Biometrics

In the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

Illinois lawmakers are considering a bill that has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”).  On March 9, 2021, the Illinois House Judiciary Committee advanced House Bill 559 (the “Bill”), which would amend BIPA.  The Bill contains several key amendments that may impact your business.

First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent.”  Thus, under the Bill, businesses would no longer be required to obtain a written release, but instead could rely on electronic consent.

Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft a written policy regarding its handling of biometric data and make it available to the general public, under the Bill businesses would only be required to provide this written policy to affected data subjects.

Third, the Bill creates a one-year statute of limitations for BIPA claims.  Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days’ written notice identifying the alleged violations.  If the business cures these violations within the 30-day window and provides the data subject an express written statement indicating that the issues have been corrected and that no further violations shall occur, then no action for individual or class-wide statutory damages can be brought against the business.  If the business continues to violate BIPA in breach of the express written statement, the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages.  Therefore, the Bill not only creates a statute of limitations where none existed, but also provides a mechanism by which businesses can respond to alleged violations of BIPA before engaging in costly litigation.

Fourth, the Bill modifies BIPA’s damages provisions.  Currently, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to actual damages only.  Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages.  Therefore, the Bill would limit a business’s exposure in BIPA claims to what a prevailing plaintiff can demonstrate as actual damages.

Finally, the Bill provides that BIPA would not apply to a business’s employees if those employees are covered by a collective bargaining agreement, an issue that has arisen in recent BIPA litigation and that we have discussed previously.

BIPA litigation has increased dramatically and has resulted in a number of recent high-profile settlements, including TikTok’s $92 million settlement and Facebook’s $650 million settlement.  This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures.  Beckage will continue to monitor developments regarding the Bill and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, has the skills and experience necessary not only to develop a comprehensive and scalable biometric privacy compliance program but also to handle any resulting litigation.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

Meal Kit

California Automatic Renewal Laws and Recent Litigation

Automatic renewal contracts have become ubiquitous in our everyday lives; however, few give thought to the laws and regulations governing them.  The federal government regulates automatic renewal contracts[1], and most states have their own automatic renewal laws (“ARLs”) as well.  Perhaps unsurprisingly, in 2009 California enacted one of the strictest ARLs, intended to end the practice of charging consumers’ credit cards for ongoing shipments of a product or deliveries of a service without the customer’s explicit consent.[2]

What is an Automatic Renewal Under California’s Automatic Renewal Law?

An “automatic renewal” is defined as “a plan or arrangement in which a paid subscription or purchasing agreement is automatically renewed at the end of a definite term for a subsequent term.”[3]  Similarly, a “continuous service” is defined as “a plan or arrangement in which a subscription or purchasing agreement continues until the consumer cancels the service.”[4]  While these definitions may appear esoteric, we encounter a number of automatic renewals and continuous services in our everyday lives, everything from meal kit boxes such as HelloFresh and Blue Apron, to monthly subscription boxes like Birchbox or Loot Crate, to digital subscription services like Netflix, Hulu, Apple Music, or Spotify.

What Does California’s Automatic Renewal Law Require?

If a business wants to offer an automatically renewing contract it must:

  1. Clearly and conspicuously disclose, before the contract is fulfilled, the “automatic renewal offer terms” or “continuous service offer terms” of the contract;
  2. Obtain the “affirmative consent” of the customer to the “automatic renewal offer terms” or “continuous service offer terms”;
  3. Disclose any cancellation policies; and
  4. Provide notice of any “material changes” to the “automatic renewal offer terms” or “continuous service offer terms.”[5]

What Terms Must Be Disclosed Under California’s Automatic Renewal Law?

