The Siskinds Privacy, Cyber and Data Governance team is focused on providing businesses and professionals with monthly updates and commentary on technology, privacy, and artificial intelligence (A.I.) laws in both the U.S. and Canada.
There have been big updates from south of the border, particularly the FTC enforcement action against Adobe, the U.S. Supreme Court’s overturning of the Chevron decision, which could have big implications for privacy regulations, and the Northern District of Texas vacating HIPAA guidance on the use of online tracking technology.
Microsoft controversies, Apple looks to preserve privacy with A.I., U.S. surgeon general calls for health warnings on social media and Kaspersky anti-virus sanctioned
May 28, 2024: The U.S. Justice Department’s chief antitrust enforcer Jonathan Kanter warned A.I. tech companies to find a way to properly compensate artists: “What incentive will tomorrow’s writers, creators, journalists, thinkers and artists have if AI has the ability to extract their ingenuity without appropriate compensation? …The people who create and produce these inputs must be properly compensated.”
This warning complements the ongoing negotiations between the Justice Department and the FTC on determining which agency may investigate which big A.I. tech company. As reported by Politico, “[a]s part of the arrangement, the DOJ is poised to investigate Nvidia and its leading position in supplying the high-end semiconductors underpinning AI computing, while the FTC is set to probe whether Microsoft, and its partner OpenAI, have unfair advantages with the rapidly evolving technology, particularly around the technology used for large language models.”
June 7, 2024: Due to privacy and security concerns (i.e., a backlash from the privacy and cybersecurity community), Microsoft announced that its upcoming Recall feature on newer Windows PCs will be available on an opt-in basis. In case you were unaware, Recall would take screenshots of your screen every five seconds and create an A.I.-searchable database that would help users find something they’ve previously seen on their PC. I’m sure you can use your imagination to see where this could go wrong in both the privacy and cybersecurity contexts if the feature were enabled by default.
However, on June 13, 2024, coinciding with Microsoft president Brad Smith’s visit to testify before Congress, Microsoft announced that it is delaying the rollout of Recall, according to The Hacker News.
June 10, 2024: In the April Privacy Pulse, we discussed how Apple announced A.I. features to be run on the device; now, Apple has announced more details on how it will implement A.I. on the server side in a privacy-conscious manner. As discussed on Hacker News, Apple has named the feature “Private Cloud Compute” (PCC for short), which essentially offloads “complex requests that require more processing power to the cloud, [and] at the same time ensure that data is never retained or exposed to any third party, including Apple …” Apple has set up a page describing the technology in more detail.
June 13, 2024: Microsoft’s president, Brad Smith, was at Congress testifying about Microsoft’s recent breaches affecting federal agencies. For example, in July, a China-backed hacking group accessed “60,000 U.S. State Department emails by breaking into Microsoft’s systems last summer, while Russia-linked cybercriminals separately spied on Microsoft’s senior staff emails this year…” See also the ProPublica investigative piece about how “Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says.”
June 14, 2024: Meta is pausing its efforts to train its A.I. on public content shared by adult users in the European Union on Facebook and Instagram following a request from the Irish Data Protection Commission.
June 17, 2024: Vice Admiral Vivek Murthy, MD (the US Surgeon General), calls for “health warnings on social media for younger users.” See the recent ABC article discussing his call.
June 20, 2024: The US Department of Commerce prohibited Kaspersky Lab, Inc. from “providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. Commerce reached this determination after an investigation found transactions involving the products and services of Kaspersky Lab, Inc. and its corporate family pose unacceptable risk to U.S. national security or the safety and security of U.S. persons, as outlined in E.O. 13873.”
Canada: 23andMe investigation for data breach of genetic testing and City of Toronto under scrutiny for lack of data minimization
June 4, 2024: The Office of the Privacy Commissioner (Canada) and the Office of the Information and Privacy Commissioner (British Columbia) have launched a joint investigation into Certn (Canada) Inc., a background check service company, to assess the company’s compliance with Canadian and BC privacy laws.
June 6, 2024: The federal Liberals are proposing a new law to make health information more interoperable and portable between electronic medical records. This reminds me of the objectives of the U.S. HITECH Act that was passed more than a decade ago.
June 10, 2024: The Office of the Privacy Commissioner (Canada) (OPC) announced an exploratory consultation on the privacy implications of age-assurance systems. Responses are due September 10, 2024.
On the same day, the OPC announced an investigation into 23andMe to be conducted jointly with the United Kingdom Information Commissioner’s Office for the data breach of genetic testing. The investigation is to review “the extent to which genetic data was stolen and what company safeguards were in place to prevent such a cyberattack.”
