Troutman Pepper recently published its 2023 Privacy Year in Review, a comprehensive analysis of the year’s key developments in privacy, security, and artificial intelligence, which offers practical advice for companies navigating the bewildering number of virtual threats and technological advancements. This annual guide to global trends, risks, best practices, and detailed case studies is a collaborative effort of our Privacy + Cyber and Regulatory Investigations, Strategy + Enforcement (RISE) teams. It aims to serve as a vital resource to help companies address current cybersecurity, privacy, and data protection challenges and prepare for future ones.

Editor’s Note: In recent regulatory and enforcement developments, New Jersey became the latest state to enact a comprehensive privacy law, and the Connecticut Attorney General released the first report on CTDPA. The FTC entered into two privacy consent decrees, both of which centered on the sale of sensitive location data. In litigation, VPPA and wiretapping litigation continues to surge, including a denial of a motion to dismiss filed by Hearst. Internationally, the EU member nations unanimously voted to pass the AI Act, a Canadian government agency experienced a data breach, and the French data protection authority fined a data broker for failing to comply with GDPR.


U.S. Laws and Regulation

NIST Publishes Report on the Cybersecurity of Genomic Data. On December 20, 2023, the NIST National Cybersecurity Center of Excellence (NCCoE) published Final NIST IR 8432, Cybersecurity of Genomic Data. Informed by direction from Congress, this report discusses current practices, challenges, and potential solutions for securing genomic data. Based on this report’s findings, NCCoE has developed Draft NIST IR 8467, Cybersecurity Framework (CSF) Profile for Genomic Data, which provides actionable guidance to organizations that process genomic data to help these organizations manage and protect against cybersecurity risks. NCCoE is also in the process of developing a Privacy Framework Profile for Genomic Data to supplement the CSF. This Privacy Framework Profile will be publicly released later in 2024.

FTC Reaches First Data Broker Settlement. On January 9, the FTC reached its first settlement with a data broker involving the alleged collection and sale of location information that could be used to track individuals’ visits to places of worship, reproductive health clinics, and domestic abuse shelters. Under the proposed order, X-Mode Social, Inc. and its successor Outlogic, LLC will be prohibited from sharing or selling such data going forward. For a deeper analysis by our team, click here.

FTC Bans InMarket Media’s Sale of Precise Location Data. On January 18, the FTC announced another enforcement action focused on the collection and use of consumers’ sensitive location information. The FTC entered into a consent order with InMarket Media over the use and sale of the precise location data it collects for marketing and targeted advertising. InMarket Media must also provide an “easy-to-find way” for consumers to withdraw their consent to location data collection and to request deletion of previously collected data. This proposed administrative complaint and consent decree is open for public comment until February 17.

Iowa AG Brings Suit against TikTok. On January 17, Iowa AG Brenna Bird filed a complaint in the Polk County District Court, alleging TikTok misrepresented that access to inappropriate content on its app by children is “infrequent.” In its description on Apple’s app store, TikTok is labeled as an app for individuals aged 12 and above with “infrequent/mild” access to inappropriate content. However, Bird alleges that, “[t]he TikTok app contains frequent and intense sexual content and nudity, profanity and crude humor, mature and suggestive themes, and alcohol, tobacco, and drug use and references.” TikTok has already been subject to scrutiny by other U.S. governmental authorities for ties to China and the app’s data and child safety measures.


U.S. Litigation and Enforcement

ReproSource Fertility Reaches Breach Settlement. On January 10, Massachusetts fertility test center ReproSource Fertility Diagnostics (a Quest Diagnostics company) reached a $1.25 million settlement resolving negligence claims related to an August 2021 ransomware attack that impacted approximately 350,000 patients. Although ReproSource cut off its network connection immediately after discovering the unauthorized activity, threat actors were able to gain access to patients’ names, email addresses, dates of birth, and protected health information (PHI) such as CPT and diagnosis codes, health insurance billing information, and physician information. Affected individuals were not notified until October 2021. Plaintiffs in the ensuing class action litigation alleged that ReproSource was negligent in failing to safeguard patient information, especially as health care organizations like ReproSource are frequent cyberattack targets. Plaintiffs also noted that ReproSource failed to notify impacted individuals within 60 days, as required by HIPAA for PHI breaches. The settlement allows class members to submit claims of up to $3,000 as reimbursement for out-of-pocket losses. Since the breach, ReproSource states that it has adopted more advanced data security measures, including additional cybersecurity controls, at its own expense.

