Privacy Recent Case Harv. L. Rev. 1724

Hunstein v. Preferred Collection & Management Services, Inc.

Eleventh Circuit Tightens TransUnion's Standing Requiremnents for Statutory Harms.

Comment on: 48 F.4th 1236 (11th Cir. 2022)

Download
See Footnotes

The robust doctrine known as Article III standing derives from the Constitution’s limit that federal courts may decide only “Cases” and “Controversies.”1 In 2021, the Supreme Court decided TransUnion LLC v. Ramirez,2 holding that violations of statutory rights alone are not always sufficient to establish standing.3 To meet standing’s concrete injury requirement, an alleged statutory harm must be closely analogous to a harm traditionally recognized at common law.4 Recently, in Hunstein v. Preferred Collection & Management Services, Inc.,5 the Eleventh Circuit interpreted TransUnion to require plaintiffs to meet each of the “essential element[s]”6 of the common law analogue.7 While the court acceptably applied TransUnion, the decision reflects a trend in which the judiciary has made it increasingly difficult for plaintiffs to establish standing in privacy litigation. As new technologies transform in ways that either evolve faster than or do not comport with existing invasion of privacy torts, the effect of Hunstein’s strict “essential elements” test is to close off federal courts as an important remedial route for enforcing federal privacy rights.

Following his son’s medical treatment at Johns Hopkins All Children’s Hospital, Richard Hunstein failed to pay the resulting hospital bill.8 The hospital transferred the debt to a collection agency, Preferred Collection and Management Services.9 Preferred, in turn, hired a commercial mail vendor, CompuMail Information Services, Inc., to communicate with Hunstein.10 Preferred provided CompuMail with personal information about Hunstein, including his name, his son’s name, and the amount due.11 CompuMail used this information to populate a form, which it then mailed to Hunstein in a letter.12

Upon receiving the letter, Hunstein sued Preferred, alleging that it violated the Fair Debt Collection Practices Act13 (FDCPA) by disclosing personal information about his debt to CompuMail.14 The FDCPA forbids communicating, “in connection with the collection of any debt, with any person other than the consumer.”15 Hunstein argued that Preferred had violated this provision by transmitting “sensitive medical information” to a third-party vendor.16

The district court granted Preferred’s motion to dismiss for failure to state a claim.17 The court found that Hunstein had not sufficiently alleged that Preferred’s actions violated the FDCPA because the data transmission did not qualify as a communication “in connection with the collection of any debt.”18

On the first appeal, a panel of the Eleventh Circuit requested supplemental briefing on standing.19 The panel agreed with the district court that Hunstein had standing20 but reversed the dismissal for failure to state a claim.21 However, after the Supreme Court issued TransUnion,22 the panel vacated its own opinion, though it issued a new opinion that ultimately reached the same result.23 The Eleventh Circuit then voted to take the case en banc.24

The Eleventh Circuit vacated and remanded.25 Writing for the majority, Judge Grant26 held that Hunstein failed to allege a concrete harm and thus lacked standing.27 She explained that TransUnion requires that a new harm be “similar to an old harm.”28 While an exact duplicate is not required, new allegations “cannot be missing an element ‘essential to liability’ under the comparator tort.”29 Judge Grant concluded that Hunstein’s new alleged harm (disclosure to a private party) was insufficiently similar to the cited traditional harm (disclosure to the public).30

Judge Grant began by outlining the constitutional foundations for standing.31 Article III’s “‘Cases’ and ‘Controversies’” limitation requires injury in fact and not merely injury in law.32 While Congress can elevate intangible harms to legally cognizable injuries by enshrining them in statutes,33 courts cannot hear causes of action based on legal violations that are inherently nonharmful.34 TransUnion managed this separation of powers tension by comparing new statutory causes of action with traditional common law harms.35 Judge Grant interpreted this rule as requiring an element-by-element comparison.36

Applying this rule to the facts of Hunstein’s case, Judge Grant rejected Hunstein’s comparison with the common law tort of public disclosure because Hunstein’s case lacked the essential element of being “public.”37 She found nothing in Hunstein’s complaint indicating that Hunstein’s personal information would reach any party besides CompuMail.38 Rather, the information went straight back to his own home.39 Further, the information was automatically populated into a standard form, suggesting that even CompuMail employees, despite having access, may not have read the information.40 Therefore, Judge Grant characterized the facts as “an electronic transfer between two companies.”41 Hunstein was “simply no worse off” from Preferred’s actions, and thus there was no harm.42

