Posts Tagged: "data privacy"

Where Trade Secrets and Data Privacy Strategies Overlap

Innovation continues across industries at a rapid pace. Many companies maintain highly valuable trade secrets and private data that provide them with a competitive market advantage. The rapidly evolving technological landscape, however, leads to new and more sophisticated threats to a company’s trade secrets and other private information. Whether organizations are equipped to confront this challenge is an open question.  

Wearables and Personal Data: Risks, Considerations and Protections

With each new year comes an uptick in purchases of workout equipment, blenders, gym memberships and wearable devices of all shapes and sizes. Plans are made and uploaded to a wearable device—including smart rings, shoes and bands—and its accompanying app to track progress. These devices and apps share information with each other and across platforms, tracking a person’s diet, sleep or even sexual activity.

Class Action Suit Against OpenAI Underscores Valuable Property Right Consumers Hold in Their Personal Data

On June 28, a group of 16 individuals filed a class action complaint in the Northern District of California against generative artificial intelligence (GAI) developer OpenAI on several alleged violations of federal and state law on privacy, unfair business practices and computer fraud. The class action lawsuit’s discussion on property interests in consumer data underscores the intellectual property issues that have arisen since the advent of generative AI platforms like ChatGPT, which scrapes personal data and IP-protected material to train its GAI systems.

Lessons for Brand Owners from the First CCPA Financial Penalty

International cosmetics retailer Sephora has agreed to pay $1.2 million to settle allegations that the company failed to cure violations of the California Consumer Privacy Act (CCPA). The settlement is the first CCPA enforcement action resulting in financial penalties from the California Attorney General’s office and elucidates the Attorney General’s view of how the use of website analytics and advertising trackers involves “sales” of personal information.

The EU Is Throwing Stones in the Data Lake by Regulating AI – What Global Companies Need to Do Now to Prepare

High-stakes artificial intelligence (AI) is becoming even higher risk in the European Union, where AI regulation efforts are underway that could cost your company up to 6% of its total worldwide revenues—more than the potential penalties for privacy violations under the EU’s General Data Protection Regulation (GDPR). On April 21, 2021, the European Commission proposed rules for regulating AI (the “AI Act” or “Act”), to which the European Parliament recently released proposed amendments on April 20, 2022. The Act may undergo a series of additional amendments, but a final text is nearing completion and European countries are starting to act in anticipation of the regulation. Companies should plan for the comprehensive act to become law and begin implementing best practices now to ensure a competitive advantage. Below is an overview of the AI Act’s key provisions that takes into account the Parliament’s recent changes.

Machine Learning Models and the Legal Need for Editability: Surveying the Pitfalls (Part II)

In Part I of this series, we discussed the Federal Trade Commission’s (FTC’s) case against Everalbum as just one example where companies may be required to remove data from their machine learning models (or shut down if unable to do so). Following are some additional pitfalls to note. A. Evolving privacy and data usage restrictions Legislators at the international, federal,…

The Great Digital Healthcare Reset

While the COVID-19 pandemic has changed every aspect of our lives, digital transformation in healthcare has accelerated above others. The pandemic has changed the healthcare delivery paradigm from human to digital platforms faster than Klaus Schwab could have imagined. In 2016, the World Economic Forum chairman coined the phrase “Fourth Industrial Revolution,” envisioning the combination of fourth industrial-era technologies in hardware, software, and biology, or cyber-physical systems. These new technologies, leveraging advances in communication, connectivity, and computing power, would usher in a more efficient way to live, work, and socialize. Who knew that the horrific circumstances triggered by a global pandemic could accelerate an evolution that might have taken 20 years and condense it into a single year? Healthcare has gone digital, and there is no going back now.

Designing Data Privacy and Protection for Competitive Advantage

In these times, businesses are increasingly data driven and privacy regulations are continually being updated to keep pace. As an entrepreneur, of the many operational checkpoints that come with starting and growing a business, managing your privacy notices and programs is something that can fall by the wayside. But given the increasing scrutiny from a privacy standpoint from investors, regulators, and the public at large, early attention to and investment in sustainable privacy practices can pay dividends as you grow and avoid some potentially disastrous pitfalls.

Lessons From TikTok’s Latest Privacy Trouble with Tweens

Notwithstanding its negative effects on the world at large, COVID-19 quarantine has been a boon to a growing group of entertainment-based apps and services. Netflix, Amazon, Zoom, and Instagram are a few of the best-known apps that many have used to break the monotony of pandemic-induced isolation. TikTok is also on the list of apps experiencing a growth surge, though chances are that your kids are more likely to have participated in a viral TikTok dance challenge than you. Unfortunately for the Chinese-owned company, this popularity among the tween-and-under set is the source of its ongoing struggles with privacy advocates and regulators.

Over-Stretched and Under-Resourced: General Data Protection Regulation Two Years On

In 2018, after years of planning, the General Data Protection Regulation (GDPR) was introduced by authorities across Europe. It aimed to modernize the laws that protect individuals’ private information; laws which hadn’t been updated for nearly two decades. The GDPR was designed to give formidable power to data protection authorities. The threat of fines of up to €20 million or up to 4% of an organization’s global annual turnover (depending on which is greater) had been established. Two years on, although there have been over 160,000 data breaches reported, only a small number of companies have been issued with a punishment…. Enforcement has indeed varied widely across countries, and last year we caught a glimpse of what the data breach landscape may look like in terms of fines in the UK. The Information Commissioner’s Office (ICO) has issued intentions to fine British Airways £183 million, in addition to a potential £3 billion compensation pay-out, after the personal data of around 500,000 customers was exposed from their website and app. Marriott have also been issued with an intention to fine in the sum of £99m. In comparison, almost a third of countries reportedly have yet to issue a single fine.

