News Alerts and Breach Report for Week of January 16, 2023

Massachusetts Privacy Bill Moves Forward

The Massachusetts Information Privacy and Security Act (MIPSA) won’t just apply to businesses based in the commonwealth; it will apply to any data controller that collects, processes or sells data belonging to commonwealth citizens. That’s if they earn more than $25 million in gross global annual revenues from the processing of data belonging to at least 100,000 citizens or collect and sell the data of at least 10,000 citizens. Violators will have to pay $7,500 for each violation, and $500 per day for failure to register under the law (up to $100,000 per year). The prescriptions of the bill generally mirror those of California’s CPRA. The bill currently includes a private right of action.

FTC Digs Deeper on Dark Patterns

The Federal Trade Commission (FTC) is prosecuting companies for using dark patterns and violating children’s privacy. Those two issues were at the center of two separate cases the FTC settled in December with Epic Games, which makes the popular multiplayer online children’s game Fortnite. The FTC imposed a $275 million penalty for violating the Children’s Online Privacy Protection Act, and a $245 million fine for dark pattern activities, specifically, according to Bloomberg, that Epic “used design tricks or dark patterns to deter consumers from canceling or requesting refunds for unauthorized charges.”

Biometric Lawsuits Set to Increase

Though Illinois is in the vanguard of biometric privacy legislation, other states are playing catch-up. Global law firm Cooley predicts a continuing uptick in biometric privacy lawsuits and legislation. Those rising trends could contribute to, or grow alongside, a proliferation of biometric privacy laws, which per Bloomberg include an evaluation of commercial surveillance and data security law by the Federal Trade Commission, cybersecurity disclosure regulations by the Securities and Exchange Commission, regulations for cyber incident and ransom payment reporting from the Cybersecurity and Infrastructure Security Agency, pipeline and rail cybersecurity rulemaking from the Transportation Security Administration, and the Federal Energy Regulatory Commission’s rulemaking on rules and incentives for utilities voluntarily investing in cybersecurity improvements.

Predictive Policing Finds Loopholes

Many data privacy laws prohibit government and law enforcement agencies from collecting and processing citizens’ personal data. But those laws don’t yet stop authorities from purchasing personal data from third-party data brokers in order to make “predictive” policing decisions (where information including “past activities, legal records, personal associations, and even ZIP codes” is used “to determine the risk that a person will break the law or conduct illegal activity”). According to Dark Reading, “law enforcement data brokers” including RELX and Thomson Reuters “have used technology to expand the scope of public surveillance far beyond traditional surveillance means [and] provide vast amounts of information to the US Immigration and Customs Enforcement (ICE) Agency, which it then uses to target immigrants. This has led to a collective public outrage that has produced petitions, lawsuits, and increased interest in how law enforcement and the government obtain and use data.”

Breach Report:

* * * * * * *

To read our article discussing how compliance officers can avoid personal liability using Uber’s recent breach as an example, click here.

To read our article discussing whether Meta’s change in Terms of Service for Facebook and Instagram users forced such users to give consent to Meta allowing processing of their personal data, click here.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues, from proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

84 | Internet Archive Project Related to Russia’s War with Ukraine (With guest Mark Graham)

83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)

82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)

To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
