
March 3, 2023

Issue 16: Is BIPA, like, super jelly of CCPA?

Oh hey! Welcome to the Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you.

BIPA's big week

BIPA’s been trending on social media platforms recently. There’s so much going on there. And what’s really got privacy peeps stroking those laptop keys is the decision in a case against White Castle that could have a wild impact on BIPA claims going forward. In Cothron v. White Castle, an employee took the burger chain to task for collecting her fingerprint every time she clocked in, and argued that she was due damages for every time White Castle collected or disclosed it.

As Zwillgen reported, White Castle said a person “loses control of their biometric data upon the first collection or disclosure,” so the claims can only be based on the first alleged violation, not every subsequent BIPA violation.

The court sided with Cothron, 4-3, saying her interpretation was correct, and the violations occurred each time the biometric information was disclosed, even if it was repeated disclosures to the same party.

Obviously, the implication is that if you get sued for BIPA, you’re facing $1,000 to $5,000 per violation. But if each violation means every time the practice repeated itself, that’s big money.

BIPA to CCPA: Why not me?

In the meantime, BIPA’s kind of turning into the new CCPA, you know? Here’s what I mean: All sorts of BIPA copycats are cropping up in U.S. states lately. Remember when the CCPA passed, and everyone just stood there with their mouths gaping open for a while and then GOT MOVING on compliance? After some time and coping, other states started dropping their own versions of CCPA – five of them successfully.

Similarly, thanks to a push from the ACLU, 17 states have introduced biometric privacy bills so far this year. The ACLU, coming fresh off of its BIPA-related settlement against Clearview AI last year, has introduced a draft model bill that looks a lot like BIPA. As Cyberscoop reports, 11 of the 17 states with biometrics bills on the table adopted the ACLU’s model.

EU DPAs (still) not thrilled with Privacy Shield replacement

People keep telling me this deal on cross-border data transfers between the U.S. and the EU is robust, fully addresses the EU’s concerns, and is sure to succeed. But then every time I hear a soundbite from Europe, they’re like, “Yeah this still isn’t where we need it to be, friends.”

Obviously, we’re going to work it out, but here’s where we’re at now, if you’re keeping score at home.

U.S. President Joe Biden signed an Executive Order in October 2022 to implement the EU-U.S. Data Privacy Framework. Then, the European Commission said in December that the U.S. had done enough to protect EU citizens from unfair American intelligence agency access and use of their data. I was shocked we’d gotten there, personally. Because I’ve been at those national security hearings on the Hill, and I’ve heard our intelligence agencies tell Congress how important access to wide swaths of communication data is to fighting terrorism.

Anyway, the latest is that the European Data Protection Board now says “more should be done to protect Europeans’ privacy rights.” Ruh-roh. The EDPB echoed the concerns Max Schrems has voiced about the new agreement: the independence of the court that’s supposed to handle EU citizens’ grievances, the “scope of exemptions” to surveillance rules, and onward transfers, Reuters reported this week.

So, the ball bounces back to the U.S. for now.

In the meantime:

So, there's that. But we'll see?
