December 2022 AFS Privacy Report: Pandora's Virtual Try-On Tool Leads to BIPA Class Complaint

Headlines that Matter for Privacy and Data Security.

US News

Pandora’s Virtual Try-On Tool Leads to BIPA Class Complaint

On November 15, 2022, a group of plaintiffs brought a purported class action against Pandora Jewelry LLC, claiming that its virtual try-on tool violates Illinois’ Biometric Information Privacy Act (BIPA). The tool, which is the result of a partnership with Tangiblee, a digital product experience and eCommerce SaaS company, allows website visitors to upload photos of themselves to try on jewelry virtually. As part of this process, the plaintiffs allege, the try-on feature captures users’ facial geometry. Plaintiffs claim that by not securing users’ written, informed consent, Pandora’s feature violates BIPA. Though the complaint does not list a specific amount of damages, BIPA allows $1,000 for each negligent violation and $5,000 for each reckless violation. Find the complaint here.

LinkedIn Successfully Advances Breach of Contract Claims in Ongoing Data Scraping Case

In a decision released on November 4, 2022, the US District Court for the Northern District of California sided with LinkedIn, upholding its assertions that hiQ Labs, Inc., violated LinkedIn’s terms of use by scraping content from its website. The hiQ vs. LinkedIn data scraping case, which recently settled, had been ongoing since LinkedIn sent hiQ a cease-and-desist letter in May 2017. The letter demanded that hiQ stop accessing and copying data from LinkedIn’s servers in violation of LinkedIn’s terms of use. Relying on the argument that the information was publicly available, hiQ continued to collect the information and used it to make predictions about when individuals were likely to seek new jobs. After years of back and forth, and a remand by the US Supreme Court, the district court issued its opinion in the case. Setting aside the Computer Fraud and Abuse Act claims, the court instead focused on the contractual issues and held that hiQ had violated LinkedIn’s terms of use by scraping information from LinkedIn’s website and directing contractors to log onto LinkedIn’s services with false identities. The court decided that hiQ agreed to the terms of use when: (i) its agents created accounts on LinkedIn, agreeing to the terms of service during the account creation flow; and (ii) hiQ ran advertisements on LinkedIn and signed up for subscriptions.

Pennsylvania Governor Signs An Act Amending the Breach of Personal Information Notification Act of 2005

Pennsylvania Governor Tom Wolf signed Senate Bill 696, An Act Amending the Breach of Personal Information Notification Act of 2005 (the Act). The 13-page Act expands the definition of personal information, provides an updated breach notice requirement that includes a carveout for the Health Insurance Portability and Accountability Act (HIPAA), and allows for electronic notification. Under the Act, personal information now includes medical information, health insurance information, and usernames or email addresses in combination with password or security question information. Further, all entities that handle personal information must provide notice without unreasonable delay upon the determination, not the discovery, that a breach of the security of the systems used in maintaining, storing, or managing the personal information of any Pennsylvania resident has occurred. However, the Act provides that HIPAA-covered entities that follow HIPAA’s privacy and security standards are deemed compliant. The Act also requires entities to use encryption to protect the transmission of personal information via the internet.

NIST Publishes Data De-Identification Guidance

The National Institute of Standards and Technology (NIST) has published draft guidance for government agencies that wish to de-identify data. De-identification removes identifying information from a data set in such a way that the remaining information cannot be traced back to a specific person. NIST’s latest publication, found here, includes a comprehensive list of references and specific de-identification tools available. The draft is open for comments until January 15, 2023.

Global News

FTC Isn’t the Only Regulatory Body Paying Close Attention to Twitter; Irish DPC Places The Social Media Platform on Watch and Questions Its Use of GDPR’s OSS

The Irish Data Protection Commission (DPC) is reported to be questioning whether, following a reorganization and the departure of key employees including Damien Kieran, Twitter’s first and only Data Protection Officer, Twitter’s “main establishment” remains in Ireland. Since the reorganization, US-Ireland operations are reported to have essentially ceased.

This is particularly important because the Ireland establishment allows the company to use the GDPR’s one-stop-shop. Without the ability to claim main establishment in Ireland, the company would be regulated by the data protection authorities from all 27 Member States, making GDPR compliance much harder to achieve. Because the GDPR does not outline specific criteria for assessing main establishment, this decision will ultimately be based on the DPC’s investigation and analysis.

Quebec Passes Act to Modernize the Protection of Personal Information

Quebec recently passed Bill 64, an Act to Modernize Legislative Provisions as Regards the Protection of Personal Information. The Act adds new obligations for organizations doing business in Quebec and fills the gaps in the previous Act Respecting the Protection of Personal Information in the Private Sector. Updates are split into three categories: (i) 2022 obligations, (ii) 2023 obligations, and (iii) a 2024 obligation. In addition to the requirement that all businesses appoint a privacy officer, the 2022 obligations require those businesses to notify the Commission d’accès à l’information of data security incidents that present a serious risk of injury to individuals. The 2023 obligations are more extensive, as they introduce new disclosure, Privacy Impact Assessment, consent, and cross-border transfer requirements. The 2024 obligation creates a data portability right.

UK’s Information Commissioner’s Office Offers New Guidance on Telephone and Email Marketing

The UK Information Commissioner’s Office (ICO) has released new guidelines on electronic mail and live call direct marketing that serve to remind companies of best practices to avoid the ICO’s hefty fines (up to £500,000). The new guidelines are largely a restatement of points already covered in the ICO’s comprehensive draft code of practice from March 2020; however, the guidelines offer two noteworthy updates. First, the revised guidelines make it unlawful to launch campaigns that encourage customers to forward marketing to others. Second, the revised guidelines introduce the possibility of reminding unsubscribed customers of their marketing preferences with instructions on how they can update their preferences. Plans to finalize the marketing code itself remain in limbo, so for now, the ICO’s guidance and drafts remain an important reference for UK companies’ marketing compliance strategy.

New UK Compliance Checklists for Marketers Wishing to Avoid Unlawful Advertising to Children

The UK Committee of Advertising Practice (CAP) updated its previous guidance on age-restricted advertising from 2021 as it catches up with the growth of digital media. The new guidance offers practical checklists and examples to help advertisers avoid the advertising of age-restricted products to children.

India’s Proposed Digital Personal Data Protection Act

India’s Ministry of Electronics and Information Technology has drafted the Digital Personal Data Protection Act in the hope that it can support business growth while keeping personal data safe. The proposed Act narrows the scope of privacy protection laws to focus on individuals’ personal data, allowing other forms of data to be used more freely. In addition, the Act removes all criminal penalties and replaces them with civil penalties. The Act would also increase cross-border data flow by approving trusted foreign data flows with “certain notified countries and territories,” but does not provide further context on this point.
