Contents


    Executive Summary

    Data privacy remains a critical concern in today’s digital landscape, with an ever-growing focus on the delicate balance between data collection and individual privacy. Data privacy encompasses diverse topics such as healthcare, geo-location tracking, public safety measures, and online browsing behaviors. In recent years, heightened awareness and regulatory efforts have underscored the importance of safeguarding personal data. Companies, websites, and applications that handle private information face increasing liability risks. Misuse of data can lead to consequences, including legal penalties stemming from violations of state and federal laws, allegations of willful misconduct, and breaches of contractual agreements.

    Moreover, as society becomes increasingly interconnected, the insurance and reinsurance industries are grappling with the implications of cyber privacy concerns. The widespread adoption of internet technologies among insurers and insured alike necessitates a proactive approach to mitigate risks associated with data breaches and privacy violations.

    In this evolving landscape, it is imperative for businesses to prioritize robust data protection measures and compliance with regulatory frameworks. Failure to do so not only poses financial and reputational risks but also erodes trust among consumers and stakeholders. As data privacy concerns continue to evolve, companies must remain vigilant in addressing emerging threats and upholding their commitment to safeguarding personal information.

    Background

    Data privacy has become an increasingly critical issue globally, driven by rapid technological advancements, growing concerns over surveillance, and high-profile data breaches. With the proliferation of digital platforms, social media, and e-commerce, individuals are generating vast amounts of personal data, raising questions about how this information is collected, used, and protected. In response to these concerns, governments around the world have implemented or proposed regulations to safeguard individuals’ privacy rights and hold businesses accountable for data handling practices.

    HTTP cookies, flash cookies, device fingerprinting, photos on the internet, search engines, and social networking sites all pose risks to internet privacy. Cookies are uncompiled text files that help coordinate remote website servers and a personal browser to display. Some cookie features include automatic logins and authentication, shopping cart functions, third party ad serving, advertisement management, and other preference settings. Cookies store personal information that is generated by a manual input into websites’ order forms, registration pages, payment pages, web searches, and other online forms. Typically used for ecommerce, cookies are often encoded and protected from hacking by a remote server.

    Depending on the website, terms of service, and privacy policy, some information posted on different sites or applications can be permanent. Searching on internet engines and social network usage can present risks to internet privacy. Companies can use search engines and social media to data mine information about users—which is often used for advertising purposes. The government can also be a threat to online privacy. Information has been recently made public that the government monitors website usage, email, text messages, and other private information to help prevent terrorist threats.

    Injuries and Damages

    Customers engaging in business with online companies expect a reasonable level of privacy for their data. For companies, the challenge becomes to balance data utility with information protection. Injuries can include:

    • Emotional distress
    • Property damage
    • Discrimination
    • Identity theft
    • Business interruption
    • Data loss
    • Fraud

    A violation of privacy, depending on magnitude and sensitivity of information, can have serious implications on a person’s life.

    Legislation and Regulation

    Information privacy or data protection laws prohibit the disclosure or misuse of information held on private individuals. More than 130 countries have adopted laws dealing in some way with data protection.

    United States: State laws and the Federal Trade Commission (FTC)

    State Laws

    In the United States, data privacy legislation exists as a patchwork of federal and state laws governing different sectors and aspects of data protection. While federal laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) provide protections for specific types of data, there is no comprehensive federal privacy law. However, there has been a growing push for federal privacy legislation, spurred by high-profile data scandals, increasing consumer awareness, and the need to harmonize regulations across states.

    More than a dozen states in the U.S. have enacted comprehensive consumer data privacy laws. California has been at the forefront of the data privacy movement, spearheading significant legislative developments with the California Consumer Privacy Act (CCPA) in 2018. This landmark legislation, effective from January 1, 2020, established pioneering privacy rights and imposed new obligations on businesses regarding the collection and sale of Californians’ personal information. Building upon the CCPA’s framework, California voters approved the California Privacy Rights Act (CPRA) on November 3, 20202, further refining and expanding privacy protections. The CPRA took effect on December 16, 2020, ushering in additional provisions, although many of its revisions became enforceable on January 1, 2023. Together, these laws set a precedent for comprehensive data privacy regulations and inspired other states to enact similar measures.

    Other states including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia have followed suit with their own legislation, each offering varying degrees of consumer protections, including rights to access, correction, deletion, data portability, and opt-out options. These laws aim to regulate how businesses collect, process, and store personal data, with some focusing on specific aspects like protections for children’s data or regulations for online advertising.

    Each state’s legislation differs in scope and approach, ranging from business-friendly laws like Utah’s Consumer Privacy Act to more stringent measures like Oregon’s Consumer Privacy Act, which includes provisions on biometric data and lacks exemptions found in other states. Effective dates vary, with some laws already in effect and others set to take effect in the coming years, such as Delaware’s Personal Privacy Act, which becomes effective on January 1, 2025. These diverse state-level efforts reflect the growing concerns about data privacy and aim to provide consumers with greater control over their personal information in an increasingly digital world.

    The American Privacy Rights Act of 2024

    A bipartisan effort led by Rep. Cathy McMorris Rodgers and Sen. Maria Cantwell is set to introduce the American Privacy Rights Act (APRA), a comprehensive federal data privacy law resembling Europe's General Data Protection Regulation (GDPR). The proposed legislation aims to grant Americans extensive privacy rights, including the ability to opt out of targeted advertising, access, correct, and delete their personal data held by companies, and opt out of algorithmic decision-making in crucial areas like employment and housing. APRA seeks to preempt existing state privacy laws to create a consistent regulatory framework nationwide, but its prospects in Congress remain uncertain amid lobbying efforts from various stakeholders.

    The push for APRA comes as a response to the growing demand for stronger data privacy protections among American consumers and signals a significant shift towards harmonizing federal regulations to create a predictable regulatory landscape. However, the bill's introduction is likely to spark intense lobbying efforts, with tech firms and other stakeholders vying to influence its provisions, particularly concerning the extent of privacy rights granted to consumers and the enforcement mechanisms. Despite these challenges, proponents of APRA argue that it represents a crucial step towards giving Americans greater control over their personal data in the digital age, aligning with widespread public support for increased regulation of consumer data.

    The Federal Trade Commission

    The Federal Trade Commission (FTC) provides guidelines and acts for data privacy. The ‘Fair Information Practice Principles, represents widely accepted concepts concerning fair information practices in an electronic marketplace. Further, the FTC created the Children Online Privacy Protection Act (COPPA) in 1998 to respond to growing concerns that young people may not realize the risk of data tracking. COPPA limits online services which gather information from children under the age of 13 and created warning labels if potential harmful information or content was presented. In 2000, the Children’s Internet Protection Act (CIPA) was developed to implement requirements for schools, libraries and other entities offering online services to children. Specifically, CIPA requires filtered access to content harmful to minors.

    Europe: General Data Protection Regulation (GDPR) and Copyright Directives

    The European Union passed the GDPR in 2016, which was a monumental piece of legislation for cyber security and privacy. Although the GDPR primarily applies to online databases operating in the European Union, most companies in the US engage in business with European Union members, meaning that they are also regulated by the GDPR. As of 2018, all organizations are expected to comply with the GDPR. Some companies have temporarily shut off access to European users while they consider how to respond to the new regulations.

    The core components of the GDPR that concern cyber security include:

    • After discovering a data breach, businesses must notify authorities within 72 hours
    • Businesses must conduct compliance assessments
    • Businesses are now liable for personal data processing
    • Businesses must request permission to process personal data using clear language
    • Enterprises that violate the GDPR can be fined up to 4% of annual global turnover

    After GDPR was implemented, the European Union Directive on Copyright in the Digital Single Market passed in March 2019. The EU Copyright Directives provide wider cross-border access to online material and a more robust copyright marketplace for educational and cultural materials.

    China

    While the U.S. and Europe sought to ensure better protections surrounding an individual’s data, China did not start to implement privacy laws until about 30 years later. At first, China’s laws reflected the U.S.’ regional approach to privacy legislation. In 2016, China’s Cybersecurity Law provided data protection close to global standards. Specifically, China’s laws have requirements for data collection, and breach notification. Compared to the GDPR and U.S. privacy laws, China limits freedom of expression online more significantly and does not protect the right to be forgotten online.

    Liability and Insurance

    Because privacy can encompass a variety of sources and breaches, the liability issues for privacy cover a wide spectrum. They include:
    • Negligence
    • Violation of state and federal laws
    • Willful misconduct
    • Breach of contract
    • Bodily injury
    • Property damage

    Most commercial general liability and property insurance policies exclude cyber coverage from their terms, leading to the emergence of cyber insurance as a “stand alone” line of coverage. In the case of privacy, companies are more likely to need third party coverage, which applies when a lawsuit is filed, claims are made, or regulators demand information because of the liability issues. Common third-party costs regarding privacy include legal defense, settlements and damages, the cost of responding to regulatory inquiries, and regulatory fines and penalties.

    Litigation

    Wiretapping Lawsuits

    In recent years, there has been a surge in nationwide data privacy litigation class actions, primarily centered on alleged violations of wiretap laws at both federal and state levels. Consumer-facing businesses stand accused of sharing users’ communications with third parties without proper consent. Businesses are intercepting these communications with the use of technologies such as chatbots, website session replay, and pixel tracking.

    At the federal level, plaintiffs’ attorneys are frequently citing the 1986 Electronic Communications Privacy Act (ECPA) in their lawsuits. This legislation regulates the interception and storage of electronic communications. Under the ECPA, businesses can face legal action if they intercept user communications without proper authorization or consent. Additionally, the ECPA governs the disclosure of electronic communications by service providers and imposes penalties for unauthorized access to such communications.

    At the state level, class actions alleging breaches of wiretap laws are particularly prevalent in states with robust privacy regulations, such as California, Pennsylvania, and Illinois. These states have statutes that typically hold businesses liable for intercepting user communications without consent, and some, like California's 1967 Invasion of Privacy Act, carry hefty statutory damages.

    Despite the evolving landscape of technology and the challenges in applying these laws to modern innovations like chatbots and other digital communication tools, plaintiffs' attorneys persist in pursuing claims under novel theories of liability. This trend underscores the importance for businesses to stay vigilant in ensuring compliance with both federal and state privacy laws to avoid potential legal liabilities and reputational harm.

    Brown et al v. Google, LLC (2020)

    The case of Brown et al v. Google, LLC, a class action lawsuit filed in 2020, was recently settled in Oakland federal court. The case involved millions of Google users who utilized private browsing features in various browsers, such as Google Chrome’s “Incognito” mode. The plaintiffs alleged that Google’s analytics, cookies, and applications allowed the company to track users’ internet activities even when they believed they were browsing privately. They argued that this tracking violated their privacy and turned Google into an “unaccountable trove of information” by gathering data on their personal interests, online habits, and potentially sensitive searches. The lawsuit claimed that Google’s actions breached users’ expectations of privacy and constituted deceptive practices.