June 21, 2024: The Supreme Court of Canada upheld a Court of Appeal decision that held that Ontario public school board teachers had Section 8 rights pursuant to the Canadian Charter of Rights and Freedoms not to be subject to unreasonable search and seizure in the workplace environment, and that the teachers in question had a reasonable expectation of privacy in the contents of a private Google Docs document saved to the teacher’s private Google account that was accessible through the school’s computer. York Region District School Board v. Elementary Teachers’ Federation of Ontario, 2024 SCC 22.
June 27, 2024: The Toronto Star published an article noting that the City of Toronto continues to make public “residents’ phone numbers, addresses, email addresses and signatures” when such residents apply for variances through the City’s committee of adjustment. The City should apply the principle of data minimization and review which disclosures are actually necessary to fulfill the purposes for which it makes such information public.
United States: APRA debates ongoing, Costco building ad network using customer data, and FTC warnings regarding A.I. services
As discussed in the April Privacy Pulse newsletter, there are many stakeholders fighting over the proposed American Privacy Rights Act (APRA), and there are debates raging over many issues, such as the issue of preemption. As noted in the previous newsletter, many states (especially those with comprehensive privacy laws) want the APRA to set a baseline standard that they may exceed, whereas many tech groups are pushing back and are calling for total preemption “to eliminate the patchwork of laws that is…making it really hard for businesses…to comply.”
June 6, 2024: According to the Marketing Brew, “Costco is building out an ad network built on its trove of loyalty membership data, using its 74.5 million household members’ shopping habits and past purchases to power targeted advertising on and off its website.” Although I have not heard of this ad network coming to Canada, I am curious how Costco wants to roll this out throughout all fifty states, especially with navigating all the new comprehensive privacy laws with their various requirements, including any mandatory opt-outs of targeted advertising.
June 10, 2024: The U.S. Supreme Court agreed to hear a private securities fraud lawsuit accusing Meta (Facebook) of misleading investors in 2017-18 about Cambridge Analytica’s wrongful acquisition and misuse of Facebook consumer data.
June 11, 2024: The Federal Trade Commission (FTC) warned businesses that employ A.I. chatbots to not do the following: misrepresent what the A.I. services are or what they can do; offer these A.I. services without adequately mitigating the risk of harmful output; insert ads into the chat interface without clarifying that it’s paid content; use an anthropomorphic service to manipulate people to steer them a certain way; and violate consumer privacy rights.
June 13, 2024: Liberty Latin America Limited settled with the Federal Communications Commission to pay a $100,000 civil penalty due to failing to file a breach report after a data breach “pursuant to the Commission’s rules and to notify the Department of Justice of the breach pursuant to a national security mitigation agreement.”
June 17, 2024: The FTC took action against Adobe, the maker of Photoshop and Acrobat, and two of its executives for allegedly (1) pushing “consumers toward the ‘annual paid monthly’ subscription without adequately disclosing that cancelling the plan in the first year could cost hundreds of dollars” (i.e., Adobe prominently showed the monthly cost during enrollment but allegedly “burie[d] the early termination fee and its amount”); and (2) “use[d] the ETF to ambush consumers to deter them from cancelling their subscriptions.” The FTC also alleged that, when “consumers reach out to Adobe’s customer service to cancel, they encounter resistance and delay from Adobe representatives. Consumers also experience other obstacles, such as dropped calls and chats, and multiple transfers.” The FTC charged Adobe with violating the Restore Online Shoppers’ Confidence Act. See the Complaint against Adobe.
This is another lesson for businesses: ensure all material terms of your subscription are clear and are posted conspicuously to ensure consumers understand the terms of the subscription.
June 18, 2024: The FTC has also referred a complaint against TikTok to the Department of Justice, likely alleging that the TikTok app is “violating or about to violate the FTC Act and the Children’s Online Privacy Protection Act (COPPA)”, as Lina Khan noted on X.
June 20, 2024: In the HIPAA world, the Proscribed Combination, as set forth in the Health and Human Services (HHS) Bulletin of March 18, 2024 (i.e., the Online Tracking Technologies Bulletin), was vacated by a federal judge in Texas. American Hospital Association v. Xavier Becerra, No. 4:23-cv-01110-P (N.D. Tex. 2024). For those who don’t know, the Proscribed Combination is where an online technology connects (1) an individual’s IP address with (2) a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers. The bulletin barred HIPAA covered entities from using online tracking technologies that monitored certain users on unauthenticated webpages.
June 28, 2024: The US Supreme Court (SCOTUS) struck down Chevron v. Natural Resources Defense Council, 467 U.S. 837 (1984). Read the decision here: Loper Bright Enterprises v. Raimondo and a related case, Relentless Inc. v. Department of Commerce, Nos. 22–451 and 22–1219.
This is big. For Canadian lawyers, the equivalent would be if the Supreme Court of Canada struck down Canada (Minister of Citizenship and Immigration) v. Vavilov, 2019 SCC 65, and its associated reasonableness review.
