February Privacy Report: FTC Expands Its Use of “Unfairness” Authority in GoodRx Matter

Headlines that Matter for Privacy and Data Security.

US News:

GoodRx Faces Million Dollar Proposed Penalty from FTC in First Enforcement Action Under the Health Breach Notification Rule

Settlement reveals views on application of unfairness authority to sharing of sensitive information

On February 1, 2023, the Federal Trade Commission (FTC) filed an order against the digital health company, GoodRx, proposing that it pay a civil penalty of $1.5 million for violating the Health Breach Notification Rule (HBNR). The HBNR requires that companies notify consumers, the FTC, and the media about a company’s unauthorized disclosure of individually identifiable health information to third-party advertisers and advertising platforms. In its complaint, the FTC alleged that GoodRx:

  • Shared personal health information with third-party advertising companies and advertising platforms;
  • Monetized personal health and medication-specific information to target users with ads;
  • Allowed third parties to share data for their own internal purposes;
  • Misrepresented its Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance;
  • Did not maintain sufficient policies to protect its users’ personal health information.

In addition to the $1.5 million penalty for violating the HBNR, the FTC’s proposed order also requires GoodRx to stop sharing health data for ads, obtain user consent for any data sharing, direct third parties with which they shared data to delete that data, and implement a comprehensive privacy program.

Notably, the FTC’s complaint also used Section 5 of the FTC Act’s unfairness prong to allege that the sharing sensitive health data — and, by extension, perhaps any sensitive data — for advertising purposes may require opt-consent. The FTC also pleaded that the company’s alleged failure to have policies in place to prevent unauthorized sharing of sensitive personal information was in and of itself unfair, in violation of Section 5 of the FTC Act.

You can find the Health Breach Notification Rule here. You can find the FTC’s press release here. You can find the FTC’s complaint here and the proposed order here.

CA AG Begins Mobile App Investigative Sweep

On January 27, 2023, the California Attorney General (AG) announced a new investigative sweep under the California Consumer Privacy Act (CCPA). AG Rob Bonta sent letters to businesses with mobile apps that may violate the CCPA in three main ways. They may (1) fail to comply with consumer opt-out request; (2) not provide mechanisms for consumers looking to prevent their data from being sold; or (3) not process consumer requests submitted via authorized agent. This newest sweep reflects a recognition of the elevated risk mobile applications pose to consumer data. Mobile apps must pay particular attention to receiving and processing consumer privacy requests communicated by consumers via automated digital tools. The California Privacy Rights Act (CPRA) sets out purpose limitation and data minimization standards that are important when looking at the sensitive nature of data found in mobile apps. The Attorney General’s press release is here.

California Approves CPRA Regulations

On February 3, 2023, the California Privacy Protection Agency (CPPA) voted to approve the final text of the CPRA regulations and opened a preliminary comment period on a proposed rulemaking on cybersecurity audits, risk assessments, and automated decision making. The final text of the CPRA regulations does not substantively differ from the draft regulations from November 2022. These regulations effectuate fleshed-out requirements for opt-out preference signals, notice, requests to correct and limit, third-party contacts, among other things. If approved by California’s Office of Administrate law, the regulations could be in effect as soon as April.

The final text of the CRPA regulations can be found here. The CPPA’s Statement of Reasons accompanying this version is here. The invitation for preliminary comments on the proposed rulemaking on cybersecurity audits, risks assessments and automated decision making can be found here.

Updates in the Colorado Privacy Act Rulemaking Process

As of February 3, 2023, the Colorado Department of Law is no longer accepting written comments on the Colorado Privacy Act (CPA) draft rules. The revised draft rules modify the original draft rules in a few major ways. A few of those changes are as follows:

  • The draft rules no longer requires that privacy notices describe each data processing purpose, to remove some burden on controllers.
  • The draft rules eliminate the 15-day requirement for alerting consumers to material changes to privacy notices before they go into effect.
  • The requirements for data protection assessments have narrowed, eliminating five topics for consideration.
  • Controllers now only have to refresh consent for processing sensitive information when the user has not interacted with the controlled in the prior 12 months, as opposed to once a year.