    The terms of the settlement, subject to approval by U.S. District Judge Yvonne Gonzalez Rogers, compel Google to enhance transparency regarding data collection during private browsing sessions. This involves updates to disclosures regarding the extent and nature of data collected, a process that Google has already initiated. Furthermore, Google will enable users of its Incognito mode to block third-party cookies for a period of five years, effectively limiting data accumulation during private browsing sessions.

    While Google has denied any wrongdoing, it has agreed to destroy billions of data records as part of the settlement, a move intended to assuage concerns about the misuse of collected data. Jose Castaneda, a spokesman for Google, reiterated the company's stance that data collected during Incognito mode browsing is not associated with individual users and is never utilized for personalization purposes. The settlement, valued by plaintiffs' lawyers at up to $7.8 billion, does not entail monetary damages from Google to the plaintiffs. However, it permits individual users to pursue legal action against the company for damages related to privacy infringements.

    Spokeo, Inc. v Robins (2016)

    Spokeo, Inc. v Robins was a landmark case in privacy that reached the U.S. Supreme Court in 2015. Spokeo, Inc. operated a website that disclosed “personally identifiable information, including contact data, marital status, age, occupation, economic health, and wealth.” Thomas Robins filed a lawsuit against the company after Spokeo, Inc. published untrue information about him, alleging a violation of the federal Fair Credit Reporting Act. The Supreme Court found that because the Ninth Circuit “failed to consider both aspects of the injury-in-fact requirements -- an injury in fact must be both concrete and particularized”, it held that “whatever statutory violation may have occurred, a plaintiff must suffer an injury-in-fact that is concrete and particularized to satisfy Article III standing”.

    Even though the case arose under the Fair Credit Reporting Act, it has a wider implication for putative privacy class actions brought under other federal laws like the Video Privacy Protection Act (VPPA), the Telephone Consumer Protection Act (TCPA), and other statutes that created privacy rights of action and statutory damages to compel regulatory compliance.

    Future Outlook

    As laws related to privacy and data protection develop, it is crucial for companies, organizations, and the insurance industry to continually reassess data privacy and security regulations to guarantee compliance. The Internet of Things and modern technology will continue to evolve, therefore expanding the circulation of private information. Privacy will remain a consequential issue for insurers and reinsurers over the next few decades.

    In the News

    2024

    • Fitness app Strava gives away location of Biden, Trump and other leaders, French newspaper says - Sylvie Corbet, The Associated Press (10/28/2024)
      An investigation by French newspaper Le Monde found that the highly confidential movements of U.S. President Joe Biden, presidential rivals Donald Trump and Kamala Harris, and other world leaders can be easily tracked online through a fitness app that their bodyguards use. But the U.S. Secret Service told the newspaper that it doesn’t believe the protection it provides was in any way compromised.
    • LinkedIn hit with 310 million euro fine for data privacy violations from Irish watchdog - The Associated Press (10/24/2024)
      European Union regulators slapped LinkedIn on Thursday with a 310 million euro ($335 million) fine for violations of the bloc’s stringent data privacy rules. Ireland’s Data Protection Commission reprimanded the Microsoft-owned professional social networking site over concerns about the “lawfulness, fairness and transparency” of its personal data processing for advertising purposes.
    • FCC expands cooperation with states on data security, privacy enforcement - David Jones, Cybersecurity Dive (10/22/2024)
      The FCC has taken an active role in enforcing cybersecurity and data protection, as companies in the telecommunications sector have access to enormous volumes of consumer data. State attorneys general play a critical role in enforcing data protection for consumers in their individual states. The cooperation allows the FCC to work with states on numerous elements of investigations, including fielding consumer complaints, interviewing witnesses and conferring with outside experts.
    • Appeals court reinstates Indiana lawsuit against TikTok alleging child safety, privacy concerns - The Associated Press (10/01/2024)
      The Indiana Court of Appeals has reinstated a lawsuit filed by the state accusing TikTok of deceiving its users about the video-sharing platform’s level of inappropriate content for children and the security of its consumers’ personal information. In a 3-0 ruling issued Monday, a three-judge panel of the state appeals court reversed two November 2023 decisions by an Allen County judge which dismissed a pair of lawsuits the state had filed in December 2022 against TikTok.
    • Meta fined $101M in Ireland after failing to encrypt user passwords - Simon Druker, UPI (09/27/2024)
      Ireland's Data Protection Commission on Friday fined Meta more than $100 million for privacy law violations related to failing to properly encrypt and store passwords of the tech giant's users.
    • Social media platforms engaged in ‘vast surveillance’ and failed to protect young people, FTC finds - Queenie Wong, The Los Angeles Times (09/19/2024)
      Major social media platforms and video streaming services that gather a “staggering” amount of data from their users have failed to protect young people and safeguard online privacy, the Federal Trade Commission said Thursday. “These surveillance practices can endanger people’s privacy, threaten their freedoms, and expose them to a host of harms, from identity theft to stalking,” FTC Chair Lina Khan said in a statement. “Several firms’ failure to adequately protect kids and teens online is especially troubling.”
    • Oracle settles suit over tracking your data. How to file a claim - Cora Lewis, The Associated Press (09/13/2024)
      Tech behemoth Oracle has agreed to settle a class action lawsuit for $115 million over allegations that it tracked consumer activity both on and offline. The suit alleges Oracle captured, compiled, and sold individuals’ data to third parties without their consent. Oracle maintains its practices were lawful, that it disclosed its activities, and it admitted no wrongdoing.
    • Sensors can read your sweat and predict overheating. Here’s why privacy advocates care - Cathy Bussewitz, The Associated Press (08/24/2024)
      As the world experiences more record high temperatures, employers are exploring wearable technologies to keep workers safe. New devices collect biometric data to estimate core body temperature - an elevated one is a symptom of heat exhaustion - and prompt workers to take cool-down breaks. But there are concerns about how the medical information collected on employees will be safeguarded. Some labor groups worry managers could use it to penalize people for taking needed breaks.
    • Privacy lawsuit over Chrome 'Sync' feature gets new life - AFP (08/20/2024)
      A federal appeals court on Tuesday breathed new life into a lawsuit by Chrome users who say Google gathered data even though they did not "Sync" to their accounts. A panel of judges in California ruled that a lower court was wrong to toss the case on the grounds that Chrome users had agreed to Google's privacy policy, and that the lawsuit should head for trial.
    • Justice Department sues TikTok, alleging it broke child privacy law - Drew Harwell, The Washington Post (08/02/2024)
      The Justice Department sued TikTok and its China-based owner, ByteDance, saying they had violated a children’s privacy law by collecting data on millions of Americans younger than 13, a move that will further inflame tensions between federal officials and the Chinese owner of one of the country’s most popular apps.
    • Meta to pay record $1.4 billion to settle Texas facial recognition suit - Naomi Nix, The Washington Post (07/30/2024)
      Meta reached a $1.4 billion deal to settle claims brought by the Texas attorney general over allegations that the social media giant flouted state privacy laws when it collected millions of users’ biometric data without their consent.
    • In U-turn, Google sticks with tracking ‘cookies’ - The Business Times (07/23/2024)
      GOOGLE on Monday said it was ditching its long mooted plan to block tracking “cookies” on its Chrome browser after years of resistance from online publishers and questions from regulators. Cookies are snippets of code that allow third-party companies to track Chrome users’ movements across the web. Information gleaned from them is used by third party publishers and websites to sell their own advertising.
    • EU tells Meta to address consumer fears over ‘pay for privacy’ - AFP (07/22/2024)
      EU consumer authorities told Facebook owner Meta on Monday to take action to assuage European consumer groups' fears over its new "pay or consent" model or face further action. EU consumer authorities told Facebook owner Meta on Monday to take action to assuage European consumer groups' fears over its new "pay or consent" model or face further action.
    • HIV diagnoses, patient data released in Florida health department hack - Lawrence Mower, Tampa Bay Times (07/12/2024)
      Floridians’ recent HIV test results, detailed doctors’ notes and immunization and virus testing records were among thousands of state health department files seized by hackers — and released on the dark web last week. Posted online are more than 20,000 files with some Floridians’ most sensitive information: lab results, signed medical release forms, workers compensation records and COVID-19 diagnoses. One file included a photo of a person’s passport. Another file is a woman’s negative mammogram result.
    • Facial recognition startup Clearview AI settles privacy suit - Kathleen Foody, The Associated Press (06/21/2024)
      Facial recognition startup Clearview AI reached a settlement Friday in an Illinois lawsuit alleging its massive photographic collection of faces violated the subjects’ privacy rights, a deal that attorneys estimate could be worth more than $50 million.
    • TikTok faces investigation into alleged child privacy violations - Anthony Cuthbertson, The Independent (06/19/2024)
      TikTok is facing a fresh investigation in the US into potential violations of children’s privacy. A complaint about alleged violations of children’s privacy was referred by the Federal Trade Commission to the Justice Department on Tuesday.
    • Vermont governor vetoes data privacy bill, saying state would be most hostile to businesses - Lisa Rathke, The Associated Press (06/14/2024)
      Vermont’s governor has vetoed a broad data privacy bill that would have been one of the strongest in the country to crack down on companies’ use of online personal data by letting consumers file civil lawsuits against companies that break certain privacy rules.
    • BetterHelp customers begin receiving refund notices from $7.8M data privacy settlement, FTC says - The Associated Press (05/08/2024)
      Many current and former BetterHelp customers have begun receiving refund eligibility notices spanning from a $7.8 million settlement reached with the online therapy provider last year over allegations that it shared sensitive health data with advertisers.
    • Class action suit: Tech school didn't protect personally identifiable data of more than 89,000 people - Nicholas Malfitano, Pennsylvania Record (05/06/2024)
      A class action complaint alleges that a local technical school failed to safeguard the personally identifiable information of its students, employees and applicants, leading to a data breach where over 89,000 individuals were impacted. Luke Heflin (individually and on behalf of all others similarly-situated) filed suit in the York County Court of Common Pleas on April 26 versus the York County School of Technology. Both parties are of York.
    • Illinois Senate advances changes to state’s biometric privacy law after business groups split - Hannah Meisel, Capitol News Illinois (04/11/2024)
      It’s been more than a year since the Illinois Supreme Court “respectfully suggest(ed)” state lawmakers clarify a law that’s led to several multi-million-dollar settlements with tech companies over the collection of Illinoisans’ biometric data. On Thursday, a bipartisan majority in the Illinois Senate did just that, approving the first major change to Illinois’ Biometric Information Privacy Act since it was originally passed in 2008.
    • Wow Bao says never scanned customer faces, letting biometrics class action continue would be 'injustice' - Jonathan Bilyk, Cook County Record (04/10/2024)
      Fast food chain Wow Bao has asked a Cook County judge to end the class action lawsuit they face under Illinois' biometrics privacy law, as the restaurant chain says it never actually scanned any of faces of customers using the self-serve kiosks placed in their restaurants in Chicago or elsewhere.
    • Google faces deluge of new $10,000 Incognito mode lawsuits after class-action deal - Ethan Baron, The Mercury News (04/09/2024)
      Google’s legal troubles over whether the search giant duped users into believing its “Incognito” browsing mode was truly private aren’t over yet: A week after settling a federal class-action suit, the Mountain View company is facing an avalanche of new lawsuits in San Jose from thousands of users who claim Incognito broke their trust by snooping on their secrets.
    • Federal judge says exclusions bar BIPA class-action coverage - Shane Dilworth, Business Insurance (02/28/2024)
      A federal judge in Illinois Tuesday sided with a Hanover Insurance Group unit in finding two exclusions in a policy relieve it from defending a condiment maker against a suit alleging violations of the state’s Biometric Information Privacy Act.
    • Biometric privacy settlements spark insurance coverage battles - Lisa Burden, Legal Dive (02/26/2024)
      Companies that have settled lawsuits for millions of dollars under the Illinois Biometric Privacy Act are now having to battle their insurance providers to get their costs reimbursed. Facebook agreed to pay $650 million in 2021 to settle a class action lawsuit alleging that the app violated the state’s biometric privacy law by using facial recognition technology until November 2021. In similar cases, Google agreed to pay $100 million, TikTok $92 million and Snapchat $35 million.
    • Some states are trying to protect health care data so it isn’t used against people seeking abortions - Geoff Mulvihill, The Associated Press (02/17/2024)
      Some state governments and federal regulators were already moving to keep individuals’ reproductive health information private when a U.S. senator’s report last week offered a new jolt, describing how cellphone location data was used to send millions of anti-abortion ads to people who visited Planned Parenthood offices.
    • Dutch watchdog fines Uber 10 mln euros over privacy regulations infringement - Reuters (01/31/2024)
      The Dutch data protection authority (DPA) on Wednesday fined Uber 10 million euros ($11 million) for infringement of privacy regulations regarding its drivers' personal data. The DPA found that Uber had not specified in its terms and conditions for how long it retained its drivers' personal data, or how it secured the data when sending it to entities in countries, which it had not named, outside the European Economic Area (EEA).
    • Meta offers Canadian Facebook users $51M in class-action lawsuit - Ashley Joannou, The Canadian Press (01/12/2024)
      A multimillion-dollar settlement proposed by Meta sends a message to other companies about the importance of paying attention to the country’s privacy laws, says a lawyer representing Canadians in the class-action lawsuit against the social media giant.
    • Estee Lauder beats biometric class action over virtual 'try-on' tool - Diana Novak Jones, Reuters (01/10/2024)
      Estee Lauder and several of its well-known cosmetics brands on Wednesday dodged a proposed class action claiming its virtual "try-on" tool violates Illinois’ biometric privacy law, after a judge said the plaintiffs provided no proof that the company could connect facial scans to customers' identities.
    • People who opted out of $100M settlement hit Google with new lawsuit for Photos face scans - Jonathan Bilyk, Cook County Record (01/02/2024)
      A group of individuals who previously opted out of Google's $100 million settlement under Illinois' biometrics privacy law have filed a collective action lawsuit against the tech giant, seeking a big payday of their own.

