There has been a steady increase in lawsuits focusing on whether businesses lawfully collect and use personal data. These claims impact a broad range of data processing activities in consumer and employment contexts and are not limited to any particular business sector. Businesses subject to unlawful data processing claims and demands incur serious losses in terms of litigation costs and out-of-court settlements.
With the increase in privacy litigation, the insurance industry has experienced a barrage of claims. As a result, many insurance carriers are thoroughly scrutinizing the technology businesses use to collect and retain personal data, especially from their public-facing websites. Much as they already perform vulnerability testing of businesses' external-facing attack surfaces and information technology infrastructure, i.e., outside-in scanning, insurance companies are now assessing businesses' websites for certain types of cookies, pixels and tracking codes. Insurance companies use this information to assess legal risks, establish corresponding premium costs and determine scopes of coverage.
To avoid data protection-related lawsuits and unnecessary coverage disputes with insurance carriers, businesses must evaluate the technology solutions used to collect personal data from both employees and consumers, assess their legal bases for data processing and compliance with data protection laws, and engage with their insurance brokers and carriers to understand the scope of their policies, especially exemptions that limit their ability to recover damages from unlawful personal data processing.
Data protection obligations: The legal framework
Recent unlawful personal data processing claims often focus on the collection and processing of personal identifiers, e.g., IP addresses, social media handles and communication content derived from consumer-facing websites, biometric data collection and processing, and telecommunications transmitted to employees via certain automated dialing technologies.
Website configuration claims. Organizations commonly configure their websites with cookies, pixels and tags that identify and monitor end-user behavior, including the time a website is accessed, the specific webpages visited and the online videos watched. This data can be used to identify fraudulent or harmful activity on a website, improve a website's functionality and personalize advertising to enhance a business's marketing program. Privacy advocates claim these website configurations may violate certain federal and state privacy laws, such as the California Invasion of Privacy Act, and have demanded that organizations pay restitution — often in the form of large monetary settlements — for noncompliance. In his recent opinion addressing the merits of one such CIPA claim, U.S. District Court Judge Jesus Bernal noted the plaintiff's attorney in the case works with multiple "testers" who scour websites looking for privacy violations to "drum up these lawsuits" and obtain a "quick cash settlement."
Biometric data. In the 2019 case Rosenbach v. Six Flags Entertainment, the Illinois Supreme Court found plaintiffs do not have to demonstrate actual harm or injury resulting from alleged violations of the Biometric Information Privacy Act to seek statutory damages. Given that organizations may possess, collect or otherwise obtain biometric data in a variety of circumstances, such as through biometric timeclocks, authentication solutions, like Windows Hello, and website "try-on" features, BIPA lawsuits have skyrocketed. In February's Cothron v. White Castle System case, the Illinois Supreme Court concluded a separate BIPA claim accrues each time a private entity scans or transmits an individual's biometric data in violation of the law. In other words, every collection and disclosure of biometric data between the same two parties constitutes a new BIPA violation for which a plaintiff is eligible to receive damages. This framework has the potential to create crippling liabilities for organizations that unlawfully collect biometric data.
Telecommunications claims. There are federal and state laws requiring organizations to obtain written consent prior to transmitting certain informational or marketing communications through automatic telephone dialing systems or similar automated technologies. Although autodialer-related litigation previously focused on direct-to-consumer advertising, claims in the employment context rose when businesses began using autodialers to transmit SMS communications to their employees, including company announcements and scheduling changes, without first obtaining proper consent. Using an autodialer to transmit messages to hundreds or even thousands of employees significantly raises concerns about legal compliance, especially within business sectors with high turnover or classes of workers prone to having their cellphone numbers terminated and reassigned.
Compliance measures
Businesses should focus compliance efforts in five key areas to minimize their risk of being subject to unlawful data processing claims:
Data inventory and security. Businesses should develop processing records, i.e., data maps/inventories, describing the types of personal data collected from employees, customers and website users to help them understand and comply with data processing legal requirements. To assist in this process, organizations should routinely scan their own websites to account for the videos they post and for each cookie, pixel and tag they deploy. This is especially important for third-party social media pixels designed to consolidate, extract or share data on an end user's website activity with other profiling information. Third-party scanning tools, such as Blacklight, are readily available and designed to identify these types of website technologies. As part of their processing records, it is important for organizations to identify the level of security used to safeguard personal data during storage and transmission, including whether it is segmented from other corporate information, and whether its access is limited, encrypted and protected with multifactor authentication.
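As an added illustration (not part of the original article or any product it mentions), the following Python script turns one fetched page and its Set-Cookie headers into the kind of processing-record entry described above: third-party hosts, tracking pixels, embedded videos and cookie attributes. The HTML, hostnames and cookie values are constructed sample data; the first-party hostname is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from http.cookies import SimpleCookie

FIRST_PARTY = "www.example.com"  # assumed hostname of the site being inventoried

# Constructed sample page: one first-party script, two third-party tags, one 1x1 pixel, one video embed
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://tags.analytics-example.com/tag.js?id=TAG-PLACEHOLDER"></script>
</head><body>
<img src="https://px.tracker-example.net/p.gif?ev=view" width="1" height="1">
<iframe src="https://video.embed-example.com/embed/VIDEO-PLACEHOLDER"></iframe>
<img src="/img/logo.png">
</body></html>"""

# Constructed Set-Cookie headers as they would arrive with the page response
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "ad_id=xyz789; Domain=.example.com; Path=/; Max-Age=7776000",
]


class TagCollector(HTMLParser):
    """Collect every external resource reference that can act as a tag, pixel or embed."""
    TRACKED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.TRACKED.get(tag)
        if attr and a.get(attr):
            pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
            self.refs.append((tag, a[attr], pixel))


def inventory(html, set_cookie_headers, first_party=FIRST_PARTY):
    """Return a processing-record stub: third-party hosts, pixels, videos and cookie attributes."""
    parser = TagCollector()
    parser.feed(html)
    hosts, pixels, videos = set(), [], []
    for tag, url, pixel in parser.refs:
        host = urlparse(url).hostname
        if not host or host == first_party:
            continue  # relative or first-party reference: not a third-party disclosure
        hosts.add(host)
        if pixel:
            pixels.append(url)
        if tag == "iframe":
            videos.append(url)
    cookies = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():
            cookies.append({"name": name, "domain": m["domain"] or first_party,
                            "persistent": bool(m["max-age"] or m["expires"]),
                            "secure": bool(m["secure"]), "httponly": bool(m["httponly"])})
    return {"third_party_hosts": sorted(hosts), "pixels": pixels,
            "embedded_videos": videos, "cookies": cookies}
```

Run against a real page, the output is a starting point for the processing record, not a legal assessment: each third-party host still has to be mapped to a vendor, a purpose and a notice or consent basis.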
Privacy notices. Most data protection laws require organizations to provide notice prior to collecting individuals' personal data, but these requirements vary from law to law. For instance, the BIPA requires organizations to develop (and make available to the public) policies establishing retention schedules and guidelines for destroying biometric data that describe "the specific purpose and length of term" for which the data is being used. It is important that these privacy notices satisfy their corresponding legal requirements, as noncompliance with even minor, technical areas of a privacy law could result in legal claims and class action lawsuits.
Consent. How a business obtains employee or consumer consent is a fact-specific determination, dependent on the law at issue. In Illinois, the BIPA requires organizations to obtain "written releases" from individuals whose biometric data they collect. The Video Privacy Protection Act, on the other hand, mandates that organizations receive individuals' "informed written consent" in forms that are "distinct and separate from any form setting forth other legal or financial obligations of the consumer," prior to the disclosure of video-related personal data, e.g., website videos watched or purchased. Not only is it important for organizations to obtain proper consent from their employees, customers and website users, they also need to retain proper records of this consent to rebut noncompliance allegations and for general legal compliance purposes.
Mandatory arbitration. To avoid class action litigation, settle claims quickly and minimize legal expenses, organizations should assess whether they can mandate arbitration to settle data processing-related disputes. In the employment context, it is common for organizations to include mandatory arbitration clauses in their employee agreements and, in the consumer context, businesses should assess whether their website terms and conditions and customer contracts include mandatory arbitration clauses.
Vendor management. To streamline compliance with their data protection obligations, organizations should establish vendor-management processes wherein key internal stakeholders are notified when the business plans to retain new service providers who will receive personal data on its behalf. This process helps ensure businesses maintain an accurate record of processing, establish (or delegate to the service provider) appropriate privacy notice and consent responsibilities, impose information security requirements on service providers and properly allocate data breach liability.
Insurance considerations
Privacy-related claims are on the rise, and they have focused on the wrongful collection of personal data. In turn, insurance carriers scrutinize companies' security practices and assess the types of data they collect and how it is used. Insurance carriers increasingly require supplemental applications to specifically address how policyholders collect personal data. These applications often contain highly technical questions on an organization's website configurations and data processing activities. It is critical to thoughtfully respond to these questions because any material misrepresentation or inaccurate response could result in coverage nullification or disputes. Therefore, it is important to review these questions closely and discuss them with counsel, brokers and stakeholders within the organization, including IT security and marketing, and to maintain a consistent approach to data management. It is also crucial to watch for biometric data or pixel and tracking code exclusions within insurance policies, as well as wrongful data collection exclusions on cyber or media liability policies. Coverage is limited, but companies with strong controls and compliance have options in the cyber-insurance marketplace.