Judge Grant concluded by briefly responding to the dissent’s accusation that this holding would create a circuit split.43 She highlighted that some of the dissent’s cited cases preceded TransUnion while others were decided afterwards.44 Further, the cited cases differed in their facts, alleged harms, and common law analogues, so the dissent’s assertion that they employed a uniform test was faulty.45

Chief Judge William Pryor concurred.46 He wrote separately to reject the dissent’s assertion that the only element in dispute was “publicity.”47 Instead, he argued that all three elements of the traditional harm of public disclosure were absent from Hunstein’s case.48 Taken together, Hunstein’s injury was a “mere personal offense.”49

Judge Newsom dissented.50 First, Judge Newsom argued that the majority’s holding conflicted with TransUnion.51 He began by emphasizing the difference in procedural posture.52 TransUnion was a ruling on the merits whereas Hunstein’s case was on a motion to dismiss, requiring the court to accept the facts alleged by Hunstein as true and draw reasonable inferences in his favor.53 Instead, the court chose to assume that no CompuMail employees saw his information, despite Hunstein not having had the benefit of a trial to negate this inference.54 Judge Newsom also argued that the majority’s “essential element” framework would be functionally equivalent to the “exact duplicate” test rejected by TransUnion.55 Further, he criticized the majority for never convincingly explaining why the near falsity (misleading information) in TransUnion was “close enough,” but Hunstein’s near publicity was not.56 Second, Judge Newsom outlined the “kind-degree” framework employed by sister circuits,57 arguing that this framework better preserves congressional flexibility than does the majority’s “essential elements” test.58 Finally, Judge Newsom emphasized that Preferred had “disclosed information . . . to the employees of an unauthorized third-party mail house.”59 This fact was key to Judge Newsom’s argument that there had been public disclosure of private information because a large number of employees at the mail vendor could have seen or did see Hunstein’s private information.60

While Hunstein’s “essential elements” test for injury in fact falls within the acceptable scope of TransUnion’s rule, it reflects the larger trend of increasingly stringent standing requirements that make it difficult for plaintiffs to seek remedial action in the federal courts.61 The ramifications are especially salient in privacy litigation, where invasive new technologies and data-collection practices transform faster than privacy torts in common law can accommodate. TransUnion, as applied in Hunstein, creates a test for standing that is likely to leave victims of violations of federal privacy statutes without a cause of action in federal courts.

TransUnion’s rule statement on Article III standing is vague, specifying only that a new statutory harm must be “close enough” to a traditional common law harm.62 In TransUnion itself, the Supreme Court held that misleading statements were close enough to the false statements required for defamation, but that their lack of dissemination failed defamation’s publicity requirement.63 But as the application of TransUnion in Hunstein shows, the contours of the Court’s reasoning are unclear. For example, how does a court determine which elements of a traditional harm are “essential” and which are not?64 And once the essential elements are defined, is “close enough” a descriptive term for when a new harm meets all the essential elements? Or is “close enough” a standard to strive toward for each of the individual essential elements? The Court did not announce a definitive standard, and so Hunstein’s interpretation — which is that “close enough” is a descriptive term for meeting all the essential elements65 — is not a misapplication of TransUnion but instead a natural consequence.

Hunstein’s holding, however, limits access to federal courts for plaintiffs suing for breaches of federal data privacy rights. By requiring that plaintiffs demonstrate each of the individual essential elements of common law claims, the Eleventh Circuit has entrenched the standing inquiry in the form of common law that is “traditional” — that is, what has already been written into black letter law.66 Existing privacy torts, however, do not adequately cover new technology-enabled harms.

The four traditional privacy torts are (1) public disclosure of private facts, (2) publicity that places a person in a false light in the public eye, (3) intrusion upon seclusion, and (4) appropriation of a person’s name or likeness for the defendant’s advantage.67 New privacy harms are fundamentally different in kind from these existing privacy torts because of the rapidly evolving capacity of data aggregation, which, rather than a discrete invasion, is more akin to long-term and broad-reaching surveillance.68 The following paragraphs explain the insufficiency of the four existing torts in turn, using Flo as an illustrative example.