    2023

    2022

    2021

    • Law firms seek $427K in worker fingerprint scan lawsuit vs Hyatt Hotels; Workers slated to get $1,500 each - Dan Churney, Cook County Record (12/28/2021)
      A group of Chicago lawyers want $427,000 in fees for pressing a lawsuit against Chicago-based Hyatt Hotels, about 40% of a settlement fund established to end litigation against the hotel chain for allegedly improperly requiring workers to scan their fingerprints when punching the clock at work, allegedly breaching Illinois' biometric privacy law.
    • Norway fines dating app Grindr $7.16M over privacy breach - Jan M. Olsen & Kelvin Chan, The Associated Press (12/15/2021)
      Norway’s data privacy watchdog on Wednesday fined gay dating app Grindr 65 million kroner ($7.16 million) for sending sensitive personal data to hundreds of potential advertising partners without users’ consent — a breach of strict European Union privacy rules.
    • Shoreline Sightseeing targeted by class action lawsuit over worker fingerprint scans - Jonathan Bilyk, Cook County Record (11/19/2021)
      The company that operates many of Chicago’s famed architecture river tours, and other popular sightseeing excursions, has become one of the latest employers targeted by a class action lawsuit under Illinois’ biometrics privacy law.
    • Facebook to shut down face-recognition system, delete data - Matt O'Brien & Barbara Ortutay, The Associated Press (11/03/2021)
      Facebook said it will shut down its face-recognition system and delete the faceprints of more than 1 billion people amid growing concerns about the technology and its misuse by governments, police and others.
    • DC attorney general wants to hold Mark Zuckerberg personally responsible for Cambridge Analytica scandal - Lauren Feiner, CNBC (10/20/2021)
      Facebook CEO Mark Zuckerberg is now listed as a defendant in a complaint over the Cambridge Analytica scandal that District of Columbia Attorney General Karl Racine first brought against Facebook in 2018, the regulator’s office announced Wednesday.
    • Facebook Should Clarify Terms of Service, Irish Privacy Regulator Says - Catherine Stupp, The Wall Street Journal (10/15/2021)
      A draft ruling from Ireland’s privacy regulator would require Facebook Inc. to change how it informs users about its data processing but disregards complaints that the social-media giant needs to obtain direct consent for its activities.
    • California Legislature Passes New Key Privacy Laws, Expected to Be Signed Next Week - Natalie Prescott, JD Supra (10/05/2021)
      California lawmakers wrapped up this year’s legislative session, passing roughly 900 bills this year. Among those were only a few privacy initiatives, which we outline below.
    • What U.S. Companies Need To Know About China's New Privacy Law - David M. Strauss & Yuefan Wang, Mondaq (10/02/2021)
      Effective November 1, 2021, China will become the latest country to enact a national data privacy law akin to Europe's General Data Protection Regulation (GDPR). The new law - entitled the Personal Information Protection Law of the People's Republic of China or "PIPL" - will require foreign companies, including U.S. companies, operating in China (and in some cases, operating purely outside of China) to undertake new compliance efforts.
    • Flying Microchips The Size Of A Sand Grain Could Be Used For Population Surveillance - Scott Neuman, NPR (09/23/2021)
      It's neither a bird nor a plane, but a winged microchip as small as a grain of sand that can be carried by the wind as it monitors such things as pollution levels or the spread of airborne diseases.
    • Ireland to investigate Tik Tok over child, China data concerns - Olafimihan Oshin, The Hill (09/15/2021)
      “The first inquiry will examine TikTok’s compliance with the GDPR’s data protection by design and default requirements as they relate to the processing of personal data in the context of platform settings for users under age 18 and age verification measures for persons under 13,” the DPC said in a statement on Wednesday, referring to General Data Protection Regulation, a 2016 European Union privacy law.
    • DoorDash sues New York City over rights to customer data - Dee-Ann Durbin, ABC News (09/15/2021)
      DoorDash is suing New York City over a new law that requires delivery companies to share customer data with restaurants.
    • Departing U.K. Privacy Regulator Wants Global Consensus on Data Disputes - Catherine Stupp, The Wall Street Journal (09/15/2021)
      Elizabeth Denham will step down next month as the U.K.’s data protection regulator, a post she has held since 2016. Ms. Denham has overseen the country’s implementation of the European Union General Data Protection Regulation in 2018 and after its exit from the EU last year.
    • ‘Tattleware’: From Childish Chatter to Sinister Supervision‘Tattleware’: From Childish Chatter to Sinister Supervision - Ben Zimmer, The Wall Street Journal (09/10/2021)
      “Bosses turn to ‘tattleware’ to keep tabs on employees working from home,” warned a widely shared article published earlier this week in the Guardian. As the report details with alarm, the pandemic has seen a boom in surveillance software that allows supervisors to monitor workers’ every move, logging webcam screenshots, keystrokes, and browsing history.
    • U.S. and EU Advance Talks to Preserve Data Transfers - Sam Schechner & Daniel Michaels, The Wall Street Journal (09/10/2021)
      U.S. and the European Union officials are making progress on keeping data flowing across the Atlantic, according to people familiar with negotiations that are vital to Facebook Inc. and thousands of other companies.
    • UK to overhaul privacy rules in post-Brexit departure from GDPR - Alex Hern, The Guardian (08/26/2021)
      Britain will attempt to move away from European data protection regulations as it overhauls its privacy rules after Brexit, the government has announced.
    • Nevada lawmakers push data privacy rules for gov’t websites - Sam Metz, The Associated Press (05/14/2021)
      Following reports that Nevada’s vaccine information website planted more third-party cookies and ad trackers than any other state in the country, Republicans in the statehouse have introduced a bill to tighten the restrictions on how personal data can be collected from websites operated by government entities or other groups contracted to work on their behalf.
    • State Data Privacy Bills Stumble - David Uberti, The Wall Street Journal (05/07/2021)
      Florida Republicans making last-minute changes to internet privacy legislation that died last week ran into a similar stumbling block as Democrats who failed to pass a law in Washington last month: how to enforce it.
    • Some Amazon delivery drivers say new surveillance cameras in their trucks can offer protection, despite concerns over constant monitoring - Avery Hartmans & Kate Taylor, Business Insider (04/22/2021)
      Some Amazon delivery drivers are chafing at a new camera system that watches them inside their vans. But the driver-facing cameras are becoming more common across the industry — and drivers also say there are some key advantages to the new monitoring system.
    • TikTok faces claim for billions in London child privacy lawsuit - Kirstin Ridley, Reuters (04/21/2021)
      TikTok, the wildly popular video app, and its Chinese parent ByteDance could face a damages claim worth billions of pounds (dollars) in London's High Court over allegations they illegally harvested the private data of millions of European children.
    • California-style data privacy law gets Florida support - Mary Ellen Klas, Tampa Bay Times (04/07/2021)
      In an attempt to “put consumers in the driver’s seat” of their data privacy, Florida legislators are giving bipartisan support to legislation that imposes new disclosure requirements on companies that collect information on their customers and sell it to data brokers.
    • Court Rulings Spur Debate on How European Privacy Law Regulates AI Decisions - Catherine Stupp, The Wall Street Journal (03/31/2021)
      Recent court rulings in the Netherlands raise questions over how European privacy rules intersect with automated technologies and the treatment of personal data, lawyers and privacy advocates say.
    • Tesla's in-car cameras raise privacy concerns: Consumer Reports - Reuters Staff, Reuters (03/23/2021)
      Tesla Inc’s use of in-car cameras to record and transmit video footage of passengers to develop self-driving technology raises privacy concerns, influential U.S. magazine Consumer Reports said on Tuesday.
    • Wave of Legal Appeals Challenges How European Regulators Enforce Privacy Rules - Catherine Stupp, The Wall Street Journal (03/15/2021)
      Nearly three years after a sweeping privacy law took effect in Europe, regulators are seeing more sanction decisions challenged and overturned as companies file appeals.
    • Arizona high court: Man can sue for health privacy breach - Bob Christie, The Associated Press (03/08/2021)
      Warehouse store chain Costco can be sued for privacy violations by a Phoenix-area man who alleges a pharmacist joked with his ex-wife about an erectile dysfunction prescription he had twice canceled, the Arizona Supreme Court ruled Monday.
    • At Dubai airport, travelers’ eyes become their passports - Isabel Debre, The Associated Press (03/07/2021)
      Dubai’s airport, the world’s busiest for international travel, can already feel surreal, with its cavernous duty-free stores, artificial palm trees, gleaming terminals, water cascades and near-Arctic levels of air conditioning.
    • DePaul University targeted by class action over facial recognition tech used in online exam proctoring - Jonathan Bilyk, Cook County Record (03/05/2021)
      DePaul University has become the latest Illinois university targeted under the state’s biometrics privacy law over online monitoring of students taking exams. On March 3, attorney Brian K. Murphy, of the firm of Murray Murphy Moul & Basil, of Columbus, Ohio, filed suit in Cook County Circuit Court against DePaul. The lawsuit claims the university violated the Illinois Biometric Information Privacy Act (BIPA), in the way it required students to take exams online.
    • Virginia's Consumer Data Protection Act: Not Quite The CCPA - Scarlett Scanlan, Jill Szewczyk, Mondaq (03/04/2021)
      Though it seems Virginia is following California's lead by becoming the second state with its own comprehensive data privacy legislation, Virginia's Consumer Data Protection Act (CDPA) diverges from the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) in that it is far more business-friendly and does not have the “teeth” that the CCPA does.
    • Virginia governor signs comprehensive data privacy law - Rebecca Klar, The Hill (03/02/2021)
      Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law.
    • TikTok owner ByteDance to pay $92M in US privacy settlement - The Associated Press, The Associated Press (02/25/2021)
      TikTok’s Chinese parent company ByteDance has agreed to pay $92 million in a settlement to U.S. users who are part of a class-action lawsuit alleging that the video-sharing app failed to get their consent to collect data in violation of a strict Illinois privacy law.
    • TikTok Settles Privacy Lawsuit For $92 Million - Joe Walsh, Forbes (02/25/2021)
      TikTok owner ByteDance has agreed to pay $92 million to settle a lawsuit alleging it hoarded users’ facial recognition data, the plaintiffs said Thursday, resolving the latest accusations of privacy violations by the embattled but rapidly growing app.
    • Virginia lawmakers advance Consumer Data Protection Act - Hyung Jun Lee, The Associated Press (02/18/2021)
      The General Assembly is advancing legislation that allows Virginia consumers more protection with their online data, though opponents say the measure does not include the ability for people to file private lawsuits against companies that breach the proposed law.
    • Aiming to Cash In on Data, European Firms Grapple With Privacy Laws - Catherine Stupp, The Wall Street Journal (02/16/2021)
      Companies in Europe want to share the personal data of consumers with other firms or turn it into business applications without violating privacy rules, but there is no consensus on how to avoid revealing such potentially sensitive information.
    • Class action: Northwestern's online test proctoring wrongly collected face scans, other biometric identifiers - Jonathan Bilyk, Cook County Record (02/05/2021)
      Northwestern University has become one of the latest Illinois institutions targeted under the state’s biometrics privacy law, as a new class action accuses the university of using facial recognition and other tools used in its online testing and instruction programs to improperly capture and store students’ biometric data.
    • IL Supreme Court green lights appeal to decide if employers can use workers' comp law to beat biometrics class actions - Jonathan Bilyk, Cook County Record (01/29/2021)
      The Illinois Supreme Court will take up the question of whether employers in the state can use Illinois’ workers’ compensation law to win some relief from an ever-heightening blitz of class action lawsuits brought under a state biometric privacy law.
    • European-style data privacy bill returns, as Washington state lawmakers ponder new regulations - Joseph O'Sullivan, The Seattle Times (01/23/2021)
      The 21st century has been kind to the companies that collect and profit off people’s personal digital data.
    • Salvation Army to pay $898K to settle class action over worker fingerprint scans; Lawyers to get $299K - Jonathan Bilyk, Cook County Record (01/21/2021)
      The Salvation Army will pay nearly $900,000 to settle a class action lawsuit accusing it of violating an Illinois biometrics privacy law for the way the organization – one of the country’s largest charitable providers of human services - required workers to scan their fingerprints when punching the clock.
    • Nearly 22,000 Illinois Walmart workers could get share of $10 million privacy settlement - Lauren Zumbach, The Chicago Tribune (01/19/2021)
      Walmart will pay $10 million to some Illinois employees to settle allegations it used a palm scanning device that violated their privacy rights.
    • United States: Don't Smile At The Camera — New Biometric Data Laws - Gary Kibel, Oriyan Gitig, Mondaq (01/15/2021)
      Biometric data is seen as a preferred means of identification by many businesses. Unlocking a smartphone using facial recognition and other biometric identifiers, for example, gives users the feeling as if they are more protected (e.g., less risk of identity theft). However, similar to the boom in privacy developments and legislation related to the collection and use of more traditional personal information, the growth of biometric data use by businesses, law enforcement, employers and other organizations has given rise to renewed privacy concerns and legal developments.
    • EU court opinion leaves Facebook more exposed over privacy - Kevlin Chan, The Associated Press (01/13/2021)
      Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday.
    • Second-hand devices are an absolute privacy nightmare - Joel Khalili, Tech Radar Pro (01/13/2021)
      The latest and greatest technology certainly doesn’t come cheap; a flagship smartphone, for example, will likely run you well beyond $1,000. So it’s easy to understand why many people choose to pick up devices on the second-hand market instead.
    • Flo gets FTC slap for sharing user data when it promised privacy - Natasha Lomas, Tech Crunch (01/13/2021)
      The FTC has reached a settlement with Flo, a period and fertility tracking app with 100 million+ users, over allegations it shared users’ health data with third-party app analytics and marketing services like Facebook despite promising to keep users’ sensitive health data private.
    • Employers Take Note – New York Introduces A Biometric Information Privacy Bill Identical To The Illinois BIPA - Thomas Ahlering et al, Mondaq (01/11/2021)
      What can otherwise be characterized as BIPA 2.0, New York proposed and introduced its own "Biometric Privacy Act" on January 6, 2021. New York's proposed "Biometric Privacy Act" is a carbon copy of the Illinois BIPA, including identical definitions of both biometric identifiers and biometric information. The proposed law prohibits private entities from capturing, collecting, or storing a person's biometrics without first implementing a policy and obtaining written consent. Most notably, the proposed bill provides for identical remedies to BIPA, whereas an aggrieved person under the proposed bill will be afforded a private right of action with the ability to recover $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, and reasonable attorneys' fees and costs.
    • Global Privacy Roundup: The World Beyond Europe And California - Adam Connolly et al, Mondaq (01/05/2021)
      Since Europe's General Data Protection Regulation took effect in May 2018, a growing number of legislatures around the world have introduced comprehensive data protection laws that emulate the GDPR or have updated existing laws to align with it. California became the first major non-European economy to catch the GDPR wave with the enactment of the California Consumer Privacy Act of 2018 in June 2018. Since then, the GDPR and the CCPA have dominated the privacy compliance agendas of most businesses and may continue to do so given the challenges posed by the Schrems II decision and California's recent adoption of the California Privacy Rights Act of 2020. However, other major economies are catching up, and the late-2020 developments summarized in this post have made clear that the privacy world beyond Europe and California will demand increasing attention from businesses in 2021 and beyond.

