Dechert Cyber Bits
Issue 67 - December 12, 2024
Illinois Courts Split over Whether Biometric Privacy Law Amendment Applies Retroactively
Two federal judges in the Northern District of Illinois have taken conflicting views on the issue of whether the Illinois legislature’s recent amendment to the Biometric Information Privacy Act (“BIPA” and the “Amendment”) applies retroactively. BIPA provides penalties of up to $5,000 per violation when a company collects or discloses biometric information without providing proper notice and obtaining consent from an Illinois resident.
By way of background, in 2023, the Illinois Supreme Court held in Cothron v. White Castle Systems, Inc. that a separate BIPA violation occurs each time biometric information about an individual person is collected or disclosed. Under that approach, for example, a separate violation would arise each and every time a person provides their biometric information (e.g., a thumbprint to be granted entry into a secure area) or a company uses their biometric information (e.g., for AI applications or training).
The Amendment to BIPA, which was signed into law on August 2, 2024, clarified that the repeated collection of the same biometric information, from the same person, in the same manner, constitutes a single violation (rather than multiple violations as the court in Cothron had previously held). However, the Amendment did not specify whether the change would apply retroactively to violations that occurred before August 2, 2024, or only prospectively.
Two courts now have addressed this question and reached opposing conclusions. In Edwards v. Central Transport LLC, decided November 13th, Judge Elaine Bucklo held that the Amendment applied retroactively, meaning that all of the fingerprint scans for a single employee together constituted a single alleged BIPA violation, even for scans occurring before August 2, 2024. Judge Bucklo reasoned that, as passed, BIPA was ambiguous, and the Illinois Legislature passed the Amendment to clarify what it always intended.
By contrast, just nine days later, Judge Georgia Alexakis reached the opposite conclusion in Schwartz v. Supply Network Inc., finding that the Amendment should not apply retroactively but only prospectively. In essence, Judge Alexakis concluded that the pre-Amendment statute was not ambiguous and that Cothron represented a definitive state-law interpretation of what constituted a “violation” under BIPA. She reasoned that the Amendment overturned Cothron by changing BIPA, but, under general principles of statutory interpretation, it should not have retroactive effect, since amendments are presumed to change, not clarify, the law as it previously existed.
Takeaway: This summer’s Amendment to BIPA is a major win for businesses involved in BIPA litigation. Edwards and Schwartz leave room for plaintiffs to argue that it is murky whether the Amendment limits liability for alleged violations that occurred before the Amendment was signed on August 2, 2024. Companies will want to closely track how this question is treated by subsequent courts, as it has implications both for assessing worst-case scenario damages and for determining whether existing BIPA cases satisfy the federal amount in controversy requirement.
FTC Announces Proposed Settlement with AI Weapons-Screening Business to Settle Allegations that its AI Claims Misled Customers
The U.S. Federal Trade Commission (“FTC”) announced a proposed settlement with Evolv Technologies (“Evolv”), a Massachusetts-based software company that offers AI-enabled security products for schools, hospitals, and event venues, resolving allegations that the company violated the FTC Act by making false efficacy claims and failing to disclose material information concerning the company’s “AI-powered” Express security system (“Express”).
The FTC’s complaint (“Complaint”) details Evolv’s marketing and promotional efforts, which allegedly included, among other claims, that Evolv: (i) directed marketing to educators, parents, and others presenting Express as an AI solution to gun violence; (ii) disseminated promotional materials that represented Express’s AI as offering the “highest degree of weapons detection accuracy”; and (iii) touted Express as an AI-powered solution that was ten times faster than traditional metal detectors and “drastically reduce[d] false alarm rates.” According to the FTC, Evolv knew that Express regularly failed to detect dangerous weapons such as knives and firearms while nonetheless alerting operators about harmless items, like students’ lunchboxes and water bottles. The FTC also alleged that while Evolv represented that Express was independently tested by a third party, Evolv failed to disclose its close relationship with that third party and used that relationship to undertake actions it should not have, including influencing the design of the testing and removing negative information from a draft of the third party’s report. According to the Complaint, Evolv never conducted testing on Express and never had the system tested by United States government agencies. According to its press release, Evolv denied any wrongdoing in the matter and stated that it disagrees with the FTC’s allegations.
