As seasoned data privacy and biometric litigators are already aware, the United States does not have a comprehensive federal law regulating the collection, processing, disclosure, and security of personal information (“PI”)—typically defined as information that identifies, or is reasonably capable of being linked to, an individual.  Rather, a patchwork of federal and state sectoral laws regulate the collection, processing, disclosure, and security of PI depending on the industry of the organization, the nature of the data in question, and other criteria.  Moreover, some states such as California have recently passed (or are considering passing) their own, comprehensive consumer privacy laws regulating the collection, processing, disclosure, and security of PI across sectors.  In many instances, these statutes include a private right of action with liquidated statutory damages, making them frequently relied upon by plaintiffs’ attorneys, including in the putative class action context.  The Illinois Biometric Information Privacy Act (“BIPA”) regulating the collection, processing, disclosure, and security of the biometric information of Illinois residents is just one example.

The net effect of this patchwork system is that data privacy and biometric litigation is constantly in a state of flux.  Experienced practitioners stay abreast of these developments in real time, for a complete understanding of their clients’ litigation risk and the most up-to-date arguments and strategies to defeat data privacy and biometric class actions and related disputes.  An overview of frequently litigated US data privacy and biometric laws is provided below.  Note that some statutes do not themselves include a private right of action, although they may be invoked by plaintiffs for reasons explained below.

Federal Privacy Laws

The US has several federal privacy laws that are limited in application either to specific industries or specific types of PI.  Several of these laws provide for a private right of action and the recovery of attorneys’ fees.  There are also laws at the federal level that generally prohibit unfair or deceptive practices, which can be applied to business practices in both the data privacy and biometric contexts.

Sectoral Privacy Laws

The following are brief descriptions of the most consequential federal sectoral privacy laws.

HIPAA: Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191

HIPAA establishes national standards to protect certain health-related PI from being disclosed without the patient’s consent or knowledge.  HIPAA is enforced by the Office of Civil Rights (“OCR”) within the US Department of Health and Human Services (“HHS”), and OCR refers potential criminal violations of HIPAA to the US Department of Justice (“DOJ”).  The range of potential civil fines for violations of HIPAA depends on the covered entity or business associate’s degree of knowledge of the violation; the maximum penalty for willful violations is over $50,000 per violation with an annual cap of over $1.5 million for repeated violations.  Although HIPAA does not contain a private right of action, plaintiffs often use a business’s alleged failure to comply with HIPAA standards to support state law claims, such as negligence or breach of contract.  More information on litigation considerations related to HIPAA is available here.

Securities Law: Securities Fraud and Shareholder Derivative Actions

Data privacy litigation also frequently arises in the securities context.  The first set of circumstances in which such disputes are brought concerns application of the Securities and Exchange Commission (“SEC”) Rule 10b-5, 17 C.F.R. 240.10b-5.  Rule 10b-5 prohibits persons from making material misrepresentations or omissions in connection with the purchase or sale of a security.  The SEC has the power to enforce Rule 10b-5, but the litigation risk comes from potential shareholder suits: suits where a shareholder brings an action to recover the damages caused by a misrepresentation or omission—including in relation to an organization’s data privacy and cybersecurity practices.  The second set of circumstances in which disputes are brought in the data privacy and cyber arena concerns shareholder derivative actions.  In a derivative action, a shareholder—nominally asserting a right belonging to the corporation that the corporation failed to enforce—brings suit against a third party.  Most notably, derivative actions may be brought against a corporation’s directors or officers in their personal capacity, for example for the directors’ or officers’ breach of fiduciary duty.  A recent trend in securities class actions has been derivative shareholder suits in the wake of data events and cyberattacks.  In these cases, shareholders allege that directors or officers breached their fiduciary duty by failing to implement proper data security prevention or investigation procedures, or by delaying in reporting data events.

FCRA: Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

The FCRA requires that “consumer reporting agencies” adopt reasonable procedures regarding the confidentiality, accuracy, relevancy, and proper use of PI included in consumer reports that are sold for determining eligibility for employment, for credit or insurance underwriting, and for certain other purposes described in the FCRA.  The FCRA also includes several protections for consumers, including the rights: to be told if PI in a credit report has been used against the consumer; to know what is in the file that a consumer reporting agency maintains about the consumer; to obtain the consumer’s credit score; and to dispute incomplete or inaccurate PI and to have such PI removed or corrected.  The FCRA imposes certain obligations on users of consumer reports and on furnishers of PI to consumer reporting agencies, to the extent such PI is intended to be used in a consumer report.  Importantly, the FCRA contains a private right of action which allows individuals to seek 1) actual damages between $100 and $1,000, 2) punitive damages, and 3) attorney’s fees.  15 U.S.C. § 1681n(a).  These incentives for private enforcement, along with the availability of the class action device, have made FCRA a frequently litigated data privacy law.  More information on developments in FCRA litigation is available here.