    2020

    2019

    • TikTok accused in California lawsuit of sending user data to China - Reuters, NBC News (12/03/2019)
      A California college student has accused popular video-sharing app TikTok in a class-action lawsuit of transferring private user data to servers in China, despite the company’s assurances that it does not store personal data there.
    • Google almost made 100,000 chest X-rays public — until it realized personal data could be exposed - Douglas MacMillan, Greg Bensinger, The Washington Post (11/15/2019)
      Two days before Google was set to publicly post more than 100,000 images of human chest X-rays, the tech giant got a call from the National Institutes of Health, which had provided the images: Some of them still contained details that could be used to identify the patients, a potential privacy and legal violation.
    • Google’s ‘Project Nightingale’ Triggers Federal Inquiry - Rob Copeland, Sarah E. Needleman, The Wall Street Journal (11/12/2019)
      Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.
    • Microsoft says it will follow California's digital privacy law in U.S. - Diane Bartz, Nandita Bose, Reuters (11/11/2019)
      Microsoft Corp said in a blog post on Monday that it would honor California’s privacy law throughout the United States, expanding the impact of a strict set of rules meant to protect consumers and their data.
    • Two Silicon Valley congresswomen propose a new federal agency to enforce online privacy rights - Lauren Feiner, CNBC (11/05/2019)
      Two congresswomen from Silicon Valley introduced a new online privacy bill Tuesday that proposes creating a federal enforcement agency to protect privacy rights.
    • Legislation Would Force Google and Rivals to Disclose Search Algorithms - John D. McKinnon, The Wall Street Journal (10/31/2019)
      Senate lawmakers proposed bipartisan legislation that would require search engines to disclose the algorithms they use in ranking internet searches and give consumers an option for unfiltered searches.
    • Bill Would Let Consumers Move Data Among Social Media - Ryan Tracy, The Wall Street Journal (10/22/2019)
      A bipartisan trio of senators proposed legislation aimed at boosting competition in the tech sector by loosening social-media platforms’ grip on users’ data.
    • California AG Unveils Draft Guidelines For Businesses To Comply With New Data Privacy Law - Marty Swant, Forbes (10/11/2019)
      California has unveiled its long awaited draft rules for enforcing the state’s sweeping—and impending—data privacy laws that will soon govern how companies collect and use consumer data.
    • Ex-employee suing Danville manufacturer over fingerprint scanners used for clocking in - Tracy Crane, The News-Gazette (09/26/2019)
      A Danville manufacturer is one of the latest of many Illinois companies facing class-action lawsuits alleging privacy-law violations regarding use of fingerprint scanners to clock workers in and out of their shifts.
    • Proposed 2020 ballot measure would tighten California data privacy law - John Myers, Los Angeles Times (09/24/2019)
      Californians would have more control over the collection of their health and financial data and there would be stiff penalties for companies that wrongly share and sell data about children under a November 2020 statewide ballot measure that will be submitted on Wednesday.
    • CVS agrees to pay $4.4 million for possibly ‘outing’ Ohioans with HIV - Marty Schladen, The Columbus Dispatch (09/12/2019)
      CVS has agreed to pay a multimillion-dollar settlement in connection with 2017 mailing on behalf of the state could have exposed the HIV-positive status of 4,500 Ohioans.
    • For first time, state’s highest court extends right to privacy to cellphone location data - John Ellement, Boston Globe (04/23/2019)
      The state's highest court for the first time on Tuesday extended the right to privacy to encompass real-time cellphone location data, but preserved the right of law enforcement to "ping" cellphones in emergencies, such as a search for an armed murder suspect.
      In a unanimous decision, the Supreme Judicial Court held that state constitutional protections against unwarranted and excessive government intrusion into personal lives must keep pace with technological innovations.
      Cellphones are "almost a feature of human anatomy," with tracking technology that police can "ping" to learn a person's current location without their knowledge, Justice Scott L. Kafker wrote for the court. "This extraordinarily powerful surveillance tool finds no analog in the traditional surveillance methods of law enforcement and therefore grants police unfettered access 'to a category of information otherwise unknowable.' "
    • Pregnancy tracking app raises questions about privacy - Janelle Nanos, Boston Globe (04/11/2019)

      Most women don't tell their bosses when they're trying to conceive. But what if an app did it for them? 

