
United States Privacy Digest | Notes from the IAPP, March 11, 2022


This was an eventful week for privacy in United States federal court. 

First, the U.S. Supreme Court declined to hear Alphabet’s attempt to dismiss a lawsuit filed by company stakeholders, which alleges the company fraudulently concealed a security glitch that left user data vulnerable. Second, Facebook agreed to settle a class-action lawsuit claiming it had gathered information about Android users’ call and text messages, but the settlement terms have not been finalized. Third, a class-action lawsuit was filed in federal court in New York against HBO over allegations that it shared consumers’ watch lists with Facebook without their consent. Lastly, a federal district court judge in Virginia ruled that police violated the Fourth Amendment when they collected Google location data to find people near the scene of a 2019 bank robbery. The case could make it harder for police to obtain warrants to collect tracking data from cellphones to find people close to a crime scene.

State law was also top-of-mind for privacy stakeholders this week. 

The Chief Justice of the Missouri Supreme Court advocated before state lawmakers for passage of the Judicial Privacy Act, a piece of legislation that prohibits publicizing or displaying judges' personal information. The Chief Justice said judges are becoming increasingly vulnerable to harassment online and at home, citing attempted murders of judges and their families and an assassination attempt on a Texas judge. If the act passes, Missouri would join 11 other states that have passed a version of the Judicial Privacy Act.

The Virginia General Assembly ended its 2022 regular legislative session and sent two bills to the governor’s desk that amend the Virginia Consumer Data Protection Act. One of the bills modifies consumers’ "right to delete" personal data held by third-party controllers into a "right to opt out of processing." The other bill contains three amendments. First, it authorizes the Virginia attorney general’s office to seek actual damages in court for aggrieved consumers. Second, it exempts any political organization from the law. Lastly, it gives the Virginia attorney general flexibility in enforcing the law by determining whether a cure for alleged violations is possible.

A California lawmaker introduced a bill to strengthen California’s data broker law, one of only two in the nation. The bill tightens data brokers’ annual registration and reporting requirements while increasing the penalties for violations. The bill also expands enforcement authority to include the California Privacy Protection Agency in addition to the California Department of Justice.

In other news, the FTC announced a first-of-its-kind order this week, TikTok neared a deal to localize U.S. users’ data domestically, and the SEC signaled that it may tighten breach reporting requirements.

WW International, a diet and fitness provider, reached a $1.5 million settlement with the Federal Trade Commission over allegations it had violated the Children’s Online Privacy Protection Act. As part of the settlement, the FTC also issued a first-of-its-kind order that WW International destroy previously collected personal information and products associated with the alleged COPPA violations. 

TikTok and Oracle neared a deal to store U.S. consumers’ personal data without allowing access by TikTok’s Chinese parent company, ByteDance. Discussions between the two companies began in September 2020 following concern that TikTok’s U.S. operations ran through China. The deal is not yet final as it awaits approval through the Committee on Foreign Investment.

The U.S. Securities and Exchange Commission proposed a rule that would require publicly traded companies to report cyberattacks within four days. Companies would have to disclose whether any data was stolen, the steps taken to address the attack and how business operations were affected. A company would also have to periodically update investors about the “material effects” the attack had.

It was a busy week in U.S. privacy, and we’ll keep you updated on these and other related stories as they develop.