Under the FTC’s proposed decision and order (“Proposed Order”), Evolv would be prohibited from making misleading claims about its products and, notably, would be required to allow customers to cancel their contracts with Evolv. Commissioner Andrew N. Ferguson issued a separate statement concurring with the Proposed Order but cautioning that the FTC “is on the very edge of its authority” by including the provisions allowing customers to cancel their contracts with Evolv. Commissioner Melissa Holyoak also issued a separate statement in which she stated that she did not support the cancellation provisions, arguing that the FTC exceeded its authority in imposing those requirements.
Takeaway: This enforcement action builds upon the FTC’s stated mission to ensure that companies’ AI claims are properly substantiated and not misleading. Companies providing or using AI tools should continue to take care to scrutinize past, present, and planned marketing and promotional materials to steer clear of marketing speak that overstates the ability of AI in its products, solutions, and services. The Proposed Order is also notable given the FTC’s aggressive requirement that Evolv must permit its customers to cancel their contracts, particularly given the requirement was openly called into question by two Commissioners as potentially exceeding the FTC’s authority (which it almost certainly does). The FTC is far less likely to use its leverage to test the limits of its “lawmaking through enforcement” approach under the incoming administration, which is good news for companies caught in the crosshairs of the aggressive enforcement posture of the past four years.
First Sector-Owned UK GDPR Code of Conduct
The UK Information Commissioner's Office (the “ICO”) has approved and published the first sector-owned code of conduct under the UK GDPR: the UK GDPR Code of Conduct for Investigative and Litigation Support Services (the “Code”). The Code was developed by the Association of British Investigators Limited (“ABI”) and aims to enable private investigators to demonstrate compliance with specific areas of data protection law in the provision of investigative and litigation support services.
Codes of conduct are voluntary, but adhering to them can help an organization demonstrate that it follows the UK GDPR requirements that have been agreed as sector good practice. Compliance is monitored by a monitoring body and code membership can be withdrawn if an organization is found to no longer meet the requirements of the code.
The Code includes advice and practical examples on:
- roles and responsibilities when acting as an independent controller, joint controller, and/or processor;
- conducting Data Protection Impact Assessments, for example, when carrying out covert surveillance which is considered “invisible processing”;
- identifying lawful bases for processing personal data, recognizing that legitimate interests is most commonly relied upon;
- performing legitimate interests assessments; and
- obtaining consent for sharing information when tracing individuals.
Takeaway: The approval of the Code marks a significant step in promoting data protection compliance within sector-specific circumstances in the UK. It also has broader practical application for companies generally, as the Code contains detailed examples that may provide guidance, particularly in relation to invisible processing which is a complex and high-risk area.
Failure to Disclose Duration of Smart Device Software Updates May Violate FTC Act and Magnuson Moss Warranty Act
In advance of the holiday shopping surge, U.S. Federal Trade Commission (“FTC”) staff issued a new memo warning consumers that a significant number of “smart” products (i.e., consumer products that connect to the internet) fail to disclose how long such products will receive software updates. The FTC reviewed product webpages for 184 smart devices, including carbon monoxide detectors, blood glucose monitors, home security systems, exercise equipment, and entertainment systems, and found that almost 90% of those web pages failed to disclose how long the products’ manufacturers would update the accompanying software. Even where manufacturers do provide such information, the FTC stated that it is often elusive and buried in technical specifications, support pages, footnotes, or other hard-to-find locations.
Given the potential harm to consumers, the FTC staff memo asserts that manufacturers’ product-specific information may risk violating the FTC Act in two ways: (i) “if a manufacturer makes an express or implied representation regarding how long the product will function or be useable, it may be a deceptive practice if the manufacturer fails to disclose how long it will provide necessary software updates”; or (ii) the failure to provide software updates or the failure to disclose the duration of software support may violate the FTC Act when such conduct “is likely to cause substantial injury that could not be reasonably avoided by consumers and the injury is not outweighed by any offsetting consumer or competitive benefits that the sales practice also produces.” The staff memo also suggests that the failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act.
Takeaway: The FTC’s staff memo puts manufacturers of smart devices on notice that they are expected to publicize and adhere to software update commitments. Companies will want to review their existing product-specific information and, if necessary, adopt new disclosure practices that prioritize disclosure of technical specifications and software update details in a clear and conspicuous manner.
CPPA Inks First Settlement with Data Brokers
Last month, the California Privacy Protection Agency (“Agency”) announced settlements with two data brokers, Growbots Inc. (“Growbots”) and UpLead LLC (“UpLead”), for failing to register as required by the Delete Act. The Agency’s enforcement actions mark the first set of monetary penalties issued by the Agency.
