2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.
Data Privacy Regulatory Enforcement Trends
Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.
An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent. The allegations note that the app included a “Kids” category that was targeted to children. The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
State Attorneys General have also actively enforced COPPA. The New Mexico Attorney General in August announced a federal lawsuit accusing the developer of the “Angry Birds” mobile gaming franchise of illegally collecting data under COPPA. The lawsuit alleged that the developer, Rovio, knowingly collects the personal information of children under 13 who play the game. The allegations also state that Rovio sends the information to third-party marketing companies.
Another key area of focus for the FTC was health apps. The FTC finalized a settlement with Flo Health Inc., following allegations that Flo Health shared the health information of its users with outside data analytics providers after promising the information would remain private. According to the allegations, Flo Health gave users’ health information to third parties, including Google, LLC and Facebook, Inc., through its Facebook Analytics tool. The allegations further state that Flo Health agreed to each company’s standard terms of service and allowed the third parties to use users’ personal health information widely, including for advertising.
The FTC also focused on health apps outside of the enforcement context. In September, the FTC issued a policy statement requiring health apps and connected devices that collect or use consumers’ health information to comply with the Health Breach Notification Rule. The change requires health apps and connected devices to notify consumers and others when their health data is breached.
Data Privacy Litigation Trends
Major decisions in data privacy litigation in 2021 focused primarily on state law causes of action, with the Illinois Biometric Privacy Act (BIPA) and California Invasion of Privacy Act (CIPA) producing interesting litigation results.
Litigation under BIPA continued to keep courts busy in 2021, with significant decisions clarifying the scope of BIPA. In Tims v. Black Horse Carriers, Inc., an Illinois state appellate court clarified that the statutes of limitation applicable to BIPA claims vary depending on the nature of the claim. The court determined that the one-year limitation period applied to privacy actions that contained a “publication” element, whereas violations of Section 15(a)’s retention policy, Section 15(b)’s informed consent, and Section 15(e)’s data safeguarding requirements have a five-year limitation period. And in McGoveran v. Amazon Web Services, Inc., the District of Delaware dismissed a BIPA claim against Amazon Web Services (AWS) and Pindrop Security on extraterritoriality grounds, holding that the plaintiffs’ location in Illinois, where their biometric data was allegedly collected, was not enough to establish conduct by the defendants in Illinois.
In 2021, California courts grappled with interesting applications of CIPA. CIPA was originally conceived as a wiretapping statute, but creative plaintiffs’ counsel are now testing the bounds of how CIPA may be applied to internet communications. In Brown v. Google, the Northern District of California denied a motion to dismiss a putative class action brought against Google asserting violations of CIPA and the federal Wiretap Act over Google’s alleged collection of data from users browsing in incognito mode. In Silver v. Stripe, the Northern District of California granted in part and denied in part Stripe’s motion to dismiss a suit alleging violations of California, Florida, and Washington wiretap laws due to Stripe’s role as a payment processor on Instacart’s website.
Several cases were litigated in 2021 involving CIPA Section 631 and session replay software, which collects data about a user’s interactions with a website that the website operator can later view. Plaintiffs have contended that this practice amounts to eavesdropping on communications between websites and their website users. The Northern District of California has dismissed three such cases — Graham v. Noom, Johnson v. Blue Nile, and Yale v. Clicktale — holding that the software companies are service providers serving as extensions of the website operators, and that they therefore fall under Section 631’s party exception. But the Central District of California in Yoon v. Lululemon and Saleh v. Nike held that the claims could proceed past the motion to dismiss stage. Until the Ninth Circuit weighs in, this area of the law remains unsettled.
The Inside Privacy Blog will continue to monitor data privacy regulatory enforcement and litigation, looking to identify the significant trends in 2022.