Can unionized employees sue their employers in court for violations of Illinois’ Biometric Information Privacy Act (BIPA)? In a rare victory for BIPA defendants, the Illinois Supreme Court unanimously ruled they cannot.
Continue Reading Illinois Supreme Court Finds Federal Law Labor Preempts Union Members’ BIPA Claims

Companies are continuing to find it hard to navigate the legal landscape of website accessibility. Plaintiff’s lawyers argue that “inaccessible” websites or mobile apps fail to comply with the Americans With Disabilities Act or similar state laws. This despite the absence of standards for website accessibility in these laws. Similarly, while the Department of Justice does not have a regulation setting out detailed website accessibility standards, the Department’s position has been that the Americans with Disabilities Act’s general nondiscrimination and effective communication provisions apply to web accessibility. …
Continue Reading The Rough Waters of Website Accessibility

Three days. Starting September 1, 2023, that is all federally insured credit unions will have to report cyber incidents.
Continue Reading 72 hours: The NCUA’s New Cyber Incident Reporting Requirement

February 2023 was a momentous month for Illinois’ Biometric Information Privacy Act (BIPA). Just two weeks after imposing a 5-year time limit for all BIPA claims, the Illinois Supreme Court resolved another pressing issue. In Cothron v. White Castle System, Inc., the Illinois Supreme Court considered whether a BIPA claim accrues every time a company scans or transmits a person’s biometric identifier (e.g., fingerprint) without consent. In a closely divided 4-3 ruling, the Court answered “yes.”…
Continue Reading Illinois High Court Rules “Per-Scan” Damages Can Be Awarded Under BIPA

The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods.
Continue Reading CPRA Update: Moving Toward Finalization

The California AG announced an investigative sweep of mobile apps, as we reported in our sister blog. The investigative focus is on companies in the retail, travel and food service industries who may not be complying with the California Consumer Privacy Act (CCPA). As we have written previously, the California law requires entities to provide individuals with a myriad of rights, including as it relates to “sale” of personal information.
Continue Reading Mobile Apps Beware!: California AG’s Current Privacy Sweep

A plaintiff has her fingerprints forever. But she doesn’t have forever to file a lawsuit for improper retention, deletion, collection, or use of her fingerprints. For years, Illinois courts have been perplexed on what statute of limitations applies to different claims under the Illinois Biometric Information Privacy Act (“BIPA”). That left an unanswered question: how long does a plaintiff have to file a BIPA claim before losing it? The Illinois Supreme Court weighed in last week, siding with the plaintiffs’ bar. In Tims v. Black Horse Carriers, Inc., that Court held that plaintiffs have five years to file any…
Continue Reading Illinois High Court Allows Biometric Privacy Claims to Go Back Five Years

The UK’s new Code of Practice for App Store Operators and App Developers provides companies with privacy-related resources. It also highlights ICO privacy expectations. Participating in the code is done by voluntarily complying with it (it is not mandatory). The UK Department for Digital, Culture, Media, and Sport, though, is not only working with leading companies to participate in the code, but also is looking at whether current laws should be expanded and/or if code participation should become mandatory. …
Continue Reading UK App Code Provides Privacy and Security Compliance Direction

Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security laws that exist at the federal and state level. In the US, companies may be subject to certain data security laws because of the type of information they collect or because of the industry they are in (financial, healthcare, insurance, telecommunications, etc.). The gaming industry is the latest to add to the mix.
Continue Reading Gaming Operators Latest to See Specific Privacy & Cybersecurity Laws

The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed US companies have been concerned about the extent the law applies outside of the EU: it applies not only to those entities with operations in the EU, but also those outside of the region who are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods…
Continue Reading CNIL Weighs in On GDPR Applicability to US Company

The New York and Pennsylvania AGs settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information.
Continue Reading Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities

On Friday, February 3, the CPPA is scheduled to meet about current and forthcoming CPRA regulations. The Board had previously signaled that it expected to finalize the draft regulations in late January or early February 2023. The agenda confirms that the CPRA regulations will be discussed, including “possible adoption” or “modification” of the text.
Continue Reading Movement on CPRA Regulations Expected

To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).
Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Five- Further Adoption of FedRAMP & StateRAMP