The Delete Act shifts responsibility for overseeing and enforcing California’s existing data broker registration requirements to the Agency. Those requirements oblige businesses that collect and sell personal information belonging to consumers with whom they do not have a direct relationship (i.e., data brokers) to register with the Agency and pay an annual fee. The fees help fund the California Data Broker Registry and the development of a novel deletion mechanism, called the Data Broker Requests and Opt-Out Platform (“DROP”), that will allow a consumer to direct all data brokers to delete their personal information in a single request.
Data brokers can face fines of $200 per day for failing to register with the Agency. Growbots and UpLead will collectively pay almost $70,000 to resolve claims that the companies failed to register between February and July 2024. In addition to the fines, both companies agreed to injunctive terms, including agreeing to pay the Agency’s attorney fees and costs resulting from any non-compliance.
Takeaway: These settlements follow the Agency’s recent announcement that it was conducting a “public investigative sweep” of data broker registration compliance under the Delete Act. Taken together, the Agency’s actions appear to signal an aggressive enforcement posture against data brokers. Such an aggressive posture may eventually carry over into the Agency’s enforcement of the California Consumer Privacy Act (“CCPA”). Data brokers will want to take care to adopt practices and policies designed to show compliance with the Delete Act.
Dechert Tidbits
President-Elect Trump to Appoint Andrew Ferguson as New FTC Chair
President-Elect Trump has announced that he will appoint current FTC Commissioner Andrew Ferguson to lead the Commission, replacing the current FTC Chair, Lina Khan. Commissioner Ferguson joined the FTC in April of this year after his appointment by President Biden and confirmation by the Senate. Before his FTC appointment, Commissioner Ferguson served as Virginia's Solicitor General and, earlier, as chief counsel to former Senate Majority Leader Mitch McConnell.
EU Cyber Resilience Act Becomes Law
The EU Cyber Resilience Act entered into force on December 10, 2024, subject to an implementation period, with its main provisions effective from late 2027. However, certain manufacturer reporting obligations will start from September 11, 2026. For more information, see our write-up in Issue 65.
CPPA Commences Latest Formal Rulemaking Initiative
On November 22, 2024, the California Privacy Protection Agency opened the formal comment period for its proposed regulations concerning cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies. Written public comments can be emailed to regulations@cppa.ca.gov until January 14, 2025.
The Network Advertising Initiative Updates Location Privacy Standards
The Network Advertising Initiative (“NAI”) has updated its Voluntary Enhanced Standards for Precise Location Information Solution Providers (“Enhanced Standards”), initially released in June 2022. The Enhanced Standards prohibit the use, sale, and transfer of U.S. consumer precise location information related to sensitive points of interest. The updates are intended to clarify the use of industry classification systems for identifying sensitive points of interest and aim to improve the administrability of the Enhanced Standards. As of the date of the NAI’s announcement, five NAI members have already committed to adhere to the Enhanced Standards.
EDPB Publishes Guidelines on Data Sharing with Third Country Authorities
The European Data Protection Board has published draft guidelines on data transfers to non-EU (third country) authorities. The proposed guidelines are intended to clarify if and how organizations can respond to such requests in compliance with the GDPR. The guidelines are open for public consultation until January 27, 2025.
We are honored to have been recognized in The Legal 500, Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- MVP: Dechert's Brenda Sharton - Law360 (October 10, 2024)
- Brantley et al. v. Prisma Labs, Inc. (Global Legal Chronicle published August 31, 2024)
- Law360's Legal Lions of The Week (Law360 published August 9, 2024)
- Lensa AI App Creator Shakes Ill. Biometric Privacy Suit (Law360 published August 6, 2024)
- Prisma Labs Skirts BIPA Suit Over Training of Its AI Photo App (Bloomberg Law published August 6, 2024)
- A New UK Labour Government: A Fresh Approach to AI Regulation (Dechert OnPoint published July 9, 2024)
- The EU AI Act: An Overview (Dechert OnPoint published May 13, 2024)
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- Visit Dechert's California Consumer Privacy Act Resource Center
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) among the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Connor Flannery, Anita Hodea, Daniel Murdock, Madeleine White, and Theodore Yale
Production Editors
Hilary Bonaccorsi and Dylan Balbirnie
Senior Editor
Partner Committee Editors
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Chair, Cyber, Privacy and AI
Boston
brenda.sharton@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Vernon L. Francis
Partner, Senior Editor
Philadelphia
vernon.francis@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."
"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023
Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.