The first U.S. jury trial under the 2008 Illinois Biometric Information Privacy Act “ended with a bang” when the BNSF Railway was hit with a $228 million judgment Oct. 12 for “recklessly or intentionally” violating the statute, the Perkins Coie law firm said in a Tuesday update. Plaintiff Richard Rogers sued BNSF in April 2019. He was a truck driver who dropped off and picked up loads at BNSF-operated rail yards. He was required to register with an automated gate system and to provide his fingerprint each time he entered the rail yard. Rogers didn't give written consent to the collection of his fingerprints, nor was he informed of how long his fingerprint data would be stored, as required under the BIPA, said Perkins Coie. Court records show about three dozen BIPA lawsuits at various stages of disposition. In one of the more recent cases, Amazon and Amazon Web Services said last month they “expressly deny” the allegations in a complaint in U.S. District Court for Northern Illinois that they violated the BIPA by using the company’s Rekognition facial-imaging technology to monitor employees in Amazon fulfillment centers (see 2209220050).
The California Privacy Protection Agency board scheduled a second two-day meeting to consider draft changes to state privacy rules required by the 2020 California Privacy Rights Act. The CPPA will meet 9 a.m. PDT Oct. 28 and Oct. 29, said an agenda released Monday. The agency, which released modified draft rules earlier that day (see 2210170048), also plans to meet Friday and Saturday. “With four days of Board meetings already scheduled and another written comment period anticipated, the regulations are still open to change,” blogged Husch Blackwell privacy attorney David Stauss. “Even when these regulations are finalized, the Agency will need to engage in further rulemaking.”
The California Privacy Protection Agency (CPPA) board released modified draft regulations to implement changes to state privacy rules required by the 2020 California Privacy Rights Act. The CPPA posted the modified text and an explanatory document Monday, before a planned Friday-Saturday meeting (see 2210110013). “The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer,” said one addition. Such expectations are based on the relationship between the consumer and the business, the “type, nature, and amount of personal information that the business seeks to collect or process,” the information’s source and the business’ collection and processing method, the “specificity, explicitness, and prominence” of consumer disclosures and the “degree to which the involvement of service providers, contractors, third parties, or other entities in the collection or processing of personal information is apparent to the consumer.” A business’ collection, use, retention or sharing of personal data should be “reasonably necessary and proportionate,” said another addition. That takes into account whether a business collected the minimum amount of data needed, possible negative impacts to consumers, and safeguards to address possible problems, the updated rules said. Clarifying rules on dark patterns, the modified draft states, “A business’s intent in designing the interface is not determinative in whether the user interface is a dark pattern, but a factor to be considered.” Future of Privacy Forum Senior Counsel Keir Lamont tweeted, “Be on high alert for the board to approve these modified regulations, triggering a public comment period, potentially lasting as little as 15 days.”
The Aug. 22 decision at the 5th Circuit U.S. Appeals Court in U.S. v. Morton, giving law enforcement broad discretion in searching individuals’ cell phones, was “a setback to the privacy protections for cell phones recognized” in the 2014 Supreme Court case Riley v. California, blogged Jennifer Lynch, Electronic Frontier Foundation surveillance litigation director. “Cell phones contain deeply personal information that should be afforded strong protections by the Fourth Amendment,” said Lynch. “Courts should not allow law enforcement to have limitless authority in executing search warrants on cell phones,” she said. They should follow the approach of “numerous other courts” and require cellphone warrants “that are narrowly tailored to the crime under investigation,” she said.
The FTC extended the deadline for comments on the agency’s advance notice of proposed rulemaking on commercial surveillance and data security until Nov. 21 (see 2208190031 and 2210130079). The commission voted 4-0-1, with Commissioner Christine Wilson abstaining. “Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, discrimination, and other abuses,” the agency said Friday.
The California Privacy Protection Agency board will meet Oct. 21-22 to discuss and possibly take action on rules to implement changes to state privacy rules required by the 2020 California Privacy Rights Act, said a CPPA agenda posted Monday. The Friday-Saturday meeting has start times of 2 p.m. PDT Oct. 21 and 9 a.m. PDT Oct. 22.
Colorado Attorney General Phil Weiser (D) submitted draft rules Saturday to implement the state’s privacy law, and scheduled a Feb. 1 partially virtual rulemaking hearing. The Colorado Privacy Act (CPA) draft rules will be posted in the Colorado Register Oct. 10, said the Department of Regulatory Agencies’ rulemaking page. Colorado's draft rules “address several important issues that were notably absent from the draft California regulations, including regulations on profiling, data protection assessments … and the universal opt-out mechanism,” Ballard Spahr lawyers blogged. Draft rules appear more “principle-guided” than “hyper-prescriptive,” they said. Husch Blackwell’s David Stauss blogged that the draft rules “are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.” After the Feb. 1 hearing, the state will have 180 days to file adopted rules, which would take effect 20 days after publication in the Colorado Register, said Stauss.
A Michigan comprehensive privacy bill by nine state senators surfaced Tuesday. Sen. Rosemary Bayer (D) introduced SB-1182 “to establish the privacy rights of consumers.” The bill was referred to the Senate Energy and Technology committee. SB-1182 would apply to any business that, during a calendar year, either controls or processes personal data of at least 100,000 consumers or of at least 25,000 consumers if it derives more than half its gross revenue from sale of their data. It would include exemptions for state agencies and political subdivisions, financial institutions covered by the Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act, and higher education institutions. Michigan’s attorney general would enforce the measure.
Expect California privacy law enforcement to escalate once the California Privacy Rights Act (CPRA) takes over from the California Consumer Privacy Act (CCPA) on Jan. 1, said Carlton Fields attorney Christina Gagnier on a Tuesday webinar. Enforcement will shift from Attorney General Rob Bonta (D), who already has been more aggressive than predecessors, to the new California Privacy Protection Agency, said the privacy lawyer for businesses. One takeaway from Bonta’s recent $1.2 million action against cosmetics store Sephora under the CCPA (see 2208240067) is that “enforcement is industry agnostic,” said Gagnier. “Any company could be a target.” 2023 will be a big year for privacy with other state laws taking effect in Colorado, Connecticut, Virginia and Utah, said the same law firm’s Eden Marcu. Note that those are four very different states, said Gagnier, predicting four or five more could enact privacy laws next year. Two-thirds of states have considered comprehensive privacy bills, said Gagnier. States currently in session with privacy bills include Michigan, New York and Ohio. "It's something that you're going to see pop up state by state over the next couple years" until most states have comprehensive laws, she said. Don't bet on a federal law soon, said Gagnier, saying she doesn't expect Congress's American Data Privacy and Protection Act to go anywhere.
California Gov. Gavin Newsom (D) signed children’s privacy legislation Thursday. AB-2273, which opponents say would violate free speech and hurt the internet (see 2208120039), would require social media companies with child users to follow “age-appropriate” design principles. The bipartisan Age-Appropriate Design Code Act sets up a working group to report to the legislature by January 2024 on best practices for implementation. “We’re taking aggressive action in California to protect the health and wellbeing of our kids,” said Newsom. California will be “the first state in the nation to require tech companies to install guardrails on their apps and websites for users under 18,” said sponsor Assemblymember Buffy Wicks (D) in the same news release. Republican co-sponsor Assemblymember Jordan Cunningham said “protecting kids online is not only common sense, it will save lives.” Newsom signed an industry-opposed bill earlier this week to establish transparency requirements for social media platforms’ content moderation practices (see 2209140050).