In 2020, Illinois residents whose photos were included in the Diversity in Faces dataset brought a series of lawsuits against multiple technology companies, including IBM, Facefirst, Microsoft, Amazon, and Google alleging violations of Illinois’ Biometric Information Privacy Act.[1] In the years since, the cases against IBM and FaceFirst were dismissed at the agreement of both parties, while the cases against Microsoft, Amazon, and most recently, Google were dismissed at summary judgment.Continue Reading What the Diversity in Faces Litigation Means for Biometric Technologies
Lindsey Tonsager
Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.
Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.
Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.
The Maryland Online Data Privacy Act Set to Reshape the State Privacy Legislation Landscape with Stringent Requirements
Last month, the Maryland legislature passed the Maryland Online Data Privacy Act (“MODPA”). Pending Governor’s signature, Maryland will become the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.
MODPA contains unique provisions that will require careful analysis to ensure compliance, including: data minimization requirements; restrictions on the collection, sale, or transfer of sensitive data; and consumer health data-related obligations. These unique provisions have the potential to create additional work streams even for companies who have come into compliance for existing state laws. This blog post summarizes the statute’s key takeaways.Continue Reading The Maryland Online Data Privacy Act Set to Reshape the State Privacy Legislation Landscape with Stringent Requirements
Nebraska Enacts Nebraska Data Privacy Act
On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.Continue Reading Nebraska Enacts Nebraska Data Privacy Act
Kentucky Passes Comprehensive Privacy Bill
Earlier this month, the Kentucky legislature passed comprehensive privacy legislation, H.B. 15 (the “Act”), joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, and New Hampshire. The Act is awaiting the Governor’s signature. If signed into law, the Act would take effect on January 1, 2026. This blog post summarizes the statute’s key takeaways.Continue Reading Kentucky Passes Comprehensive Privacy Bill
Florida Enacts Social Media Bill Restricting Access for Teens Under the Age of Sixteen
On Monday, March 25, Florida Governor Ron DeSantis signed SB 3 into law. At a high level, the bill requires social media platforms to terminate the accounts of individuals under the age of 14, while seeking parental consent for accounts of those 14 or 15 years of age. The law will become effective January 1, 2025. Continue Reading Florida Enacts Social Media Bill Restricting Access for Teens Under the Age of Sixteen
Commissioner Remarks at FTC PrivacyCon 2024
The FTC convened its eighth annual privacy conference on March 6, 2024. The full transcript of the event can be found here. Both Chair Khan and Commissioner Bedoya provided remarks during the event that are likely to be considered provocative by many.Continue Reading Commissioner Remarks at FTC PrivacyCon 2024
Utah Repeals and Replaces Social Media Regulation Act
On March 7, Utah repealed and replaced its Social Media Regulation Act, which had previously been challenged in a pair of lawsuits by NetChoice and the Foundation for Individual Rights and Expression. The replacement legislation is spread across two enacted bills, SB 194 and HB 464. SB 194 contains the bulk of the legislation’s general provisions, while HB 464 includes a private right of action for certain harms associated with a minor’s use of algorithmically curated social media. We summarize below some of the key features of the new legislation, which will go into effect on October 1, 2024.Continue Reading Utah Repeals and Replaces Social Media Regulation Act
California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information. Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process. At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process. The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest. Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
California Attorney General Announces Second CCPA Settlement
The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Continue Reading California Attorney General Announces Second CCPA Settlement
California Appeals Court Vacates Enforcement Delay of CPPA Regulations
On February 9, the Third Appellate District of California vacated a trial court’s decision that held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations could not commence until one year after the finalized date of the regulations. As we previously explained, the Superior Court’s order prevented the CPPA from enforcing the regulations…