Flo, a consumer app, collects users’ menstrual health and fertility data, which can then be used to calculate and predict myriad behavioral patterns on an individual and aggregate scale.69 Flo Health, the company behind the app, sold access to its users’ data to third parties, which led to enormous backlash from the public70 and a settlement with the FTC.71 Under Hunstein, Flo users likely could not pursue private rights of action under federal law because the company’s actions do not meet the essential elements of the four traditional privacy torts.

The first and second torts — public disclosure of private facts and publicity placing a person in a false light — both require publicity to establish a viable cause of action.72 Thus, private data transfers, even massive exchanges of user data between large corporations like Flo Health and third-party advertisers, would not be sufficient to establish concrete injury for standing under Hunstein.

The third tort — intrusion upon seclusion — protects the right to stay out of the public eye.73 One of its essential elements, secrecy, requires that the information into which the defendant is alleged to have pried be strictly private.74 The tort typically requires an intentional intrusion into a private space, conversation, or data source without the plaintiff’s permission.75 Under this view, since the users voluntarily provided their information to Flo Health, Flo Health cannot be found to have intruded without permission into the users’ space. Even under a broader conception of this tort that includes disclosures to third parties, however, “[m]any courts have found that the collection — and even disclosure to certain third parties — of personal information about the users . . . may not constitute a sufficiently ‘egregious breach of social norms’” to make out an intrusion upon seclusion claim.76 As a result, the secrecy requirement would not be satisfied, and a plaintiff could not establish standing under this tort.

Finally, the fourth tort — appropriation of likeness — protects the commercial interests of an individual in their name or likeness.77 For example, this tort prevents a business from using a photograph of an individual’s face without their consent in an advertisement. This tort has gained traction in recent years as an avenue of protection for consumer privacy.78 However, an essential element of this tort is the appropriation of a trait that can identify the plaintiff, such as by depicting a unique trait of the plaintiff’s, like a name or face.79 This would not adequately cover the menstrual and fertility data collected by Flo Health, nor other forms of highly sensitive data like geolocation information, religious convictions, political beliefs, and so on.80 However, while these individual data points are not enough to identify a person, companies can aggregate them to predict and shape future behaviors without ever crossing the threshold of associating the data with a specific individual.81

In sum, existing privacy torts are insufficient to cover harms posed by modern data-collection and bartering practices. As the example of Flo Health illustrates, Hunstein’s holding has the effect of closing off federal courts as a venue for remedying violations of federal privacy rights. While there are enforcement mechanisms that are not private rights of action under federal law, such as settlement with executive agencies and statutory remedies under state law, federal private rights of action are nevertheless important avenues for redress. Not all states have consumer privacy statutes,82 and federal administrative enforcement is both constrained by resources and dependent on policy preferences of the presidential administration.83

The Eleventh Circuit’s interpretation of TransUnion in Hunstein falls within the acceptable scope of the Supreme Court’s standing doctrine. However, the decision reflects the judiciary’s trend of creating increasingly high hurdles for plaintiffs to surmount in establishing standing in privacy suits. The traditional causes to which statutory privacy causes of action might be analogized are insufficient to capture modern harms, particularly as conceptions of privacy rights evolve with new technologies at speeds too fast for the common law to adequately keep up with. The slew of new state privacy laws84 and FTC enforcement actions85 in the past five years is an indication of dissatisfaction with gaps in common law. In a post-TransUnion world, circuit court decisions like Hunstein indicate that plaintiffs seeking to vindicate privacy rights likely will not be able to turn to federal courts.

Footnotes

  1. ^ U.S. Const. art. III, § 2. Standing generally has three elements: (1) an injury in fact, (2) a causal link between the injury and the defendant’s alleged violation, and (3) an avenue for redress through judicial relief. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2203 (2021) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)).

    Return to citation ^

  2. ^ 141 S. Ct. 2190.

    Return to citation ^

  3. ^ Id. at 2205–06.

    Return to citation ^

  4. ^ Id. at 2204.

    Return to citation ^

  5. ^ 48 F.4th 1236 (11th Cir. 2022) (en banc).

    Return to citation ^

  6. ^ Id. at 1248.

    Return to citation ^

  7. ^ Id. at 1245.

    Return to citation ^

  8. ^ Id. at 1240; id. at 1257 (Newsom, J., dissenting).

    Return to citation ^

  9. ^ Id. at 1240 (majority opinion).

    Return to citation ^

  10. ^ Id. at 1257 (Newsom, J., dissenting).

    Return to citation ^

  11. ^ Id. at 1240 (majority opinion).

    Return to citation ^

  12. ^ Id.

