United States: The Download September 2019

Last Updated: October 16 2019
Article by Venable LLP

Introduction

In this issue, we highlight inquiries sent to education technology companies from three senators on the collection of student data. We also detail settlements between the Federal Trade Commission (FTC) and multiple technology companies regarding alleged Children's Online Privacy Protection Act (COPPA) violations and false claims related to Privacy Shield participation. We look at the Ninth Circuit's holding regarding the Computer Fraud and Abuse Act (CFAA), and we discuss privacy legislation that passed in New York and Illinois. Lastly, we report on the passing of European Data Protection Supervisor (EDPS) Giovanni Buttarelli and cover former EDPS Assistant Supervisor Wojciech Wiewiórowski's new role as acting EDPS.

Heard on the Hill

Senators Write to EdTech and Data Collection Companies About Use of Student Data

On August 12, 2019, Democratic Senators Dick Durbin (D-IL), Ed Markey (D-MA), and Richard Blumenthal (D-CT) sent letters to dozens of education technology (EdTech) companies and data collection firms, asking questions about their practices and voicing concerns over the amount of student data that is being collected and how it is being used. The senators cited a Federal Bureau of Investigation Public Service Announcement issued last year and the hacking of Slate, a college admissions database, as major sources of concern. Last year's Public Service Announcement warned that the malicious use of student data could result in social engineering, bullying, and identity theft.

The senators sent different letters to EdTech companies and data collection companies. In the letter to EdTech companies, the senators requested that the companies explain how long student data is being held, how it is being deleted, whether students and parents can opt out of data collection, whether data is used or sold for advertising, and whether hackers have accessed any student data. In the letter to the data collection companies, the senators pointed to a Fordham University Law School report that found some firms were selling information that included grade point average, ethnicity, religion, and wealth. Both letters instructed the firms to respond within three weeks with details about how they collect information, the categories of data they gather, the disclosures made to third parties, and any known data breaches.

Around the Agencies and Executive Branch

Technology Companies Settle With FTC Regarding Alleged COPPA Violations

On September 4, 2019, the Federal Trade Commission (FTC) announced a settlement that included $170 million in penalties with a technology company and one of its subsidiaries (referred to collectively as the "companies") to resolve alleged violations of the FTC's Children's Online Privacy Protection Act (COPPA). In the complaint, the FTC and the New York Attorney General alleged that the companies had actual knowledge that they were collecting information from users of "child-directed channels" and that the defendants failed to provide parental notice or obtain verifiable parental consent as required under COPPA. The settlement represents the largest monetary penalty in the history of COPPA enforcement. The complaint also expressed the FTC's view that commercial operators of child-directed channels on YouTube are "operators" subject to COPPA in connection with this activity. Following the announcement of the settlement, the FTC warned that it would be conducting a sweep of child-directed channels.

As previously reported in the Download, the FTC published a Request for Public Comment in the Federal Register on July 25, 2019, to solicit public comment on potential revisions to the current iteration of the COPPA Rule, and will convene an event, "The Future of the COPPA Rule: An FTC Workshop," on October 7, 2019.

FTC Settles with Companies Over Privacy Shield Misrepresentations

The Federal Trade Commission (FTC) announced earlier this month that it settled with five companies over allegations of misrepresenting participation in the EU-U.S. Privacy Shield data transfer framework.

The Privacy Shield allows participants to transfer personal data from the European Union (EU) to the United States while complying with EU privacy and data protection laws. In order to participate, companies must annually self-certify compliance with seven Privacy Shield Principles (and sixteen Supplementary Principles) designed to ensure "adequate" protection for personal data.

The FTC alleged that four of the companies had falsely claimed on their websites that they were certified under the Privacy Shield, despite never having completed the certification process. The FTC also alleged that the fifth company allowed its Privacy Shield certification to lapse in 2018, but failed to remove the Privacy Shield certification from its website; failed to comply with the Privacy Shield Principles; and failed to affirm with the Department of Commerce that it would continue to apply the Privacy Shield protections to personal data collected during its participation in the program. The consent agreements prohibit the companies from misrepresenting their participation in government, self-regulatory, and similar privacy or security programs and impose FTC reporting requirements. Violations of the consent agreements can carry penalties of up to $42,350.