      Questions about such menstrual monitoring arose this week in relation to Ovia Health, a Boston-based maker of fertility, pregnancy, and parenting-tracking apps, and the data that it has been offering employers through partnerships with health insurance providers.

      For the past several years, Ovia has partnered with insurers to offer its apps as a benefit to employees. But a report in the Washington Post this week found that employers can access data about their employees through those insurance partnerships.

    • sWith fitness trackers in the workplace, bosses can monitor your every step — and possibly more - Christopher Rowland, Washington Post (02/16/2019)
      Devices worn on employees’ bodies are an increasingly valuable source of workforce health intelligence for employers and insurance companies. It’s fueling a boom in the use of wrist-borne health and fitness monitors such as those made by Fitbit, Garmin and Apple. . . . But the volume of highly sensitive health data scooped up from individual employees is exploding, too, raising privacy concerns and adding a new dimension to the relationship of workers and their employers. Often the information is not covered by federal rules that protect health records from disclosure. And when it’s combined with data such as credit scores, employees are giving up more insights about themselves than they realize. . . . The ever-more-sophisticated devices are measuring not just steps and distance walked but also the hours a worker spends in a sedentary state, 24/7 heart rate, and sleep duration and quality
    • Europe recalls children's smartwatch over hacking fears - Natasha Bernal, The Telegraph (02/05/2019)
      Children's smartwatches have been recalled in Europe over "serious" fears that they could expose their location and personal details to hackers. . . . The European Commission issued a recall alert for the Safe Kid One watch, manufactured by German firm Enox, earlier this week. . . . The EC said that the mobile application installed in the watch had unencrypted communications with its server, which could allow hackers to access children's stored data. . . . The EC said: "A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."
    • German police storing bodycam footage on Amazon clouds - Chase Winter , Dw.com (02/03/2019)
      German Federal Police are storing video footage from body cameras on the servers of internet giant Amazon, unleashing a storm of criticism over security and privacy issues. The Neue Osnabrücker Zeitung newspaper reported on Saturday that Federal Police are using a cloud service from Amazon to store videos because the internet company is the only one in Germany with a certificate from the Federal Office for Information Security. "At the moment there is no state infrastructure available that meets the demand," the Federal Police said. . . . Benjamin Strasser, a lawmaker from the opposition Free Democrats who requested the information from the interior ministry, said that storing highly sensitive data with a private company posed "an incalculable risk." . . . . Even though the servers are located in Germany, US security and intelligence agencies could access the data, Strasser warned, demanding that the Federal Police expand its capacity "to preserve sovereignty over the core state function of internal security." . . . . The deputy chairman of the Greens parliamentary group, Konstantin von Notz, also has privacy concerns. . . . He noted that Amazon sells facial recognition software to US police that is used for analyzing bodycam videos. . . . "That this company is now to administer the bodycam recordings for the Federal Police leaves more than a bad feeling," said von Notz.

    2018

    • ‘It’s about time’: Facebook faces first lawsuit from U.S. regulators after Cambridge Analytica scandal - Tony Romm , Brian Fung , Aaron C. Davis and Craig Timberg , Washington Post (12/19/2018)
      Nine months after a whistleblower revealed Facebook had allowed outsiders to improperly access personal information about millions of its users, the social media giant faced its first major rebuke from regulators in the United States -- a lawsuit filed by the attorney general of the District of Columbia. . . . The lawsuit from Karl Racine on Wednesday targeted Facebook mainly for its entanglement with Cambridge Analytica, a political consultancy that harvested names, “likes” and other data from the social site without users’ permission. The incident, which affected more than 87 million users beginning in 2014, came to light this March, sparking investigations around the world. . . . The opening salvo from the D.C. attorney general ended a protracted silence on the part of many U.S. regulators, who have faced immense pressure -- from members of Congress and average web users -- to discipline Facebook for what many see as a reckless disregard for online privacy. Some of Silicon Valley’s toughest critics have urged the government to slap Facebook with severe fines and other penalties that might force it to rethink a business model that monetizes the most intimate details of consumers’ lives.
    • Facebook failed to monitor partners' handling of user data - STEVEN MUSIL, cnet.com (11/13/2018)
      Facebook failed to properly monitor device makers to which it granted access to the personal data of millions of its users, according to a previously unreported disclosure the social network made to Congress last month. . . .The social network's lax oversight was identified in 2013 by a privacy monitor approved by the government, but it was never revealed to Facebook users, most of whom hadn't given the company permission to share their information with third parties, the company said in a letter to Sen. Ron Wyden. The Oregon Democrat is a noted privacy advocate and frequent Facebook critic.
    • First Europe, Now the States: Big Changes Coming to State Data Privacy Laws - Foley Hoag LLP , (07/27/2018)
      With legislative activity last month in Louisiana, South Carolina, Vermont, and Colorado adding to activity in South Dakota, Arizona, Oregon, and Alabama earlier in the year, it appears that 2018 could be a significant year for state information privacy law reform. Much has been predicted in this area following the enactment in 2017 of significant regulations in New York and the passage of substantial amendments to a statute in Illinois both of which were aimed at protecting against data breaches. . . Even California is getting in on the action. . . . And some of this activity has been first of its kind—possibly indicating analogous activity to follow in other states
    • Uber evaluating policies in response to story on St. Louis driver's secret livestream - St. Louis Post-Dispatch (07/24/2018)
      The response to a Post-Dispatch report about a St. Louis-area Uber driver livestreaming his passengers without consent was so immediate that one woman found out while she was still his passenger.
    • Businesses Blast California’s New Data-Privacy Law - Marc Vartabedian, Georgia Wells and Lara O’Reilly, Wall Street Journal (07/01/2018)
      Businesses across the U.S. panned California’s new consumer-privacy legislation, saying it risked far-reaching damage to everything from retailers’ customer-loyalty programs to data gathering by Silicon Valley tech giants. . . . The bill, which was introduced one week before it was passed and was largely sold as a way to rein in big tech firms, sweeps up a range of businesses. It requires them to offer consumers options to opt out of sharing personal information, and it gives Californians the right to prohibit the sale of their personal data. . . . Companies late last week were working out what they now may need to do to strengthen their privacy practices, or, in the case of some Silicon Valley firms, preparing to lobby hard for changes to the law before it takes effect in 2020. One attorney said many law firms see the new bill as generating a “bonanza” in fees as companies rush to either comply or push for changes.
    • Prayers for the ill curbed in Scots Catholic churches due to new EU privacy rules - Martin Williams, The Herald (05/24/2018)
      PRAYERS for the sick are being restricted in Catholic churches in Scotland due to an EU shakeup of privacy rules. . . . Catholic churches across the country have begun banning the publication of the names of ill people in their bulletins, because it is feared it may breach the new personal data statutes. . . . The General Data Protection Regulation, which came into force on Friday is aimed at curbing US tech giants like Google and Facebook - but it has emerged that church leaders fear that they face crippling fines if they fall foul of the law.
    • Congress is a decade behind in overseeing DNA testing companies - STUART LEAVENWORTH, MCCLATCHY DC BUREAU (05/02/2018)
      Wall Street has plowed billions of dollars into DNA testing companies, one of the world's fastest-growing consumer services. By contrast, lawmakers in Washington have invested little oversight in to this brave new marketplace, leaving it to U.S. consumers to navigate it alone. . . . Despite consumer unease about their DNA privacy, Congress has made no moves up to update the 2008 Genetic Information Nondiscrimination Act (GINA), the lone law in this field. The law prevents employers and companies from using DNA data to deny employment or health insurance coverage, but it contains numerous loopholes. It also couldn't begin to anticipate the privacy risks as corporations quietly assemble DNA databases containing millions of personal records.
    • 'Mind-reading’ tech being used to monitor Chinese workers' emotions - Jamie Fullerton, The Telegraph (04/30/2018)
      Workers in China are being hooked up with brain-reading devices that feed information about their moods to their employers, raising concerns about the privacy of people’s most basic emotions. . . . Electronic sensors that fit into hats and helmets are being used in China on an “unprecedented” scale to read employees’ emotions, the South China Morning Post reports, in what firms say is part of a drive to increase efficiency and productivity, but the efforts to tap into the data is sparking concerns that powerful companies are reading the minds of their employees, with one Chinese psychology professor warning that the systems could represent a "whole new level" of privacy abuse.
    • Thousands of apps in Google Play Store may be illegally tracking children, study finds - Hamza Shaban, Washington Post (04/18/2018)
      Thousands of free, popular children's apps available on the Google Play Store could be violating child privacy laws, according to a new, large-scale study, highlighting growing criticism of Silicon Valley's data-collection efforts.
      Seven researchers analyzed nearly 6,000 apps for children and found that the majority of them may be in violation of the Children's Online Privacy Protection Act (COPPA). Thousands of the tested apps collected the personal data of children younger than 13 without a parent's permission, the study found.
    • Facebook and Cambridge Analytica face class action lawsuit - Owen Bowcott and Alex Hern, The Guardian (04/10/2018)
      British and US lawyers have launched a joint class action against Facebook, Cambridge Analytica and two other companies for allegedly misusing the personal data of more than 71 million people. . . . The lawsuit claims the firms obtained users’ private information from the social media network to develop “political propaganda campaigns” in the UK and the US. . . . Facebook, it is said, may initially have been misled, but failed to act responsibly to protect the data of 1 million British users and 70.6 million people in America. The data, it is suggested, was first used in the British EU referendum and then in the US during the 2016 presidential election. . . . As well as Cambridge Analytica, the two firms named in the legal writ are SCL Group Limited and Global Science Research Limited (GSR). . . . Steve Bannon, Donald Trump’s former campaign and White House adviser, led Cambridge Analytica in 2014, when the data was collected and extracted, the legal papers state.
    • Facebook shareholders sue as share price tumbles in wake of Cambridge Analytica scandal - Ben Chapman, Independent (03/21/2018)
      Facebook is being sued by US investors over the company’s tumbling share price after allegations that millions of users’ profile data had been harvested. . . . A class-action lawsuit was filed in federal court in San Francisco on Tuesday after Facebook shares fell as much as 5.2 per cent on Monday. By Wednesday the shares had crashed by 11 per cent, wiping more than $57bn (£41bn) off the company’s value as it deals with the erupting privacy scandal. . . . The undisclosed number of Facebook shareholders, led by Fan Yuan, say that they suffered losses after a whistleblower told The Observer that UK-based data company Cambridge Analytica had harvested and improperly used profile data of 50 million Facebook users.
    • Apple moves iCloud encryption keys for Chinese users to China - Romain Dillet, Techcrunch (02/25/2018)
      Apple told Reuters that the company had to comply with Chinese authorities and move iCloud data to Chinese data centers. Not everyone’s data is moving to China. This is only going to apply to residents of mainland China who chose China as their main country when they created their Apple account (not Hong Kong, Macau or Taiwan). . . . The Chinese government can now ask access iCloud data much more easily. Human rights activists are concerned because it could lead to arrests of democracy advocates. . . . Before this change, all encryption keys would be stored in the U.S. It means that authorities would have to go through the U.S. legal system to ask for user data stored on iCloud. Apple is partnering with a Chinese company for its Chinese data center.
    • Supreme Court to hear Microsoft case: A question of law and borders - Ellen Nakashima, Washington Post (02/25/2018)
      The Supreme Court is set to hear on Tuesday a case that could have far-reaching implications for law enforcement access to digital data and for U.S. companies that store customer emails in servers overseas. . . .What began as a challenge by tech giant Microsoft to a routine search warrant for a suspected drug dealer’s emails has become a marquee case over data access in the Internet age. . . . At issue is whether a U.S. company must comply with a court order to turn over emails, even if they are held abroad — in this case in a Dublin server. The litigation turns on a 1986 law, the Stored Communications Act, passed long before email became a ubiquitous way to communicate and before American firms began storing massive amounts of data outside U.S. borders.
    • My pacemaker is tracking me from inside my body - NETA ALEXANDER, THE ATLANTIC (01/27/2018)
      This might explain why the manufacturer of my pacemaker, the large medical-device company Medtronic, boasts that the device can be monitored remotely by health-care providers or worried family members. This tracking capacity could assuage anxiety, but it also raises some concerns about privacy and longevity. . . . Despite the growing number of pacemakers, not to mention the recent introduction of wireless cardiovascular devices like mine, their long-term effects, risks, and proprietary design are rarely discussed with new patients or their family members. Lior Jankelson, a physician at New York University’s cardiac-electrophysiology center, told me that every new pacemaker implanted in the United States is cloud-connected. “As a result,” Jankelson explains, “there are at least tens of thousands of Americans with cloud-connected devices that could be monitored from afar.” .
    • Companies race to gather a newly prized currency: Our body measurements - Drew Harwell, Washington Post (01/16/2018)
      Companies such as Indochino, Wantable and Stitch Fix, the latter of which counted nearly $1 billion in sales last year, gather dozens of data points on each customer, including weight, jobs and past pregnancies. They are being joined by Amazon.com, the online-retail giant that counts fashion among its fastest-growing businesses and now sells a bedroom camera that offers opinions on what a user wears. . . . But the corporate harvest of data about our bodies, including our faces, voices and fingerprints, also is raising privacy concerns about how much sharing is too much in service of better-fitting clothes. . . . “These body measurements look a lot like medical records,” said Peter Swire, a law professor at the Georgia Tech Scheller College of Business who coordinated with the White House in the 1990s during the shaping of the nation’s medical privacy law. . . . Those health privacy rules, Swire said, “would apply to this data if the measurements were taken at the hospital. It doesn’t apply when an online company puts them in an app.” . . . Companies value this data because it can lock customers in for life and make it easy to order customized clothes over the Internet without trying anything on. But some privacy experts question whether Americans have a clear idea of what they are handing over.