    Return to citation ^

  13. ^ 15 U.S.C. §§ 1692–1692p.

    Return to citation ^

  14. ^ Hunstein, 48 F.4th at 1240.

    Return to citation ^

  15. ^ 15 U.S.C. § 1692c(b). The Act also permits communication with the consumer’s attorney, a consumer reporting agency (if otherwise permitted by law), the creditor, the creditor’s attorney, and the debt collector’s attorney. Id.

    Return to citation ^

  16. ^ Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 17 F.4th 1016, 1021 (11th Cir. 2021).

    Return to citation ^

  17. ^ Hunstein v. Preferred Collection & Mgmt. Servs., Inc., No. 19-cv-983-T-60, 2019 WL 5578878, at *3 (M.D. Fla. Oct. 29, 2019).

    Return to citation ^

  18. ^ Id.

    Return to citation ^

  19. ^ Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 994 F.3d 1341, 1345 (11th Cir. 2021).

    Return to citation ^

  20. ^ Id. at 1348–49. On Article III standing, Judge Newsom concluded that Hunstein’s FDCPA violation was sufficiently analogous to the tort of public disclosure of private facts because prior cases had recognized the general right to privacy, especially against disclosures by entities, like debt collectors, that hold sensitive personal information. Id. at 1347–48. The court also referenced the congressional purpose of the FDCPA as protecting against “invasions of individual privacy.” Id. at 1347 (quoting 15 U.S.C. § 1692(a)).

    Return to citation ^

  21. ^ Id. at 1352.

    Return to citation ^

  22. ^ Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 17 F.4th 1016, 1020 (11th Cir. 2021).

    Return to citation ^

  23. ^ Id.

    Return to citation ^

  24. ^ Hunstein, 48 F.4th at 1241.

    Return to citation ^

  25. ^ Id. at 1250. The court vacated the dismissal for failure to state a claim and remanded with instructions to dismiss the case without prejudice for lack of standing. Id.

    Return to citation ^

  26. ^ Judge Grant was joined by Chief Judge William Pryor and Judges Tjoflat, Wilson, Branch, Luck, Lagoa, and Brasher.

    Return to citation ^

  27. ^ Hunstein, 48 F.4th at 1250.

    Return to citation ^

  28. ^ Id. at 1242 (quoting Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931 (11th Cir. 2020)).

    Return to citation ^

  29. ^ Id. (quoting TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2209 (2021)).

    Return to citation ^

  30. ^ Id.

    Return to citation ^

  31. ^ See id.

    Return to citation ^

  32. ^ Id. (quoting U.S. Const. art. III, § 2).

    Return to citation ^

  33. ^ Id. at 1243 (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 578 (1992)).

    Return to citation ^

  34. ^ See id.; TransUnion, 141 S. Ct. at 2220 (Thomas, J., dissenting) (quoting Summers v. Earth Island Inst., 555 U.S. 488, 496–97 (2009)). In other words, while statutes are instructive for courts, they do not warrant total deference.

    Return to citation ^

  35. ^ Hunstein, 48 F.4th at 1243 (citing TransUnion, 141 S. Ct. at 2204).

    Return to citation ^

  36. ^ See id. at 1244 (quoting TransUnion, 141 S. Ct. at 2209–10); id. at 1245, 1248.

    Return to citation ^

  37. ^ Id. at 1245.

    Return to citation ^

  38. ^ See id. Hunstein chose not to amend his complaint to allege more than a pure statutory violation. See id. at 1247.

    Return to citation ^

  39. ^ Id. at 1248.

    Return to citation ^

  40. ^ Id. at 1247.

    Return to citation ^

  41. ^ Id.

    Return to citation ^

  42. ^ Id. at 1250.

    Return to citation ^

  43. ^ Id. at 1249.

    Return to citation ^

  44. ^ Id.

    Return to citation ^

  45. ^ Id.

    Return to citation ^

  46. ^ Id. at 1250 (W.H. Pryor, C.J., concurring). Chief Judge Pryor was joined by Judge Tjoflat.

    Return to citation ^

  47. ^ Id.

    Return to citation ^

  48. ^ Id. The three elements are (1) that an individual actually read the private information, (2) that the information reached the public, and (3) that the disclosure would be “highly offensive” to a reasonable person. Id. (quoting Restatement (Second) of Torts § 652D (Am. L. Inst. 1977)).

    Return to citation ^

  49. ^ Id. at 1256.

