Major U.S. cities are becoming hotbeds for privacy enforcement.
Los Angeles’ recent lawsuit against IBM Corp. and its Weather Channel app for allegedly mining users’ location data without their consent highlights a growing list of cities that have sued some of the biggest tech companies in the nation for violating municipal and state privacy laws.
Chicago, New York, San Francisco, and Washington D.C. also have brought privacy lawsuits against Uber Technologies Inc., Equifax Inc., and Facebook Inc., among others, for their alleged mishandling of personal data.
Companies may start facing even more actions from city officials aiming to rein in rampant collection of consumer data amid a steady drumbeat of high-profile privacy scandals, attorneys told Bloomberg Law.
Cities are seeing that there “clearly are problems and failures in the protection of personal data,” Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell’s privacy practice in Los Angeles, said. Local officials are taking the stance that personal information belongs to the person, not the big tech companies, he said.
Cities and municipalities want to curb alleged data misuses and inadequate post-breach consumer response, Cynthia J. Cole, special counsel at Baker Botts in Palo Alto, Calif. specializing in data protection issues, said. Cities are stepping in because there’s no federal regulator with broad authority to proactively police corporate data practices, she said.
“Local officials in cities that have traditionally moved the needle in privacy are taking up the mantle” and will continue to apply pressure, Cole said.
The cities are focused on corporate business practices that may not match consumer privacy expectations, Braun said. Each city will examine business practices that run counter to generally accepted data collection or privacy practices before they take action, he said.
Cities will concentrate on separate privacy issues, such as geolocation tracking or biometric data collection, because emerging technology companies set up their corporate headquarters in different locations, Braun said. Cities such as San Francisco and Los Angeles that have companies collecting geolocation data, will likely focus on those privacy concerns, he said.
Los Angeles took action against IBM because of geolocation data collection through the Weather Channel app. Los Angeles City Attorney Mark Feurer alleged that IBM, through the app, didn’t give clear notice to users that collected data was transferred to third parties for marketing purposes.
Feurer brought the claims because the app is one of the most downloaded weather applications and widely used by his city’s residents. IBM has denied the allegations.
New York’s Law Department declined to comment. Rob Wilcox, communications director for the Los Angeles city attorney, highlighted the recent Weather Channel lawsuit but declined to comment further.
City legal department officials for Chicago and San Francisco didn’t respond to Bloomberg Law’s email requests for comment.
Breach, Consent Focus
Cities likely will focus on consumer-focused companies that gather vast amounts of data without clear privacy notices, attorneys said. For example, mobile apps that collect user data and use it for other purposes could see city lawsuits or enforcement actions to rein in these practices, they said.
Local authorities will go after misrepresentations or fraud in privacy policies, failures to register certain business functions with the government agency, or failing to disclose certain data collection actions, Xiaoyan Zhang, privacy and cybersecurity counsel at Reed Smith LLP, told Bloomberg Law.
City officials won’t be shy to go after tech companies that bring privacy concerns with them, attorneys said. For example, Baltimore may boost enforcement efforts against the use of police surveillance, Austin against autonomous vehicle data collection, and Seattle for tech-sector privacy failures, Braun said.
The pressure on businesses will continue as cities attract more tech companies that innovate in their data collection efforts, attorneys said.
“With rapid digitalization, privacy nowadays concerns players in almost all industries that has customers, suppliers, or employees,” Zhang said. Specifically, “the Chicago privacy ordinance focuses on online businesses, data brokers, and cellular/mobile device retailers,” she said, adding “A business in any sector could fall into the regulated category there as long as they do business online.”
Privacy attorneys said companies can guard against such lawsuits by alerting authorities about data breaches and making sure they only collect data deemed necessary for business purposes.
Federal Privacy Gap
City officials are going after tech companies, in part, because Congress hasn’t enacted a broad data privacy law, attorneys said.
Privacy legislation, such as city ordinances and state-level laws, has been rising on the local level, Cole said. Consumer groups can mobilize around local privacy issues and pressure city officials to get things done, she said.
Companies should keep an eye on New York and New Jersey, where cities could start bringing privacy actions, Cole said. Both states are considering sweeping privacy legislation for the first time, and city officials may be interested in using any new powers to regulate tech companies, she said.