Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.


Over the past few years, data privacy and security have been the focus of many state legislatures. CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023 when the Governor signed the latest consumer privacy bill into law. Many other states have bills in the legislatures that are likely to become law, including FL, MT and TN (where the bills are awaiting the governors’ signatures). Though most of these laws apply to businesses that control or process personal data of 100,000 or more residents in each of those states, California’s data privacy law applies to any business that has gross annual revenue of over $25M if it collects the personal data of any California resident, which includes employees and business contacts.


On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation.  Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them.  Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.[1]


An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”).  Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.


Cyberattacks on corporate networks are on the rise, and the ramifications from such attacks can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across industries aimed at preventing breaches jumping 51%. And while businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of policies. Interestingly, next month Lloyd’s is adding exclusions to limit insurance coverage for state-sponsored cyberattacks.

Read on to learn how to prepare your company for these rapidly evolving security risks and why policyholders should review cyber, property and other policies to determine which may provide cyberattack coverage.

The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going forward.

In a unanimous decision, the Ohio Supreme Court found that a computer software company’s business owners insurance policy does not cover losses resulting from a ransomware attack on the company’s computer software systems because the attack did not cause physical loss or physical damage to the software.

Read on for background on this case and analysis of the ruling.

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks to their businesses and their customers.

As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. Data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now subject to specific standards and requirements in recognition of the consumer rights created by each of the Acts. As a result, businesses need to ensure that their policies and practices are adjusted to address the increased privacy risk.

The Virginia Consumer Data Protection Act (“VCDPA”) will go into effect on January 1, 2023. This statute requires companies who operate in Virginia or target Virginia consumers (whether or not the company is located in Virginia) and collect personal information from more than 100,000 Virginia consumers annually to meet certain cybersecurity requirements and to offer certain privacy rights to those consumers, such as the right to opt-out. For more specifics on the VCDPA read on here.

The California Privacy Rights Act (“CPRA”) also goes into effect on January 1, 2023. This statute applies to any business that collects the personal information of a California resident if that business meets one of the following three criteria: (1) had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year; (2) alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information. These businesses must meet certain disclosure and cybersecurity requirements and must offer certain privacy rights to those consumers. Subject to certain exceptions, these rights include the right of consumers to know what information is collected about them, the rights to correct and delete their personal information, the right to opt out of the sale or sharing of their personal information and the right to limit the use of their sensitive personal information. Read on for more specifics on the CPRA here.

Our Data Privacy & Security team can assist with drafting privacy policies that are consistent with the Virginia CDPA and the CPRA. Contact us today to learn more.

On Nov. 21, 2022, the Federal Communications Commission issued a declaratory ruling and order finding that “ringless voicemails” to wireless phones are “calls” made using an artificial or prerecorded voice. Such calls, therefore, are subject to the Telephone Consumer Protection Act and callers must obtain consent before delivering such messages.

Read on to learn about the FCC’s ruling and why companies should not rely on a vendor’s representation that its technology falls outside the TCPA’s reach.