The California automatic renewal law requires that “automatic renewal offer terms” and “continuous service offer terms” be disclosed in a clear and conspicuous manner before the contract is made or fulfilled and must include:

  1. That the subscription or purchasing agreement will continue until the consumer cancels;
  2. A description of the cancellation policy that applies to the offer;
  3. That recurring charges will be charged to the consumer’s credit or debit card or payment account with a third party as part of the automatic renewal plan or arrangement, and the amount of the charge;
  4. The length of the automatic renewal term; and
  5. The minimum purchase obligation.[6]

In 2018, the California ARL was amended to provide that if the offer includes a free gift or free trial, the business must clearly and conspicuously disclose to the customer the price that will be charged once the free trial ends and when the free trial expires.

What Happens If My Business Does Not Comply with California’s Automatic Renewal Law?

The California ARL does not provide for a private right of action, meaning a California resident cannot directly sue a business for violating the automatic renewal law.  The law simply provides that “all available civil remedies that apply to a violation of [the California ARL] may be employed.”[7] 

That is not to say that the California ARL is without teeth.  To be sure, an organization known as the California Auto Renewal Task Force (CART), made up of District Attorneys from a variety of California counties, has filed numerous actions against businesses for allegedly violating the ARL.  An action brought by CART recently settled, with the business agreeing to pay $400,000 in penalties and an additional $150,000 in restitution for violating the California ARL by failing to obtain customers’ affirmative consent as outlined above.[8]

Are There Any Other Concerns If My Business Engages in Automatic Renewal Contracts?

In addition to California’s ARL, federal law imposes regulatory requirements regarding automatic renewal contracts of which your business should be aware. Under the Restore Online Shoppers’ Confidence Act (ROSCA), the Federal Trade Commission is tasked with investigating businesses that fail to:

  1. Clearly and conspicuously disclose the material terms of the contract, such as whether charges are recurring;
  2. Obtain the consumer’s express and informed consent before making a charge; and
  3. Provide a simple mechanism to stop recurring charges.[9]

A recent case involving a California-based company, Age of Learning, Inc. d/b/a ABCmouse, resulted in a $10,000,000 settlement after the FTC alleged that ABCmouse failed to provide a sufficiently simple mechanism to stop the recurring charges for its educational content.[10]

As transparency remains a cornerstone of compliance, whether under California’s ARL or ROSCA, it is critical for businesses to have a solid compliance foundation in place before scaling in order to avoid potential settlements or fines.  Our experienced litigation and compliance attorneys at Beckage can help your business navigate the complexities of drafting appropriate notices or handling litigation arising under California’s or any other state’s ARL.

*Attorney Advertising: Prior results do not guarantee a similar outcome. 


[1] See, e.g., Section 5 of the FTC Act, 15 U.S.C. § 45(a) (regulating unfair or deceptive practices); Restore Online Shoppers’ Confidence Act (ROSCA), 15 U.S.C. § 8401 et seq. (prohibiting charging customers unless there has been clear disclosure of, and express consent to, the material terms).

[2] Cal Bus & Prof Code § 17600 et seq.

[3] Cal Bus & Prof Code § 17601(a).

[4] Cal Bus & Prof Code § 17601(e).

[5] Cal Bus & Prof Code § 17602.

[6] Cal Bus & Prof Code § 17601(b)(1-5).

[7] Mayron v. Google LLC, 54 Cal. App. 5th 566, 570 (2020); Cal Bus & Prof Code § 17604(a).

[8] DA Announces Consumer Protection Settlement In Auto-Renewal Case (Mar. 7, 2021 at 5:48pm), https://patch.com/california/santacruz/da-announces-consumer-protection-settlement-auto-renewal-case

[9] 15 U.S.C. §§ 8401-8405.

[10] See FTC, 10 million ABCmouse settlement: Avoiding auto-renewal traps (Sep. 2, 2020 at 12:10pm), https://www.ftc.gov/news-events/blogs/business-blog/2020/09/10-million-abcmouse-settlement-avoiding-auto-renewal-traps

Utah

Utah Adopts Cybersecurity Affirmative Defense Act Protecting Businesses from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generally Utah Code Ann. § 78B-4-701 et seq.

