Massachusetts’ Highest Court Signals Willingness to Scrutinize State Wiretapping Laws and Knock Out Claims at the Pleading Stage

For the past few years, hundreds of companies have been caught in a wave of privacy class actions relying on decades-old wiretapping laws to attack modern website technologies and business tools. Last week, Massachusetts’s highest court engaged in a thorough assessment of that state’s wiretap law and rejected plaintiff’s argument that commonly used website advertising and analytical tools intercepted “communications” in violation of the law. The basis for the suit is not novel — hundreds of similar cases have been filed in the past few years. But the Supreme Judicial Court’s willingness to engage in a deep analysis of the wiretapping law early in the case is noteworthy.

(more…)

New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies

On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls and a consumer-focused Consumer Guide to Tracking on the Web, are available on the Office of the New York State Attorney General’s (the “OAG’s”) website. The Business Guide to Website Privacy Controls is instructive for businesses operating websites available in the state. The OAG’s announcement is made amid increasing regulatory scrutiny, including by the FTC, as well as increased litigation centered on the use of online tracking technologies.

(more…)

A New Wave of Class Actions: The Genetic Information Privacy Act

Largely dormant for the last 25 years, Illinois’ Genetic Information Privacy Act (GIPA) has been sharing the limelight recently with its sibling, the Biometric Information Privacy Act. (BIPA). GIPA includes a number of restrictions related to the use and disclosure of genetic testing and genetic information, and it provides a private right of action and permits recovery of steep statutory damages. In 2023 alone, over 50 GIPA complaints were filed, and new suits continue to be filed in 2024. In this article, published on AML Law.com, Sidley lawyers Kathleen Carlson, Lawrence Fogel, and Colleen Brown explore some of GIPA’s emerging issues and unanswered questions.

(more…)

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

(more…)

New Hampshire’s Comprehensive Data Privacy Legislation

As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.

(more…)

Regulatory Update: National Association of Insurance Commissioners Fall 2023 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Fall 2023 National Meeting (Fall Meeting) from November 30 through December 4, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Fall Meeting. Highlights include adoption of a new model bulletin addressing the use of artificial intelligence in the insurance industry, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and continued discussion of considerations related to private equity ownership of insurers.

(more…)

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1

(more…)

Regulatory Update: NAIC Summer 2022 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Summer 2022 National Meeting (Summer Meeting) August 9–13, 2022. This post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Summer Meeting. Highlights include a proposal for a new consumer privacy protections model law, continued discussion of considerations related to private equity ownership of insurers, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and initiatives to address climate risks in the insurance sector.

(more…)

Utah Joins the Comprehensive Privacy Law Club

Utah has become the fourth state, following California, Virginia and Colorado, to enact a comprehensive consumer data privacy law.  The Utah Consumer Privacy Act (“UCPA”), formerly known as Senate Bill 227, passed the Utah Senate and House with no opposition, and was signed by Governor Cox on March 24, 2022.

The UCPA shares many similarities with Virginia’s Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), and some similarities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). That said, the UCPA is somewhat narrower and more business friendly than other state privacy law analogs. The UCPA will go into effect on December 31, 2023. (more…)

California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims

In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request.  The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain why an inference constitutes a trade secret with greater particularity.  We highlight below some of the more instructive elements of the opinion that provide insight into potential future enforcement. (more…)