Burger King Franchisee Says Insurance Carrier Owes Defense Costs for BIPA Suit. In a lawsuit filed on January 17, Burger King franchisee Tri City Foods Inc. (Tri City) claims that its insurance carrier owes the franchisee coverage for a class action alleging violations of Illinois’ Biometric Information Privacy Act (BIPA). The underlying class action was initiated in 2018 by a former employee of Tri City who claimed that Tri City tracked his time worked by requiring him to scan his fingerprint at the beginning and end of each shift. The plaintiff alleged that Tri City violated BIPA by failing to inform him of any biometric data retention policy and failing to obtain a written release for the collection and storage of his fingerprints. This underlying action remains ongoing.

Hearst’s VPPA Claim Continues. On January 11, a judge denied media company Hearst’s motion to dismiss a putative class action under the Video Privacy Protection Act (VPPA). The plaintiffs allege that the company disclosed their personally identifiable information (PII), including a record of every video they viewed on Hearst’s mobile applications, to third parties in violation of the VPPA. The court found that the plaintiffs plausibly alleged that they were consumers, that the company was a video tape service provider, and that there was a knowing transmission of PII, as defined under the statute. The court also found that the plaintiffs did not need to plead actual damages and may proceed without alleging any specific pecuniary loss. Further, the court rejected the company’s argument that the ordinary course of business exception applies, because the alleged uses of plaintiffs’ information (marketing, advertising, and analytics) do not fall within the exception’s narrow list of permissible uses. Lastly, the court found that the allegations involve commercial speech, so the VPPA satisfies the intermediate scrutiny test under the First Amendment.

Carnival’s Wiretap and Invasion of Privacy Claims Proceed. On January 19, a judge granted in part and denied in part defendant Carnival Corporation’s motion to dismiss plaintiffs’ federal and state wiretap and invasion of privacy claims. Plaintiffs allege that the travel company enlists third-party companies to embed session replay software on its website, which collects information about the user’s system and “all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry (even if deleted), and numerous other forms of a user’s navigation and integration through the website.” The court found premature the company’s argument that it provided consumers notice of its recording policy through a cookie policy banner displayed at the bottom of its website and that consumers assented to the terms of that policy through their continued use of the website. Specifically, the court noted that the banner’s text is smaller than the rest of the bolded large text on the homepage, and the company has not demonstrated that the banner appears immediately or that it persists for a user’s entire visit. Thus, the court held that the plaintiffs plausibly alleged the interception of their communications without consent. However, the court dismissed the Computer Fraud and Abuse Act claim without prejudice because plaintiffs’ allegations of damage or loss were entirely conclusory.

Fidelity National Financial Reveals Data Breach Affected 1.3M Consumers. Insurance company Fidelity National Financial Inc. revealed it suffered a cyberattack in November that affected 1.3 million consumers. Ransomware gang ALPHV (or BlackCat) claimed responsibility for the attack in a post on its dark web leak site. At this time, Fidelity is providing credit monitoring and identity theft restoration services to consumers after also reporting it was hit with several lawsuits in the wake of the attack.

Papa John’s Faces Putative Class Action in California Web Tracking Suit. Popular pizza chain Papa John’s was unable to dismiss in full a class action lawsuit alleging that it illegally tracked users’ online activity on its website. The court held that plaintiffs adequately alleged that Papa John’s had violated the California Invasion of Privacy Act (CIPA). Papa John’s was successful, however, in dismissing the plaintiffs’ bid for injunctive relief as well as the claim that the company had intercepted telephone communications under CIPA. The court found that there was no threat of future harm supporting injunctive relief, and that the relevant CIPA provision applies only to communications between certain types of telephones, not over the internet, which the complaint failed to allege. The dismissed claims were dismissed with leave to amend.


