Developments in Law and Policy from Venable's eCommerce, Privacy, and Cybersecurity Group
In this issue, we examine a letter written by a bipartisan group of Senators regarding children's privacy during the COVID-19 pandemic. Around the agencies, we highlight the Federal Trade Commission's postponement of the GLBA Safeguards Rule workshop and its request for comment on the Health Breach Notification Rule. In California, we provide an update on the Californians for Consumer Privacy's ballot initiative and a digital health data information privacy bill. We discuss the July 1, 2020, effective date of amendments to Vermont's Security Breach Notice Act. Across the pond, we explore the United Kingdom Information Commissioner's data protection priorities and the European Data Protection Board's cookie tracking guidelines.
Heard on the Hill
Bipartisan Group of Senators Requests that the FTC Investigate EdTech and Advertising Companies' Use of Children's Data
On May 8, 2020, Senators Edward J. Markey (D-MA), Josh Hawley (R-MO), Richard Blumenthal (D-CT), Bill Cassidy (R-LA), Dick Durbin (D-IL), and Marsha Blackburn (R-TN) sent a letter requesting that the Federal Trade Commission (FTC) investigate how data collected from children online is being used in educational technology (EdTech) and digital marketing. The Senators urged the FTC to consider revisions to the Children's Online Privacy Protection Act Rule (COPPA Rule) to help ensure that children's personal information is safeguarded effectively as online offerings for children increase during the COVID-19 pandemic.
The Senators' letter referenced Section 6(b) of the FTC Act, noting that the provision gives the FTC authority to require entities to answer questions about how they use and store information collected from children online. The letter posed a series of questions for consideration in an examination of EdTech companies and explained that the COPPA Rule must account for the "new normal" of online platforms, which the Senators said have become integral to American education in meeting the needs of educators, parents, and children.
The Senators expressed concern that digital marketing's use of data from children online presents a risk of privacy invasion, noting that children are consuming more content and spending more time online. The Senators urged the FTC to use all available avenues to ensure that the COPPA Rule can protect children.
Around the Agencies and Executive Branch
Federal Trade Commission Extends Comment Period and Reschedules GLBA Safeguards Rule Workshop
The Federal Trade Commission (FTC) rescheduled its Safeguards Workshop, which provides a forum to discuss proposed amendments to the Safeguards Rule, from May 13 to July 13, 2020. The FTC also extended its deadline to submit comments from June 12 to August 12, 2020.
The Safeguards Rule was issued under the Gramm-Leach-Bliley Act and, among other matters, requires covered "financial institutions" to develop, implement, and maintain a comprehensive information security program.
In 2019, the FTC sought comments on proposed amendments to the Safeguards Rule that would add more detailed requirements regarding what must be included in a comprehensive information security program and proposed to expand the definition of "financial institutions" subject to the Safeguards Rule to cover "finders" who charge a fee to connect consumers to lenders.
The FTC is hosting the Safeguards Workshop to "explore some of the issues raised in response" to these proposed amendments and has specifically requested "information, empirical data, and testimony" on topics including, but not limited to:
- Price models for specific elements of information security programs
- Standards for security in various industries
- The availability of third-party information security services aimed at different sized institutions
- Information about penetration and vulnerability testing
- The cost of and possible alternatives to encryption and multifactor authentication
The Safeguards Workshop will be live streamed from the FTC's website.
Federal Trade Commission Requests Public Comment on the Health Breach Notification Rule
On May 8, 2020, the Federal Trade Commission (FTC) announced that it is seeking public comment on its Health Breach Notification Rule (HBN Rule). Every ten (10) years, the FTC reviews its rules and guides to determine whether they need modifications.
In 2009, the FTC issued the HBN Rule pursuant to section 13407 of the American Recovery and Reinvestment Act of 2009 (Recovery Act). The HBN Rule became effective on August 25, 2009, and companies were subject to enforcement by the FTC on February 22, 2010. The Recovery Act directed the FTC to issue a rule supplementing the protections for personal health records and electronic records of identifiable health information contained within the Recovery Act. Specifically, the Recovery Act directed the FTC to issue a rule requiring vendors of personal health records (PHR), their third-party service providers, and similar entities to provide notification of any breach of unsecured PHR. The HBN Rule sets forth the content, timing, and methods of notification for breaches of unsecured PHR. For breaches affecting more than five-hundred (500) individuals, the HBN Rule requires notification to the FTC. The FTC has not filed an enforcement action under the HBN Rule.
Similarly, the Health Insurance Portability and Accountability Act (HIPAA) contains three rules for entities covered under HIPAA (e.g., health care providers, health plans, and health care clearinghouses): the Privacy Rule, the Security Rule, and the Breach Notification Rule. Specifically, in the event of a breach of unsecured protected health information, the HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify affected individuals and the United States Department of Health and Human Services (HHS) and, in some cases, to provide public notice on the entity's website or through the media.1 Whereas the HBN Rule is enforced by the FTC, the HIPAA Breach Notification Rule is enforced by the HHS Office for Civil Rights. Accordingly, the HBN Rule "does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity."2 Instead, according to the FTC, the HBN Rule applies to direct-to-consumer technologies and services, such as mobile health applications, virtual assistants, and platform health tools.