    2017

    • A Cute Toy Just Brought a Hacker Into Your Home - SHEERA FRENKEL, New York Times (12/21/2017)
      My Friend Cayla, a doll with nearly waist-length golden hair that talks and responds to children’s questions, was designed to bring delight to households. But there’s something else that Cayla might bring into homes as well: hackers and identity thieves. . . . Earlier this year, Germany’s Federal Network Agency, the country’s regulatory office, labeled Cayla “an illegal espionage apparatus” and recommended that parents destroy it. Retailers there were told they could sell the doll only if they disconnected its ability to connect to the internet, the feature that also allows in hackers. And the Norwegian Consumer Council called Cayla a “failed toy.” . . . . The doll is not alone. As the holiday shopping season enters its frantic last days, many manufacturers are promoting “connected” toys to keep children engaged. There’s also a smart watch for kids, a droid from the recent “Star Wars” movies and a furry little Furby. These gadgets can all connect with the internet to interact — a Cayla doll can whisper to children in several languages that she’s great at keeping secrets, while a plush Furby Connect doll can smile back and laugh when tickled
    • The Internet of Toys: Legal and Privacy Issues with Connected Toys - Dickinson Wright (12/05/2017)
      Most people have heard of the Internet of Things, or IoT. With the holidays fast approaching, and with the onslaught of new smart and Internet-connected smart toys, for parents and toy manufacturers, at least for the next few weeks “IoT” means the Internet of Toys. . . . Smart toys first sparked interest in 2015 when Hello Barbie a connected-smart doll was introduced. Hello Barbie came equipped with a microphone, voice recognition software and artificial intelligence that allowed a call-and-response function between the child user and the doll (think how Siri works). The backlash and hacking concerns loomed so large Hello Barbie got its own Twitter hashtag, #HellNoBarbie. . . . Since 2015 the technology and legal implications regarding these types of toys has only grown as the market now includes smart toys, such as Talk-to-Me Mikey, SmartToy Monkey, and Kidizoon Smartwatch DX; connected toys, such as SelfieMic and Grush; and other connected smart toys such as Cognitoys’ DINO, and My Friend Cayla. There is also a new crop of GPS-enabled wearables marketed as allowing parents to monitor and track their child’s movements, including Kidizoom Smartwatch DX, a smart toy. For those keeping track, that’s three separate types of toys: (1) smart toys; (2) connected toys; and (3) connected smart toys. . . . There are many reasons why these toys/wearables are problematic and the privacy issues for each are analyzed differently based on functionality. Some that function like the Amazon Echo, and unlike Smartphones, are always on, and blend into the background of their users’ daily lives. They also collect a significant amount of personal information, some of it legally-protected, especially in the context of information about children and/or from children. Many are so sophisticated they are able to adapt to a child user’s actions and process information from many sensors through the use of microphones, voice sensors, cameras, compasses, gyroscopes, radio transmitters, or Bluetooth. Connected toys connect to the Internet, which allows remote servers to collect data to power the toy’s intelligence functionality. . . . The other ever-developing aspect of this technology is that the technology has expanded outside the home to schools, to assist with educational functions, and to health care settings, to help stabilize child/patients emotions or to manage anxiety.
    • Why They Dox: First Large-Scale Study Reveals Top Motivations and Targets For this Form of Cyber Bullying - NYU Tandon School of Engineering (11/07/2017)
      Researchers at the New York University Tandon School of Engineering and the University of Illinois at Chicago (UIC) have published the first large-scale study of a low-tech, high-harm form of online harassment known as doxing. . . . Coined as an abbreviation of the word "documents," doxing involves collecting and publishing sensitive personal information online to exact revenge, seek justice, or intimidate victims. . . . The researchers created a custom text classifier that allowed them to identify and analyze dox files, which often include highly identifying personal information, including links to social media accounts. The study revealed that doxing exacts a significant toll on victims, who are far likelier than others to close or increase the privacy settings of social media accounts following an attack. However, new abuse filters deployed on Facebook and Instagram appear to be effective in making victims feel safer. The primary motivations for doxing are revenge and justice, with competition and politics far behind, at just over 1 percent each of the reasons discerned by the study.
    • HAZARDS AHEAD: UPTICK IN BIOMETRIC PRIVACY LAWS CAN PUT EMPLOYERS IN HOT SEAT - Seyfarth Shaw LLP, (10/03/2017)

      As biometric technology has become more advanced and affordable, more employers have begun implementing procedures and systems that rely on employees’ biometric data. “Biometrics” are measurements of individual biological patterns or characteristics such as fingerprints, voiceprints, and eye scans that can be used to quickly and easily identify employees.  However, unlike social security numbers or other personal identifiers, biometrics are biologically unique and, generally speaking, immutable.  Thus, unlike a bank account or a social security number, which can be changed if it is stolen, biometric data, when compromised, cannot be changed or replaced, leaving an affected individual without recourse and at a heightened risk for identity theft.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data.  And plaintiffs’ attorneys are taking notice, as the number of class action lawsuits in this area has surged in recent months.

    • Landmark European ruling heralds end of snooping bosses spying on workers' emails and instant chats - James Crisp, Telegraph UK (09/05/2017)

      A company that spied on an employee’s Yahoo Messenger account broke European human rights law guaranteeing privacy, judges ruled today in a landmark decision that will influence how employers monitor their staff’s use of electronic communication at work. . . . Bogdan Bărbulescu, a Romanian engineer at a sales company, was sacked after using his work Yahoo Messenger account for conversations with his fiancée and brother. . . . Mr Bărbulescu argued that, although the firm’s regulations banned the use of office resources for personal matters and he was told not to use the account for personal matters, it had infringed his rights by spying on his messages. . . . Judges sitting in the Grand Chamber of the European Court of Human Rights, the highest court of appeal, agreed by 11 votes to six.

    • Spokeo lawsuit highlights challenge of protecting privacy in digital age - David Lazarus, Los Angeles Times (08/29/2017)

      For anyone who feels powerless about controlling their personal information in a world of search engines and public databases, take heart. A recent court ruling suggests you might have more muscle than you thought. . . . The case involves a Pasadena company called Spokeo, which operates a “people search” website that instantaneously pulls together information from publicly available sources. . . . The company says it helps users “know more about the people in their lives.” It does this by providing “access to social-media profiles, court records, criminal records, names, addresses, phone numbers, email addresses, marital status and more.” . . . Spokeo (rhymes with Tokyo) is one of dozens of such online services that have turned once difficult-to-obtain data into a readily available commodity, making it much harder for people to keep sensitive or embarrassing personal info under wraps.

    • ‘Right to Be Forgotten’ Online Could Spread - Farhad Manjoo, New York Times (08/05/2017)

      More than a year ago, in a decision that stunned many American Internet companies, Europe’s highest court ruled that search engines were required to grant an unusual right — the “right to be forgotten.” Privacy advocates cheered the decision by the European Court of Justice, which seemed to offer citizens some recourse to what had become a growing menace of modern life: The Internet never forgets, and, in its robotic zeal to collect and organize every scrap of data about everyone, it was beginning to wreak havoc on personal privacy. . . . Under the ruling, Europeans who felt they were being misrepresented by search results that were no longer accurate or relevant — for instance, information about old financial matters, or misdeeds committed as a minor — could ask search engines like Google to delink the material. If the request was approved, the information would remain online at the original site, but would no longer come up under certain search engine queries. . . . Search engines and free speech advocates, calling the ruling vague and overbroad, warned of dire consequences for free expression and the historical record if the right to be forgotten was widely enacted. Now, they say, their fears are being realized. . . . Recent developments — including a French regulator’s order that all of Google’s sites, including American versions, should grant the right to be forgotten — suggest the new right may not end with Europe. Under the banner of privacy, some free-speech watchdogs say, a huge and unwieldy eraser is coming for Google results across the globe — even the ones in the United States.

