New Data Regulation
Updated: May 10
The regulation of data collection and its use marches on. Recent examples include:
Illinois has a new law that took effect on January 1. Under it, law enforcement officials cannot get household electronic data from third parties without a warrant or consent. The law protects data provided to devices primarily intended for use in a single- or multi-family dwelling. It does not include personal computers, smartphones, tablets, modems, routers, wireless access points, or cable set-top boxes. Specific exceptions to the prohibition on access apply in emergencies, but law enforcement must apply for a search warrant within 72 hours.
Information obtained in violation of the Act will be presumed inadmissible. Persons who provide household electronic data to law enforcement must take steps to protect the confidentiality, integrity, and security of the data during transmission and limit production to what is responsive to the request.
The New York City Council has enacted a law on access to customer data submitted through online food-delivery services. Under it, a food-delivery service must provide a conspicuous way for customers to request that their data not be shared. The delivery service must provide the customer data to a food-service establishment upon request unless the customer requested that their information not be shared. A food-service establishment can request customer data from the food-delivery service. Still, it cannot sell, rent, or disclose the customer data unless the customer consented to when the data was collected.
When sharing customer data, the food-delivery service must provide the data in a machine-readable format, disaggregated by the customer, on at least a monthly basis. The service cannot prevent the food-service establishment from downloading, retaining, or using the data for marketing or other purposes. The law took effect in December 2021.
Biometric Information Privacy Act
Last September, the U.S. Court of Appeals, 7th Circuit, held that a business that entered into a Collective Bargaining Agreement (“CBA”) governed by the Labor Management Relations Act (“LMRA”) might look to the CBA to determine whether the union has consented regarding how the business acquires and uses fingerprint information of its employees subject to the CBA.
A state Biometric Information Privacy Act (“BIPA”) requires private entities to obtain consent before collecting or using biometric information, including fingerprints. The lawsuit said that in 2011 the employer began requiring workers to use their fingerprints to clock in and out of work. The lower court held that the LMRA preempts a state law claim if the resolution of the claim requires the interpretation of a CBA. The appeals court affirmed.
Employers who have a unionized workforce and use, or plan to use, biometric data in connection with their employees, should determine whether the CBA addresses the employer’s use of biometric data impacting their employees.