Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

The Federal Trade Commission’s Bureau of Competition and the Department of Justice Antitrust Division released a joint statement reiterating document preservation obligations for companies and individuals that are the subject of government investigations and litigations, emphasizing messaging platforms, such as Slack and Google Chats, that automatically delete communications. Both agencies announced updated language in their standard preservation letters, specifications for “second requests” used in pre-merger review under the Hart-Scott-Rodino Act, voluntary access letters, and grand jury subpoenas, to address these instant messaging platforms. The agencies emphasized that companies’ obligation to preserve information on such platforms is nothing new, explaining their clarification is to prevent companies from feigning ignorance if communications are not preserved after preservation obligations are triggered.

With great promise comes great scrutiny. As artificial intelligence (“AI”) has become part of industries’ and individuals’ daily repertoire, it has also come under focus by antitrust regulators. The DOJ, in its so-called “Project Gretzky,” is gearing up with data scientists and others to be a tech-savvy version

This year has seen a tremendous spike in the number of cases alleging violations of the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, a statute enacted in 1988 in response to the Washington City Paper’s publication of a list of films that then-Supreme Court nominee Robert Bork had rented from a video store. The statute was originally intended to “allow[] consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”

Class action lawsuits accusing companies of violating the Illinois Biometric Information Privacy Act (“BIPA”) have more than doubled following a February 2023 ruling by the Illinois Supreme Court, which found, based on a plain reading of the statute, a separate claim accrues each time a person’s biometric identifier is scanned in violation of the statute.  

Increasing oversight of tech companies, particularly in the realm of consumer privacy, has been a rare example of bipartisan agreement. Despite data privacy being a growing concern for consumers, however, there has been relatively little federal policymaking. To counteract this lack of action, some states have stepped in to fill this void—and have enacted policies that could have large impacts on how businesses operate. The rapid rate at which these laws are being enacted – eleven have been enacted– indicates states are taking an increasingly protective view of consumers’ data privacy. Businesses need to be prepared to comply with these new mandates, or risk costly enforcement measures.

On November 25, 2020, a shareholder of First American Financial Corporation (“First American”) filed suit against the company and its officers and directors over a massive data security breach that exposed hundreds of millions of sensitive customer records. The shareholder derivative action, filed by Norman Hollett in Delaware federal court, alleges breaches of fiduciary duties, unjust enrichment, abuse of control, gross mismanagement, waste of corporate assets, and multiple violations of the Securities Exchange Act of 1934, all relating to the failure to contain and timely disclose the breach.