    • Cars Suck Up Data About You. Where Does It All Go? - John R. Quain, NY Times (07/27/2017)

      Cars have become rolling listening posts. They can track phone calls and texts, log queries to websites, record what radio stations you listen to — even tell you when you are breaking the law by exceeding the speed limit. . . . Automakers, local governments, retailers, insurers and tech companies are eager to leverage this information, especially as cars transform from computers on wheels into something more like self-driving shuttles. And they want to tap into even more data, including what your car’s video cameras see as you travel down a street. . . .Who gets what information and for what purposes?

    • Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Sold - MAGGIE ASTOR, New York Times (07/25/2017)

      Your Roomba may be vacuuming up more than you think. . . . High-end models of Roomba, iRobot’s robotic vacuum, collect data as they clean, identifying the locations of your walls and furniture. This helps them avoid crashing into your couch, but it also creates a map of your home that iRobot is considering selling to Amazon, Apple or Google. . . . Colin Angle, chief executive of iRobot, told Reuters that a deal could come in the next two years, though iRobot said in a statement on Tuesday: “We have not formed any plans to sell data.”

    • Google Wants to Increase Government Access to Customer Data to Help Combat Terror Attacks - Aatif Sulleyman, The Independent (06/22/2017)
      Google wants to make it easier for governments to access customer data stored on overseas servers.
    • Secrets from smart devices find path to US legal system, - Rob Lever, phys.org (03/19/2017)

      An Ohio man claimed he was forced into a hasty window escape when his house caught fire last year. His pacemaker data obtained by police showed otherwise, and he was charged with arson and insurance fraud.

      In Pennsylvania, authorities dismissed rape charges after data from a woman's Fitbit contradicted her version of her whereabouts during the 2015 alleged assault.. . . Vast amounts of data collected from our connected devices—fitness bands, smart refrigerators, thermostats and automobiles, among others—are increasingly being used in US legal proceedings to prove or disprove claims by people involved. . . .In a recent case that made headlines, authorities in Arkansas sought, and eventually obtained, data from a murder suspect's Amazon Echo speaker to obtain evidence. . . . The US Federal Trade Commission in February fined television maker Vizio for secretly gathering data on viewers collected from its smart TVs and selling the information to marketers. . . . The maker of the smartphone-connected sex toy We-Vibe meanwhile agreed in March to a court settlement of a class-action suit from buyers who claimed "highly intimate and sensitive data" was uploaded to the cloud without permission—and shown last year to be vulnerable to hackers.

    • Car lenders are using remote shut-off to collect delinquent payments - Megan Woolhouse, Boston Globe (03/14/2017)
      Auto financing companies increasingly are using electronic devices to remotely shut down vehicles in Massachusetts and other states when an owner falls behind on loan payments, raising concerns about the safety, privacy, and fairness of the practice. . . .  Companies that cater to high-risk borrowers say the so-called payment assurance devices — typically installed under a dashboard — give them a way to quickly recover cars from delinquent borrowers, using the technology to modernize work otherwise carried out by repo men.
    • US police agencies with their own DNA databases stir debate - MICHAEL BALSAMO, AP (ABC News) (03/04/2017)
      Dozens of police departments around the U.S. are amassing their own DNA databases to track criminals, a move critics say is a way around regulations governing state and national databases that restrict who can provide genetic samples and how long that information is held. . . . The local agencies create the rules for their databases, in some cases allowing samples to be taken from children or from people never arrested for a crime. Police chiefs say having their own collections helps them solve cases faster because they can avoid the backlogs that plague state and federal repositories
    • Watchdog to launch inquiry into misuse of data in politics - Jamie Doward, Carole Cadwalladr, and Alice Gibbs, The Guardian (03/04/2017)
      The UK’s privacy watchdog is launching an inquiry into how voters’ personal data is being captured and exploited in political campaigns, cited as a key factor in both the Brexit and Trump victories last year. . . . The intervention by the Information Commissioner’s Office (ICO) follows revelations in last week’s Observer that a technology company part-owned by a US billionaire played a key role in the campaign to persuade Britons to vote to leave the European Union. . . . It comes as privacy campaigners, lawyers, politicians and technology experts express fears that electoral laws are not keeping up with the pace of technological change. . . . “We are conducting a wide assessment of the data-protection risks arising from the use of data analytics, including for political purposes, and will be contacting a range of organisations,” an ICO spokeswoman confirmed. “We intend to publicise our findings later this year.”
    • Recorded messages spoken to teddy bears could pose privacy risks for children - Selena Larson, cnn.com (02/27/2017)
      A security vulnerability allowed anyone to view personal information, photos and recordings of children's voices from CloudPets toys. And at one point, some people tried to hold all of that information for ransom. . . . According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. That includes 2.2 million voice recordings. . . . "I suspect one of the things that will shock people is that they probably didn't think through the fact that when you connect the teddy bear, your kids voices are sitting on an Amazon server," Hunt said. . . . CloudPets toys connect to mobile apps and let parents and loved ones send messages to their children that are played through the stuffed animals. When you create an account with CloudPets, you give it your child's name, an email address and a photo.
    • Microsoft's victory in email-seizure case stands, hailed as win for privacy - Matt Day, Seattle Times (01/24/2017)
      A federal appeals court has declined to review Microsoft’s refusal to comply with a U.S. search warrant seeking a customer’s emails stored abroad, letting stand a ruling hailed by civil-liberties groups and technology industry boosters as a victory for privacy. The 2nd U.S. Circuit Court of Appeals, in a 4-4 vote announced on Tuesday, declined take up the Justice Department’s appeal of Microsoft’s July victory before a three-judge panel in the same court. The case is among the highest profile of technology-industry challenges to the reach of law enforcement in cyberspace.

    2016

    • Boston police set to buy social media monitoring software - Jan Ransom , Boston Globe (11/26/2016)
      The Boston Police Department is on the verge of buying new software that will scan social media and the Internet for criminal activity and threats to public safety — a step that civil liberties groups say is a worrisome risk to free speech and privacy. The software would be able to search blogs, websites, chat rooms, and social media platforms such as Facebook, Twitter, Instagram, and YouTube. It would provide law enforcement officials with an address of where the content was posted and allow police to create a “geo-fence” that would send alerts when new posts are made within an area that meets specified search criteria.
    • Facebook blocks Admiral from using profiles to price car insurance - James Titcomb, The Telegraph (11/02/2016)
      Facebook has blocked Admiral from scouring social media profiles to set car insurance prices, forcing the company into a hasty climbdown. The internet giant said that Admiral’s contravened Facebook’s privacy policies, preventing the launch of the technology just hours before it was due to be launched. Admiral had planned to use Facebook status updates and “likes” to build up a “risk assessment” of first-time motorists, offering insurance discounts to those likely to be safer drivers… The move represents a setback for the insurance industry, which hopes to gather growing amounts of data about its customers to set prices in future.
    • EU Issues Data-Protection Warning to WhatsApp, Yahoo - Natalia Drozdiak, The Wall Street Journal (10/28/2016)
      European privacy regulators on Friday fired a warning shot to Facebook Inc.’s WhatsApp and Yahoo Inc., saying they sent letters to the companies expressing concerns about possible violations of the bloc’s data-protection rules. A European Union body representing national data-protection authorities from the bloc’s 28 states said it sent WhatsApp a letter expressing “serious concerns” about the messaging service’s new terms that allow it to share user information including phone numbers with its parent, Facebook. The regulators urged the company to pause the data sharing until “legal protections” could be assured.
    • Unsecure files lead to HIPAA fine for St. Joseph Health - Joseph Goedert , HealthData Management (10/19/2016)
      St. Joseph Health, a 14-hospital delivery system serving parts of California, Texas and New Mexico, is the latest organization to agree to implement a corrective action plan with the HHS Office for Civil Rights following a breach of protected health information. Along with the corrective actions, St. Joseph Health will pay a settlement fine of $2,140,500. The organization reported a breach February 2012 after files created for its electronic health record meaningful use program were accessible on the Internet for about half of that month. “The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an Internet connection to access them,” according to an OCR statement. “Upon implementation of this server and the file sharing application, SJH did not examine or modify it.
    • Companies Try Out Selfies as Password Alternatives - Trisha Thadani , The Wall Street Journal (10/17/2016)
      Selfies, long derided as a symbol of narcissism and oversharing, have found a more serious purpose. Companies and government agencies—ranging from the ride-hailing service Uber Technologies Inc. and credit-card giant MasterCard Inc. to the Alabama Department of Revenue—are asking people to snap self-portraits on their smartphones as proof of identity. As the quality of smartphone cameras improves and facial-recognition software becomes more affordable, the digital future might involve fewer convoluted passwords and more selfies. But there’s a downside: some cybercrime experts worry that people might be too quick to offer up their smiling faces, saying the technology is rife with privacy and security concerns.
    • Yahoo helped the U.S. government spy on emails, report says - Paresh Dave and Brian Bennett , Los Angeles Times (10/04/2016)
      Yahoo Inc. reportedly built a program allowing the U.S. government to scan millions of customers’ emails for a specific phrase last year, raising questions in the tech industry about why Yahoo didn’t fight the demand. Generally, tech firms have sought to bring more transparency to government surveillance orders across the world. But Yahoo not only secretly complied with the broad demand to search all incoming messages, but also dedicated its own staff to craft custom software to help facilitate the investigation, the news agency Reuters reported Tuesday.
    • Worker Privacy and Security in an Internet of Things - The National Law Review (10/03/2016)
      The Internet of Things (IoT) refers to the phenomenon of everyday objects like phones, refrigerators, and cars connecting to the internet in order to send and receive data. While the IoT promises a future of convenience and control over our daily lives, it also presents challenges outpacing the current body of employment law. For example, security badges are becoming smarter than passive magnetic strips, bring your own device (BYOD) policies connected to employer-run servers are blurring the lines between work life and personal life, and the explosion of wearable devices utilized in wellness programs is a proverbial Pandora’s box of privacy and security concerns.
    • Brexit and Data Protection: The Impact on GDPR Compliance - Wilmer Cutler Pickering Hale and Dorr LLP , Lexology (09/29/2016)
      As we wait for the UK to decide what arrangement it will seek with the European Union (the "EU") when it leaves, it may be useful to focus on what Brexit may mean for data protection. Two months after the European Parliament voted on the new EU General Data Protection Regulation (“GDPR”, available here), the UK voted to leave the EU. This has generated much uncertainty, as many companies that were preparing to comply with the GDPR are now wondering what they should do, especially with regard to transfers of personal data between the remaining 27 EU countries and the UK after Brexit.
    • Preliminary Approval of $10.5M TCPA Class Action Settlement Granted - Julie D. Hoffmeister and David N. Anthony , Troutman Sanders' Consumer Financial Services Law Monitor (09/29/2016)
      On September 28, the United States District Court for the Central District of California preliminarily approved a $10.5 million Telephone Consumer Protection Act class action settlement against Dun & Bradstreet Credibility Corporation (“DBCC”). According to the class action complaint that was originally filed in April 2015, DBCC, a seller of credit-building and credibility solutions for businesses, repeatedly contacted the named Plaintiff on his cell phone even after Plaintiff requested that he be placed on the do-not-call list. The settlement class consists of “all persons within the United States who, between April 28, 2011 and January 31, 2016, received a nonemergency call from or on behalf of Dun & Bradstreet Emerging Businesses Corp., or its predecessor entities, Dun & Bradstreet Credibility Corp., Credibility Corp. and Brad Acquisition Corp. to a cellular telephone through the use of an automatic telephone dialing system [“ATDS”].” The class consists of approximately 1.1 million individuals.
    • Lawsuit claims smartphone-enabled massage device violated privacy - Robert Channick, Chicago Tribune (09/13/2016)
      A Chicago-area woman is suing the maker of We-Vibe, claiming the smartphone-enabled personal massager secretly transmitted "highly intimate and sensitive data" of her usage to the company in real time. The lawsuit, filed this month in a Chicago federal court, seeks class-action status for "tens of thousands" of We-Vibe users, whose data allegedly was collected without consent by Standard Innovation, the device's Canadian manufacturer, in violation of privacy and consumer fraud laws.
    • Multinational Companies Remain Wary of U.S.-EU Data-Transfer Pact - Dana Heide , The Wall Street Journal (09/06/2016)

