymakers on this issue, don’t hesitate to reach out to us at either Lanton Strategies or Lanton Law.