To put it all simply, Chevron required courts to use a two-step framework to determine how to review an administrative agency’s interpretation of a law: (1) whether Congress has directly spoken to the precise question at issue (if the intention is clear, that is the end of this inquiry); but if the court determines that the law is ambiguous, then the court proceeds to the second step: (2) defer to the agency’s interpretation if it is based on a permissible construction of the law.
Why does this matter? Because, in contrast to Canada, most of the seminal privacy rules come from US administrative agencies like the FTC, HHS, FCC, and so on, and this SCOTUS decision will likely result in more court challenges to how these administrative agencies regulate and update privacy rules. This SCOTUS decision underscores how important it is for the debated American Privacy Rights Act to be passed (even though it suffered a big setback a few days ago when its markup was cancelled in the House Committee on Energy and Commerce). This decision will surely keep the US Fifth Circuit hard at work…
Texas: Investigation into car manufacturers’ collection and sale of drivers’ data
June 6, 2024: Texas A.G. Ken Paxton has “opened an investigation into several car manufacturers after widespread reporting that they have secretly been collecting mass amounts of data about drivers directly from their vehicles and then selling that data to third parties—including to insurance providers.” Recall the previous March Privacy Pulse newsletter that discussed General Motors’ OnStar services that shared drivers’ driving habits with insurance companies.
Amidst the controversy around the data collection practices of vehicles, according to Suzanne Smalley at The Record, one data broker, Verisk, disclosed that “it has stopped accepting data from car makers and no longer sells the information to insurers.” Perhaps avoiding the public spotlight is good for business.
June 18, 2024: In Texas, as in California, data brokers must register with the state A.G. by March 1, 2024. Apparently, over one hundred data brokers have failed to do so, and the Texas A.G. has issued letters notifying such companies of their failure.
New York: SAFE for Kids Act and the Child Data Protection Act
June 20, 2024: The Stop Addictive Feeds Exploitation (SAFE) for Kids Act aims to restrict a child (under 18) from accessing addictive social media feeds without parental consent. Additionally, the Child Data Protection Act will “prohibit online sites from collecting, using, sharing or selling personal data of anyone under the age of 18, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website.”
Vermont: Governor vetoes comprehensive privacy law
May 31, 2024: Monique Priestley, a Vermont State Representative, wrote an opinion piece detailing the efforts big technology companies took to lobby the Vermont state legislature to either halt or water down the recently passed comprehensive Vermont privacy law.
June 13, 2024: In my May Privacy Pulse Newsletter, I discussed how the Vermont legislature passed a comprehensive privacy law. As is the risk with discussing proposed laws, the Vermont governor vetoed the proposed law. We will see in the coming months whether the legislature will override the veto.
California: A.G. settles $6.71 million with Blackbaud for its unlawful data security practices, and $500,000 with Tilting Point Media for illegally collecting and sharing children’s personal information
June 13, 2024: The California AG settled with Blackbaud for the following alleged offences: (1) “failure to implement reasonable data security”; (2) the making of “misleading statements about the sufficiency of its data security efforts”; and (3) after a data security breach, the making of misleading statements “about the extent of the breach to its…customers and the public”. The AG alleges that “[t]hese actions violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security.” The settlement amount is fixed at $6.71 million.
June 18, 2024: The California AG settled with Tilting Point Media LLC, “resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the federal Children’s Online Privacy Protection Act (COPPA) by collecting and sharing children’s data without parental consent in their popular mobile app game ‘SpongeBob: Krusty Cook-Off.’”
The settlement was in the amount of $500,000—an inordinate amount to pay for failing to get parental consent. Businesses, if you’re collecting children’s personal information—get parental consent.
Rhode Island: Passes latest comprehensive privacy law
June 29, 2024: The Rhode Island Data Transparency and Privacy Protection Act was passed into law, with an effective date of January 1, 2026. The RIDTPPA appears to be based on the Virginia privacy model, but weaker. For example, on first read, there appear to be no required opt-out links or universal opt-out mechanisms, which distinguishes it from other similar, recent US privacy laws. There also appears to be no language regarding data minimization. With that being said, what seems unique is the fact that the Data Controller shall “[i]dentify all third parties to whom the controller has sold or may sell customers’ personally identifiable information”. 6-48.1-3(a)(2) (Information Sharing Practices). First, although there is a definition of personal data, there is no definition of “personally identifiable information”. Second, what is the scope of “…may sell…”? This language could potentially be problematic when businesses attempt to draw up that list for posting with their Privacy Notice.
Putting privacy first: Your path to compliance starts here
It is crucial for businesses to establish a comprehensive privacy program. Siskinds Privacy Concierge offers custom subscription programs.
To discover how Siskinds can assist you in meeting your privacy compliance needs, or if you have any questions related to this blog post, contact me, Savvas Daginis, at [email protected], or a lawyer on our Siskinds Privacy, Cyber & Data Governance Team.