By Ronald J. Hedges, JD and Gail L. Gottehrer, JD
Recent large-scale high-profile data breaches have increased consumer awareness of both the amount of personal data about them that is being collected and the ways in which that data is being used. The seemingly daily reports of new data breaches have led to ongoing public dialog about privacy and data loss, and to demands for legislators to address these issues. In the absence of federal consumer privacy legislation, states are stepping in to fill the void and enact digital privacy laws. While HIPAA, one of the sectoral privacy laws at the federal level, regulates certain data security issues, it does not cover all the data that providers might have. For example, although personal health information may not be within the scope of these statutes, employee information and other information collected by providers presumably is. Accordingly, it is important for providers to be aware of these state privacy laws and evaluate the potential impact of this trend on them.
This article will discuss the key features of some of the state initiatives. The General Data Protection Regulation (GDPR) and the California Consumer Protection Act will not be addressed, other than to note that some of their provisions are reflected in the privacy frameworks in the states of Washington, Utah, Illinois, and Pennsylvania.
Washington’s data privacy legislation would incorporate the GDPR’s right of access, rectification, erasure, objection to and restriction on processing, and data portability. A distinguishing feature of the Washington Privacy Act (WPA) is its regulation of facial recognition technology. The law requires companies to obtain consumer consent to use facial recognition technology; provides that the technology cannot be used to discriminate and that its capabilities and limitations must be disclosed to consumers; and mandates “meaningful human review” where facial recognition technology is used for profiling or automated decision-making. In order for the government to use facial recognition technology for public surveillance, exigent circumstances must exist, or the government must have a law enforcement purpose and court order. While the WPA did not become law during this legislative session, it is likely to be re-introduced next year.
By contrast, Utah’s data privacy law focuses on privacy interests in data held by third parties in the context of criminal proceedings. Subject to certain exceptions, the Electronic Information or Data Privacy Act requires law enforcement to obtain a warrant before it can access electronic data held by a third party. The warrant requirement applies to geolocation data, which can reveal information about an individual’s location that is transmitted by an electronic device, and subscriber records of electronic communication services, that can reveal an individual’s name, address, network address, and session time and duration.
Unlike data privacy laws in other states, the Illinois Biometric Information Privacy Act (BIPA) provides aggrieved individuals with a private right of action. The law covers the collection, use, and retention of biometric identifiers such as retina scans, iris scans, fingerprints, and voiceprints, as well as any information based on an individual’s biometric identifier that can be used to identify that individual. BIPA requires companies to provide individuals with notice, and to obtain their written consent, before collecting their biometric data, and to disclose to them the lawful purpose for the collection of the data and the amount of time for which the data will be kept. Earlier this year, the Illinois Supreme Court held that actual harm does not have to be alleged in order to sue under BIPA. The Court explained that a plaintiff whose biometric data was collected in violation of BIPA is injured within the meaning of the statute and can bring an action for statutory damages. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Sup. Ct. Jan. 25, 2019).
Notably, within the past year, Pennsylvania data privacy law was shaped by case law, rather than legislation. In Dittman v. UPMC d/b/a University of Pittsburgh Med. Ctr., 196 A.3d 1036 (2018), the Supreme Court of Pennsylvania held that an employer has a common law duty to use reasonable care to safeguard its employees’ personal data stored on internet-accessible computers. As a result of this decision, negligence claims can be premised on allegations that a data breach resulted from a company failing to implement adequate cybersecurity measures to protect personal data.
These state-level approaches to data privacy likely encompass data collected and maintained by providers that falls outside the scope of HIPAA. Hospitals and other medical facilities may use facial recognition technology for security purposes. Biometric identifiers such as iris or retina scans and fingerprints may be used to grant certain employees access to restricted locations and information. Data used for research studies, even if anonymized or aggregated, may contain “biometric information” as defined by BIPA. Personal information obtained through employee wellness programs or from employees’ wearable devices may be protected under these digital privacy laws. Ambulances, patient transport vehicles, fleet vehicles, and medical devices may collect geolocation information that is retained and used by providers. All providers in Pennsylvania likely have personal data of their employees stored on internet-accessible computers which, under Dittman, they have a duty to use reasonable care to protect.
A challenging feature of these approaches is that they mandate “reasonable” conduct by data controllers and processors but do not define the word “reasonable” or specify what qualifies as reasonable conduct. Clarity may come from regulations and judicial decisions. In the interim, by adopting data minimization policies and procedures—such as focusing on the personal data they collect, collecting only what is necessary, knowing where the personal data is stored, keeping the data only as long as it is needed, destroying the data in an effective manner, and documenting these efforts—providers can establish a basis to argue that they took reasonable steps to protect personal data and prevent data breaches.
Ron Hedges (firstname.lastname@example.org) is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to electronic information. He is a senior counsel with Dentons US LLP. Gail Gottehrer (email@example.com) is the founder of the Law Office of Gail Gottehrer LLC.