The FTC seeks comments on the costs and benefits of the HBN Rule, and whether specific sections should be retained, eliminated, or modified. In particular, the FTC is seeking comments on topics such as:
- Whether the definitions in the HBN Rule are clear and appropriate, and more specifically, whether the definitions are clear and appropriate based on changes in technology and the economy
- Whether the requirements for the content of notice for a breach are clear and appropriate
- What benefits the HBN Rule has provided to businesses and consumers, and whether modifications should be made to increase such benefits
- What modifications, if any, should be made to the HBN Rule to address developments in health care products and services, technology changes, and economic conditions (e.g., impacts of COVID-19, adopting the standardization of application programming interfaces, etc.)
Public comments are due by August 20, 2020, and they may be submitted online or on paper.
In the States
"Californians for Consumer Privacy" Files Signatures to Qualify Initiative for the November 2020 Ballot
On May 4, 2020, Alastair Mactaggart's nonprofit political committee, Californians for Consumer Privacy, submitted over 900,000 signatures to county elections officials in an effort to certify a new privacy-related initiative for the November 2020 ballot. The initiative, titled the California Privacy Rights Act of 2020 (CPRA), follows in the footsteps of the California Consumer Privacy Act of 2018 (CCPA). Like the CPRA, the CCPA began as a ballot initiative sponsored by Californians for Consumer Privacy. Before the 2018 election, the California legislature enacted the CCPA in a matter of days in exchange for its advocates' withdrawal of the ballot initiative.
If approved by California voters in November, the CPRA would materially amend the CCPA and would impose new compliance responsibilities on businesses. Among other changes to the CCPA, the CPRA would:
- Create rules, disclosure obligations, and consumer rights with respect to "sensitive personal information," a new defined term
- Give consumers the right to correct inaccurate personal information
- Establish a new state agency called the California Privacy Protection Agency to enforce the CPRA
- Impose added contracting requirements on regulated entities
- Triple CCPA fines for violations of the statute pertaining to personal information of consumers under 16 years of age
California Secretary of State Alex Padilla (Secretary of State) sent a memorandum to county elections officials on May 14, 2020, instructing them to verify a random sample of the signatures that were submitted to qualify the CPRA for the ballot. The California Elections Code requires officials to verify at least 500 signatures or 3 percent of the signatures filed in the relevant county, whichever is greater. If enough signatures are deemed valid, the Secretary of State will determine that the measure qualifies for the November 2020 ballot.
According to the Secretary of State's memorandum to the counties, elections officials "have until June 26, 2020" to complete the task of validating a random sample of signatures. However, on June 8, 2020, Alastair Mactaggart and others filed a petition for writ of mandate against the Secretary of State in the Superior Court of the State of California, County of Sacramento, alleging that the California Constitution and the state Elections Code require the measure to qualify for the ballot by June 25, 2020.3
The petitioners asked the court to issue a writ of mandate compelling the Secretary of State to notify county elections officials that they must file their random sample results no later than 5:00 p.m. PST on June 25, 2020, so the initiative is not at risk of missing the deadline to qualify for the ballot.
California Assembly's Health Committee Approves Digital Health Data Information Privacy Bill
On May 18, 2020, the California Assembly Committee on Health (Committee) held a hearing to consider AB 2280, a bill that would regulate providers of "personal health record" products and services by placing certain information collected through those systems within the scope of the California Confidentiality of Medical Information Act (CMIA). The bill was introduced by Assembly Member Ed Chau (D) and was approved by the Committee by a 10-0 vote for a referral to the California Assembly Committee on Appropriations. Assembly Member Chau left the bill "on call," which allows other Committee members to add or change their votes as the bill continues to be considered.
The bill would classify the providers and developers of personal health record devices, software, mobile apps, and websites as "providers of health care" subject to the CMIA. As defined by the bill, a "personal health record" is a commercial Internet website, online service, or product that is approved by the Food and Drug Administration and used by an individual at the direction of a health care provider with the purpose of collecting "personal health record information." The bill would define "personal health record information" to include individually identifiable information about an individual's mental or physical condition that is collected through a "personal health record." Should the bill pass into law, providers of "personal health record" products and services, like websites and mobile apps that are used at a doctor's direction, would need to ensure compliance with the CMIA for the "personal health record information" collected through these products and services.
Assembly Member Chau stated that he introduced the bill in order to bring the providers of new digital health products and services within the scope of the CMIA. He noted that he is open to working with opponents to "fine-tune" the legislation as the bill makes its way through the legislative process. The Committee on Appropriations has not scheduled a hearing on the bill at this time.