    Return to citation ^

  50. ^ Id. (Newsom, J., dissenting). Judge Newsom was joined by Judges Jordan, Rosenbaum, and Jill Pryor. Of note, Judge Newsom wrote the panel opinion that the en banc court vacated. Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 17 F.4th 1016, 1020 (11th Cir. 2021).

    Return to citation ^

  51. ^ Hunstein, 48 F.4th at 1259 (Newsom, J., dissenting).

    Return to citation ^

  52. ^ Id. at 1260.

    Return to citation ^

  53. ^ See id. at 1260, 1270.

    Return to citation ^

  54. ^ See id. at 1260.

    Return to citation ^

  55. ^ Id. at 1261.

    Return to citation ^

  56. ^ Id. at 1262.

    Return to citation ^

  57. ^ Id. at 1264 (citing Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 17 F.4th 1016, 1024–26 (11th Cir. 2021)).

    Return to citation ^

  58. ^ Id. Under this test, a plaintiff must show similarity in kind but not identicality in degree of harm. Id.

    Return to citation ^

  59. ^ Id. at 1269.

    Return to citation ^

  60. ^ See id. at 1269–71.

    Return to citation ^

  61. ^ See Ignacio Cofone, Privacy Standing, 2022 U. Ill. L. Rev. 1367, 1371–75 (“[N]umerous privacy cases have turned on standing, often being dismissed for lack of injury-in-fact based on a narrow definition of concrete injury . . . .” Id. at 1374.).

    Return to citation ^

  62. ^ TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2221 (2021) (Thomas, J., dissenting). Other Supreme Court cases and Eleventh Circuit precedent do not provide much more guidance. See, e.g., Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016) (holding that a “bare procedural violation” does not constitute actual harm); Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 925 (11th Cir. 2020) (explaining that, for statutory violations to qualify for standing, the statute must create an entitlement from the government to a private plaintiff).

    Return to citation ^

  63. ^ See TransUnion, 141 S. Ct. at 2208–09.

    Return to citation ^

  64. ^ Under the facts of TransUnion, was the Court’s conclusion that falsity is not an essential element? Or that falsity is an essential element, but misleading statements are similar enough to false statements to satisfy the common law test? This question is part of the confusion raised by Judge Newsom in his dissent. See Hunstein, 48 F.4th at 1262 (Newsom, J., dissenting).

    Return to citation ^

  65. ^ Id. at 1248 (majority opinion).

    Return to citation ^

  66. ^ Cf. Muransky, 979 F.3d at 931.

    Return to citation ^

  67. ^ See Restatement (Second) of Torts § 652A (Am. L. Inst. 1977).

    Return to citation ^

  68. ^ See Cofone, supra note 61, at 1389–91 (describing a “continuum” of privacy loss, id. at 1389); Hannah Harris, Comment, Intrusion upon Seclusion and Data Privacy: Shifting the Analysis for a New Problem, 23 Tul. J. Tech. & Intell. Prop. 101, 109 (2021).

    Return to citation ^

  69. ^ Alisha Haridasani Gupta & Natasha Singer, Your App Knows You Got Your Period. Guess Who It Told?, N.Y. Times (Jan. 28, 2021), https://www.nytimes.com/2021/01/28/us/period-apps-health-technology-women-privacy.html [https://perma.cc/WHX5-HDD4]; see also Rina Torchinsky, How Period Tracking Apps and Data Privacy Fit into a Post–Roe v. Wade Climate, NPR (June 24, 2022, 3:06 PM), https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps [https://perma.cc/F6B9-WLHH].

    Return to citation ^

  70. ^ See Jessy Edwards, Menstrual App Flo Accused of Sharing Private Health Info with Facebook, Google in Third Lawsuit, Top Class Actions (Sept. 9, 2021), https://topclassactions.com/lawsuit-settlements/privacy/menstrual-app-flo-accused-of-sharing-private-health-info-with-facebook-google-in-third-lawsuit [https://perma.cc/W6U4-P42R].

    Return to citation ^

  71. ^ See Press Release, FTC, FTC Finalizes Order with Flo Health, A Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others (June 22, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google [https://perma.cc/L66S-KY83].

    Return to citation ^

  72. ^ Restatement (Second) of Torts § 652D (Am. L. Inst. 1977) (defining public disclosure of private facts as “giv[ing] publicity to a matter concerning the private life of another” (emphasis added)); id. § 652E (defining publicity placing a person in a false light as “giv[ing] publicity to a matter concerning another that places the other before the public in a false light” (emphasis added)).