These settlements serve as a reminder that the FTC's mandate covers misrepresentations relating to the Privacy Shield. Participants in the Privacy Shield must complete the certification process and annually recertify with the Department of Commerce in order to take advantage of the Privacy Shield's protections. In addition, participants are subject to lasting obligations, as even former Privacy Shield participants must comply with the Privacy Shield Principles for all personal data that is transferred under the program, for as long as they process that data.

In the Courts

Ninth Circuit Rules That LinkedIn Can't Halt HiQ's "Web Scraping"

On September 9, 2019, in the case of HiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit Court of Appeals affirmed a district court's preliminary injunction prohibiting Defendant LinkedIn from denying Plaintiff HiQ, a data analytics company, access to LinkedIn members' publicly available profiles.[1] The Court addressed whether professional networking website LinkedIn can prevent competitor HiQ from collecting and using information that LinkedIn users have shared on their public profiles, and that is available for viewing by anyone with a web browser.[2] Because the case came to the Ninth Circuit as an appeal of a preliminary injunction, the Court did not address or resolve all of the legal and factual disputes in the case. In the opinion, the Court affirmed the preliminary injunction and discussed whether HiQ raised "serious questions on the merits of the factual and legal issues."[3]

According to the Court, HiQ used automated bots to "scrape" information that LinkedIn members included on their public pages.[4] "Scraping" is a term defined by the Court to describe extracting data from a website and copying it into a structured format, allowing for data manipulation or analysis.[5] As the Court stated, LinkedIn sent HiQ a cease-and-desist letter, asking HiQ to stop accessing and copying data from LinkedIn's server. HiQ filed suit, seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act, California Penal Code § 502(c) (computer crimes), or the common law of trespass.

In affirming the preliminary injunction against LinkedIn, the Ninth Circuit found that the district court did not abuse its discretion and noted that HiQ was able to prove irreparable harm to its business by showing that the entire business depended upon the company's ability to access public LinkedIn member profiles. The Court also considered the balance of equities and found that LinkedIn's interest in preventing HiQ from scraping the profiles was not more significant than HiQ's interest in continuing its business derived from the public LinkedIn pages.[6]

The Court addressed HiQ's likelihood of success on the merits for some of HiQ's claims, notably tortious interference with contract and the CFAA claim. On both claims, the Court found that HiQ raised questions of merit. With respect to the tortious interference with contract claim, the Court did not find that LinkedIn could demonstrate a legitimate business purpose that could justify the intentional inducement of a contract breach. Regarding the CFAA claim, one of the most common claims in web scraping cases, the Court held that because the information accessed by HiQ was limited to publicly available information, HiQ was not accessing the information "without authorization," one of the required elements of a CFAA claim.[7] The Court here viewed "without authorization" to mean "circumvent[ing] a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer."[8]

The case was remanded to the district court for further proceedings.

In the States

New York's Amended Breach Notification Law Goes into Effect in October

New York recently expanded existing cybersecurity and breach notification laws under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act amends New York's current breach notification law and effectively expands the scope of breaches that will require notification. The breach notification amendments go into effect on October 23, 2019, and the effective date for the new cybersecurity requirements is March 21, 2020.

The most prominent amendment under the SHIELD Act is the broadened definition of "private information." Under the SHIELD Act, the definition now includes: (1) account numbers and credit or debit card numbers, even without additional identifying information, if the number can be used to access an individual's financial account; (2) biometric information; and (3) a user name or e-mail address in combination with a password or security question and answer.

The SHIELD Act also expands the breach notification statute to capture access to, as opposed to the acquisition of, private information. According to the statute, businesses will now be required to notify persons where a system containing unencrypted private information has been accessed, even where the data has not been copied, downloaded, or acquired by an unauthorized user. This amendment aligns New York with a small number of jurisdictions that require notification for access (as opposed to acquisition).[9] To determine whether unauthorized access has occurred, a business may consider "indications that the information was viewed, communicated with, used or altered."