       A survey shows multinational companies remain wary of a new international data-transfer agreement between the U.S. and the European Union, and many are relying on contract provisions that could be invalidated by Europe’s highest court. The survey of 600 privacy professionals, conducted in June and July, found only 34% say they plan to use the agreement, known as Privacy Shield, which allows businesses to transfer personal data on European citizens to the U.S… In the survey, by the International Association of Privacy Professionals and the consulting firm EY, 81% of respondents said they are relying on model contract clauses approved by the EU to transfer personal data on EU citizens. But those clauses are considered likely to be invalidated by the European Court of Justice, which would again expose companies to sanctions for moving data improperly.

    • State challenges ruling on State Farm secrecy - Ron Hurtibise , Sun-Sentinel (08/22/2016)

      A Leon County circuit judge should have required insurance giant State Farm to prove its policy-count data was valuable to competitors before allowing the company to hide the data from the public, the Florida Office of Insurance Regulation argued in its appeal. . . . State Farm, once Florida's top home insurer, canceled hundreds of thousands of policies and stopped writing new ones when in 2013 it announced plans to sell new policies in Florida again.

    • EU watchdogs demand revisions to Safe Harbour replacement - Leo Kelion, BBC News (04/13/2016)
      A panel of EU privacy watchdogs has demanded changes to a pact meant to govern cross-Atlantic data transfers.
    • Turkey passes long-awaited data protection law - AFP (04/07/2016)
      A long-awaited new data protection law came into force in Turkey on Thursday, just days after it emerged that private details about some 50 million citizens had been leaked.
    • Hackers Divulge Information on Millions of Turks - AP (04/04/2016)
      Hackers have posted a database online that appears to contain the personal information of nearly 50 million Turkish citizens in what is one of the largest public leaks of its kind.
    • After massive 'Panama Papers' document leak, rich and powerful around the world deny wrongdoing - Tracy Wilkinson, LA Times (04/04/2016)
      The documents from a Panamanian law firm were obtained by several international news outlets and published over the weekend. They appear to show how a who’s who in the global political and business elite — and maybe drug traffickers — have mounted complex systems to hide money in offshore accounts.
    • EU unveils details of data privacy pact with US - Anonymous, Yahoo News (03/29/2016)
      The EU on Monday unveiled details of a new deal with the US to curb government spying on the personal Internet data of European citizens, but critics said it fell short and threatened fresh legal action.
    • U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await - Mark Scott, New York Times (02/02/2016)
      European officials on Tuesday agreed to a deal with the United States that would let Google, Amazon and thousands of other businesses continue moving people’s digital data, including social media posts and financial information, back and forth across the Atlantic.
    • U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await - Mark Scott, New York Times (02/02/2016)
      European officials on Tuesday agreed to a deal with the United States that would let Google, Amazon and thousands of other businesses continue moving people’s digital data, including social media posts and financial information, back and forth across the Atlantic.
    • Webcam search engine raises privacy concerns for connected devices - Peter Henderson, The Canadian Press (01/27/2016)
      Shodan, a search engine that indexes computers and devices rather than information, now allows users to pull screenshots from nanny cams, security cameras and other connected devices around the world that don't ask for a username or password.

    2015

    • Smart cars that share revealing info about drivers catch privacy watchdog's eye - Jim Bronskill, The Canadian Press (12/24/2015)
      With cars collecting and even sharing more personal data, Canada's privacy watchdog is quietly trying to ensure manufacturers, retailers and insurance companies avoid bumps on the virtual highway.
    • Nursing home workers have been posting abusive photos of elderly on social media - Charles Ornstein, Washington Post (12/21/2015)
      Nursing home workers across the country are posting embarrassing and dehumanizing photos of elderly residents on social media networks such as Snapchat, violating their privacy, dignity and, sometimes, the law.
    • Ashley Madison Data Breach Lawsuits Pose Privacy Test - Jacob Gershman, WSJ LawBlog (12/15/2015)
      The class-action litigation over the Ashley Madison data breach is testing how much privacy courts are willing to grant plaintiffs who sue companies for failing to protect their personal information.
    • New federal requirements on cellphone surveillance - Erick Tucker, AP (09/03/2015)
      Federal law enforcement officials will be routinely required to get a search warrant before using secretive and intrusive cellphone-tracking technology under a new Justice Department policy announced Thursday.
    • Employers Need Policies on Searching Worker Smartphones - Suhaill Morales, Daily Business Review (08/26/2015)
      In the wake of NFL quarterback Tom Brady destroying his cell phone in the midst of the NFL Deflategate investigation, the incident took a turn from sports scandal into a question of workplace privacy.
    • Surveillance Society: New electric meters can report usage in real time - Chris Potter, Pittsburgh Post-Gazette (08/10/2015)
      Under a 2008 state law, utilities have been installing so-called “smart meters” statewide. Unlike traditional meters, which compile a running total of monthly electricity usage, smart meters can track usage nearly in real time, and transmit it to the utility multiple times an hour.
    • Google defies France in privacy law dispute - Jacques Brignon, New York Times (07/31/2015)
      Google is gearing up for a fight in France. The company said late Thursday that it would not comply with demands from the country’s privacy regulator, which has said Google must apply a European data protection ruling to all of its global domains.
    • Old or Broken Phones an ID Theft Concern - Rachel Murray, Dayton Daily News (06/13/2015)
       Smartphone exchanges, resales and swaps have become a billion-dollar business, but such transactions are raising concerns about the security of consumer data after those devices change hands.
    • IRS Taking Steps to Combat Taxpayers' Identity Theft - Alan Fram, AP, Seattle Times (06/11/2015)
      The IRS is joining with states and private industry to combat identity theft by sharing more data about how tax returns are filed, officials announced Thursday.
    • 2015 Locke Lord: Everyone's Nightmare_Privacy and Data Breach Risks_A Locke Lord Privacy White Paper - Locke Lord, (06/01/2015)
      A 214-page paper providing a global overview of privacy issues, particularly “Insurance Company Exposures” (page 162) and “Privacy Litigation in the US” (page 183).
    • Suit Questions Use of App Allowing 24/7 Tracking of Employee Smart Phones - Andrea Peterson , The Washington Post (05/17/2015)
      When Myrna Arias discovered that her employer could track her movements even when she was off duty, she decided to remove the GPS-enabled app on her company smart phone that facilitated the monitoring. That got her fired, according a suit filed by Arias.
    • All cars must have tracking devices to cut road deaths, says EU - Dan Hyde, Telegraph (04/28/2015)
      Under EU laws passed on Tuesday the [emergency alert] technology will be compulsory from 2018 and fitted as standard in every model of car and small van.
    • FTC Finalizes First Privacy Settlement Against a Retail Tracking Firm - D. Reed Freeman, Jr., Nicole Mansker, WilmerHale (04/24/2015)
      In a first-of-its-kind enforcement action, the Federal Trade Commission (FTC) on Thursday voted along party lines to settle deception allegations against Nomi Technologies (Nomi), a company whose technology allows retailers to track the movement of customers within stores.
    • For most Americans, online privacy still hasn't hit home - NewsOK (04/21/2015)
      A poll released last week — two years after startling revelations about the government’s digital surveillance capabilities — shows nine out of 10 Americans recognize their digital lives aren’t secret.
    • Global uptake of biometrics expected to rise in 2015 - ATM Marketplace (03/27/2015)
      ABI Research forecasts $3.1 billion global revenues in 2015 for biometrics in the consumer and enterprise sectors, with much of the growth coming from smartphone solutions, according to recent reports published by the firm.
    • Bankrupt RadioShack wants to sell off user data. But the bigger risk is if a Facebook or Google goes bust. - Andrea Peterson, Washington Post (03/26/2015)
      After filing for bankruptcy in early February, RadioShack is currently making its way through the painful process of  figuring out how creditors will be paid back -- auctioning off real estate and trademarks.
    • Verizon’s Mobile ‘Supercookies’ Seen as Threat to Privacy - Natasha Singer, Brian X. Chen, New York Times (01/25/2015)
      For the last several months, cybersecurity experts have been warning Verizon Wireless that it was putting the privacy of its customers at risk. The computer codes the company uses to tag and follow its mobile subscribers around the web, they said, could make those consumers vulnerable to covert tracking and profiling.
    • More consumers say 'no way' to driver-monitoring programs - Becky Yerak, Chicago Tribune (01/15/2015)
      More consumers are resistant to signing up for driver-monitoring programs in exchange for potential discounts on their car insurance, according to a study released this week.

    2014

    • FCC Releases Massive Study On Mobile Phone Theft, Asks Wireless Companies To Start Making Changes - Kate Cox, Consumerist (12/05/2014)
      Smartphones are… amazingly good targets for theft: tiny, portable, expensive, and full of personal information.
    • Student computer use raises privacy questions - Lisa Black , Chicago Tribune (09/28/2014)
      School districts moving to "one-to-one" programs, which provide students with computers they can take home, increasingly find their officials navigating new cyber territory, aiming to keep students safe while juggling privacy issues as advances in technology increase their ability to monitor their students' online work at all hours.
    • Apple stores personal data in China despite security risks - Oliver Duggan, The Telegraph (08/15/2014)
      Apple has triggered concerns over the security of customers’ data by becoming the first tech giant to start storing personal information about users on servers in mainland China.
    • US Supreme Court to police: To search a cell phone, 'get a warrant' - Warren Richey, Christian Science Monitor (06/25/2014)
      In a major affirmation of privacy in the digital age, the US Supreme Court on Wednesday ruled that police must obtain a warrant before searching digital information on a cell phone seized from an individual who has been arrested.
    • Cellphone data spying: It's not just the NSA - USA Today, John Kelly (06/13/2014)
      Armed with new technologies, including mobile devices that tap into cellphone data in real time, dozens of local and state police agencies are capturing information about thousands of cellphone users at a time, whether they are targets of an investigation or not, according to public records obtained by USA TODAY and Gannett newspapers and TV stations.

    Additional Items

    By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.