2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.

Data Privacy Regulatory Enforcement Trends

Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.

An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent.  The allegations note that the app included a “Kids” category that was targeted to children.  The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.

State Attorneys General have also actively enforced COPPA.  The New Mexico Attorney General in August announced a federal lawsuit accusing the developer of the “Angry Birds” mobile gaming franchise of illegally collecting data under COPPA.  The lawsuit alleged that the developer, Rovio, knowingly collects the personal information of children under 13 who play the game.  The allegations also state that Rovio sends the information to third-party marketing companies.

Another key area of focus for the FTC was health apps.  The FTC finalized a settlement with Flo Health Inc., following allegations that Flo Health shared the health information of its users with outside data analytics providers after promising the information would remain private.  According to the allegations, Flo Health gave users’ health information to third parties, including Google, LLC and Facebook, Inc., through its Facebook Analytics tool.  The allegations further state that Flo Health agreed to each company’s standard terms of service and allowed the third parties to use users’ personal health information widely, including for advertising.

The FTC also focused on health apps outside of the enforcement context.  In September, the FTC issued a policy statement requiring health apps and connected devices that collect or use consumers’ health information to comply with the Health Breach Notification Rule.  The change requires health apps and connected devices to notify consumers and others when their health data is breached.

Data Privacy Litigation Trends

Major decisions in data privacy litigation in 2021 focused primarily on state law causes of action, with the Illinois Biometric Privacy Act (BIPA) and California Invasion of Privacy Act (CIPA) producing interesting litigation results.

Litigation under BIPA continued to keep courts busy in 2021, with significant decisions clarifying the scope of BIPA.  In Tims v. Black Horse Carriers, Inc., an Illinois state appellate court clarified that the statutes of limitation applicable to BIPA claims vary depending on the nature of the claim.  The court determined that the one-year limitation period applied to privacy actions that contained a “publication” element, but that, in contrast, violations of Section 15(a)’s retention policy, Section 15(b)’s informed consent, and Section 15(e)’s data safeguarding requirements have a five-year limitation period.  And in McGoveran v. Amazon Web Services, Inc., the District of Delaware dismissed a BIPA claim against Amazon Web Services (AWS) and Pindrop Security on extraterritoriality grounds, holding that the plaintiffs’ location in Illinois, where their biometric data was allegedly collected, was not enough to establish conduct by defendants in Illinois.

In 2021, California courts grappled with interesting applications of CIPA.  CIPA was originally conceived as a wiretapping statute, but creative plaintiffs’ counsel are now testing the bounds of how CIPA may be applied to internet communications.  In Brown v. Google, the Northern District of California denied a motion to dismiss a putative class brought against Google asserting violation of CIPA and the federal Wiretap Act over Google’s alleged collection of data from users browsing in incognito mode.  In Silver v. Stripe, the Northern District of California granted in part and denied in part Stripe’s motion to dismiss a suit alleging violations of California, Florida, and Washington wiretap laws due to Stripe’s role as a payment processor on Instacart’s website.

Several cases were litigated in 2021 involving CIPA Section 631 and session replay software, which collects data about a user’s interactions with a website that the website operator can later view.  Plaintiffs have contended that this practice amounts to eavesdropping on communications between websites and their website users.  The Northern District of California has dismissed three such cases — Graham v. Noom, Johnson v. Blue Nile, and Yale v. Clicktale — holding that the software companies are service providers serving as extensions of the website operators, and that they therefore fall under Section 631’s party exception.  But the Central District of California in Yoon v. Lululemon and Saleh v. Nike held that the claims could proceed past the motion to dismiss stage.  Until the Ninth Circuit weighs in, this area of the law remains unsettled.

The Inside Privacy Blog will continue to monitor data privacy regulatory enforcement and litigation, looking to identify the significant trends in 2022.

Jenna Zhang

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy notices and terms of use, responding to cyber and data security incidents, and evaluating privacy and cybersecurity risks in corporate transactions. In particular, she advises clients on substantive requirements relating to children’s and student privacy, including COPPA, FERPA, age-appropriate design code laws, and social media laws.

As part of her practice, Jenna regularly represents clients in data privacy investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general. She also supports clients in proactive engagement with regulators and policymakers to ensure their perspectives are heard.

Jenna also maintains an active pro bono practice with a focus on supporting families in adoptions, guardianships, and immigration matters.

Kimberly Railey

Kimberly Railey is an associate in the firm’s Washington, DC office. She is a member of the Election and Political Law Practice Group, advising corporations, PACs, nonprofits, and individuals on compliance with federal and state lobbying, campaign finance, and government ethics laws. She also represents and counsels clients in matters before government agencies and Congress.

Prior to law school, Kimberly was a political reporter for a nonpartisan publication in Washington, DC.