Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

nies’ terms of service against them. Specifically, by assembling hundreds or thousands of consumers through online advertising campaigns in bringing CIPA, VPPA or other privacy claims with statutory damages attached, these attorneys have used the threat of pursuing mass arbitrations to force exorbitant settlements based on the prohibitive cost of paying for individualised arbitrations – costs that largely fall on the company. Even with claims that are dubious on the merits, settlement often makes sense because reaching the merits requires advancing significant fees to the arbitral forum. While companies have been fighting back by modifying their terms to allow for grouped or batched arbitrations where mass claims are threatened, the arbitral bodies have been slow to adjust to plaintiffs’ increased willingness to weaponise the arbitration process, and courts that have reviewed the new provisions have expressed skepticism relating to enforceability.

3. Data Regulation on IoT Providers, Data Holders and Data Processing Services

3.1 Objectives and Scope of Data Regulation

The USA has not enacted a federal law like the EU Data Act, which aims to foster innovation and support the provision of services by making data more accessible and usable. Federal agencies and state legislatures have been active in this area, however. For instance, the CFPB recently issued its Personal Financial Data Rights rule (also frequently referred to as the “Open Banking” rule or the 1033 rule after the section of the Consumer Financial Protection Act that it implements), which requires certain financial institutions to make transaction data available to consumers (and third parties acting with consumers’ authorisation) in a standardised format that would enable use of that data by other entities in the financial services ecosystem. In addition, state privacy laws typically give consumers the right to obtain their personal data free of charge and in a format that enables portability so that they can transfer their personal data to another service. These laws are designed to foster both competition and innovation in the digital economy.

Regarding regulations governing internet of things (IoT) providers, the USA has focused more on the security of IoT devices than on the ability of such devices to make data available for use by others. For instance, the IoT Cybersecurity Improvement Act of 2020 directed the National Institute of Standards and Technology (NIST) to develop standards and guidelines for the federal government on the appropriate use and management of IoT devices “owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices”. While this legislation regulates federal government procurement practices, it will nonetheless have an impact on the consumer marketplace as manufacturers that sell such devices to the federal government adjust their practices according to NIST guidelines.

In addition, two states – California and Oregon – have passed legislation mandating that manufacturers of IoT devices sold in those states ensure, among other things, that such devices have “reasonable security features” to protect the device and any information “from unauthorised access, destruction, use, modification or disclosure”. Other states have proposed similar legislation.