GLBA: Gramm-Leach-Bliley Act, Pub. L. No. 106-102 (1999)

GLBA, in addition to removing many prohibitions on combinations of financial institutions, regulates the collection, use, disclosure, and security of “nonpublic personal information” (“NPI”) collected by “financial institutions.”  “Financial institution” is defined to include banks, insurance providers, mortgage lenders, credit counselors, and other businesses engaged in “financial activity.”  There are three components of the GLBA’s regulation of the privacy and security of NPI: the Financial Privacy Rule, the Safeguards Rule, and certain prohibitions on “pretexting.”  The GLBA does not have a private right of action, but affected individuals in some states may bring actions under laws forbidding unfair or deceptive acts or practices (described below) for a financial institution’s violation of its privacy notices or failure to keep NPI secure.

TCPA: Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227

The TCPA regulates telemarketing calls, auto-dialed calls, prerecorded and artificial voice messages, text messages, and unsolicited faxes.  Among other requirements, companies engaged in telemarketing must maintain an internal do-not-call registry and respect opt-out requests on the National Do Not Call Registry.  The TCPA is noteworthy in that it provides a private right of action and allows plaintiffs to recover the greater of actual damages or $500 for a violation.  This private right of action, along with the TCPA’s complex consent requirements and exceptions, has led to an avalanche of litigation in both state and federal courts.  For extensive coverage of TCPA litigation and insights into TCPA compliance, see our blog TCPAWorld.

ECPA: Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510, et seq.

The ECPA was passed as an update to the federal wiretap statute in order to apply to communications transmitted electronically.  Title I of the ECPA generally prohibits interception or recording of wire, oral, or electronic communications.  Title I also provides a process for law enforcement to intercept communications under judicial supervision.  Title II of the ECPA is known as the Stored Communications Act (“SCA”) and is concerned with access, rather than interception.  The SCA makes it unlawful to 1) access an “electronic communication service” without authorization or 2) exceed authorization to “obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage.”  18 U.S.C. § 2701.  The ECPA is a criminal statute, but affected individuals also have a private right of action under both Title I and Title II.  18 U.S.C. §§ 2520, 2707.  Plaintiffs may obtain actual or statutory damages per violation, punitive damages, and attorneys’ fees.  Because of the ubiquity of technology monitoring by employers, among other practices, data privacy litigators should be familiar with the ECPA and the scope of its exceptions.  More information on developments in ECPA litigation is available here.

DPPA: Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq.

The DPPA prohibits a state’s department of motor vehicles and its contractors from disclosing a driver’s “personal information”—defined to include, among other things, an individual’s name, photograph, social security number, telephone number, and driver’s license number—for any reason other than a proper purpose as enumerated by statute.  The DPPA grants a private right of action to any person whose personal information is knowingly obtained, disclosed, or used for a purpose not permitted under the statute (which expressly authorizes use of driver information for insurance support organizations and for use by government agencies in carrying out their official functions, among others).  Plaintiffs may recover 1) minimum liquidated damages of $2,500, 2) punitive damages for willful or reckless violations, and 3) attorneys’ fees and costs.  More information on developments in DPPA litigation is available here.

VPPA: Video Privacy Protection Act, 18 U.S.C. § 2710

The VPPA was enacted to prevent the wrongful disclosure of video tape rental or sale records.  The VPPA prohibits any “video tape service provider” from knowingly disclosing rental information, outside the ordinary course of business and certain other limited circumstances, absent express, time-limited, written consent, and it also limits data retention.  The VPPA has been interpreted to include internet video streaming services as “video tape service providers.”  Like the DPPA, the VPPA grants a private right of action to any person whose information is disclosed in violation of the act.  The VPPA similarly provides for 1) $2,500 in liquidated damages, 2) the potential for punitive damages, and 3) attorneys’ fees.

Prohibitions on Unfair or Deceptive Acts and Practices Relating to Privacy and Biometrics

FTC Act: Federal Trade Commission Act, 15 U.S.C. § 41, et seq.