Importantly, the SHIELD Act expands the territorial scope of New York's current breach notification law. Whereas the law previously limited applicability to entities conducting business in New York, it now includes any entity that experiences a breach involving New York residents' information. New York is one of a few states that use residency to define the territorial scope of their breach notification laws.[10]

The SHIELD Act includes a number of exemptions to the breach notification provisions. For example, if notification is required under the Health Insurance Portability and Accountability Act of 1996 or the Gramm-Leach-Bliley Act, additional notification is not required under the SHIELD Act. Furthermore, notification is not required if the entity determines the breach "will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials[.]" To invoke this exception, however, the determination "must be documented in writing and maintained for at least five years" and such a determination must be provided to the attorney general within ten days if the breach affects more than 500 New York residents.

Illinois Student Online Personal Protection Act Amended

On August 23, 2019, Illinois Governor J.B. Pritzker signed into law House Bill 3606, the Student Online Personal Protection Act (Act). The Act amends Illinois' existing online personal protection statute to include parental privacy rights over "student data" collected by schools,[11] and requires schools and operators to further safeguard "student data." The law becomes effective on July 1, 2021.

The Act provides the parent (as defined in the Illinois School Student Records Act) of a student enrolled in a school the right to inspect and review the student's covered information,[12] regardless of whether it is held by a school, the State Board of Education, or an operator;[13] request a correction of the student's covered information; and request a paper or electronic copy of the student's covered information from the school.

The Act states that it will also expand the duties of operators, as defined by the statute. According to the text of the Act, operators must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards made to protect covered information from unauthorized access, destruction, use, modification or disclosure. In addition, except for a nonpublic school, the Act's text requires that any operator who receives covered information from a school, school district, or the State Board of Education must enter into a written agreement with the school, school district, or the State Board of Education. The Act notes that these written agreements must be made available to the public and include information such as the categories of covered information to be provided to the operator, a statement by the operator that any collected information will be used only for authorized purposes and disclosed to third parties with consent from the school, and a description of actions that must be taken after a data breach.

Under the Act, schools must ensure that their practices address new prohibitions and duties regarding covered information. The Act's text prohibits schools from selling, leasing, or trading covered information. Sharing, transferring, disclosing or providing access to a student's covered information to an entity or individual other than the student's parent, school personnel, or State Board of Education, is also prohibited by the Act without a written agreement in place between the school and the student's parent, unless required by law.[14] The Act also requires that a school provide, via either its website or an alternative accessible format available upon request, an explanation of the categories, use, and purposes for which it collects, maintains, or discloses covered information. Other duties required of schools under the Act include adopting a policy for designating school employees authorized to enter into written agreements with operators, disclosing a list of the operators with whom the school has written agreements, and for each operator, listing any subcontractors to whom covered information may be disclosed. The Act's text mandates that schools update such information no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.

The Act addresses the handling of data breaches by both schools and operators. A "breach" is defined by the Act as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school. Schools are required by the Act to notify the parent of any student whose covered information is involved in a breach no later than 30 calendar days after the determination of the breach. The Act provides that the notice include the date of the breach, a description of the covered information compromised in the breach, and contact information for consumer reporting agencies and the Federal Trade Commission. The law notes that operators must disclose in an agreement with the school how, if the breach is attributed to the operator, any costs and expenses incurred by the school will be allocated between the operator and the school.

International

EDPS Giovanni Buttarelli Passes Away, and Former EDPS Assistant Supervisor Wojciech Wiewiórowski Assumes Role of Acting EDPS

Former European Data Protection Supervisor (EDPS) Giovanni Buttarelli passed away on August 20, 2019. Shortly after, on August 26, 2019, it was announced that pursuant to Article 100(4) of Regulation (EU) 2018/1725, Mr. Buttarelli's former deputy, EDPS Assistant Supervisor Wojciech Wiewiórowski, had begun serving as acting EDPS.

The EDPS leads the European Union (EU) authority of the same name, which is responsible for ensuring that EU government entities and companies conducting business in the EU protect the privacy and data protection rights of EU citizens. EDPS terms last five years, and Acting EDPS Wiewiórowski will serve the remainder of Mr. Buttarelli's scheduled term, which will expire on December 5, 2019. Mr. Buttarelli served as the second EDPS, following the tenure of the EDPS's inaugural leader, Peter Hustinx, who served as EDPS from 2004 to 2014.