An updated version of the draft rules incorporating feedback received through January 18, 2023, can be found here.

NIST Issues AI Risk Management Framework

The National Institute of Standards and Technology (NIST) has released the AI Risk Management Framework (AI RMF 1.0) along with a playbook, explainer video, roadmap, crosswalk, and various perspectives. The AI RMF is a guidance document for voluntary use by organizations designing, developing, or using AI systems, in hopes of managing the many risks posed by AI. The AI RMF comprises two main parts: outlining risks/characteristics of trustworthy AI systems and explaining the four functions (govern, map, measure, and manage) that will help organizations address the risks of AI systems. NIST plans to work with the AI community to update the framework and launch a Trustworthy and Reliable AI Resource Center. For more on the development of the AI RMF, click here.

Illinois BIPA Roundup

On February 2, 2023, the Illinois Supreme Court held that all claims under the Illinois Biometric Information Privacy Act (BIPA) are subject to a five-year statute of limitations, answering a question that has plagued BIPA cases for years.

For more information from the AFS team on this recent development, click here. You can find our alert on the use of BIPA in cases involving virtual try-on services here.

For more information on the rise of BIPA claims in 2022, read the AFS Class Action Year in Review alert here.

Chick-fil-A Targeted in VPPA Class Action

Chick-fil-A has been named as a defendant in a purported Video Privacy Protection Act (VPPA) class action lawsuit filed in the Northern District of California. The plaintiff has alleged violations under the VPPA, which stipulates that anyone who offers video tape or similar services cannot disclose personally identifiable information (PII) without informed, written consent. The complaint states that the fast food chain shared PII about the plaintiff’s video watching habits with Meta through the use of Facebook Pixel, a software code that allows website operators to monitor how visitors interact with the website, without plaintiff’s consent. Although this is not the first lawsuit in which a company’s use of Pixel to track website visitors has been the basis for VPPA claims, no court has yet decided whether using Pixel while streamlining content violates VPPA.

For more on VPPA Claims, read the AFS alert on VPPA class actions here. You can find more information on Pixel here.

State Privacy Law Developments: Indiana, Washington, New Hampshire, Maryland, Oregon, Massachusetts, and Washington

At least 19 US states are considering comprehensive privacy laws so far this year.

  • The Indiana Senate Committee on Commerce and Technology voted 11-0 to advance Senate Bill 5, an act addressing consumer data protection. The bill can be found here.
  • New Hampshire’s bill on the expectation of privacy has been referred to the state’s Senate Committee on the Judiciary. The bill, Senate Bill 255, can be found here.
  • House Bill 1616 was reintroduced in the state of Washington and has been referred to the state’s House Committee on Civil Rights and Judiciary. The Washington People’s Privacy Act can be found here.
  • Several privacy bills were filed in Maryland relating to online and biometric data privacy, children’s data privacy, and health data privacy. In early February, the Maryland Senate Finance Committee held a hearing on SB 169, a biometric privacy bill, but no vote was taken. You can find the recently filed bills relating to online and biometric data privacy here and here. You can find the bills relating to children’s data privacy here and here. You can find the bills relating to health data privacy here and here.
  • Two bills were introduced in Oregon: HB 2052, which provides that data brokers may not collect, sell, or license brokered personal data within the state, unless the data broker first registered with the Oregon Department of Consumer and Business Services; and SB 619, which permits, in part, consumers to obtain information on the categories of personal data being processed and a copy of all of a consumer’s person data that has been processed from controllers.
  • Lawmakers in Massachusetts have filed three separate data privacy bills. You can find the proposed Massachusetts Data Privacy Protection Act here, the proposed Massachusetts Information Privacy and Security Act here, and the proposed Internet Bill of Rights here.
  • A Washington bill addressing data brokers, HB 1799, underwent a public hearing on February 17 and is scheduled for an executive session on February 17. The People’s Privacy Act, found here, was introduced to the state House and a companion bill, found here, was introduced to the state Senate in late January.

