While Washington’s comprehensive data privacy bill (SB 6182) — inspired by California’s CCPA — died when legislators could not hammer out a compromise over enforcement mechanisms, the state legislature did reach agreement and Gov. Jay Inslee signed into law a facial recognition bill (SB 6280) that provides some important privacy and antidiscrimination provisions regarding state and local governmental use of the technology.

An interesting New York Times article last week posited that governments’ use of digital surveillance techniques for the COVID-19 response – such as the tracking of geolocation to gauge quarantine restrictions – would lead to more pervasive digital tracking in the future. On a related note, there have been reports of an increased use of facial recognition technologies as governments use digital tools to respond to the outbreak.

These developments bring to mind some interesting questions:

In the future, given our collective experience with this invisible foe, will there be a move away from contact-based security and access control systems to “germless” and “touchless” processes?

If so, what role will be played by facial recognition and other biometrics-based systems in that shift?

It is that time of year when we look back to see what tech-law issues took up most of our time this year and look ahead to see what the emerging issues are for 2020.

Data: The Issues of the Year

Data presented a wide variety of challenging legal issues in 2019. Data is solidly entrenched as a key asset in our economy, and as a result, the issues around it demanded a significant level of attention.

  • Clearly, privacy and data security-related data issues were dominant in 2019. The GDPR, CCPA and other privacy regulations garnered much consideration and resources, and with GDPR enforcement ongoing and CCPA enforcement right around the corner, the coming year will be an important one to watch. As data generation and collection technologies continued to evolve, privacy issues evolved as well.  In 2019, we saw many novel issues involving mobile, biometric and connected cars. Facial recognition technology generated a fair amount of litigation, and presented concerns regarding the possibility of intrusive governmental surveillance (prompting some municipalities, such as San Francisco, to ban its use by government agencies).
  • Because data has proven to be so valuable, innovators continue to develop new and sometimes controversial technological approaches to collecting data. The legal issues abound.  For example, in the past year, we have been advising on the implications of an ongoing dispute between the City Attorney of Los Angeles and an app operator over geolocation data collection, as well as a settlement between the FTC and a personal email management service over access to “e-receipt” data.  We have entertained multiple questions from clients about the unsettled legal terrain surrounding web scraping and have been closely following developments in this area, including the blockbuster hiQ Ninth Circuit ruling from earlier this year. As usual, the pace of technological innovation has outpaced the ability for the law to keep up.
  • Data security is now regularly a boardroom and courtroom issue, with data breaches, phishing, ransomware attacks and identity theft (and cyberinsurance) the norm. Meanwhile, consumers are experiencing deeper and deeper “breach fatigue” with every breach notice they receive. While the U.S. government has not yet been able to put into place general national data security legislation, states and certain regulators are acting to compel data collectors to take reasonable measures to protect consumer information (e.g., New York’s newly-enacted SHIELD Act) and IoT device manufacturers to equip connected devices with certain security features appropriate to the nature and function of the devices secure (e.g., California’s IoT security law, which becomes effective January 1, 2020). Class actions over data breaches and security lapses are filed regularly, with mixed results.
  • Many organizations have focused on the opportunistic issues associated with new and emerging sources of data. They seek to use “big data” – either sourced externally or generated internally – to advance their operations.  They are focused on understanding the sources of the data and their lawful rights to use such data.  They are examining new revenue opportunities offered by the data, including the expansion of existing lines, the identification of customer trends or the creation of new businesses (including licensing anonymized data to others).
  • Moreover, data was a key asset in many corporate transactions in 2019. Across the board in M&A, private equity, capital markets, finance and some real estate transactions, data was the subject of key deal points, sometimes intensive diligence, and often difficult negotiations. Consumer data has even become a national security issue, as the Committee on Foreign Investment in the United States (CFIUS), expanded under a 2018 law, began to scrutinize more and more technology deals involving foreign investment, including those involving sensitive personal data.
  • For more information about developments over the past year on data-related issues, and to keep abreast on new developments in the future, you may want to subscribe to Proskauer’s privacy blog, privacylaw.proskauer.com. You may also want to review our Practical Law article “Trends in Privacy and Data Security:2018” and get a hold of our update that will publish in winter 2020.

I am not going out on a limb in saying that 2020 and beyond promise many interesting developments in “big data,” privacy and data security.

In an important opinion, the Ninth Circuit affirmed a lower court’s ruling that plaintiffs in the ongoing Facebook biometric privacy class action have alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified. (Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019)). Given the California district court’s prior rulings which denied Facebook’s numerous motions to dismiss on procedural and substantive grounds, and the Illinois Supreme Court’s January 2019 blockbuster ruling in Rosenbach, which held that a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) need not allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute, the Ninth Circuit’s decision was not entirely surprising. Still, the ruling is significant as a federal appeals court has ruled on important procedural issues in a BIPA action and found standing. The case will be sent back to the lower court with the prospect of a trial looming, and given BIPA’s statutory damage provisions, Facebook may be looking at a potential staggering damage award or substantial settlement.     

UPDATE:  Both bills failed to be reported out of committee by March 28, 2019 and were not debated during this year’s legislative session.

In the wake of the Illinois Supreme Court decision that held that claimants need only allege a procedural violation to have standing to bring an action under the Illinois Biometric Information Privacy Act (BIPA) and the continued wave of BIPA-related litigation, the Illinois legislature is considering an amendment to BIPA that would strip the statute of its private right of action. SB2134, as currently written, would amend BIPA by deleting the private right of action and instead provide for enforcement under the Department of Labor (for violations concerning employment-related biometric data collection) or generally by the state attorney general under the state’s consumer protection statute. The end result would be a statute similar to Texas and Washington’s biometric privacy bills which may only be enforced by the respective state attorney general. [Note: There is also another BIPA amendment pending, HB3024, which would expand the definition of “biometric identifier” to include “an electrocardiography result from a wearable device” in an effort to keep up with the latest technologies].

Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions,  generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted would place limitations on the third-party sharing of collected faceprint data, as well as require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee of Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies.

UPDATE:  Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270).  The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages.  As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).

UPDATE: Both the Florida and Montana bills died in committee this past spring.

In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.”  If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity.

Last Friday, the Illinois Supreme Court ruled in the long-awaited Rosenbach case that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have statutory standing to sue under the Illinois Biometric Information Privacy Act (BIPA).  The Illinois Supreme Court ruling will allow procedural BIPA violations to proceed (and multiply) in state court – and has reportedly already prompted parties to settle such actions.  However, recent rulings in federal court have offered a divergent interpretation of the related, but different Article III standing issue.

In a long-awaited decision, the Illinois Supreme Court issued its ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), on whether a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) must allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute.  Since the Court took the appeal in May 2018, businesses have been waiting for the answer to this important question, as the robust wave of Illinois biometric privacy suits against Illinois-based employers and other businesses continued apace and several Illinois courts issued disparate interpretations about what it means to be “aggrieved” under the statute.

In a disappointment to many of the defendants in pending cases, a unanimous Court in Rosenbach reversed the appellate court and ruled that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under BIPA. The outcome was not a complete surprise, as previous courts (such as a California federal court and an Illinois appellate court) had ruled or expressed in dicta that mere technical violations of BIPA were sufficient under the statute.