The Changing Landscape of Privacy Protection
Privacy protection for consumer data changes on a regular basis. Certainly, those doing business in California and the European Union (EU) need to be cognizant of their data collection practices, but Colorado, Connecticut, Utah, and Virginia are U.S. states that have also recently enacted privacy regulations. Companies doing business in these states need to understand the rules and regulations that apply for collecting consumer data.
Illinois does not yet have its own comprehensive privacy law. Cases alleging violations of the Biometric Information Protection Act (BIPA) (740 ILCS 14/15(b)) have significantly increased since the Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc., 2023 IL 128004 (Feb. 17. 2023). In this case, each scan of a person’s biometric information without consent was a separate violation of BIPA. This decision came just two weeks after the Illinois Supreme ruled against one-year statute of limitations for claims under BIPA. Those entities who obtain biometric information should ensure consent is obtained before collecting the data. Failure to obtain prior consent could result in significant damages.
Effective July 2023, California expanded its privacy regulations with the enactment of the California Privacy Rights Act (CPRA). This created a new agency, the California Privacy Protection Agency (CPPA), whose responsibility is to enforce privacy regulations in California.
On July 10, the European Commission approved the EU-U.S. Data Privacy Framework (Framework). The Framework will make it easier for companies to ensure that cross-border data transferred between the U.S. and EU is compliant with the laws of both jurisdictions. U.S. companies can certify their participation in the Framework by committing to comply with a detailed set of privacy obligations. The U.S. Department of Commerce supervises the program. Compliance will be enforced by the Federal Trade Commission (FTC).
The sanctions determining if failure to comply with privacy regulations has occurred vary from jurisdiction to jurisdiction. Before asking if a violation has occurred; first determine which state’s regulations may apply to the specific scenario. Levin Ginsburg can help you find the answer. Please reach out to Kevin Thompson, CIPP/US, at 312-368-0100 for a consultation.