Efforts to Protect Consumer Data Face Corporate Pushback
Corban Rhodes and Ross Kamhi write: We are at a pivotal moment with respect to how the law protects consumer personal information. The public, however, is largely unaware of the concerted opposition protection legislation faces from technology giants.
October 12, 2017 at 01:00 PM
16 minute read
We are at a pivotal moment with respect to how the law protects consumer personal information. The public, however, is largely unaware of the concerted opposition protection legislation faces from technology giants.
As information technology expands at a blistering pace, questions about how companies may go about gathering, using, distributing, and safeguarding their customers' information loom large. Legislators and regulators have struggled not only to keep pace with these changes, but also to establish who will lead the conversation.
While the federal government has taken a backseat role in passing legislation that protects consumer privacy rights, many state legislatures have stepped up to fill the void, introducing laws aimed at regulating the types of information companies can collect and what companies must do before they can disclose such information. But states have experienced challenges passing such legislation, often facing pushback from large technology companies that depend on the collection of user data to generate revenue. This has produced an ongoing battle at the state level between privacy advocates and technology companies over the appropriate breadth of such regulations.
The Federal Government Rolls Back Privacy Protections. The federal government under the Trump administration and current Republican-controlled congress has begun pulling back on the regulation of consumer data.
On Dec. 2, 2016, during the final weeks of the Obama administration, the Federal Communications Commission (FCC) issued a regulation, known as the “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” aimed at requiring Internet service providers, such as Comcast, Verizon, and AT&T, to protect the confidentiality of customer proprietary information.
The rules would have required that Internet service providers, among other things, (1) obtain affirmative consent and opt-in customer approval to use and share customer proprietary information, including financial information, geo-location information, and web-browsing history; (2) take reasonable measures to secure this customer information; and (3) provide notification to customers, the FCC, and law enforcement in the event of data breaches that could result in harm.
However, before these rules had even gone into effect, Congress passed legislation in March 2017 nullifying these rules, and that legislation was signed into law the following month. As a result, Internet service providers can freely share customers' sensitive confidential information, including browsing data, app usage, and personally identifiable information, without providing notice to consumers or obtaining their consent.
State Legislators Have Stepped Up to Fill the Void, But Big Business Is Pushing Back. While the federal government has rolled back efforts to secure customer data, states have taken matters into their own hands, introducing new legislation aimed at protecting consumer privacy rights. But these efforts have faced significant hurdles thus far because large technology companies have so far successfully lobbied against the passage of sweeping regulations.
The battle between privacy advocates and the technology industry has been most active in Illinois, where, during 2017, state legislators introduced a number of laws aimed at protecting consumer privacy, including the Geolocation Privacy Protection Act (GPPA), which aims to prevent companies from collecting, using, storing, or disclosing a smartphone user's geolocation information unless the entity provides notice and receives affirmative express consent. Despite the bill's narrow focus, business groups pushed back, and were largely successful at limiting its scope.
Indeed, early drafts of the GPPA specifically provided a private right of action, entitling a person whose rights are violated to recover liquidated damages of $1,000 or actual damages, whichever is greater, as well as attorney fees and costs, and other relief a court may deem appropriate, such as an injunction. While the bill was up for debate in the Illinois legislature, it underwent significant changes, including removal of the private-right-of-action provision, which many privacy advocates view as an important safeguard against a company's violation of privacy laws. Certain crucial groups were also provided exemptions from the law, including Internet, wireless, and telecommunications service providers.
On June 28, 2017, the Illinois legislature passed this narrowed version of the bill. While the passage of the GPPA was a notable success for privacy advocates, the limited focus of the version that ultimately passed in the Illinois legislature reflected the strength of the technology industries' lobbying efforts. Ultimately, the bill never became law, as Illinois Governor Bruce Rauner vetoed the bill on Sept. 22, 2017.
A similar battle is currently playing out in Illinois with respect to the Right to Know Act, also introduced in 2017, which would require websites or apps to inform consumers about certain information-sharing practices. Many websites and social-media services collect vast amounts of detailed personal information about consumers, and rely on sharing this valuable information with third parties to generate revenue. The Right to Know Act aims to provide consumers with greater transparency about these information-sharing processes, requiring commercial websites and online services that collect or disclose personal information of Illinois residents to (1) identify all categories of personal information that is collected or disclosed; (2) identify the third parties with whom that information is shared; and (3) provide a description of a customer's rights, as specified in the statute.
An early draft of the Right to Know Act provided a private right of action, but, as with the GPPA, this provision was later removed, and is not in the version of the bill that is currently pending before the Illinois legislature. Still, even this narrowed version of the proposed law appears unlikely to pass the Illinois House, where it is currently stalled, as it has seen a number of co-sponsors rescind their support following significant pushback from the business community.