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a Social Security number, a financial account number in combination with a required security code, or a driver’s license number.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that a business that “creates, maintains, and reasonably complies with a written cybersecurity program” that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business’s alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

Although the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “provide administrative, technical, and physical safeguards to protect personal information” and that the program “reasonably conform[] to the current version of” a recognized framework such as NIST SP 800-171, NIST SP 800-53, the ISO/IEC 27000 family, or the HIPAA Security Rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether, this requirement for a written cybersecurity program is not entirely dissimilar to the cybersecurity program requirements imposed on businesses under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we have outlined in an earlier post.

There are a couple of other notable provisions of the Act.  First, the Act does not create a private right of action against a business that fails to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state but is governed by Utah law, the Act applies.  Utah Code Ann. § 78B-4-705.  As such, if a Utah business is sued for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had, and followed, a written cybersecurity program.  Moreover, Utah isn’t alone in providing for such an affirmative defense: Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354.01 et seq.

Beckage closely monitors changes in the law related to breaches of system security, data breaches, and other cybersecurity incidents.  Beckage’s team of attorneys and technologists is attuned both to responding to a data breach and to understanding what a robust written cybersecurity program entails.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Virginia

What You Need to Know About Virginia’s New Consumer Data Protection Act

On March 2, 2021, Virginia enacted the Consumer Data Protection Act (the “CDPA”) with the goal of establishing a framework for controlling and processing the personal data of Virginia residents. The CDPA resembles the California Consumer Privacy Act (“CCPA”) in some regards and the European Union’s General Data Protection Regulation (“GDPR”) in others, and it is likely the first of a new line of state laws governing the processing of consumers’ data.  As such, companies should use this time to familiarize themselves with the intricacies of the CDPA and begin adapting their handling of consumer data accordingly.

Who Does the CDPA Apply to?

The CDPA applies to all companies that conduct business in Virginia or produce products or services that are targeted to residents of Virginia, and that:

  1. during a calendar year, control or process the personal data of at least 100,000 consumers; or
  2. control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.  Va. Code Ann. § 59.1-572(A).

Equally important is who is exempted from the CDPA.  To that end, the CDPA does not apply to i) any governmental body within Virginia; ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); or iii) any covered entity or business associate governed by the privacy, security, and breach notification rules under HIPAA or HITECH.  Va. Code Ann. § 59.1-572(A).

What is “Sensitive Data” Under the CDPA?

Understanding what constitutes “sensitive data” under the CDPA first requires an understanding of what is “personal data” under the CDPA.  The CDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”  Va. Code Ann. § 59.1-571.  However, personal data under the CDPA does not include de-identified data or “publicly available information.”  Id.

The CDPA more heavily regulates a covered business’ processing and handling of sensitive data.  Under the CDPA sensitive data is defined as including:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. the personal data collected from a known child; or
  4. the precise geolocation of an individual.  Va. Code Ann. § 59.1-571. 

Moreover, the CDPA exempts certain categories of data from its scope altogether, including, but not limited to:

  1. protected health information under HIPAA; information used only for public health activities under HIPAA; information derived from health care-related information that has been de-identified in accordance with the de-identification requirements of HIPAA; patient identifying information for purposes of 42 U.S.C. § 290dd-2; and information created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.) or the Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
  2. information collected, maintained, and regulated under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.); and
  3. personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.).  Va. Code Ann. § 59.1-571(C).

What is My Business Required to Do if it is a Covered Business?

Under the CDPA, a covered business is required to:

  1. adopt data minimization practices;
  2. disclose their privacy practices through a “meaningful privacy notice”;
  3. implement data security measures;
  4. refrain from discriminating against consumers who exercise their rights under the CDPA; and
  5. obtain consent prior to processing sensitive data, as defined above.  Va. Code Ann. § 59.1-574.

Moreover, a covered business may be required to conduct data protection assessments of its data processing practices.  These assessments must be conducted where the covered business’s activities involve:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk;
  4. the processing of sensitive data; or
  5. any processing activities involving personal data that present a heightened risk of harm to consumers.  Va. Code Ann. § 59.1-576.

Does the CDPA Provide Any Rights to Virginians?