Updates to Vermont's Security Breach Notice Act Become Effective July 1, 2020
Vermont's Security Breach Notice Act (9 V.S.A. § 2435) has been amended to include several new provisions that will become effective on July 1, 2020. As part of these changes, the definition of "personally identifiable information" (PII) will expand to include more types of data such as additional identification numbers (like individual taxpayer identification number and passport number), certain unique biometric data used for identification or authentication purposes, genetic information, and certain health information including health records. A public letter from the Vermont Attorney General's Office (AG) discussing the new law stated that the health language was left intentionally broad. The AG noted that "health records are not necessarily limited to records maintained by a health provider or other HIPAA-covered entity, [t]hey could include, for example, information about an individual's health maintained by a business or a data broker."
The new law also adds a requirement related to notification in the event of a breach of login credentials. The amended law defines login credentials separately from PII as "a consumer's username or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account." In the event of a credential breach, data collectors may be required to provide notification both to the affected consumers and to the AG.
Finally, the conditions for permitting substitute (as opposed to direct) notice to consumers have changed. The AG's office reported that "previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information." Now, according to the Vermont AG, "substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice where the number of consumers exceeds a certain threshold," among other changes. Put another way, if the data collector has the contact information of affected consumers, and the data collector can provide Direct Notice via one of the specified methods for a total amount of $10,000 or less, the data collector must provide Direct Notice.
United Kingdom's Information Commissioner's Office Outlines Data Protection Priorities
On May 5, 2020, Elizabeth Denham, the Information Commissioner in the United Kingdom (UK), published a blog post, "Information Commissioner sets out new priorities for UK data protection during COVID-19 and beyond," outlining the new priorities of the Information Commissioner's Office (ICO) for data protection and protecting the public interest during COVID-19. Commissioner Denham indicated that the re-assessed priorities accompany guidance published by the ICO on April 15 that details the regulatory approach the ICO will take in light of the ongoing COVID-19 pandemic.
In the blog post, Commissioner Denham stated, "I want to set out how we have reshaped our priorities for the coming months… [My teams] have looked ahead to assess where and how we should narrow our focus on the areas we can have the greatest impact to protect the public interest and support economic growth and innovation." The blog post notes that the ICO's focus will be on protecting the public interest while ensuring responsible data sharing and monitoring intrusive and disruptive technology.
Over the coming months, the ICO seeks to align its approach with the following priorities:
- Protecting vulnerable citizens through identifying and taking action against entities seeking to use or obtain personal data unlawfully or inappropriately during COVID-19.
- Supporting economic growth and digitalization, including for small businesses, by providing access to clear information, support, and practical tools.
- Shaping proportionate surveillance, while maintaining awareness on contact tracing, testing, and other emerging surveillance issues.
- Enabling good practice in AI in order to ensure privacy and data protection.
- Enabling transparency to improve public confidence about how personal data is used.
- Maintaining business continuity by developing new ways of working in readiness for recovery. The ICO will continue to perform its statutory functions, such as handling complaints and investigating data breach reports.
European Data Protection Board Issues Cookie Tracking Guidelines
On May 4, 2020, the European Data Protection Board (EDPB) adopted updated guidelines on consent (Guidelines) that address the use of cookie walls and scrolling to obtain consent under the European Union's General Data Protection Regulation (GDPR). The Guidelines build upon the Article 29 Working Party Guidelines on consent that were endorsed by the EDPB in May 2018.
The GDPR requires consent to be freely given, specific, informed, and unambiguous to be valid, and various European supervisory authorities have provided additional insight explaining when consent is valid. To provide further clarity on this concept of consent, the EDPB revised the Guidelines to address the validity of consent when obtained through cookie walls and scrolling.
- Cookie Walls. The Guidelines clarify that cookie walls are not a valid means of obtaining consent, as data subjects are not presented with a genuine choice. Specifically, the Guidelines explain that for consent to be freely given, access to services and functionalities cannot be made conditional on the data subject's consent to storing information in the data subject's terminal equipment or to accessing information already stored in such equipment. Because a cookie wall requires the user to accept cookies to access services or functionalities, the user is not presented with a genuine choice. Therefore, when a data subject accepts cookies through a cookie wall, the data subject's choice is not freely given and consent is not valid.
- Scrolling. The Guidelines now include scrolling or swiping through a webpage, or other similar activities, as examples of actions that are ambiguous and therefore cannot form the basis of valid consent. According to the Guidelines, because such actions may be difficult to distinguish from other interactions, the actions "will not under any circumstances satisfy the requirement of a clear and affirmative action." In addition, the Guidelines explain that as consent must be able to be withdrawn as easily as consent is granted, it would be difficult for the data subject to withdraw consent based on scrolling in a manner as easy as granting the consent.
As the EDPB contributes to the consistent application of data protection rules throughout the European Union, the EDPB's Guidelines are likely to bring greater certainty to companies while also furthering a consistent view of what constitutes valid consent across the European Union member states.
1 45 C.F.R. §§ 164.400-414.
2 16 C.F.R. § 318.1(a).
3 MacTaggart et al. v. Padilla, No. ___, Verified Petition for Writ of Mandate (Cal. Sup. Ct. June 8, 2020).