The UK ICO Issues Guidance on Data Minimization and Privacy Protection in Artificial Intelligence Systems

On August 21, 2019, the United Kingdom's (UK) Information Commissioner's Office (ICO) published a blog post discussing techniques and best practices that artificial intelligence (AI) developers can adopt to protect privacy, including data minimization. In the post, the ICO's Research Fellow in AI, Reuben Binns, and Technology Policy Advisor, Valeria Gallo, discussed the importance of data minimization with regard to AI development and use within organizations. The ICO invited feedback as part of an ongoing call for input on the development of its framework for auditing AI.

The ICO noted that AI systems generally require large amounts of data, but companies must comply with the data minimization principle under UK and European data protection law. In order to meet the requirements of these laws, the ICO noted that companies should train individuals who are responsible for AI development on data minimization techniques, develop a risk management system, perform due diligence of AI systems that are procured for the organization, and work to ensure that data minimization does not create inaccurate or discriminatory AI models.

The ICO noted that the first step organizations should take is to map out AI systems and determine what personal data is used in those models. As part of this process, the ICO noted the following factors to assess when implementing data minimization in AI systems:

  • Feature selection: Consider whether certain parts of a data set are required, such as limiting the use of financial information when it is not needed to produce a given result.
  • Privacy-preserving methods: Consider modifying personal data to reduce the chance that it is traced back to a specific individual, such as by adding random "noise" into a data set.
  • Converting personal data: When personal data is used to create inferences about individuals, consider creating datasets that are not human-readable by hashing or otherwise converting the data.
  • Operate models locally: Consider running models on a device, rather than transferring the data to a centralized server.
  • Privacy-preserving queries: If data cannot be processed by AI locally on a device, reduce the amount of personal data sent to a server to only that which is necessary to operate the AI model.
  • Anonymization: Consider if data can be functionally anonymized or pseudonymized when processing an AI model.

The ICO noted that it would "genuinely welcome" any feedback on the thinking they laid out in the post and that this blog was just one part of the continued development of the ICO's auditing framework for AI.

Footnotes

1. HiQ Labs, Inc. v. LinkedIn Corp., 2019 U.S. App. LEXIS 27107 (9th Cir. 2019).

2. HiQ Labs, Inc. v. LinkedIn Corp., 2019 U.S. App. LEXIS 27107, 5 (9th Cir. 2019).

3. Id.

4. Id. at 8.

5. HiQ Labs, Inc. v. LinkedIn Corp., 2019 U.S. App. LEXIS 27107, n3 (9th Cir. 2019).

6. Id. at 18.

7. Id. at 39-40.

8. Id.

9. See, e.g., Conn. Gen. Stat. § 36a-701b(a); Fla. Stat. § 501.171(1)(a); N.J. Stat. § 56:8-163(a).

10. See, e.g., Fla. Stat. § 501.171(4)(a); Mass. Gen. Laws 93H § 1; Nev. Rev. Stat. § 603A.220(1).

11. "School" means (1) any preschool, public kindergarten, elementary or secondary educational institution, vocational school, special educational facility, or any other elementary or secondary educational agency or institution or (2) any person, agency, or institution that maintains school student records from more than one school. Except as otherwise provided in the Act, "school" includes a private or nonpublic school. 105 Illinois Compiled Statute (ILCS) 85/5 § 5.

12. According to bill text, "covered information" includes personally identifiable information or material that is not publicly available and that is either: (1) created by or provided to an operator by a student or the student's parent during use of an operator's site, service or application; (2) created by or provided to an operator by an employee or agent of a school or school district; or (3) gathered by an operator through the operation of its site, service, or application and personally identifies a student. 105 ILCS 85/5 § 5.

13. "Operators" are defined by the Act as entities that operate an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K through 12 purposes and was designed and marketed for K through 12 school purposes, who receive "covered information." 105 ILCS 85/5 § 5.

14. A written agreement is required unless the disclosure or transfer is (a) to the extent permitted by State or federal law, to law enforcement officials to protect the safety of users or others or the security or integrity of the operator's service; (b) required by court order or State or federal law; or (c) to ensure legal or regulatory compliance. 105 ILCS § 85/26.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