Under the CDPA, Virginians are provided certain individual rights including:

  1. the right to access their data;
  2. the right to correct inaccuracies in their data;
  3. the right to delete their data;
  4. the right to obtain a portable copy of their data; and
  5. the right to opt out of certain uses of their personal data.  Va. Code Ann. § 59.1-573(A)(1-5).

What Happens If My Business Violates the CDPA?

The CDPA does not contain a private right of action.  Va. Code Ann. § 59.1-579(C).  As such, enforcement rests exclusively with the Virginia Attorney General.  Va. Code Ann. § 59.1-579(A).  Under the CDPA, the Virginia Attorney General is required to provide the covered business a letter identifying the provisions of the CDPA that have been, or are alleged to have been, violated.  Va. Code Ann. § 59.1-579(B).  The covered business then has 30 days to cure the alleged violations.  Id.  If the covered business cures the alleged violations “and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur,” the Virginia Attorney General is not to seek statutory damages against the covered business.  Id.  However, if the covered business fails to cure the alleged violations, it may be “subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.”  Va. Code Ann. § 59.1-580(B).

When Will the CDPA Become Effective?

The CDPA will become effective on January 1, 2023.  Va. Code Ann. § 59.1-581.  Moreover, in contrast to the new California Privacy Rights Act (“CPRA”), the CDPA does not contain a twelve-month lookback period, and thus compliance with the CDPA will only be required on a going-forward basis.

What Do I Do Next?

Now is the time to prioritize developing a robust, scalable data privacy program within your organization.  First and foremost, conducting an assessment to determine which laws and regulations, such as the CDPA, CCPA, or GDPR, apply to your organization is a good starting place. Your business may be required to make additional disclosures about your data collection practices and about how consumers can exercise their rights with respect to that data.

Beckage’s dedicated data privacy attorneys routinely provide guidance on consumer data privacy regulatory regimes and are well positioned to help your business adapt to the changing legal landscape.  We recommend reviewing all cookie consent banners and just-in-time notices to evaluate whether they provide the opt-out for targeted advertising required by the CDPA and other evolving laws.  If you believe that the CDPA may impact your business, reach out to Beckage for assistance.

*Attorney Advertising; prior results do not guarantee similar outcomes.

Privacy

Virginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Since the California Consumer Privacy Act (CCPA) was passed in 2018, Beckage has seen a slew of other states follow suit in proposing and enacting their own comprehensive data privacy bills. Most recently, lawmakers in Virginia, Oklahoma, and Florida have joined the growing list of states with proposed privacy bills. So far this year, New York, Washington, and Minnesota have also introduced legislation governing the ways companies collect, store, use, and share consumer data, and we expect to see other bills emerge in the coming months, with still no federal data privacy law in sight.

Working with experienced privacy counsel can help build out data privacy programs that stand the test of time and contemplate emerging legislation.   

Below is an overview of the Virginia, Oklahoma, and Florida proposed bills, their requirements, and their potential impact on the data privacy landscape.

Virginia Consumer Data Protection Act (SB 1392) 

The Virginia proposal is quickly moving through the Virginia state legislature and is likely to be the next comprehensive state data privacy law on the books. This bill passed the Virginia House of Delegates on January 29th by a wide margin and was unanimously approved in the Senate on February 3rd. Assuming Governor Northam signs it into law, the Virginia Consumer Data Protection Act is set to go into effect on January 1, 2023. 

Who Does It Apply To? 

Companies that conduct business in Virginia or “produce products or services that are targeted to” Virginians would have to comply with the Virginia Consumer Data Protection Act if they: 

  • Control or process the personal data of at least 100,000 Virginians; or 
  • Control or process the personal data of at least 25,000 Virginians and derive over 50% of their gross revenue from the sale of that data. 

The legislation does provide exemptions for financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA or HITECH, non-profits, and educational institutions.

What Is Included? 

