Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy, Please — a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.

• California Attorney General Announces Approval of Additional CCPA Regulations. On March 15, now former California Attorney General Xavier Becerra announced that the California Office of Administrative Law approved his fourth set of proposed modifications to the California Consumer Privacy Act’s (CCPA) implementing regulations (Fourth Set of Modifications), completing the finalization process. The Fourth Set of Modifications focus on providing consumers with clarity as to how they can opt out of the sale of their personal information and include provisions (i) banning so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information; (ii) permitting businesses to use an opt-out icon in addition to any “Do Not Sell My Personal Information” link; and (iii) requiring businesses that sell personal information collected offline to provide an offline right-to-opt-out notice. Troutman Pepper’s analysis of the Forth Set of Modifications can be found here. For information on how to comply with the CCPA, see Troutman Pepper’s article series on CCPA enforcement available here.
• California Privacy Protection Agency Board Members Appointed. On March 17, California Governor Gavin Newsom, former Attorney General Xavier Becerra, Senate President Pro Tempore Toni G. Atkins, and Assembly Speaker Anthony Rendon announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (Agency), the first stand-alone agency in the U.S. dedicated to the protection and enforcement of consumers’ data privacy rights. Agency board members include (1) Jennifer M. Urban, an attorney who served as a clinical professor of law and director of policy initiatives for the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley School of Law since 2009; (2) John Christopher Thompson, senior vice president of government relations at LA 2028; (3) Angela Sierra, an attorney, now former chief assistant attorney general of the Public Rights Division, and a 33-year veteran of the California Department of Justice; (4) Lydia de la Torre, an attorney and now former of counsel at Squire Patton Boggs LLP; and (5) Vinhcent Le, a technology equity attorney at the Greenlining Institute. Ms. Urban will serve as chair of the board.
• Illinois Considers Dramatic Changes to its Biometrics Statute. State lawmakers in Illinois are considering House Bill 559, which would revisit Illinois’ Biometric Information Privacy Act (BIPA), an act regulating the collection, distribution, and storage of individuals’ biometric information. On March 17, House Minority Leader Jim Durkin introduced the bill, citing the “cottage industry for a select group of attorneys to file class action lawsuits against big and small employers and nonprofit agencies.” Among other things, HB 559 requires that to initiate an action under BIPA, the “aggrieved person” must provide written notice of violation identifying the specific provisions being violated. The receiving entity then has 30 days in which to cure the violation to avoid litigation. Notably, the bill also specifies a one-year statute of limitations, an issue currently under review by the Illinois Appellate Court.
• Federal “Information Transparency and Personal Data Control Act” Introduced. On March 10, Rep. Suzan DelBene (D-WA) introduced a comprehensive federal privacy bill, citing the need for more predictable standards amid the patchwork of evolving state privacy laws. According to DelBene, the Information Transparency and Personal Data Control Act would “create a national data privacy standard to protect our most personal information and bring our laws into the 21st Century.” The bill seeks to regulate personal information, including financial data, biometric and genetic information, geolocation information, sexual orientation, citizenship and immigration status, Social Security numbers, religious beliefs, and information about children under 13 by, among other things, mandating opt-in provisions that will give the Federal Trade Commission rulemaking authority and subject companies to regular privacy audits.
• Florida Considers Comprehensive Consumer Privacy Bill Similar to CCPA. Florida House Bill 969 (HB 969) would create new obligations for certain businesses and greatly expand consumers’ rights in their personal information. Among other things, the bill (1) requires businesses that collect consumers’ personal data to disclose their data collection and selling practices; (2) allows consumers to request a copy of personal data collected and to demand deletion of such information; and (3) mandates businesses that collect personal information to implement reasonable security procedures and practices to protect the information. Critically, the bill also establishes a private cause of action against businesses that fail to maintain reasonable security procedures and practices to protect consumers’ information from unauthorized disclosure. The bill also expands the definition of “personal information” in the Florida Information Protection Act of 2014 (FIPA) to include biometric information. If passed, HB 969 would go into effect on January 1, 2022.

• A California Court Held CCPA Does Not Apply Retroactively. In Gardiner v. Walmart, Inc., a Walmart customer who purchased goods online filed a putative class action, alleging that Walmart’s cybersecurity procedures led to a purported unauthorized disclosure of his personal identifying information. The court denied the plaintiff’s attempt to base his CCPA claim on an alleged breach that occurred before January 1, 2020, the date the CCPA became effective. The court held that because the CCPA lacks an explicit retroactivity provision, it cannot apply retroactively under California law. Conceding that the alleged breach occurred after January 1, 2020, the plaintiff argued that because his personal information is being sold on the dark web, the CCPA applies. The court disagreed, holding that a CCPA claim requires a “violation of the duty to implement and maintain reasonable security procedures and practices” that occurred on or after January 1, 2020, which was not alleged in the complaint. Troutman Pepper’s analysis of the decision can be found here.

• $92 Million TikTok Settlement On Hold Due to Objections. On March 2, U.S. District Judge John Z. Lee of the Northern District of Illinois refrained from granting preliminary approval of the $92 million settlement reached several months ago in multidistrict litigation, which accused TikTok of violating a number of privacy statutes, including Illinois’ Biometric Information Privacy Act (BIPA). Instead, the court continued the preliminary approval hearing to April 6 and ordered supplemental briefing on how the parties arrived at the final $92 million figure; how they addressed differences between adult users and minor users of the popular video-sharing app; and additional explanation for why class members purportedly couldn’t be notified about the deal through the app itself.

• European Data Protection Board Published Virtual Voice Assistant Guidelines. On March 12, the European Data Protection Board (EDPB) published its “Guidelines 02/2021 on Virtual Voice Assistants” for public consultation. Virtual voice assistants (VVA; think Amazon’s “Alexa” or Apple’s “Siri”) have the ability to understand voice commands and either execute them or relay them to other systems. Widely available on most smartphones and other “smart” devices, VVAs collect large amounts of personal data, including all user commands (e.g., browsing or search history) and device responses (e.g., appointments from a calendar). Because VVAs transfer and store voice and other data to remote servers, they raise compliance issues under both the General Data Protection Regulation (GDPR) and the e-Privacy Directive.
• China Issues Rules on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications.” On March 12, the Cyberspace Administration of China released final rules on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (Rules), available here in Chinese. According to the Cybersecurity Law of China, collection of personal information must follow the principles of legitimacy, propriety, and necessity. The Rules defined “necessary personal information” as personal information essential to the regular operation of mobile applications (apps). For 39 specified types of apps, the Rules delineate the types of personal information considered “necessary” and may be collected and used. Other types of apps are identified as not having any need to collect personal information. The Rules will become effective on May 1, 2021.
• ICO Fines Two Companies for Sending Nuisance Texts During the Pandemic. The Information Commissioner’s Office (ICO) fined two companies — Leads Works Ltd. and Valca Vehicle Ltd. — for sending spam text messages during the COVID-19 pandemic. West Sussex-based Leads Works was fined £350,000 for sending unwanted texts, attempting to capitalize on the pandemic that included messages that said, “In lockdown and want to earn extra cash? … .” Valca Vehicle was fined £80,000 for similar messages that said, “*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org.”