On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals.

In the Opinion, the EDPB noted substantial improvements in the proposed DPF compared to the former Privacy Shield, but also expressed concerns regarding the level of protection provided by the draft adequacy decision. Key takeaways from the EDPB’s Opinion are:

  • The EDPB welcomed the updates to the DPF Principles, but opined that the Principles to which the DPF organizations have to adhere remain essentially unchanged from the Privacy Shield, and the concerns previously raised by the Article 29 Working Party and the EDPB in relation to the Privacy Shield principles remain unaddressed. In particular, these concerns relate to the rights of data subjects, the absence of key definitions, the lack of clarity in relation to the application of the DPF Principles to processors, and the broad exemption for publicly available information.
  • The EDPB opined that the structure and complexity of the DPF make it difficult for data subjects and relevant stakeholders to understand, that some key definitions are missing from the text, and that terminology is not used consistently.
  • Regarding the level of protection of individuals whose data is transferred, the EDPB noted that protection must not be undermined by onward transfers from the initial recipient of the transferred data. The EDPB invites the European Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country must be effective in light of third-country legislation, prior to an onward transfer in the context of the DPF.
  • Regarding government access to data transferred to the U.S., the EDPB acknowledged the significant improvements brought by Executive Order 14086, which introduced concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data (signals intelligence).
  • The Opinion recognized the specific safeguards provided by relevant U.S. law in different fields concerning automated decision-making and profiling by means of AI technologies. However, the EDPB pointed out that the level of protection for individuals seems to vary according to which sector-specific rules, if any, apply to the situation at hand. The EDPB maintained that specific rules concerning automated decision-making are needed in order to provide sufficient safeguards especially when AI decisions could significantly affect an individual.
  • The EDPB recommended clarification on the scope of exemptions, including on the applicable safeguards under U.S. law, in order to better identify their impact on data subjects. The Opinion also underlined that the European Commission should monitor the application and adoption of any statute or government regulation that would affect adherence to the DPF Principles. In relation to the list of exceptions to the right of access, the EDPB noted that some still tend to tip the balance towards the interests of DPF organizations, and expressed concern that there appears to be no requirement to consider the rights and interests of the individual.
  • The EDPB further addressed bulk data collection and asked for clarity regarding temporary bulk collection and the further retention and dissemination of such data. The EDPB opined that collection of large quantities of data without discriminants (e.g., without the use of specific identifiers) presents higher risks for individuals than targeted collection and therefore requires additional safeguards. The Opinion noted that the DPF lacks a requirement for prior authorization from an independent authority before bulk data collection takes place.
  • The EDPB highlighted that close monitoring, oversight, and enforcement of the DPF will be needed. The DPF continues to rely on a system of self-certification, although the Opinion recognizes commitments made by the relevant U.S. agencies to investigate alleged DPF violations and to monitor and enforce against entities making false or deceptive claims of participation.

Given the concerns expressed and the clarifications required, the EDPB suggests that these concerns should be addressed by the European Commission in future reviews. The EDPB further invites the European Commission to provide the requested clarifications in order to solidify the grounds for the draft adequacy decision and to ensure close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides. The draft adequacy decision will continue to make its way through the review and approval process. Once adopted, participating in the DPF will require that companies certify their adherence to the DPF Principles with the U.S. Department of Commerce.

We will continue to monitor the developments in this matter and keep you informed of any further updates.

In the past few years, privacy activists, consumers and national and European data protection authorities have become increasingly aware of the impact of cookies and other tracking technologies. As a result, most administrators of websites and mobile apps know that they have to provide users with a clear and prominent cookie banner. They also know that they should explain what cookies are being used and obtain the user’s consent before storing any non-essential cookies on their device. 

What they don’t know is how, exactly, this information should be conveyed. In theory, the conditions are straightforward and set forth in Directive 2002/58/EC (“ePrivacy Directive”) and Regulation (EU) 2016/679 (“GDPR”). In practice, however, requirements for obtaining consent for the use of cookies depend on the jurisdiction.

To address concerns regarding cookie banners and consent management on websites, the European Data Protection Board set up the “Cookie Banner Taskforce.” On January 17, 2023, the Cookie Banner Taskforce adopted a report detailing their findings. This report offers further guidance on the minimum requirements for transparency and efficiency of cookie banners and consent management practices within the European Union (“EU”).

The following are key takeaways from the report if you are a website or app owner:

  1. Ensure that your cookie banner includes a “reject button” on the first layer;
  2. Avoid using pre-ticked checkboxes for cookie consent;
  3. Provide a clear and direct option for users to reject, without using deceptive link designs;
  4. Avoid using deceptive button colors or deceptive button contrast;
  5. If you haven’t received consent for storing or accessing information through cookies, abstain from any further processing;
  6. Classify cookies as “essential” or “strictly necessary” only when they are truly required for your website to function; and
  7. Make it easy for users to withdraw their consent, such as by providing an icon that is visible at all times or a link placed on a visible and standardized place.
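Takeaways 5 to 7 describe behaviour a site must actually enforce in code, not only in banner copy. The following is an added illustration written for this summary, not code from the Taskforce report or from any authority: a small consent gate that refuses to write non-essential cookies before consent, treats any cookie not explicitly declared as non-essential (so "essential" cannot become a default), audits a cookie jar for cookies the current consent state does not permit, and produces the expiry headers needed after a reject or a withdrawal. The cookie names, their category assignments and the sample jar are constructed for illustration.

```javascript
// Added example, not from the Taskforce report. Cookie names, categories
// and the sample jar are constructed for illustration.

// Declared purpose of every cookie the site sets. Anything not listed here
// is treated as non-essential (fail closed): a cookie is "strictly
// necessary" only because it was deliberately classified as such.
const COOKIE_CATEGORIES = {
  session_id: "essential",     // keeps the user logged in
  csrf_token: "essential",     // request forgery protection
  cookie_consent: "essential", // records the consent choice itself
  _ga: "analytics",            // constructed analytics cookie name
  ad_id: "marketing",          // constructed marketing cookie name
};

function categoryOf(name) {
  return Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name)
    ? COOKIE_CATEGORIES[name]
    : "unknown";
}

// Parse a document.cookie / Cookie-header style string into {name: value}.
function parseCookieHeader(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    const name = eq === -1 ? item : item.slice(0, eq);
    jar[name] = eq === -1 ? "" : item.slice(eq + 1);
  }
  return jar;
}

// Consent state. It starts with nothing granted: there is no pre-ticked
// category, and "reject" on the first layer leaves it exactly as it began.
class ConsentState {
  constructor() {
    this.granted = new Set();
  }
  accept(categories) {
    for (const c of categories) this.granted.add(c);
  }
  rejectAll() {
    this.granted.clear();
  }
  withdraw(category) {
    this.granted.delete(category);
  }
  allows(cookieName) {
    const cat = categoryOf(cookieName);
    return cat === "essential" || this.granted.has(cat);
  }
}

// Gate placed where the site would write a cookie: returns true and stores
// the cookie only if the current consent state permits it.
function setCookieIfAllowed(jar, name, value, consent) {
  if (!consent.allows(name)) return false;
  jar[name] = value;
  return true;
}

// Names of cookies present in the jar that consent does not cover.
function auditCookies(cookieString, consent) {
  return Object.keys(parseCookieHeader(cookieString)).filter(
    (name) => !consent.allows(name)
  );
}

// Set-Cookie header values that expire every cookie the user has not
// consented to, for use after a reject or a later withdrawal.
function expiryHeaders(cookieString, consent) {
  return auditCookies(cookieString, consent).map(
    (name) => `${name}=; Max-Age=0; Path=/`
  );
}

// Constructed sample jar, as it might look before any banner interaction.
const SAMPLE_JAR =
  "session_id=abc; cookie_consent=; _ga=GA1.2.1; ad_id=xyz; tracker_x=1";

// Walk through the lifecycle and return each stage's audit result.
function demo() {
  const consent = new ConsentState();
  const beforeConsent = auditCookies(SAMPLE_JAR, consent);
  consent.accept(["analytics"]);
  const afterAnalytics = auditCookies(SAMPLE_JAR, consent);
  consent.withdraw("analytics");
  const afterWithdrawal = expiryHeaders(SAMPLE_JAR, consent);
  return { beforeConsent, afterAnalytics, afterWithdrawal };
}
```

Running `demo()` shows the point of the unknown-cookie rule: `tracker_x` was never declared, so it is flagged before consent, after partial consent, and after withdrawal, and the audit would catch a third-party script that set it without the site's knowledge.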

Although the minimum requirements in the report are not formally binding, they are expected to have a substantial impact on businesses and website owners operating within the EU, who will have to ensure that their cookie banners and consent management practices meet the thresholds set out in the report.

Unfortunately, the report only outlines minimum requirements. Website owners must still verify whether additional national requirements (such as the ones specified by the French data protection authority) exist beyond the report’s minimum thresholds.

Additionally, please note that the ePrivacy Directive is currently being revised and a new, more harmonized version is expected to be adopted in the near future. The revised text is expected to introduce stricter rules on online tracking and data collection, particularly regarding cookies and similar technologies, which we will summarize upon its release.

Source: Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023, https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes to receiving support from the federal government. The Strategy also suggests approaches the private sector could take, such as improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resistant systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices aligned with the National Institute of Standards and Technology (NIST) framework.

The Strategy makes evident the Administration’s desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers. To that end, we should expect legislation regarding baseline cybersecurity measures and establishing new liabilities for providers of software products and services. Further, the Administration emphasizes its support for legislative efforts for data minimization and increasing protection for sensitive data, which puts additional pressure on Congress to pass a federal privacy law.

The Strategy builds on sustained efforts by the Biden Administration to protect the nation’s critical infrastructure, including:

  • The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – expands the reporting obligations of covered entities;
  • The 2022 Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act – reduces reliance on China-based suppliers of emerging technologies by providing a financial incentive for investment in U.S. semiconductor manufacturing and the creation of collaborative networks for research and innovation;
  • President Biden’s 2021 Executive Order 14028 – strengthens the nation’s cybersecurity defenses by mandating that all federal agencies use basic cybersecurity measures (such as multifactor authentication) and by requiring new security standards for software makers that contract with the federal government; and
  • President Biden’s 2021 national security memorandum – directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure.

The Five Pillars

Replacing the 2018 Trump Administration strategy, which focused on voluntary public-private partnerships and information-sharing practices, the new framework mapped out by the Strategy pushes for a more aggressive and comprehensive regulatory approach. Combining government actions with new requirements for the private sector, which owns the majority of the country’s critical infrastructure, the Strategy aims to tackle some of our nation’s most difficult and complex issues in cybersecurity, software liability, and regulatory programs by centering on the following five pillars:

  1. Defend Critical Infrastructure;
  2. Disrupt & Dismantle Threat Actors;
  3. Shape Market Forces to Drive Security and Resilience;
  4. Invest in a Resilient Future; and
  5. Forge International Partnerships to Pursue Shared Goals.

I. Defend Critical Infrastructure

The Administration makes clear that this pillar “is vital to our national security, public safety, and economic prosperity.” This pillar focuses on private-public collaboration to equitably distribute risk and responsibility, and includes five strategic objectives:

  1. Establish Cybersecurity Requirements to Support National Security and Public Safety. Protecting critical services is essential to the American people’s confidence in the nation’s infrastructure and the economy, and the Strategy breaks out three categories of activity to accomplish this objective:
    • Establish Cybersecurity Regulation to Secure Critical Infrastructure. To the extent possible, the government plans to use existing authorities to create a set of “minimum expected cybersecurity practices” for the infrastructure sector that are performance-based and adaptable. Where gaps in the law exist, the Administration plans to work with Congress to close them, with the goal of ensuring that systems are designed to “fail safely and recover quickly.” The Administration also plans to drive improvements in cybersecurity practices in the cloud computing industry and other essential services on which these sectors depend.
    • Harmonize and Streamline New and Existing Regulations. A key goal of the Strategy is controlling the costs and other burdens of compliance for regulated entities so that they can commit more resources to cybersecurity. To that end, the Strategy calls for regulators to (1) seek to harmonize regulations, audits, and reporting requirements as they are developed, for example by leveraging existing international standards where consistent with U.S. policy and law, and (2) work together to minimize instances where existing regulations conflict, duplicate one another, or are overly burdensome.
    • Enable Regulated Entities to Afford Security. The Strategy offers several approaches to accommodate critical infrastructure sectors with varying capacity to absorb such costs. In sectors better able to absorb costs, it calls for regulation that levels the playing field so that entities cannot gain a competitive advantage by underspending their peers on cybersecurity. Low-margin sectors will likely need incentives to invest in cybersecurity, for example through rate-making processes, tax structures, or other mechanisms.
  2. Scale Public-Private Collaboration. The Strategy stresses the importance of creating a distributed network of cyber defense, developed by collaboration between defenders and enabled by the automated exchange of information. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will employ Sector Risk Management Agencies (“SRMAs”) to coordinate with and support critical infrastructure owners to protect the assets they operate. The government plans to invest in developing SRMA capabilities to enable security and resilience improvements across critical infrastructure sectors and support maturation of third-party collaboration mechanisms. Additionally, information sharing and analysis organizations (“ISAOs”), sector-focused information sharing and analysis centers (“ISACs”), and similar organizations will be leveraged to facilitate cyber defense operations. The Strategy also acknowledges that machine-based solutions will be required to improve the sharing of information and coordination of defensive efforts. To accomplish this, CISA and SRMAs will explore technical and organizational mechanisms in partnership with the private sector to enhance and evolve data sharing, and the federal government will deepen its collaborative efforts with software, hardware, and managed service providers which have the capability to provide greater cybersecurity and resilience.
  3. Integrate Federal Cybersecurity Centers. Federal Cybersecurity Centers will serve as collaborative nodes that bring together capabilities across entities involved with homeland defense, law enforcement, intelligence, and diplomatic, economic, and military missions to drive intragovernmental coordination and support non-federal partners.
  4. Update Federal Incident Response Plans and Processes. The federal government will aim to present a unified, coordinated, whole-of-government response to cyber incidents when federal assistance is required; for example, CISA will update the National Cyber Incident Response Plan (“NCIRP”). The Strategy discusses how these efforts will harmonize new requirements, such as CIRCIA’s to-be-finalized requirement that covered entities report covered cyber incidents to CISA within 72 hours (and ransom payments within 24 hours) in order to strengthen the collective defense, and current efforts by the Cyber Safety Review Board (CSRB), which is comprised of private and public sector cybersecurity leaders and will review incidents and guide industry remediation.
  5. Modernize Federal Defenses. The Administration will focus on long-term efforts to defend federal systems in accordance with zero-trust principles. In addition, it commits to develop plans to collectively defend federal civilian agencies, modernize federal technology systems, and defend national security systems.

II. Disrupt & Dismantle Threat Actors

Pillar 2 discusses the commitment to use “all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” focusing on heading off “sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” One of the ways to accomplish this is to make cyber-enabled campaigns unprofitable. There are five strategic objectives for disrupting and dismantling threat actors:

  1. Integrate Federal Disruption Activities. The Strategy outlines three commitments to integrate the federal government’s disruption efforts. First, the DOD will update its departmental cyber strategy so that it is aligned with “the National Security Strategy, National Defense Strategy, and [the] Strategy” to ensure that cyberspace operations are integrated into other strategic defense efforts. Second, the National Cyber Investigative Joint Task Force (“NCIJTF”) will “expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and frequency.”  Third, the DOD and the intelligence community “commit[s] to bringing to bear their full range of complementary authorities to disruption campaigns.”
  2. Enhance Public-Private Operational Collaboration to Disrupt Adversaries. To enhance the collaboration between the public and private sectors, the Strategy “encourage[s]” private companies to organize cyber-disruption efforts “through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government, such as the National Cyber-Forensics and Training Alliance (NCFTA).”  The Strategy also commits the government to lowering barriers in the interests of supporting and leveraging collaboration.
  3. Increase the Speed and Scale of Intelligence Sharing and Victim Notification. One aspect of disrupting and dismantling threat actors is to increase the speed and scale of intelligence sharing, both to and from victims. The Strategy commits to “proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.” Part of implementing this is to “review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances” to non-federal defenders is warranted. The Strategy also calls on “SRMAs, in coordination with CISA, law enforcement agencies, and the [Cyber Threat Intelligence Integration Center (CTIIC) to] identify intelligence needs and priorities within their sector and develop processes to share warnings, technical indicators, threat context, and other relevant information with both government and non-government partners.”
  4. Prevent Abuse of U.S.-Based Infrastructure. The Strategy commits to working with cloud and infrastructure providers on the full range of issues they face: quickly identifying malicious use of their infrastructure, notifying the government of such use, making it easier for victims to report abuse, and preventing malicious use in the first place. The Strategy also places an expectation on “[a]ll service providers” to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”
  5. Counter Cybercrime, Defeat Ransomware. The Strategy calls out ransomware in particular as a threat and identifies four processes to combat it: “(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.”  This effort includes contributions from the Counter-Ransomware Initiative (CRI) with 30 other countries and the Joint Ransomware Task Force. It also includes further consideration of international anti-money laundering and combating the financing of terrorism (AML/CFT) standards. To achieve these objectives, the Strategy focuses on mounting “disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.”  Accordingly, the Strategy repeats the position that the U.S. government has held for years: “strongly discourag[ing] the payment of ransoms” and encouraging victims to report the incidents to law enforcement and other appropriate agencies.

III. Shape Market Forces to Drive Security and Resilience

Pillar 3 of the Strategy focuses on shaping market forces to reduce risk and strengthen the digital ecosystem so that the country remains resilient and secure. Market forces alone have not driven broad adoption of cybersecurity best practices, so the Administration intends to shape the long-term security and resilience of the digital ecosystem by increasing accountability, driving the development of more secure connected devices, reshaping existing laws, using federal purchasing power to incentivize security, and stabilizing insurance markets against catastrophic risk, through the following six strategic objectives:

  1. Hold the Stewards of our Data Accountable. The Administration supports legislative efforts to protect consumers by imposing limitations on technologies that collect personal information. Failures to protect personal information pass the harm on to consumers, and often the greatest harm falls upon the most vulnerable populations. To protect consumers, legislation should provide strong protections for personal and sensitive data and set national requirements to secure data consistent with the standards and guidelines developed by NIST.
  2. Drive the Development of Secure IoT Devices. Many IoT devices today are vulnerable to cybersecurity threats and exploitation by bad actors. The Administration will continue to improve IoT cybersecurity through research and development and risk management efforts under the 2020 IoT Cybersecurity Improvement Act and security labeling programs under Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cybersecurity Executive Order”). The goal is to expand IoT security labels, allowing consumers to compare protections for different IoT products, and to create a market incentive for greater security in IoT devices.
  3. Shift Liability for Insecure Software Products and Services. The Administration will begin to shift liability onto entities that fail to take reasonable precautions to secure their software, while recognizing that even advanced software security programs cannot prevent all vulnerabilities. Legislation will be designed to prevent manufacturers and software publishers from fully disclaiming liability and to establish higher security standards, while also providing a safe harbor for companies that do securely develop and maintain their software products and services. These safe harbor provisions will draw from current best practices, such as the NIST Secure Software Development Framework, but will also need to be flexible enough to evolve over time to keep up with technological advancements. The Administration also encourages coordinated vulnerability disclosure and further development of Software Bills of Materials (SBOMs), as well as processes for identifying and mitigating the risk of unsupported software used by critical infrastructure.
  4. Use Federal Grants and Other Incentives to Build in Security. The Administration is committed to investing in programs to improve infrastructure and the digital ecosystem supporting it, balanced with cybersecurity requirements. The federal government will collaborate with State, Local, Tribal and Territorial (“SLTT”) entities, private sector stakeholders, and other partners to drive investment in secure and resilient products and to fund cybersecurity research, development, and demonstration programs.
  5. Leverage Federal Procurement to Improve Accountability. One successful method of improving cybersecurity has been to implement specific contracting requirements for federal government vendors. The Cybersecurity Executive Order expands cybersecurity requirements for contracts, ensuring that such standards are strengthened and standardized across federal agencies. The Department of Justice’s (“DOJ’s”) Civil Cyber-Fraud Initiative (CCFI) will hold accountable entities that knowingly put data at risk through deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, or violate obligations to monitor and report cyber incidents and breaches.
  6. Explore a Federal Cyber Insurance Backstop. The Administration will assess the need for and the potential structure of a federal response to a catastrophic cyber event, which will include analyzing current cyber insurance offerings. Input will be sought from Congress, state regulators, and industry stakeholders to determine whether such a plan is necessary and how to structure a response that stabilizes markets and aids recovery, before a catastrophic cyber event occurs.

IV. Invest in a Resilient Future 

The Strategy’s fourth pillar relies on the following five strategic objectives to accomplish the Administration’s commitment to investing in the concept of resilience in the face of near-certain cyber-attacks:

  1. Cybersecurity Research & Development. The Strategy recognizes that cyber adversaries have been weaponizing American innovation and using it against our country to steal intellectual property, sow dissent, interfere with elections, and undermine our national defenses. Because of this, the Strategy recommends that investment and innovation must go hand-in-hand with cybersecurity efforts, and that it will be critical for our government to harness emerging technologies for cybersecurity purposes as those technological advancements are made. 
  2. Securing the Technical Foundation of the Internet. Acknowledging that the very foundation of the Internet has inherent vulnerabilities that need to be addressed (specifically mentioning the Domain Name System and Border Gateway Protocol), the Strategy prioritizes protection of the multistakeholder model of Internet governance and standards development. Principles such as transparency, openness, and consensus are at the core of our nation’s values and will drive the evolution of more secure technical standards and technologies. Because of the rapid pace at which technologies are advancing, the Strategy advocates for the Federal Research and Development enterprise to direct projects to advance cybersecurity and resilience in areas such as encryption, the protection of industrial control systems, and artificial intelligence.
  3. Preparing for a Post-Quantum Future. The Strategy recommends preparation for a post-quantum future to protect the encryption systems that undergird the methods by which we protect data, authenticate users, and certify the accuracy of information. This means transitioning the nation’s cryptographic systems to interoperable quantum-resistant systems and advancing cryptographic agility so that algorithms can be replaced as new threats from quantum computing emerge. This is one area in which the Strategy specifically recommends that the private sector follow the government’s lead in preparing for a post-quantum future.
  4. Development of a Digital Identity Ecosystem. Data breaches, COVID-19 fraud, and identity theft have caused billions in losses for the federal government because we do not yet have a comprehensive, secure, and accessible digital identity system. The Strategy promotes investment in strong, verifiable, privacy-enhancing digital identity platforms that comport with the values of transparency and accountability. 
  5. Strengthen Our Cyber Workforce. Great efforts will be made to address unfilled vacancies for cybersecurity positions in workforces across the nation. The need for cybersecurity professionals across industries means that the federal government will be coordinating a comprehensive strategy for cyber education and training pathways for all persons who wish to develop a career in cybersecurity, with a particular focus on the public’s need to develop and recruit cybersecurity talent to protect critical infrastructure. The Strategy is also committed to addressing the lack of diversity in the nation’s cybersecurity workforce as “both a moral necessity and strategic imperative.” 

V. Forge International Partnerships to Pursue Shared Goals

Pillar 5 aims to “scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community” through the following five strategic objectives:

  1. Build coalitions to counter threats to our digital ecosystem. The U.S. will leverage existing partnerships, intergovernmental forums, and trade agreements to advance shared goals in cyberspace.  This includes using a variety of mechanisms, including the Declaration for the Future of the Internet (DFI), the Quadrilateral Security Dialogue (the Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), the U.S.-EU Trade and Technology Council (TTC), and the Americas Partnership for Economic Prosperity (APEP), among others. Coordination and collaboration with allies and partners are important, particularly in sharing cyber threat information, exchanging model cybersecurity practices, comparing security-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.
  2. Strengthen international partner capacity. As the U.S. builds a coalition to advance shared goals, it will also strengthen the capacity of allies and partners that support shared interests in cyberspace. To achieve this goal, the U.S. will “marshal expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective” cyber capacity. The Strategy emphasizes the importance of working with law enforcement and explains distinct actions in which the DOJ, the DOD, and the Department of State (“DOS”) will engage. Specifically, the DOJ will work with law enforcement for more robust cybercrime cooperation, the DOD will strengthen military-to-military relationships to bolster collective cybersecurity posture, and the DOS will coordinate across the whole of government to ensure that federal capacity, as well as U.S., allied, and partner interests, are strategically aligned.
  3. Expand U.S. ability to assist allies and partners. The U.S. will provide support to allies and partners to investigate, respond to, and recover from cyberattacks. The U.S. will also establish policies to determine when such support is in the national interest, develop mechanisms to identify and deploy this support, and, when needed, “rapidly seek to remove existing financial and procedural barriers to provide such operational support.”
  4. Build coalitions to reinforce global norms of responsible state behavior. The U.S. will reinforce political commitments that every member of the United Nations has made to endorse peacetime norms and refrain from cyber operations that may “intentionally damage critical infrastructure” by holding irresponsible states accountable through meaningful and collaborative consequences, such as “diplomatic isolation, economic cost, counter-cyber and law enforcement operations, or legal sanctions, among others.”
  5. Secure global supply chains for information, communications, and operational technology products and services. The Strategy recognizes that complex and globally interconnected supply chains are critical to the nation’s economy. Dependency on foreign products and services introduces a degree of risk, which must be mitigated through long-term, strategic collaboration between the public and private sectors in the U.S. and abroad. The federal government will work with allies and partners to “implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors,” making supply chains “more transparent, secure, resilient, and trustworthy.”

On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”) (the country’s first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject. In Cothron v. White Castle Systems, the court found, based on the plain language of the statute, that violations for collecting or disclosing biometric information occur at every scan or transaction. Cothron v. White Castle Sys., 2023 IL 128004. The court reached this conclusion while admitting the “absurd” implications, including that the ruling could result in damages of $17 billion. Id. at ¶ 40.

Cothron follows the recent decision in Tims v. Black Horse Carriers, Inc., which applied a uniform 5-year statute of limitations to all claims under BIPA. Tims et al. v. Black Horse Carriers Inc., case number 127801. Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.


Latrina Cothron filed a proposed class action against White Castle System, Inc. (“White Castle”), her former employer, which required employee fingerprint scans to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify and authorize access. The White Castle policy, instituted in 2004, preceded the 2008 enactment of BIPA, but White Castle did not seek consent after BIPA’s enactment until 2018. Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and distributing her fingerprint identifier without prior consent.

White Castle moved for judgment on the pleadings, arguing that Cothron’s action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect. Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.

To resolve the issue, the Court considered whether section 15(b) and 15(d) claims accrue each time an entity “scans a person’s biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission.” Cothron at ¶ 1. The relevant BIPA section, 15(b), states that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” obtains consent from the data subject. 740 ILCS 14/15. Section 15(d) states that a private entity in possession of a biometric identifier may not “disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” there is consent or the disclosure is required by law. Id.

When 15(b) and 15(d) claims accrue has important implications for both the limitations period and calculating damages because statutory damages under BIPA accrue per violation. A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation. 740 ILCS 14/20.

Illinois Supreme Court Decision

The Illinois Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.” Cothron at ¶ 30.

For BIPA section 15(b), the court examined the plain text meaning of “collect” and “capture.” Id. at ¶ 23. The court found that information can be captured or collected more than once, explaining that each time the employee used their fingerprint to access pay stubs or computer systems, the system collected the fingerprint anew. Id. Therefore, each new capture constitutes a separate claim under BIPA.

For BIPA section 15(d), the court analyzed the plain meaning of “disclose” and “redisclose.” Id. at ¶ 27. It held that “redisclose” includes repeated transmission to the same third party. Id. The court further pointed to the statutory catch-all language in BIPA providing that a violation occurs when entities “otherwise disseminate” the biometric information. Thus, each disclosure represents a new violation. Id.

The majority in Cothron recognized the decision’s impact, stating “this court has repeatedly recognized the potential for significant damages awards under the Act.” Id. at ¶ 41. The court defended the decision as consistent with legislative intent, explaining that a “substantial potential liability” would give private entities “the strongest possible incentive to conform” to the statute. Id.  The court acknowledged that “if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” Id. at ¶ 40.

Key Takeaways

Far reaching consequences

Biometric information comes in many forms, and any time it is collected from Illinois residents, it must be handled consistently with the broad proscriptions of BIPA. Critically, fingerprinting is not the only biometric information that falls under BIPA—its reach is broad. BIPA claims have involved facial recognition features used to “tag” users in photos, collecting customers’ voices in drive-throughs, remote proctoring tools for online schooling, customer hotlines, vending machines, donation centers, and even virtual glasses try-on software. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016); Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512 (N.D. Ill. 2022); Doe v. Nw. Univ., No. 21 C 1579 (N.D. Ill. 2022); Dorian v. Amazon Web Servs., Inc., No. 2:22-CV-00269 (W.D. Wash. 2022).

Potential increase in damages and settlement amounts

Liability will now depend on the number of subjects from which an organization collects data, as well as how that collection occurs. An amusement park scanning fingerprints on entry may only accrue a handful of claims per data subject, whereas an employer scanning fingerprints for each employee several times per shift, as in Cothron, may accrue hundreds of claims per subject. See Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (2019). Companies that passively collect biometric information could see an astronomical number of claims.

This increased liability risk under BIPA reinforces that companies must understand how they collect, store, use, and ultimately delete biometric information, to ensure that each step complies with BIPA.

Reduce Liability through Transparency – CONSENT IS KEY!

Organizations may be able to significantly mitigate risk through thoughtful and transparent implementation of biometric data collection. Most recent biometric litigation has centered on notice and consent. Organizations wishing to reduce liability and increase transparency can (1) obtain consent from employees before collecting biometric information and (2) maintain and publish a robust privacy policy outlining the use and retention of employee biometric information. Businesses may significantly reduce their risk of BIPA exposure by establishing a culture of transparency throughout the organization.

* * *

Crowell & Moring LLP has a robust and highly experienced team advising organizations of all sizes on compliance with biometric privacy laws. Crowell also has an extensive library of resources associated with the Illinois Biometric Privacy Act, including:

BIPA Claims Uniformly Have a 5-Year Statute of Limitations

A Statute of Limitations for BIPA Claims? We May be One Step Closer

Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Earlier this month, two courts, one in California and one in Massachusetts under two different scenarios, opined on the enforceability of browsewrap and hybridwrap agreements, providing important warnings for companies relying on such agreements to obtain legally required consent for activities such as telemarketing or to otherwise impose terms and conditions on website users. Many cases turn on the enforceability of such agreements, and companies should evaluate their use of browsewrap agreements (e.g., terms of use available through a hyperlink at the bottom of a webpage) and hybridwrap agreements to determine whether changes are appropriate to improve enforceability and mitigate legal risk.


Numerous companies rely on agreements, such as terms of use, that they form online with website users to meet legal requirements (e.g., to obtain consent), define rules for use of the website, and otherwise help limit the company’s liability. Courts generally categorize such agreements into two major groups. Clickwrap agreements require users to take an affirmative step (e.g., checking a box that says “I Agree”) to agree to the proposed terms, and courts regularly uphold them. Browsewrap agreements, in contrast, typically refer to terms that are available as a hyperlink at the bottom of a webpage and require no affirmative action from the user indicating assent. Instead, browsewrap agreements attempt to bind users solely because they appear on the visited webpage. Courts often find these agreements unenforceable unless the website owner can show the user had actual or constructive notice of the terms and conditions.

According to the Ninth Circuit in Berman, absent actual notice, a website owner can show constructive notice by demonstrating that (1) the website provides “reasonably conspicuous notice” of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.[1]

The Berman court created a two-part test for determining whether terms of use presented on a website constitute “reasonably conspicuous notice.” First, the notice must be displayed in a font size and format such that the court can fairly assume that a reasonably prudent Internet user would have seen it. For example, in Berman, the challenged language did not meet this standard because it was in “tiny gray font” and surrounded by significantly larger text and other visual elements. Second, if the terms are presented via hyperlink rather than on the webpage itself, the presence of a hyperlink must be readily apparent. Simply underlining words or phrases will generally be insufficient to alert a reasonably prudent user to the presence of a clickable hyperlink. Use of a contrasting font color or all capital letters is more likely to draw attention to the hyperlink.

Some courts have also defined a third category of agreements, hybridwrap, falling between browsewrap and clickwrap agreements. Hybridwrap agreements incorporate elements of both browsewrap and clickwrap agreements, providing greater notice of the terms and the website owner’s intent to bind the user to such terms while stopping short of requiring affirmative assent.

Heather Gaker v. Citizens Disability, LLC—Massachusetts

In Gaker,[2] Heather Gaker alleged that Citizens Disability (“Citizens”) violated the Telephone Consumer Protection Act (“TCPA”) by placing telemarketing calls to her cell phone without her prior consent, despite her having registered her number on the Do Not Call Registry. Citizens, a Massachusetts for-profit corporation that assists persons with disabilities in claiming Social Security benefits, argued that Ms. Gaker provided consent to receive telemarketing calls when she provided her personal information through a sweepstakes website (“Sweepstakes Website”) that offered a chance to win $50,000. At the bottom of the Sweepstakes Website was a box to “CONFIRM YOUR ENTRY” in addition to the following terms (“Terms”):

By clicking confirm your entry I consent to be contacted by any of our Marketing Partners, which may include artificial or pre-recorded calls and or text messages, delivered via automated technology to the phone number(s) that I have provided above including wireless number(s) that I have provided including wireless number(s) if applicable regarding financial, home, travel, health, and insurance products and services. Reply ‘STOP’ to unsubscribe from SMS service. Reply ‘Help’ for help. Standard Message & data rates may apply. I understand these calls may be generated using an autodialer and may contain pre-recorded messages and that consenting is not required to participate in the offers promoted. I declare that I am a U.S. resident over the age of 18 and agree to this site’s terms.

The words “Marketing Partners” contained a hyperlink to a page containing a list of companies, which included Citizens. A marketing vendor provided Citizens the information submitted through the Sweepstakes Website, after which Citizens placed seven calls to Ms. Gaker’s phone regarding the company’s disability services.

The TCPA prohibits telephone solicitations to a number registered on the national Do Not Call Registry unless the solicitor has obtained “prior express invitation or permission,” which must be evidenced by a “signed, written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed.”[3] Further, the TCPA defines “prior express written consent” as

an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.[4]

The agreement must contain a clear and conspicuous disclosure informing the person signing it that the person is authorizing the telemarketing calls and that signing the agreement is required as a condition of purchasing any property, goods, or services.[5] According to guidance from the Federal Communications Commission, when a question arises about whether a consumer has given consent, the telemarketer bears the burden to demonstrate that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.”[6]

Thus, the central question before the U.S. District Court for the District of Massachusetts was whether the Sweepstakes Website adequately disclosed the Terms such that Ms. Gaker gave “unambiguous consent” to be bound by the Terms. Relying on precedent on online terms and conditions, the court sided with Ms. Gaker and ordered Citizens to pay $500 per violation for a total of $3,500. The court concluded that Citizens had not met its burden to establish that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.” Salient factors in the court’s decision included the following:

  • The Terms were presented in a font smaller than other language on the page.
  • The Terms were also displayed in blue font against a blue background, with only slight variation in color between the two. No other language on the Sweepstakes Website was presented as inconspicuously, and all promotional language was presented in clearly contrasting colors.
  • The Terms appeared below the “CONFIRM YOUR ENTRY” box such that a user could click the button without ever reaching the Terms at the bottom of the page.
  • The Sweepstakes Website included images of gold coins and dollar signs in addition to other headlines and advertisements in large and legibly colored font, distracting visitors from the Terms at the bottom of the page.

Citizens argued that the appearance of the language “By clicking confirm your entry I consent to be contacted by any of our Marketing Partners” on the Sweepstakes Website, without requiring the visitor to click a hyperlink, should have sufficed to constitute clear and conspicuous disclosure. The court determined that this was insufficient due to the “totality of the page,” given the factors above, which indicated an intent to distract a reasonable user from the Terms. For these reasons, the court also determined that the Terms did not meet the Ninth Circuit’s Berman test.

In addition, Ms. Gaker was not required to indicate that she had read the Terms before submitting her information (e.g., by checking a box). Therefore, the Terms did not meet the court’s definition of a clickwrap agreement, which would carry some presumption of validity. Instead, the court characterized the Terms as a browsewrap or hybridwrap agreement, which does not carry a presumption of validity.

Arisha Byars v. The Goodyear Tire and Rubber Co., et al.— California

At the heart of Byars[7] were allegations that The Goodyear Tire and Rubber Co. (“Goodyear”) engaged in wiretapping activities in violation of the California Invasion of Privacy Act. Of relevance to this client alert, however, is the decision’s discussion of browsewrap agreements in evaluating whether Ms. Byars consented to Goodyear’s forum selection clause.

Goodyear’s Terms of Use contain a forum selection clause stating that visitors to Goodyear’s website consent to litigating claims arising from use of the website in Ohio. Goodyear argued that Ms. Byars was on notice of its Terms of Use because Goodyear’s website displays a pop-up banner to all visitors that contains three hyperlinks: one to Goodyear’s Privacy Policy, one to view “Cookie Settings,” and one to “Accept [the] Cookies.” Goodyear also argued that there is a hyperlink to its Terms of Use at the bottom of every webpage. Ms. Byars argued that she was on neither actual nor constructive notice of the Terms of Use and therefore did not consent to the forum selection clause.

After examining Ninth Circuit precedent on clickwrap and browsewrap agreements, the court sided with Ms. Byars. According to the court, Goodyear’s Terms of Use “plainly” fell into the browsewrap agreement category as Goodyear’s website does not ask visitors to accept the Terms of Use, such as through the inclusion of an “I Agree” box. In addition, the court found the location of a Terms of Use hyperlink at the bottom of every page (where the website user might not look) consistent with the Ninth Circuit’s description of browsewrap agreements.

Because the court categorized Goodyear’s Terms of Use as a browsewrap agreement, it was only enforceable if Ms. Byars had actual or constructive knowledge of the Terms of Use. Goodyear failed to persuade the court that Ms. Byars had any reason to scroll to the bottom of the webpage or otherwise viewed the Terms of Use, and Ms. Byars affirmatively alleged that she did not see the Terms of Use. For these reasons, the court determined that Ms. Byars did not consent to the Terms of Use and its forum selection clause.


Gaker and Byars underscore the reluctance of courts to enforce browsewrap and hybridwrap agreements that use illegible text and place the challenged language at the bottom of the webpage. In the case of Gaker, this extends to agreements used to obtain TCPA-required consent to place telemarketing calls. Under regimes like the TCPA, which provides for a private right of action and potentially very significant damages – $500 per call and possible treble damages – relying on a browsewrap agreement may be very costly. Fortunately for the defendant in Gaker, Citizens only placed seven telemarketing calls to the plaintiff, so the court awarded a total of $3,500 in damages, but for many other organizations heavily reliant on telemarketing to reach potential clients, the outcome could have been very different. Enforceability of terms of use is an issue that regularly comes up, and Gaker and Byars highlight the importance of presenting terms of use in a clear and conspicuous manner.

Key Takeaways

  1. While the CDA and DMCA are separate statutes, they work together to regulate online services
  2. Section 230 reform efforts could impact how Courts and commentators treat the DMCA
  3. The efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on use of the DMCA to advocate for users and websites.

Section 230 of the Communications Decency Act (CDA, codified at 47 U.S.C. § 230) and Section 512 of the Digital Millennium Copyright Act (DMCA, codified at 17 U.S.C. § 512) are separate legal structures that work together to uphold certain protections for online service providers against claims arising out of user-generated content.

Enacted into law in 1996, Section 230 serves as a foundation of internet law, allowing major social media networks, blogs, digital marketplaces, and other websites to flourish.  Section 230 provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  47 U.S.C. § 230(c)(1).  The law was written at a time when the internet was still in its infancy, and allowed the internet to grow, as one commentator has stated, from “baby to … behemoth.”

In 2011, Section 512 was adopted to provide an affirmative defense to copyright infringement claims arising out of certain content displayed online at the direction of a user. Section 512 only applies if the conditions for safe harbor have been met. Specifically, Section 512 explains that “[a] service provider shall not be liable for monetary relief, […] injunctive or other equitable relief, for infringement of copyright […] if the service provider […] upon notification of claimed infringement, […] responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.” 17 U.S.C. § 512(c). While the DMCA focuses on copyright infringement, its safe harbor provision mirrors the protections offered by Section 230.

These are important statutes impacting companies and users of online services right now.  In the context of copyright law and the DMCA, a jury in the Eastern District of Virginia found that an internet service provider did not sufficiently implement DMCA requirements and awarded Plaintiffs a $1 billion verdict, which may encourage Plaintiffs to make such arguments with more frequency.  See Sony Music Entm’t v. Cox Comm’s, Inc., No. 1:18-cv-00950 (E.D. Va. Jan. 12, 2021).  In addition, on December 30, 2022, BackGrid USA filed a copyright complaint against Twitter in U.S. District Court for the Central District of California.  BackGrid USA identifies itself as a “premier celebrity-related photograph agency,” which “provides highly sought-after images of celebrities around the world to top news and lifestyle outlets.” Complaint at 6, BackGrid v. Twitter, No. 2:22-cv-09462-KS (C.D. Cal. Dec. 30, 2022).

In its complaint, BackGrid USA makes two copyright claims:

  1. Twitter Does Not Terminate Repeat Infringers as Required for Safe Harbor Protection Under 17 U.S.C. § 512(i); and
  2. Twitter Does Not Expeditiously Remove Infringements as Required for Safe Harbor Protection Under 17 U.S.C. § 512(b)-(d).  

According to BackGrid USA, “[d]espite sending more than 6,700 DMCA takedown notices [to Twitter], not a single work was taken down and not a single repeat infringer was suspended.” BackGrid USA claims that Twitter’s failure to “expeditiously … remove, or disable access to, the material that is claimed to be infringing or to be the subject of the infringing activity” means Twitter can no longer rely on the Section 512 safe harbors. See 17 U.S.C. § 512(e).

For technology practitioners who take on cases where Section 230 and the DMCA are at issue, there are two notable takeaways related to these statutes:

First, while the CDA and DMCA are separate statutes, they work together to regulate online services.

The exemption in 47 U.S.C. § 230(e)(2) explicitly states that Section 230 has “no effect on intellectual property law.”  According to the statute, “nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.”

This has been affirmed across the United States.  Federal appellate courts recognize that “federal district courts have held that § 230(e)(2) unambiguously precludes applying the CDA to immunize interactive service providers from trademark claims.”  Almeida v. Amazon.com, Inc., 456 F.3d 1316, 1322 (11th Cir. 2006).  And in Perfect 10, Inc. v. CCBill LLC, the Ninth Circuit explained that “the immunity created by § 230(c)(1) is limited by § 230(e)(2), which requires the court to ‘construe Section 230(c)(1) in a manner that would neither ‘limit or expand any law pertaining to intellectual property.’”  Gucci Am., Inc. v. Hall & Assocs., 135 F. Supp. 2d 409, 413 (S.D.N.Y. 2001) (quoting § 230(e)(2)).  As a result, the CDA does not clothe service providers in immunity from ‘law[s] pertaining to intellectual property.’  See Almeida, 456 F.3d at 1322.” 488 F. 3d 1102, 1118 (9th Cir. 2007).

In the Gucci case, the U.S. District Court explained that “Section 230 does not automatically immunize [Internet service providers (ISPs)] from all intellectual property infringement claims.  To find otherwise would render the immunities created by the DMCA from copyright infringement actions superfluous.”  135 F. Supp. 2d at 417.  The Court explained that, “[s]imilarly, in UMG Recordings, Inc. v. Escape Media Group Inc., the New York Supreme Court denied Defendant’s argument that ‘plaintiff’s claims are barred by the “safe harbor” provision set forth in Section 512 of the [DMCA] … and that plaintiff’s claims are preempted by Section 230 of the [CDA]…’” 948 N.Y.S.2d 881, 884 (2012).

Second, Section 230 reform efforts could impact how Courts and commentators treat the DMCA. 

The last few years have ushered in efforts to amend Section 230.  For example, Senator Mark Warner (D-VA) introduced S. 299, the SAFE TECH Act, which “limits federal liability protection that applies to a user or provider of an interactive computer service (e.g., a social media company) for claims related to content provided by third parties.”  Representative Paul Gosar (R-AZ) introduced H.R. 7808, the Stop the Censorship Act, which “eliminates immunity for restricting content that is otherwise objectionable and applies such immunity when a company restricts content that is unlawful or that promotes violence or terrorism” and confers immunity to “actions taken that provide users with the option to restrict access to any material, regardless of whether such material is constitutionally protected.”  Most recently, Senator Lindsey Graham (R-SC) introduced S. 2972, a Bill to Repeal Section 230, which would eliminate Section 230 in its entirety.

In addition, President Biden announced core principles for Enhancing Competition and Tech Platform Accountability, which included removing “special legal protections for large tech platforms” and called for “fundamental reforms to Section 230.”

The efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on use of the DMCA to advocate for users and websites.

Could reforms to Section 230 change the way courts and practitioners use the DMCA or put Section 512’s safe harbor protections at risk?  Repealing Section 230 would mean that online service providers—such as social media companies, search engines, review boards, blogs, and other sites that share user-generated content—could more readily be held liable for the content they host.  In turn, the scope of liability could force them to consider limiting or excluding certain material that may be construed as illegal. While the DMCA provides a “safe harbor” to providers who remove content after being notified that it may infringe on federal copyright law, it also provides a process for users to challenge the notice and allows the web platform to restore the content.

Would repealing Section 230 increase the reliance on copyright claims and potentially overwhelm courts with a flood of litigation on challenged content? The DMCA’s protections insulate ISPs from liability only if they meet the notice-and-takedown provisions of the Act, and only with respect to claims that implicate another’s copyrights. A repeal of Section 230 or a substantial carve-out would reduce, in whole or in part, one of the twin protections currently provided to online service providers. Without Section 230, many internet services used by billions on a daily basis may become more costly: it would increase liability exposure, which would in turn lead to rising provider costs. Section 230 proponents have argued that the loss of these protections could lead to a reduction in the current ability of users to post comments, engage with social media, or rate products found online. Some services may opt to shut down.

The CDA and DMCA have been critical to the internet’s expansion to date.  How Courts construe and legislators act with respect to these laws could have lasting impacts on how the internet develops over the next decade.

For more information on Section 230 please watch Crowell & Moring LLP’s webinar, which is available online here.

Key Takeaways

  1. A Potential Increase in Claims, Costs, and Damages
  2. Reduce Liability Through Transparency

On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses collecting biometric information.[1] In Tims v. Black Horse Carriers, Inc., the court found that a longer, uniform statute of limitations for all claims under BIPA best fulfilled the legislative intent to hold private entities accountable and provide redress for data subjects.[2] The Tims decision partially reversed an appellate court’s interlocutory decision that applied a one-year statute of limitations to some sections of BIPA while applying a five-year statute of limitations to others.[3] This highly anticipated decision will allow companies to understand and manage their liability risk, and it will also likely fuel the growth of future BIPA lawsuits.

The matter arises from a class action lawsuit filed by Jorome Tims against his former employer, Black Horse Carriers, Inc. (“Black Horse”), alleging that when Black Horse scanned his fingerprints, the company violated BIPA sections 15(a), 15(b), and 15(d).

The Illinois Biometric Information Privacy Act is the country’s first comprehensive biometric privacy legislation. BIPA contains five obligations for private entities collecting biometric information: 

  • 15(a) requires entities to develop and make public an information retention policy; 
  • 15(b) prohibits a private entity from collecting biometric information without first obtaining informed consent from the data subject;
  • 15(c) prohibits a private entity from profiting from the sale of biometric information; 
  • 15(d) prohibits disclosure of biometric information without the consent of the subject; and
  • 15(e) requires entities to protect biometric information from disclosure.[4] 

Statutory damages can be steep and add up quickly, accruing per violation.[5] A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation.[6] Plaintiffs are also entitled to pursue attorney fees, and actual damages in the event the actual damages are higher than the statutory amount.[7] The courts are currently evaluating what is considered a violation under BIPA, in particular whether BIPA liability accrues per data subject or per incident – in other words, per scanned employee or per fingerprint scan. At up to $5,000 per violation, a per-incident accrual would significantly increase possible damages for entities collecting biometric data and make even small businesses liable for huge sums.

Illinois Supreme Court Decision

The Illinois Supreme Court relied on legislative intent to determine the statute of limitations for BIPA claims in Tims.[8] The court declined to apply two different limitations periods so as to “reduce uncertainty and create finality and predictability.”[9] The court contemplated the practical impact of multiple time constraints, noting that “[t]wo limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection of [BIPA].” Considering “the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in [BIPA],” the court found that the five-year catchall limitation period would best apply.[10] The court believed policy considerations were best served by a longer limitation period because of “the fears of and risks to the public surrounding the disclosure of … biometric information.” The longer limitation period would enhance the ability of an aggrieved party to seek redress and lengthen the time during which a company could be held liable for noncompliance.[11]

Key Takeaways

A Potential Increase in Claims, Costs, and Damages

The expansion of liability resulting from the extended five-year statute of limitations will open the door to an increased number of BIPA actions, expanding both the number of possible plaintiffs and the number of possible claims. All BIPA cases that had been stayed awaiting the Tims decision will now be allowed to proceed under the expanded statute of limitations. Additional cases may be brought that had previously been outside the one-year limitation. Further, cases that would have once excluded claims under 15(c) and 15(d) due to the one-year limitation may now be expanded to include such claims. Litigation under the expanded statute of limitations may be costlier given the likely increase in claims. Additionally, because damages accrue per violation under each claim, defendants may see damages increase significantly. 

Reduce Liability Through Transparency

Organizations contemplating the use of biometric technologies for personnel management should be thoughtful about transparency in their implementation, for example by (i) providing employees with the opportunity to consent to biometric data capture, and (ii) publishing a robust privacy policy that outlines the use and retention of their biometric information. A majority of the biometric litigation filed over the past two years has largely been based on the issue of notice, and organizations can significantly mitigate their risk by establishing a culture of transparency in their business.

* * *

Crowell & Moring LLP has a robust and highly experienced team advising organizations of all sizes on compliance with biometric privacy laws. Crowell also has an extensive library of resources associated with the Illinois Biometric Privacy Act, including:

A Statute of Limitations for BIPA Claims? We May be One Step Closer

Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law


[1] Tims et al. v. Black Horse Carriers Inc., case number 127801, at 10.

[2] Id.

[3] Tims v. Black Horse Carriers, Inc., 184 N.E.3d 466 (2021).

[4] 740 ILCS 14/15.

[5] 740 ILCS 14/20.

[6] Id.

[7] Id.

[8] Tims et al. v. Black Horse Carriers Inc., case number 127801.

[9] Id. at 5.

[10] Id. at 11.

[11] Id. at 13.

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.

Federal regulators are taking notice. On December 7, the Federal Energy Regulatory Commission (FERC) and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) held a joint technical conference to discuss supply chain risk management in light of increasing threats to the Bulk Power System. Multiple government participants identified the possible need to normalize the use of software bills of materials and hardware bills of materials in the electric industry. Several days later, FERC directed the North American Electric Reliability Corporation (NERC) to re-examine its Physical Security Reliability Standard, CIP-014-1. Congress, for its part, responded to growing cybersecurity threats to energy infrastructure by increasing CESER’s budget by almost 7.5% in the recent omnibus appropriations bill and appropriating $20 million for the Cyber Testing for Resilient Industrial Control Systems program.

Cybersecurity attacks on distributed energy resources (DERs) including electric vehicles are also proliferating. In its recent report, Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid, CESER identified the cybersecurity threat to DER operators, vendors, developers, owners and aggregators as posing a significant and growing risk. The Department of Energy will also soon release a report, mandated by Congress in the Infrastructure Investment and Jobs Act, identifying policies and procedures for enhancing the physical and cybersecurity of distributed resources and the electric distribution system.

The recent physical and cybersecurity incidents targeting critical infrastructure have exposed significant vulnerabilities of some companies, and both customers and the federal government are pushing the private sector to mitigate those threats as a condition for doing business.  The federal government, in particular, expects their private sector partners to adopt better security hygiene, assess supply chain risks, and prepare for quick responses to incidents, including rapid notifications to customers, regulators and the public.  Here are some best practices for energy sector companies to have on their radar for 2023:

  • Compliance with NERC’s Critical Infrastructure Protection (CIP) Standards. Violations of applicable NERC CIP reliability standards subject users, owners and operators of bulk power system facilities to civil penalties of up to $1,496,035 per violation, per day.
  • Comprehensive Assessments of Key IT and OT Systems. Conducting comprehensive assessments of current and potential system vulnerabilities is a leading cybersecurity industry practice that energy sector companies may consider adopting. They can do so by, for example, engaging in regular inventory of Information Technology and Operational Technology systems, including by assessing patch management processes, performing information security and physical risk assessments, and documenting and regularly reviewing system security plans and related operational documents.
  • Clear Roles and Responsibilities. Establishing clear cybersecurity-related roles and responsibilities can help position the enterprise to respond efficiently and effectively to cyber risk, for example by ensuring that corporate executives, the legal team, and key personnel such as the Chief Information Security Officer, the Chief Information Officer, the Chief Compliance Officer, and the Chief Privacy Officer are on notice of their respective roles and have clear guidance as to their duties both during “business as usual” operations and in the event that a potential cybersecurity incident occurs.
  • Cybersecurity Incident Response Plans. Developing a cybersecurity Incident Response Plan (or “IRP”) is a leading cybersecurity industry practice and may even be a regulatory requirement for certain companies. IRPs are “playbooks” that are developed before a cybersecurity incident occurs to provide guidance for responsible stakeholders responding to a potential incident and to guide the company through that response in an organized and effective way.  IRPs typically include key components such as individuals’ and teams’ roles and responsibilities, contact lists, details about the internal escalation process (e.g., regarding notifications to government entities), and guideposts for technical teams.  Companies may supplement their IRPs with supporting materials, for example checklists for key executives and personnel, and take steps to integrate their IRPs with other related policies, such as all-hazards crisis management plans and communications plans.
  • Cybersecurity Tabletop Exercises. Tabletop exercises are simulations designed to test a company’s response to a potential cybersecurity incident and application of their Incident Response Plan.  These exercises are often facilitated by counsel and conducted under privilege.  Notably, the Ponemon Institute, in a report issued by IBM Security, reported that companies that had incident response teams and tested their Plans with tabletop exercises or simulations incurred an average of $2.66 million less in data breach-related costs than those that did not. 
  • Supply Chain Risk Mitigation. A company’s supply chain can heighten exposure to cyber threats, including data leaks, supply chain breaches, and malware attacks; however, strategies to mitigate these risks are available, for example implementing protocols to continually assess and monitor third-party risk, understanding and controlling who has access to the company’s most valuable and sensitive data, and ensuring that third-party contracts include cybersecurity requirements.  The federal government has acknowledged the importance of addressing such supply chain risk. The 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and a 2022 OMB Memorandum both impose standards on governmental entities for the security and integrity of the software supply chain, and they also require third-party software suppliers to comply with standards issued by the National Institute of Standards and Technology whenever their software is used on government information systems or affects government information, including information shared with government contractors.
  • Information Sharing Opportunities. Last March, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requiring critical infrastructure to report significant cyber incidents and ransomware payments to the Cybersecurity & Infrastructure Security Agency (CISA) within tight time frames.  Although CISA has not yet promulgated the rules to implement CIRCIA, it has provided stakeholders with guidance about sharing cyber event information that emphasized the importance of information sharing to our collective defense and for strengthening cybersecurity for the nation. In addition to federally mandated information sharing requirements, companies may also consider sharing information in a trusted setting, including with their Information Sharing and Analysis Centers (ISACs). 


The European Commission launched the formal process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022. The framework will replace the Privacy Shield, which was invalidated by the Court of Justice of the European Union’s (“CJEU”) Schrems II ruling on July 16, 2020 (CJEU C-311/18, discussed in this client alert). The draft adequacy decision aims to foster transatlantic data flows and to address the concerns raised in Schrems II. The draft adequacy decision is therefore important for businesses on both sides of the Atlantic.

An adequacy decision is a formal decision by the European Commission which recognizes a comparable level of personal data protection to that of the European Union in a non-EU country, territory, or international organization. As a result of such decision, personal data can flow freely and safely from the European Economic Area (“EEA”) to that recognized location without being subject to any further conditions or authorizations.

The EU’s proposal to launch a formal process to adopt an adequacy decision follows President Biden’s decision to sign an Executive Order in October 2022 which introduced new binding safeguards that address concerns raised in Schrems II. In Schrems II, the CJEU held that the U.S. Privacy Shield did not provide protection that was “essentially equivalent” to that of the EU because EU residents did not have effective remedies for privacy violations and because U.S. intelligence agencies had access to the data that was too broad. In reaction to the invalidation of the Privacy Shield, the Executive Order now imposes limitations and safeguards on access to data by U.S. intelligence agencies and establishes an independent and impartial redress mechanism.

President Biden’s Executive Order forms an essential element of the draft adequacy decision and the European Commission’s assessment that the U.S. legal framework now ensures an adequate level of protection of personal data transferred from EU organizations to U.S. certified organizations.

More specifically, the European Commission considers that:

  • The EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles, issued by the U.S. Department of Commerce (“Principles”, see annex I of the draft adequacy decision) ensure effective protection that is essentially equivalent to the protection guaranteed by the GDPR;
  • The effective application of the Principles is guaranteed by transparency obligations and the administration of the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce;
  • The oversight mechanisms and redress avenues in U.S. law enable infringements of data protection rules to be identified and punished in practice and offer legal remedies to data subjects (including EU residents) to exercise their data subject rights; and that
  • Any interference in the public interest by U.S. public authorities with the fundamental rights of data subjects, particularly for criminal law enforcement and national security purposes, will be limited to what is necessary and proportionate to protect national security, and effective legal protection against such interference exists.

To benefit from the draft adequacy decision, U.S. companies will have to certify that they are participating in the EU-U.S. Data Privacy Framework on an annual basis.

The draft adequacy decision will now be reviewed by the European Data Protection Board, and by a committee composed of representatives of EU Member States under the comitology procedure. The European Parliament also has a right to scrutinize the draft adequacy decision and may do so. The European Commission can adopt the final version of the adequacy decision only after all these stakeholders have given a green light to the draft. Once the final decision is published, which is not expected before spring 2023, European companies will be able to rely on this framework for sharing data with certified companies in the U.S.

One final note: an adequacy decision is not the only mechanism to legitimize international data transfers. Companies can still rely on other transfer tools for transfers to the U.S., such as the standard contractual clauses for international data transfers adopted by the European Commission last year. The European Commission emphasizes that the safeguards that the U.S. Government has put in place in the Executive Order, namely the limitations and safeguards on data accessed by U.S. intelligence agencies, will be available for all EU transfers to U.S. organizations, regardless of the mechanism used for the specific transfer. Companies relying on the standard contractual clauses for their international transfers to the U.S. will consequently benefit from these provisions as well.

Crowell & Moring will continue to follow developments on these issues and provide ongoing updates.

On November 10, 2022, the European Parliament adopted a resolution on esports and video games. In this resolution the European Parliament calls on the Commission and the Council to acknowledge the value of the video game ecosystem as a major cultural and creative industry (“CCI”) with strong potential for further growth and innovation. The video game ecosystem has become a leading CCI all over the world, with an estimated European market size of EUR 23.3 billion in 2021, including more than 4,900 game studios and 200 game publishers. It has great potential for growth, innovation, creativity and triggering positive change for the whole CCI sector, but, the resolution suggests, it would benefit from the additional harmonized data, definitions and legal frameworks required to enable the sector to realize its full potential.

The European Parliament envisages a long-term European video game strategy, which should benefit all actors involved fairly and adequately, while considering the particularities of video game competitions in order to support EU actors and EU start-ups in the sector. The resolution notes that the European video game industry is mainly made up of small and medium-sized enterprises of vital importance to the European economy. In 2020, the industry employed approximately 98,000 people in Europe, of whom only an estimated 20% are women. Getting more women into video games and esports is a strategic priority for the European Parliament.

Definition of esports

The resolution defines ‘esports’ as “competitions where individuals or teams play video games – typically in front of spectators – either in-person or online, for entertainment, prizes or money”. The definition of esports encompasses a human element (the players), a digital element (the games), and a competitive element (the competition).

Benefits of esports and video games

Esports are an increasingly popular entertainment activity. Owing to their wide audience and digital component, video gaming and esports have significant social and cultural potential to connect Europeans of all ages, genders and backgrounds, including older people and people with disabilities. Moreover, video games and esports have great potential to further promote European history, identity, heritage, values and diversity through immersive experiences, and the European Parliament believes that they also have the potential to contribute to the EU’s soft power.

Furthermore, the European Parliament recognizes the great potential of video games and esports for use in EU educational policies and lifelong learning. Video games in the classroom often encourage students to pursue careers in science, technology, engineering, arts and mathematics, and esports can help to develop several skills that are essential in a digital society. The European Parliament insists that video games and esports can be a valuable teaching tool for actively involving learners in a curriculum and for developing digital literacy, soft skills and creative thinking.

Challenges for a truly integrated European esports and video game sector

The European Parliament sets out different areas that could be addressed by the European Commission and the Council for the creation of a truly integrated European esports and video games sector. These include, amongst others:

  1. The need to safeguard esports from problems with match-fixing, illegal gambling and performance enhancement, including doping;
  2. The protection of data privacy and cybersecurity challenges, without losing sight of the esports phenomenon;
  3. Fair consumer monetization of video games through micro-transactions, in-game currencies and loot boxes to ensure robust consumer protection;
  4. The protection of video game IP and the cross-border enforcement of IP rights of game producers;
  5. The ongoing battle against stereotypical representation of women in video games, and in general, the promotion of a framework for attaining greater equality for women in all positions in the value chain.

Need for a charter to promote European values in esports

Finally, the European Parliament distinguishes esports from sports, not least because the video games used for competitive gaming (i.e. esports) are played in a digital environment and belong to private entities that enjoy full legal control and all exclusive and unrestricted rights over the video games themselves.

However, the European Parliament stresses that it believes that both sectors can complement and learn from each other and promote similar positive values and skills, such as fair play, non-discrimination, teamwork, leadership, solidarity, integrity, antiracism, social inclusion and gender equality. To this end, the European Parliament calls on the Commission to develop a charter to promote European values in esports competitions, in partnership with publishers, team organizations, clubs and tournament organizers.

Crowell & Moring will continue to follow (e)sports-related initiatives and provide ongoing updates.