International Regulation and Enforcement

EU Members Unanimously Vote to Advance the AI Act. On February 2, EU member states reached a political agreement on the Artificial Intelligence (AI) Act (the Act). Two parliamentary committees (the internal market and civil liberties committees) will vote on February 13, and a full plenary vote is expected on either April 10 or 11. The Act will create new rules and obligations for providers and users of AI depending on the level of risk the AI poses. The Act will ban AI uses posing unacceptable risk, such as social scoring or biometric identification, and will require other AI, such as generative AI, to comply with transparency requirements. Once adopted, the AI Act will enter into force 20 days after publication. The AI Act contains several application dates, including those for high-risk AI systems and prohibited AI systems.

Canadian Government Agency Experiences Data Breach. On January 30, Global Affairs Canada announced an “unplanned IT outage” to address the discovery of malicious cyber activity. The Canadian Broadcasting Corporation (CBC) reported that an internal email stated that the internal systems were vulnerable between December 20, 2023 and January 24, 2024. Global Affairs Canada manages diplomatic and consular relations, promotes Canadian international trade, and leads Canada’s international development and humanitarian assistance.

French Data Protection Authority Fines Data Broker €75,000. On January 30, the Commission Nationale de l’Informatique et des Libertés (CNIL) announced it had fined data broker Tagadamedia €75,000. During the investigation, the CNIL found that Tagadamedia failed to comply with the obligation to have a legal basis for processing data and that the forms used by the company failed to provide consumers with free, informed, and unambiguous choices. The CNIL also stated that Tagadamedia’s record of processing activities was shared with a second company, but the record did not specify which company was acting as the data controller.


Troutman Pepper Team Spotlight: Sadia Mirza

Sadia was recently promoted to partner in the firm’s Privacy + Cyber practice, effective January 1. Located in the firm’s Orange County office, she leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues.

She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

She dedicates her practice to counseling clients on complex data security and privacy issues. Capitalizing on her extensive experience guiding clients through security incidents, she handles pre-incident planning and readiness, breach investigations, and litigation matters. Sadia leverages her 360-degree knowledge of the incident response lifecycle to ensure clients can present a positive and defensible narrative to plaintiffs or regulators.

An active and respected voice in the privacy and data security bar, she writes and speaks frequently on trends and developments affecting clients and consumers. Sadia has been a panelist on numerous privacy and cybersecurity panels across the U.S. and is a member of the Program Committee for the Law Track for the RSA Conference.

Sadia provides ongoing analysis and commentary on developments in the consumer financial services industry, with a focus on privacy law, through the Consumer Financial Services Law Monitor blog at cfslawmonitor.com. She frequently publishes in Bloomberg Law and Law360.


Interested in comprehensive legislative and regulatory tracking services focused on consumer financial services? Troutman Pepper offers weekly reports on developments in consumer collection, consumer reporting/FCRA case law, and privacy and data security. Contact Stefanie Jackman (stefanie.jackman@troutman.com), Kim Phan (kim.phan@troutman.com), or Michael Bevel (michael.bevel@troutman.com) for more information and to request a free trial.

Molly DiRago

Molly litigates complex commercial matters, focusing on biometrics and privacy, class actions, partnership and shareholder disputes, and consumer fraud. Molly takes a results-oriented approach and finds creative solutions for her clients, whether through litigation or extrajudicial procedures.

Robyn Lin

Robyn is a privacy and data security attorney who focuses on helping clients understand and maintain data compliance.

Natasha Halloran

Natasha is an associate in the firm’s Privacy + Cyber practice, where she assists clients with privacy-related issues such as reviewing privacy policies, regulatory compliance, and commercial litigation including under the Fair Credit Reporting Act (FCRA) and Video Privacy Protection Act (VPPA).

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

James Koenig

Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.

Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Linnea Kelly

Linnea is an associate in the firm’s Health Sciences Department, resident in the Philadelphia office. They graduated from Temple University Beasley School of Law where they completed their J.D. and served as an articles editor for the Temple Law Review. While in law school, Linnea served as a certified legal intern at the Defender Association of Philadelphia.

Safvet Theodore Mews Besen

Safvet is an associate in the firm’s Corporate practice.