Attempts in other states to protect consumers' privacy rights have faced similar fates. Earlier this year, a number of states, including Alaska, Connecticut, Montana, New Hampshire, and Washington, debated laws that aimed to protect consumers' biometric information (that is, biological-identifying information, such as fingerprints and face scans) from collection, requiring companies to provide notice and obtain consent before collecting such information. These proposed laws were largely modeled after an existing Illinois statute, the Illinois Biometric Information Privacy Act of 2008 (BIPA), which requires companies to obtain informed, written consent before collecting biometric data and provides aggrieved consumers a private right of action and statutory damages.
These states' efforts to pass biometric-information-privacy laws have all largely failed, in part because the technology industry has successfully pushed back against the proposed statutes. As the use of facial recognition technology has become more widespread in the technology industry, a number of companies have faced lawsuits under BIPA for their alleged collection of biometric information from users. Passage of similar laws in other states would potentially expose these companies to additional legal liability.
The proposed bills in Alaska, Connecticut, Montana, and New Hampshire all failed to pass, and only in Washington did the proposed bill become law. But that bill was significantly narrowed in ways that reflect the successful lobbying efforts of the technology industry. For example, the Washington law's definition of “biometric identifier” is far narrower than how it is defined under the Illinois law, and specifically carves out biometric identifiers generated from photos, which will likely limit the law's application to social media companies that use facial-recognition technology. The Washington law also does not provide a private right of action.
What's Next? As the legal system struggles to keep pace with rapid technological innovation and the privacy issues that come along with it, certain states have taken the lead, proposing laws that seek to protect consumers' privacy rights without stifling innovation. Not surprisingly, this has produced an ongoing battle between privacy advocates and the business community about the appropriate breadth of such regulations. Recent court decisions have added further fuel to the fire, including the Ninth Circuit's August 2017 decision on remand from the Supreme Court in Robins v. Spokeo, — F.3d —, 2017 WL 3480695 (9th Cir. Aug. 15, 2017), which found that the harm stemming from a violation of the Fair Credit Reporting Act—which provides statutory damages for a violation—was concrete enough to establish standing. This decision will likely make it easier for consumers to demonstrate standing in cases involving statutes that provide statutory damages for violations of certain privacy rights.
While large technology companies so far have been successful at limiting the passage of sweeping legislation, increasing scrutiny from consumers and regulators alike suggest that the battles have only begun.
Corban Rhodes is of counsel and Ross Kamhi is an associate at Labaton Sucharow.
We are at a pivotal moment with respect to how the law protects consumer personal information. The public, however, is largely unaware of the concerted opposition protection legislation faces from technology giants.
As information technology expands at a blistering pace, questions about how companies may go about gathering, using, distributing, and safeguarding their customers' information loom large. Legislators and regulators have struggled not only to keep pace with these changes, but also to establish who will lead the conversation.
While the federal government has taken a backseat role in passing legislation that protects consumer privacy rights, many state legislatures have stepped up to fill the void, introducing laws aimed at regulating the types of information companies can collect and what companies must do before they can disclose such information. But states have experienced challenges passing such legislation, often facing pushback from large technology companies that depend on the collection of user data to generate revenue. This has produced an ongoing battle at the state level between privacy advocates and technology companies over the appropriate breadth of such regulations.
The Federal Government Rolls Back Privacy Protections. The federal government under the Trump administration and current Republican-controlled congress has begun pulling back on the regulation of consumer data.
On Dec. 2, 2016, during the final weeks of the Obama administration, the Federal Communications Commission (FCC) issued a regulation, known as the “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” aimed at requiring Internet service providers, such as
The rules would have required that Internet service providers, among other things, (1) obtain affirmative consent and opt-in customer approval to use and share customer proprietary information, including financial information, geo-location information, and web-browsing history; (2) take reasonable measures to secure this customer information; and (3) provide notification to customers, the FCC, and law enforcement in the event of data breaches that could result in harm.
However, before these rules had even gone into effect, Congress passed legislation in March 2017 nullifying these rules, and that legislation was signed into law the following month. As a result, Internet service providers can freely share customers' sensitive confidential information, including browsing data, app usage, and personally identifiable information, without providing notice to consumers or obtaining their consent.
State Legislators Have Stepped Up to Fill the Void, But Big Business Is Pushing Back. While the federal government has rolled back efforts to secure customer data, states have taken matters into their own hands, introducing new legislation aimed at protecting consumer privacy rights. But these efforts have faced significant hurdles thus far because large technology companies have so far successfully lobbied against the passage of sweeping regulations.
The battle between privacy advocates and the technology industry has been most active in Illinois, where, during 2017, state legislators introduced a number of laws aimed at protecting consumer privacy, including the Geolocation Privacy Protection Act (GPPA), which aims to prevent companies from collecting, using, storing, or disclosing a smartphone user's geolocation information unless the entity provides notice and receives affirmative express consent. Despite the bill's narrow focus, business groups pushed back, and were largely successful at limiting its scope.