Section 5 of the FTC Act prohibits deceptive or unfair commercial practices by those subject to the jurisdiction of the FTC.  Under Section 5, the FTC has aggressively pursued privacy and data security cases in myriad areas, including against social media companies, mobile app developers, data brokers, ad tech industry participants, retailers, and companies in the “Internet of Things” space.  In order to prove a privacy or security allegation under Section 5, the FTC must show that a company’s conduct is either 1) “deceptive” or 2) “unfair.”  Although Section 5 contains no private right of action, it is frequently cited in support of negligence per se claims in data privacy litigations (among others) as evidence that a defendant’s data privacy practices fell short of industry standards.

State Privacy and Biometric Laws

The 2018 enactment of the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.100 et seq., introduced into American law a comprehensive data privacy regime similar to the EU’s General Data Protection Regulation (“GDPR”).  The CCPA, which went into effect in 2020, required most US businesses to engage in a meaningful review of their information management programs and data processing agreements with vendors and other third parties.  These data policy reviews have since only become more imperative with the enactment of two other state comprehensive privacy regimes.  Because there is no comprehensive federal privacy regime and most federal sectoral privacy laws have no preemptive effect, businesses must be prepared to comply with multiple states’ privacy regimes.

Similarly, the lack of a preemptive federal privacy law means that non-comprehensive privacy and security laws in the 50 states can impose requirements stricter than federal law or in areas unregulated by federal law.  Biometric information is one such area regulated by state law that presents a significant private litigation risk beyond state-monitored compliance requirements.

Comprehensive State Privacy Laws

Beginning with the CCPA, several states have enacted comprehensive privacy laws akin to the GDPR that grant rights to individual consumers for all consumer PI.  While these laws (and proposed legislation in other states) are similar, there are still significant differences, especially following the 2020 ballot initiative that amended the CCPA.  And in any event, California’s law continues to stand apart from other states through its inclusion of a private right of action for certain violations, as set forth below.

CPRA: California Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq. (fully effective 2023)

The CPRA was enacted through a ballot initiative in 2020 as an amendment to the CCPA.  The CPRA, which will go into full effect on January 1, 2023, created new individual rights and strengthened enforcement efforts, and was seen as a victory for many privacy rights advocates.

Under the CCPA and CPRA, a “consumer”—a resident of California—has several rights regarding his or her “personal information”, defined broadly.  Under the CCPA, consumers have the right to: an initial privacy notice at or before the point of collection; opt out of “sales” of data, broadly defined; request disclosure of a business’s PI practices, including categories of PI shared with third parties; access their PI in a useable format; request deletion of PI in many circumstances; and not be discriminated against for exercising any right under the CCPA.  The CPRA adds additional rights, including the right to: restrict the use of “sensitive information”, enumerated categories of PI; correct PI; have PI stored no longer than necessary; have only necessary categories of PI collected; and opt out of advertising use of precise geolocation data.  The CCPA applies to businesses that either 1) have annual global revenue in excess of $25 million, 2) buy, sell, or share PI of at least 50,000 residents, households or devices, or 3) derive greater than 50% of their revenue from sale of PI.  The CPRA raises the second threshold to 100,000 residents or devices, but also includes businesses that derive greater than 50% of their revenue from selling or “sharing” PI.  Critically, the CPRA will also apply to the PI of employees, contractors, and persons in connection with a business-to-business transaction after an existing carve-out in the CCPA expires on January 1, 2023.

Currently, the CCPA as a general matter is enforced by the Attorney General, and businesses have a 30-day period to cure violations after notice from the Attorney General.  The passage of the CPRA, however, has established a new agency called the California Privacy Protection Agency that will be tasked with rulemaking and enforcement under the CPRA (similar to a Data Protection Authority under the GDPR).  The creation of an agency with dedicated funding and staffing, as well as the CPRA’s elimination of the 30-day cure period, has significantly increased the enforcement risk for businesses.  The CCPA and CPRA also provide a narrow private right of action for data events.  California also became the first state to provide liquidated statutory damages—between $100 and $750 per individual per incident—for individuals whose PI was involved in a data event.  Read more information on developments in CCPA and CPRA.

Biometric Laws

While other jurisdictions, including Texas and New York City, have enacted biometric-specific laws, the most significant US law regulating the use of biometric information is Illinois’s Biometric Information Privacy Act (“BIPA”).

BIPA: Illinois Biometric Information Privacy Act 740 ILCS 14/1, et seq. (2008)

BIPA regulates the collection, storage, and sale of any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifiers (such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) and used to identify an individual.

