Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August.  This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” 

The Connecticut legislature passed Connecticut SB 6 on April 28, 2022.  If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.

The bill closely resembles the Colorado Privacy Act, with a few notable additions.  Like the Colorado Privacy Act, the bill adopts “controller” and “processor” terminology, provides consumers with rights to access, correct, delete, obtain a copy, and opt-out of certain types of processing of their personal data, and requires consent for certain activities.
Continue Reading Connecticut Legislature Passes Comprehensive Privacy Bill

On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act.
Continue Reading Colorado Attorney General Remarks on CPA Rulemaking

In a new post on the Covington Digital Health blog, our colleagues discuss the Office for Civil Rights’ (“OCR”) recently published request for information (“RFI”) seeking comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The RFI seeks input as to how covered entities and business

In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”).  In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.

Continue Reading Supreme Court Holds FISA Does Not Displace the State Secrets Privilege

On March 15, 2022, President Biden signed the Consolidated Appropriations Act 2022, a $1.5 trillion omnibus spending package to fund the government through September 2022.  The omnibus spending package includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”), which establishes two cyber incident reporting requirements for covered critical infrastructure entities:  a 24-hour requirement to report any ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and a 72-hour requirement to report all covered cyber incidents to CISA.  These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.
Continue Reading President Biden Signs Critical Infrastructure Ransomware Payment and Cyber Incident Reporting into Law

Last Thursday, the Eastern District of Virginia in United States v. Chatrie, No. 19-cr-00130, 2022 WL 628905, denied a motion to suppress evidence obtained from Google pursuant to a geofence search warrant.  Geofence warrants are a relatively new investigative tool that target private companies’ databases of location data, compelling these companies to produce the location data of every user that was in a particular area over a particular span of time.  The court invalidated the warrant for lack of particularized probable cause, but declined to suppress the evidence obtained from Google—which linked the defendant to the scene of a 2019 bank robbery—because the officers sought the warrant in good faith.
Continue Reading Federal Court Expresses Skepticism About Validity of Geofence Warrants But Declines Suppression Remedy

Utah appears poised to be the next state with a comprehensive privacy law on its books, following California, Virginia, and Colorado.  On March 2nd, the Utah House of Representatives voted unanimously to approve an amended version of the legislative proposal, and the Senate concurred with the House amendment on the following day.  Formalities are now being completed to send the bill to Governor Spencer Cox for signature.

The Utah Consumer Privacy Act (“UCPA”) provides for consumer rights and responsibilities for controllers and processors.  Although the bill generally tracks the comprehensive privacy law passed in Virginia last year, the VCDPA, there are some notable differences.  Key provisions in the bill include the following:
Continue Reading Utah Legislature Passes Comprehensive Privacy Bill

An Illinois federal district court recently rejected dismissal of Illinois Biometric Information Privacy Act (“BIPA”) claims in In re Clearview AI, Inc., Consumer Privacy Litigation, No. 21-cv-135 (N.D. Ill.).  The Clearview plaintiffs alleged that Clearview violated their privacy rights without their knowledge and consent by scraping more than three billion photographs of facial images from the internet and using artificial intelligence algorithms on the images to harvest individuals’ unique facial biometric identifiers and corresponding biometric information.  Clearview sought dismissal of the BIPA claims under the First Amendment, extraterritoriality doctrine, dormant commerce clause, and BIPA’s express exemption for  photographs.  The court rejected these grounds, and declined to dismiss the BIPA claims.
Continue Reading Court Rejects Dismissal of Illinois Biometric Information Privacy Act Against Clearview AI in Pending Multidistrict Litigation