Indeed, early drafts of the GPPA specifically provided a private right of action, entitling a person whose rights are violated to recover liquidated damages of $1,000 or actual damages, whichever is greater, as well as attorney fees and costs, and other relief a court may deem appropriate, such as an injunction. While the bill was up for debate in the Illinois legislature, it underwent significant changes, including removal of the private-right-of-action provision, which many privacy advocates view as an important safeguard against a company's violation of privacy laws. Certain crucial groups were also provided exemptions from the law, including Internet, wireless, and telecommunications service providers.
On June 28, 2017, the Illinois legislature passed this narrowed version of the bill. While the passage of the GPPA was a notable success for privacy advocates, the limited focus of the version that ultimately passed in the Illinois legislature reflected the strength of the technology industries' lobbying efforts. Ultimately, the bill never became law, as Illinois Governor Bruce Rauner vetoed the bill on Sept. 22, 2017.
A similar battle is currently playing out in Illinois with respect to the Right to Know Act, also introduced in 2017, which would require websites or apps to inform consumers about certain information-sharing practices. Many websites and social-media services collect vast amounts of detailed personal information about consumers, and rely on sharing this valuable information with third parties to generate revenue. The Right to Know Act aims to provide consumers with greater transparency about these information-sharing processes, requiring commercial websites and online services that collect or disclose personal information of Illinois residents to (1) identify all categories of personal information that is collected or disclosed; (2) identify the third parties with whom that information is shared; and (3) provide a description of a customer's rights, as specified in the statute.
An early draft of the Right to Know Act provided a private right of action, but, as with the GPPA, this provision was later removed, and is not in the version of the bill that is currently pending before the Illinois legislature. Still, even this narrowed version of the proposed law appears unlikely to pass the Illinois House, where it is currently stalled, as it has seen a number of co-sponsors rescind their support following significant pushback from the business community.
Attempts in other states to protect consumers' privacy rights have faced similar fates. Earlier this year, a number of states, including Alaska, Connecticut, Montana, New Hampshire, and Washington, debated laws that aimed to protect consumers' biometric information (that is, biological-identifying information, such as fingerprints and face scans) from collection, requiring companies to provide notice and obtain consent before collecting such information. These proposed laws were largely modeled after an existing Illinois statute, the Illinois Biometric Information Privacy Act of 2008 (BIPA), which requires companies to obtain informed, written consent before collecting biometric data and provides aggrieved consumers a private right of action and statutory damages.
These states' efforts to pass biometric-information-privacy laws have all largely failed, in part because the technology industry has successfully pushed back against the proposed statutes. As the use of facial recognition technology has become more widespread in the technology industry, a number of companies have faced lawsuits under BIPA for their alleged collection of biometric information from users. Passage of similar laws in other states would potentially expose these companies to additional legal liability.
The proposed bills in Alaska, Connecticut, Montana, and New Hampshire all failed to pass, and only in Washington did the proposed bill become law. But that bill was significantly narrowed in ways that reflect the successful lobbying efforts of the technology industry. For example, the Washington law's definition of “biometric identifier” is far narrower than how it is defined under the Illinois law, and specifically carves out biometric identifiers generated from photos, which will likely limit the law's application to social media companies that use facial-recognition technology. The Washington law also does not provide a private right of action.
What's Next? As the legal system struggles to keep pace with rapid technological innovation and the privacy issues that come along with it, certain states have taken the lead, proposing laws that seek to protect consumers' privacy rights without stifling innovation. Not surprisingly, this has produced an ongoing battle between privacy advocates and the business community about the appropriate breadth of such regulations. Recent court decisions have added further fuel to the fire, including the Ninth Circuit's August 2017 decision on remand from the Supreme Court in Robins v. Spokeo, — F.3d —, 2017 WL 3480695 (9th Cir. Aug. 15, 2017), which found that the harm stemming from a violation of the Fair Credit Reporting Act—which provides statutory damages for a violation—was concrete enough to establish standing. This decision will likely make it easier for consumers to demonstrate standing in cases involving statutes that provide statutory damages for violations of certain privacy rights.
While large technology companies so far have been successful at limiting the passage of sweeping legislation, increasing scrutiny from consumers and regulators alike suggest that the battles have only begun.
Corban Rhodes is of counsel and Ross Kamhi is an associate at
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Post-Pandemic Increase in Live Events Prompts Need for Premise Liability Action
7 minute read
Are Federal and State Superfund Laws the Best Way to Address Microplastics?
10 minute readTrending Stories
- 1Who Got the Work: 16 Lawyers Appointed to BioLab Class Action Litigation
- 2White & Case Settles Wrongful Conviction Lawsuit With City Agreeing to Pay $9.45 Million
- 33 New Judges: Here's Who Kemp Just Appointed to the Bench
- 4Apple Asks Judge to 'Follow the Majority Practice' in Dismissing Patent Dispute Over Night Vision Technology
- 5Texas Supreme Court to Review "Implied" Performance Controversy in Oil-Gas Leases
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
