Members of Congress are gearing up for national laws on autonomous vehicles. Last week in the Senate, John Thune (R-S.D.), Gary Peters (D-Mich.), and Bill Nelson (D-Fla.) released a list of principles for bipartisan legislation in advance of a hearing they convened on June 14, 2017, entitled “Paving the
Continue Reading Senate, House, and FTC Seek to Steer the Course of Self-Driving Vehicles
Washington Becomes the Third State with a Biometric Law
On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute. The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers. With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information. Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.
The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.” In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute. Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology.
FCC Releases NPRM on Broadband ISPs and Net Neutrality Rules
The FCC has released the Notice of Proposed Rulemaking (“NPRM”) on “Restoring Internet Freedom” that was adopted by a 2-1 vote at the Commission’s open meeting on May 18. The NPRM is substantively very similar to the draft released by Chairman Pai on April 27, and the comment deadlines remain the same: July 17 for initial comments and August 16 for reply comments.
Of possible relevance from a privacy perspective, the NPRM now asks about the jurisdictional effects of finding broadband to be an interstate information service. As he explained in his statement approving adoption of the NPRM, Commissioner O’Rielly had asked that this question be added to the NPRM, and he expressed the view that this finding should foreclose states and localities from regulating the privacy practices of ISPs (among other matters). Whether the FCC would attempt to make such a broad preemption finding remains to be seen.
New Republican Privacy Bill Would Expand Scope of “Sensitive” Data
Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would create new online privacy requirements. The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data. In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.
The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories. ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information. For “non-sensitive user information,” the BROWSER Act requires opt-out consent. And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
First Annual Privacy Shield Review Will Comprehensively Assess the Framework
The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C. The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.
Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security. Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.
Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny. The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.
White House Issues New Cybersecurity EO
On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”). The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February. Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013. With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 blog post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.” Here, we highlight key differences between the Revised Draft and the final Order.
Section 1: Cybersecurity of Federal Networks
The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama. The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.
Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars
Automated vehicle technology is accelerating, and regulators are racing to keep up. On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (“NHTSA”) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles. The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (“NPRM”) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (“V2V”) communications by the early 2020s.
Ninth Circuit Will Rehear Dismissal of FTC Throttling Suit
The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans. According to the panel opinion, the…
Eleventh Circuit Hands Another VPPA Loss to Video App Plaintiffs
In Perry v. Cable News Network, the Eleventh Circuit dealt another loss to putative class-action plaintiffs seeking to use the Video Privacy Protection Act (“VPPA”) as a weapon against free online video services. The court affirmed that to be a “subscriber” of a video service—someone who can sue under the VPPA—one must have a genuine commitment, relationship, or association with that service. Because the Perry plaintiff could not show that, he lost.
The VPPA creates a cause of action against video service providers that disclose their consumers’ personally identifiable information alongside their viewing information. The typical Internet example is a paid video service that gives an advertiser a paying subscriber’s email address and viewing history.
To sue under the VPPA, a person must be a “consumer.” The VPPA defines that term as meaning a renter, purchaser, or subscriber of goods or services from a video service provider. “Subscriber” has raised the question of whether someone who downloads and uses a free app can be a “consumer” who can sue under the VPPA. At least in the Eleventh Circuit, Ellis v. Cartoon Network, Inc. answered that question: something more than mere use is needed. Instead, Ellis held that a proper VPPA plaintiff needs “some type of commitment, relationship, or association (financial or otherwise)” between the plaintiff and the video service provider.
In Perry, the district court relied on Ellis to dismiss plaintiff Perry’s suit without leave to amend because he was merely a user of CNN’s free app. Perry argued he could state a VPPA claim because he subscribed to CNN’s television channel through his cable package. This cable subscription let Perry access exclusive content via the CNN app. Perry said this made him a CNN app subscriber. He also said he paid CNN indirectly through his cable subscription. Perry appealed to the Eleventh Circuit on those theories.
FCC Chairman Pai Proposes New Regulatory Framework for Broadband ISPs, Seeks Comment on Net Neutrality Rules
In a widely anticipated step, FCC Chairman Ajit Pai has released a draft Notice of Proposed Rulemaking (“NPRM”) on the legal framework that governs broadband providers and related net neutrality questions.
Most notably from a privacy perspective, the draft NPRM proposes to find that broadband Internet access service is an “information service” under the Communications Act, reversing the 2015 “telecommunications service” classification that had brought broadband providers under the statutory privacy requirements of Title II of that Act.
The draft NPRM states that the 2015 reclassification “stripped FTC authority over Internet service providers,” in light of the common carrier exemption in Section 5 of the FTC Act. By reversing the FCC’s prior finding that broadband is a common carrier service, the draft NPRM proposes to “return jurisdiction over Internet service providers’ privacy practices to the FTC, with its decades of experience and expertise in this area.”