FCC Issues Notice of Proposed Rulemaking on Data Breach Reporting

The Federal Communications Commission (FCC) released a Notice of Proposed Rulemaking that seeks to update the rules on data breach reporting for telecommunications providers. “To better protect telecommunications customers and ensure that our rules keep pace with today’s challenges,” the FCC proposed a number of updates to their rule addressing telecommunications carriers’ breach notification duties. Those proposed updates include:

  • Expanding the definition of “breach” to include inadvertent disclosures of consumer information.
  • Requiring carriers to notify the FCC and FBI of any discovered breach.
  • Eliminate the mandatory waiting period before notifying consumers.

The FCC is looking for comment on, among other things, whether they should adopt minimum requirements for the content of customer breach notices and the impact of requiring reporting of accidental breaches may have on the number of reported breaches.

You can find the Notice of Proposed Rulemaking here. You can read more on the comment process here. Interested parties may file comments by accessing the Electronic Comment Filing System, found here.

FTC Finalizes Drizly Enforcement Action

On January 10, the FTC finalized its enforcement action against online alcohol marketplace Drizly and its CEO. The action was related to a data breach in 2020 that affected about 2.5 million consumers. The order requires, among other things, that Drizly:

  • Destroy any personal data it collected that is not necessary to provide its services;
  • Publicly detail the information it collects and why;
  • Implement a comprehensive information security program;
  • Establish security safeguards to prevent this kind of breach from occurring again.

The CEO himself must also implement an information security program at any future companies he may work at, if that business collects the information of more than 25,000 consumers. The FTC voted 4-0 to finalize the order against Drizly.

You can read more about the breach here. You can find the order here. You can find the press release here.

President Biden Calls on Congress to Pass Federal Privacy Regulations

President Biden called on Congress to pass comprehensive federal privacy legislation in an early January op-ed for The Wall Street Journal. As more states pass their own privacy laws, the President underscored the importance of “serious federal protections for Americans’ privacy.” On February 7, in his State of the Union Address, President Biden again called for stronger limits on the data collected by large tech companies. This call for increased privacy protections online follows rising concerns about the way in which the tech industry collects, shares, and often exploits personal data.

You can find the op-ed here. You can find the State of the Union address here.

Global News:

OPC Finds That Home Depot Failed to Obtain Consumer Consent before Data Sharing

The Office of the Privacy Commissioner of Canada (OPC) recently began an investigation into Home Depot and the company’s sharing of data from e-receipts without consumer consent or knowledge. The OPC’s investigation found that Home Depot had been collecting consumer email addresses from the check-out process and sending those email addresses and details about in-store purchases to Meta without notifying consumers. During the investigation, the company stated that it relied on implied consent from the information contained in its Privacy Statement. Importantly, the OPC rejected this argument saying that those privacy statements were not readily available to customers at the check-out counter, and that those customers would not have had any reason to seek them out. The OPC has made, and Home Depot has agreed to implement, the following recommendations:

  • Stop disclosing consumer information to Meta until Home Depot is able to implement measures to ensure valid consent.
  • Implement measures to obtain express, opt-in consent from customers prior to information sharing.
  • Strengthen its privacy statement to include an option to withdraw consent.
  • Include information regarding data sharing on its e-receipts.

You can find the press release here. You can find a report of the investigation’s findings here.

Draft Data Act adopted by the European Parliament Committee

The Industry, Research and Energy Committee of the European Parliament has adopted a draft Data Act. The proposed legislation clarifies who can access data and when, aims to empower public and private entities to share data, reflecting the understanding that technological innovation increasingly relies on data.

The Data Act incorporates the idea that consumers should have the right to access the data they contributed to generating and share it with a third party of their choice. As some member states have pointed out, the draft Data Act needs to clarify its relationship to the General Data Protection Regulation (GDPR).

You can find the text of the draft Act here. For more information on the legislative procedure, click here.

New Year Reminder

As we enter 2023 it is important to remember that new privacy laws have recently taken or are taking effect, including privacy laws in California (January 1, 2023), Virginia (January 1, 2023), Colorado (July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). On the international front, if your new contracts have not incorporated the revised Standard Contractual Clauses, the deadline was December 27.

Please contact the ArentFox Schiff Privacy Team if you would like compliance assistance.


Continue Reading