Unlike most other biometric laws, BIPA provides for a private right of action for violations.  740 ILCS 14/20.  Plaintiffs can seek actual damages, liquidated damages of $1,000 per violation for negligent violations, or $5,000 per violation for intentional or reckless violations.  A court may also award reasonable attorney’s fees and litigation costs.  Due in part to these incentives and a series of plaintiff-friendly decisions from both the Illinois Supreme Court and the federal Courts of Appeals, BIPA litigation has significantly increased in recent years.  BIPA will continue to have a material impact on the privacy landscape because of the scope of biometric information it protects and the routine ways in which this data is now collected.  While BIPA actions have been brought against software and artificial intelligence developers, businesses in other industries—including fast food, trucking, and manufacturing—have also been subject to suits for their use of employee or customer biometric information to improve business operations.  Significant questions regarding BIPA’s statute of limitations and the possibility of federal preemption are still unresolved.  More information on developments in BIPA litigation is available here.

Other State Sectoral Privacy Laws

States have enacted numerous laws touching on data privacy to address particularized issues, including laws on call and video recording, passive monitoring, employee privacy, educational technology targeting students, automated license plate readers, collection of driver’s license or DMV data, certain purchase transactions, social media access, and geolocation tracking.  Some state laws are similar in scope to several of the federal laws discussed above—including HIPAA, ECPA, FCRA, and VPPA—but impose additional requirements not found in the analogous federal law.

The following are brief descriptions of the most consequential state sectoral data privacy laws.

CIPA: California Invasion of Privacy Act, Cal. Penal Code § 630 (1967)

Like Title I of the federal ECPA, the CIPA prohibits surreptitious interception and recording of telephonic communications.  Unlike federal law, the CIPA requires the consent of all parties, not just one, before a communication can be recorded (subject to certain enumerated exceptions).  Because of “two-party consent” states like California, businesses recording phone calls announce at the beginning of every call that it may be monitored or recorded.  The CIPA provides for a private right of action, and plaintiffs may seek damages in the amount of either $5,000 per violation or treble actual damages.  Cal. Penal Code § 637.2.  Recent innovations in telecommunications technology, including smart home devices that constantly listen for an activation phrase in order to record voice commands, have been the basis for several recently filed CIPA class actions.

CMIA: California Confidentiality of Medical Information Act, Cal. Civ. Code § 56, et seq.

The CMIA is a privacy law that applies to “medical information” in the possession of, or derived from, certain health care entities.  Like the HIPAA Privacy Rule, the CMIA prohibits disclosure of medical information by health care providers absent authorization or an exception.  The CMIA also grants patients the right to access a copy of their records.  The CMIA is broader than HIPAA in several respects, including the entities covered.  For example, businesses that offer software or hardware designed to maintain medical information are treated as a “provider of health care” subject to CMIA.  Cal. Civ. Code § 56.06(b).  And in stark contrast to HIPAA, CMIA provides for a private right of action for individuals whose data were disclosed in violation of the act, with the penalties differing depending on the defendant’s knowledge of the violation.  Some negligent violations entail a liquidated damages penalty of $1,000 per violation, while some willful violations can be up to $250,000.  Because of the CMIA’s significant penalties for defendants, the CMIA’s private right of action, and the number of California residents, the CMIA will likely continue to be involved in many data event cases in the healthcare space.

Common State Privacy Laws

All 50 states have statutes similar to Section 5 of the FTC Act, known as Unfair and Deceptive Acts and Practices (“UDAP”) laws.  While UDAP laws vary from each other in many respects, one key difference is that several states allow for private enforcement in addition to enforcement by the state’s Attorney General.  Combined with the possibility of the class action device, these UDAP laws significantly increase the litigation risk for any business that suffers a data event or fails to follow its published privacy notice.

With respect to data events, all states and territories have laws requiring notification under certain circumstances.  While these laws share common provisions, there are divergent requirements with respect to the timing, contents, and addressees of data event notices, such that a state-by-state approach is necessary.  Some state laws, including those of California and Massachusetts, provide for a private right of action.  California also became the first state to provide liquidated statutory damages—between $100 and $750 per individual per incident—for individuals whose PI was subject to a data event.  Finally, a majority of states mandate that businesses implement procedures protecting the privacy of PI in connection with the disposal of PI.  Several of these statutes provide for a private right of action for individuals injured by a violation.