U.S. Supreme Court Requires Warrant for Law Enforcement Requests for Location Information from Third Parties

By Edward Holman and Brett Weinstein on July 24, 2018 Posted in Privacy

The U.S. Supreme Court has handed down a major decision, Carpenter v. United States,¹ concerning the Fourth Amendment’s application to the rapidly evolving technological landscape. The 5-4 decision dramatically alters the status quo concerning government requests for data about individuals that is collected and held by third parties. Under Carpenter, personal location information maintained by a third party that the government could previously obtain with a subpoena or similar order will now require a warrant meeting the standards of the Fourth Amendment.

By finding that information held by a third party is—in at least some circumstances—protected by the Fourth Amendment, the Supreme Court has upended decades of precedent in an effort to keep the amendment relevant in the digital age. Although portrayed by the court as a narrow decision, like other recent Supreme Court decisions concerning privacy and the Fourth Amendment, Carpenter will likely result in a broad reconsideration of what information law enforcement can properly obtain without a warrant. Companies will now have to carefully consider their statements regarding the sharing of data with law enforcement, and how they will respond to law enforcement agencies’ requests for data without a warrant. Continue Reading

Feeling BLU: What You Need to Know About Overseeing Your Service Providers

By Tracy Shapiro on July 24, 2018 Posted in Cybersecurity, Litigation, Regulatory

On April 30,2018, the Federal Trade Commission (FTC) announced a settlement with mobile phone manufacturer BLU Products and its owner over allegations that the company failed to implement appropriate procedures to oversee their service providers’ security practices, which allowed the service provider to install software containing commonly known security vulnerabilities on consumers’ mobile devices and to collect detailed personal information about consumers, such as text messages and location information, without consumers’ notice and consent.

According to the FTC’s complaint, BLU and its owner contracted with China-based ADUPS Technology to preinstall certain security software on BLU devices. The complaint alleged that, unbeknownst to consumers, the ADUPS software on BLU devices transmitted their personal information to ADUPS servers, including contents of text messages, real-time location data, call and text message logs, contact lists, and a list of applications installed on the device. The FTC did not allege that ADUPS used or disclosed consumers’ personal information.

Facebook Biometric Suit Moves Forward

By Libby Weingarten on July 24, 2018 Posted in Privacy, Regulatory

The U.S. District Court for the Northern District of California recently ruled that a certified class action on behalf of Illinois Facebook users alleging that the social network unlawfully collects biometric data from photo tagging will go forward, denying both parties’ summary judgment motions. This case is one of the first major tests of the scope of Illinois’s Biometric Information Privacy Act (BIPA).¹ The litigation was originally filed in 2015, in response to Facebook’s launch of its “Tag Suggestions” feature, which used facial recognition algorithms to deliver suggested names for individuals in photos. Specifically, Facebook’s Tag Suggestions feature matched photos of an individual against other photos the individual was tagged in to suggest the name of the individual in the photo.

Illinois’s BIPA is one of only three state biometric privacy statutes on the books in the U.S., and the only one that allows for a private right of action.² BIPA, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric information unless it satisfies certain notice, consent, and data retention requirements. For example, entities must notify the person that their biometric information is being collected and stored; state the purpose for collecting, storing, and using the biometric information; and state the length of time the biometric information will be retained. The entity must also obtain written consent from the individual before it obtains the biometric information. Biometric information is defined as a retina or iris scan, fingerprint, voiceprint, or scan of face geometry. BIPA authorizes damages of $1,000 per violation for negligent violations of the law, and $5,000 per violation for intentional or reckless violations. Damages in the Facebook case could amount to billions.

WashingTECH Tech Policy Podcast: Privacy Law After LabMD

By Lydia Parnes on July 5, 2018 Posted in Privacy

In the latest episode of the WashingTECH Tech Policy Podcast, one of the leading national podcasts focused on tech law and policy debates driving the technology and communications sectors, Lydia Parnes, chair of the privacy and cybersecurity practice at Wilson Sonsini Goodrich & Rosati, discusses the state of privacy law after the Eleventh Circuit’s recent decision to vacate the Federal Trade Commission’s order directing LabMD to create and implement a variety of privacy protections.

Click here to hear the podcast.

Click here to read our complete WSGR Alert on the Eleventh Circuit’s LabMD decision.

California Enacts Sweeping Privacy Law to Avert Potential Ballot Measure

By Lydia Parnes, Edward Holman, Tracy Shapiro, Matthew Staples and Brett Weinstein on July 3, 2018 Posted in Privacy, Regulatory

In a surprising twist, the California legislature rushed last week to pass one of the most comprehensive privacy laws in the country. The bill was introduced only a week prior, and within hours of passage, it was signed into law by Governor Jerry Brown. As strict as the act is, it was enacted to avoid an even more restrictive ballot initiative, which the initiative’s sponsor agreed to withdraw.

The California Consumer Privacy Act of 2018 requires covered businesses to make new disclosures to consumers about their data collection, use, and sharing practices; allows consumers to opt out of certain data sharing with third parties; and provides a new cause of action for consumers and the California Attorney General to bring lawsuits against companies that suffer data breaches. In some respects, the act may well go beyond the requirements of the European Union’s General Data Protection Regulation (GDPR), which recently came into force. The act takes effect on January 1, 2020, and, without revisions, may upend the ad-supported business model that underlies much of the modern digital economy.

Click here to read our complete WSGR Alert discussing the new law.

Eleventh Circuit LabMD Decision Significantly Restrains FTC’s Remedial Powers in Data Security and Privacy Actions

By Lydia Parnes and Edward Holman on June 18, 2018 Posted in Privacy, Regulatory

The U.S. Court of Appeals for the Eleventh Circuit recently released its highly anticipated decision in the long-running case pitting the now-defunct medical laboratory LabMD against the Federal Trade Commission (FTC), vacating the FTC’s data security order. In reaching its conclusion, the court held that the order’s requirement that LabMD establish a comprehensive information security program was unenforceable. This holding has broad implications for the FTC’s remedial powers in data security and privacy actions going forward, as requirements to establish a comprehensive security or privacy program have become common in FTC security and privacy settlements over the past 16 years. If the court’s decision stands, the FTC will likely need to enjoin specific acts or practices in its security and privacy orders, rather than relying on broad requirements that companies implement comprehensive security or privacy programs.

Click here to read our complete WSGR Alert on the Eleventh Circuit’s LabMD decision.