Included in this Bill are several requirements not found in the CCPA or any other U.S. privacy law. One such obligation requires entities that control personal data to conduct data protection assessments of any activities that use personal data for specific purposes, such as targeted advertising. These data protection assessments may be requested and evaluated by the attorney general to ensure compliance.

This Act would afford Virginia consumers with several rights regarding their personal data, including the right to opt-out of the sale or use of their information for targeted advertising or profiling. It would also allow consumers to delete their data, move their data, correct inaccuracies in their data, and confirm if their data is being processed upon request.  

Notably missing is a private right of action through which consumers could seek damages for alleged violations. Instead, enforcement of the Act would be left exclusively to the attorney general, who may seek up to $7,500 per violation. 

Oklahoma Computer Data Privacy Act (HB 1602) 

Introduced on January 19, 2021 by Representatives Josh West (R) and Collin Walke (D), this Bill has bipartisan support in the Oklahoma House of Representatives. Its intended purpose is to give Oklahomans more online privacy by taking aim at tech companies. If passed, the Oklahoma Computer Data Privacy Act would go into effect on November 1, 2021. 

Who Does It Apply To? 

If passed, this act would apply to companies that operate in the state of Oklahoma and collect Oklahomans’ personal information or have it collected on their behalf, determine the purposes for and means of processing that information, and satisfy one of the following thresholds:

  • Has an annual gross revenue exceeding $10 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 25% or more of their annual revenue from the sale of personal data. 

What Is Included? 

Companies subject to this legislation would be required to disclose what personal information they hold on a consumer and allow for the deletion of that information upon the consumer’s request. This proposal also mandates consumers opt-in to providing their personal data, which differentiates it from most other state privacy laws, like the CCPA. The Oklahoma Computer Data Privacy Act also differs from the CCPA in its inclusion of a broad private right of action through which Oklahoma residents could seek damages up to $7,500 for violations. 

Florida House Bill 969 (HB 969) 

Introduced on February 15th by Representative Fiona McFarland (R), House Bill 969 would place several requirements on businesses that deal with Florida residents’ private information. If passed, it would go into effect on January 1, 2022. 

Who Does It Apply To? 

For-profit companies that do business in Florida and collect personal information about consumers, have personal information collected on their behalf, or determine the purposes and means of processing personal information will have to comply with this Bill’s requirements if they satisfy one of the following thresholds:

  • Has an annual gross revenue exceeding $25 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 50% or more of their annual revenue from the sale of personal data. 

What Is Included? 

HB 969 would require that applicable businesses notify consumers about their data collection and selling practices before or at the point of data collection. Under this Bill, consumers would also have the right to request their data be disclosed, corrected, or edited and the right to opt-out of having their personal information disclosed or sold to a third party. 

Applicable businesses would be required to implement reasonable security protocols to protect consumers’ personal data. Also included is a private right of action through which a consumer “whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” may seek damages for violations of the Bill. The Department of Legal Affairs would be authorized to bring other enforcement actions, with penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation.

Potential Impact 

Currently, the data privacy landscape in the United States is a patchwork of enacted and proposed laws, each with its own requirements and consumer rights, creating a confusing web for companies operating in more than one jurisdiction. While advocates of these state privacy laws argue for the protection of consumers’ data in an increasingly digitally driven world, opponents argue that the risk of operating within states that have enacted comprehensive privacy laws may deter businesses from expanding their operations there.

A federal privacy law that could rectify the many differences between individual state laws would simplify this landscape, making it easier for companies to protect their consumers’ data and operate efficiently while complying with regulations.  

Beckage is closely monitoring these and other emerging privacy laws. In the meantime, companies that collect personal data should start thinking about privacy compliance by conducting a baseline privacy assessment and beginning to develop relevant policies and procedures. Beckage attorneys, who are also technologists and certified privacy professionals, are happy to counsel your business on compliance with the CCPA, GDPR, and other pending and enacted privacy legislation.  We work with clients of all sizes to build out data privacy programs and address compliance matters.

*Attorney advertising – prior results do not guarantee future outcomes. 