Privacy Policies and the Value of Data in Bankruptcy Sales

The last few years have seen unprecedented changes in the legal landscape concerning data protection and privacy. The European Union General Data Protection Regulation (GDPR) became enforceable in May 2018. In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and it became effective January 1, 2020. In response to the GDPR and the CCPA, many businesses are updating their privacy policies to comply with these laws. While crafting these updates, drafters should be cognizant of the effect such policies could have not only in the short term, but also down the road. For example, in the bankruptcy context, the content of a company’s privacy policy is important. If a privacy policy does not inform customers that their data may be sold in a bankruptcy proceeding, courts are likely to impose restrictions on the sale of that data. These restrictions can significantly decrease the value of such assets. Because of this reality, drafters should keep a few considerations in mind as they update privacy policies to comply with new laws and maximize the value of data assets.

Does ‘Scraping’ Data Violate the Computer Fraud and Abuse Act?

We live in a world where data has become an increasingly valuable asset and huge companies are built on the collection and analysis of publicly available data. Yet, there is no federal statute that directly protects this type of information or even directly addresses how this information should be treated. Instead, businesses are often forced to rely on the Computer Fraud and Abuse Act (CFAA) in order to protect this valuable asset or commodity, which originally only provided criminal sanctions and was enacted to address computer hacking. Most recently, the Ninth Circuit in hiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website. There, the court determined on hiQ’s motion for preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible and hiQ thus did not access the computers “without authorization” as required by the CFAA. Under these circumstances, the court determined that it did not matter that LinkedIn had sent a cease and desist letter to hiQ prohibiting such access. This is a potentially very important decision for companies on both sides of this issue and for the general public, at least in the Ninth Circuit.

This Week in Washington IP: Fraudulent Trademarks, Facial Recognition Technology and Implementing MOBILE NOW for 5G Wireless Spectrum

This week in Washington, D.C., the Senate Subcommittee on Intellectual Property holds a hearing to look at ways to reduce the number of fraudulent trademark application filings that have been making their way to the U.S. Patent and Trademark Office. Other Senate committee hearings will focus on legislative proposals to protect consumer data privacy and promote the availability of wireless spectrum for 5G networks. Over in the House of Representatives, the Artificial Intelligence Task Force will convene a hearing to look into concerns related to the use of artificial intelligence technologies in the financial services industry. Elsewhere in D.C., both The Brookings Institution and the Information Technology and Innovation Foundation will host events discussing the use of facial recognition technology in the public and private sectors. 

Adding a Cybersecurity Plan to the Business Plan: Cybersecurity and IP Considerations for Startups

Imagine the following scenario: You have an idea for a new mobile application. As adoption of the app picks up, so does your business, and you hire more employees to provide sales and support assistance. You are on your way to transforming your startup into a successful business. Needing additional capital to scale the business more quickly, you identify a strategic partner interested in investing in your business. Before you can close on the funding, several employees report that they did not receive their paychecks through the direct deposit system. The investigation reveals that several months ago, your organization received a series of spear phishing emails. You learn that multiple employees opened the email and its attachment, giving the cybercriminals access to your systems. Not only are you out the payroll money, but you also learn that in addition to your employees’ banking information, the criminals had access to your customer contact information and the source code for your app. A cyberattack is an unwelcome event for any company, but the effects can be especially detrimental to a startup, with 60% or more of small businesses that experience a data breach going out of business within a year of the breach. It is impossible for any size business to guarantee a system that is fully secure. However, not all companies have millions of dollars to invest in cybersecurity, and by allocating even limited funds to assessing your data privacy risks, implementing a protection plan and creating an incident response plan, a startup can significantly improve its chances of surviving a cyberattack.

Delrahim, Simons Caution House Subcommittee Against Drawing Bright Lines on Antitrust Enforcement of Big Tech

The House Subcommittee on Antitrust, Commercial, and Administrative Law yesterday heard from Joseph Simons, Chairman of the Federal Trade Commission, and Makan Delrahim, Assistant Attorney General in the Department of Justice’s Antitrust Division, as part of the Subcommittee’s fourth hearing in its “Online Platforms and Market Power” series. The latest hearing focused on the perspectives of the antitrust authorities, while previous hearings have examined the effects of the big tech companies on innovation and entrepreneurship; online platforms’ effect on a free and diverse press; and the role of data and privacy in competition. While both Delrahim and Simons said they are aggressively investigating and monitoring dominant platforms like Facebook and Google, they warned against overreach. Subcommittee Chair David Cicilline (D-RI) expressed his concern that, over the past decade, the largest tech firms have acquired more than 436 companies, “many of which were actual or potential competitors,” without intervention from antitrust enforcement authorities. The last major monopolization case was brought in 2001 against Microsoft, Cicilline noted. “This has created a de facto antitrust exemption for online platforms,” he said, questioning whether the failure lies in the need for congressional action to amend and strengthen existing laws, a lack of agency resources to effectively combat the problem, or simply a lack of will to enforce the laws on the books.