    Return to citation ^

  73. ^ See, e.g., Lovgren v. Citizens First Nat’l Bank of Princeton, 534 N.E.2d 987, 989 (Ill. 1989) (“[T]he core of [intrusion upon seclusion] is the offensive prying into the private domain of another.”).

    Return to citation ^

  74. ^ See Harris, supra note 68, at 108–09.

    Return to citation ^

  75. ^ See Opperman v. Path, Inc., 87 F. Supp. 3d 1018, 1058–59 (N.D. Cal. 2014) (listing examples of intrusion upon seclusion).

    Return to citation ^

  76. ^ In re Google Assistant Priv. Litig., 457 F. Supp. 3d 797, 830 (N.D. Cal. 2020) (citing In re Google, Inc. Priv. Pol’y Litig., 58 F. Supp. 3d 968, 988 (N.D. Cal. 2014); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012)); see also Harris, supra note 68, at 108–11. Some may argue that a terms-of-use agreement would suffice to hinder companies from bartering data, as plaintiffs could sue under breach of contract. However, this would still leave companies the option not to create terms of use to begin with. A federal privacy statute imposing such duties upon companies would help close this loophole.

    Return to citation ^

  77. ^ See Restatement (Second) of Torts § 652C (Am. L. Inst. 1977).

    Return to citation ^

  78. ^ See, e.g., Lisa Raimondi, Note, Biometric Data Regulation and the Right of Publicity: A Path to Regaining Autonomy over Our Commodified Identity, 16 U. Mass. L. Rev. 198, 218–24 (2021) (suggesting that the “right of publicity action,” id. at 224, could be used to protect consumers’ data); Jason M. Schultz, The Right of Publicity: A New Framework for Regulating Facial Recognition, 88 Brook. L. Rev. (forthcoming 2023) (manuscript at 4–5), https://ssrn.com/abstract=4243000 [https://perma.cc/M4ZM-BDSW].

    Return to citation ^

  79. ^ See Restatement (Second) of Torts § 652C cmt. a (Am. L. Inst. 1977); see also Note, In the Face of Danger: Facial Recognition and the Limits of Privacy Law, 120 Harv. L. Rev. 1870, 1877–78 (2007).

    Return to citation ^

  80. ^ While unprotected by traditional privacy torts, these forms of data are increasingly seen as highly sensitive and personal, as evidenced by their inclusion in the General Data Protection Regulation of the European Union (EU). See What Personal Data Is Considered Sensitive?, Eur. Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en [https://perma.cc/69V5-Y8RC] (listing sensitive data categories, including “political opinions” and “religious or philosophical beliefs,” for the EU’s General Data Protection Regulation).

    Return to citation ^

  81. ^ See, e.g., Kate Kaye, Recent FTC Chair Signals Push for Rules on Data Collection and Dark Patterns that Sidestep Congress, Digiday (June 18, 2021), https://digiday.com/marketing/recent-ftc-chair-signals-push-for-rules-on-data-collection-and-dark-patterns-that-sidestep-congress [https://perma.cc/775B-43EV].

    Return to citation ^

  82. ^ Anokhy Desai, US State Privacy Legislation Tracker, IAPP (Feb. 10, 2023), https://iapp.org/resources/article/us-state-privacy-legislation-tracker [https://perma.cc/3VH5-KE5H].

    Return to citation ^

  83. ^ See, e.g., The State of Privacy: Does the US Need a Federal Privacy Law?, Legal 500: GC Mag., https://www.legal500.com/gc-magazine/feature/the-state-of-privacy [https://perma.cc/J9W7-CXMU].

    Return to citation ^

  84. ^ See, e.g., California Consumer Privacy Act, 2018 Cal. Stat. 1807 (codified at Cal. Civ. Code §§ 1798.100–.199.100 (West 2022)); Colorado Privacy Act, 2021 Colo. Sess. Laws 3445 (codified at Colo. Rev. Stat. §§ 6-1-1301 to -1313 (2022)).

    Return to citation ^

  85. ^ See Privacy and Security Enforcement, FTC, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement [https://perma.cc/M8V5-EL4J] (listing enforcement actions within the last five years pursued by the FTC under privacy and data security).

    Return to citation ^
Download
Topics:

April 9, 2023

More from this Issue

See Full Issue