
PH Privacy

Website Tracking Technologies Under Scrutiny: A New Liability Frontier Under the DOJ Bulk Data Transfer Rule

March 09, 2026

By Aaron Charfoos, Michelle A. Reed and William Chaskes

Even though the DOJ Bulk Data Transfer Rule[1] does not contain a private right of action, plaintiffs continue to look for new ways to bring claims against companies for alleged violations of the Rule. A recently filed complaint in the Northern District of California continues the novel strategy for plaintiffs’ attorneys pursuing claims centered on website advertising and tracking technology.[2] The suit alleges that Lenovo’s use of common website tracking technologies funneled American consumer information into advertising systems and databases that eventually resulted in the data being available to companies based in the People’s Republic of China.

The trend to date has been for website tracking technology claims to be premised on the federal Electronic Communications Privacy Act,[3] state anti-wiretapping acts, privacy and consumer protection statutes, and traditional common law causes of action. The Lenovo complaint is notable for being one of the first of these types of actions to implicate the U.S. Department of Justice’s Bulk Data Transfer Rule (and its attendant civil penalties).[4]

The DOJ Bulk Data Transfer Rule

The DOJ Bulk Data Transfer Rule aims to reduce national security risks from large‑scale transfers or access involving sensitive personal or U.S. government data to “countries of concern” or “covered persons.”[5] Among these “countries of concern” is the People’s Republic of China, to which Lenovo, a multinational technology conglomerate, has significant ties through its largest shareholders and founders.[6] The DOJ Bulk Data Transfer Rule mandates a Data Security Program and other strict requirements for any covered transaction.[7] Additionally, it imposes criminal and civil penalties. Here, violations of the DOJ Bulk Data Transfer Rule can result in civil penalties up to the greater of $386,136 or twice the amount of the transaction that is the basis of the violation.[8]

Adtech Plaintiffs’ Cases and the DOJ Bulk Data Transfer Rule

Thousands of lawsuits have been filed against organizations premised on their websites’ usage of advertising and tracking technology.[9] Until recently, these cases primarily alleged violations of state privacy and consumer protection statutes with statutory penalties as the main driver of recovery for plaintiffs. Now, the DOJ Bulk Data Transfer Rule adds a statutory penalty for plaintiffs to pursue in actions centered on advertising and tracking technology.

Companies with ownership or operations in “countries of concern” — i.e., Cuba, Iran, North Korea, Russia, Venezuela and the People’s Republic of China, including Hong Kong and Macau (PRC) — are uniquely at risk for these types of claims. In the Lenovo case, plaintiffs allege that Lenovo’s U.S. subsidiary’s use of advertising and tracking technology (including third-party tracking tools from major technology companies) results in data that is shared with Lenovo’s PRC parent company. Plaintiffs allege that Lenovo conducts the “sharing” in question with China “through its automated advertising infrastructure and associated databases,” implying that any usage of third-party advertising technology (adtech) by U.S. entities affiliated with “countries of concern” would violate the DOJ Bulk Data Transfer Rule under plaintiffs’ theory. In sum, plaintiffs allege that the corporate organization of the company and the U.S. subsidiary’s use of tracking technology on U.S. data subjects violate the DOJ Bulk Data Transfer Rule.

Key Compliance Considerations for Companies

Companies potentially subject to the DOJ Bulk Data Transfer Rule can mitigate their risk by emphasizing several key compliance considerations in their processes and risk assessments:

  • Review and assess the use of tracking pixels, software development kits or other tools on websites and mobile applications. In doing so, companies should review who is providing the tool (e.g., is the provider or vendor a “covered person”?), whether such usage could be considered a transaction or transfer of data that is subject to the DOJ Bulk Data Transfer Rule, and whether the tool is absolutely required. This review should also include regular assessment of such online tracking technologies and methods, including approval of the addition of new technologies through the same framework.
  • Assess vendor diligence policies and procedures to consider whether data flows may implicate covered persons or countries of concern and verify the identity of vendors. To the extent required, contracts governing the vendor relationship should incorporate contractual requirements and concepts to achieve compliance with the DOJ Bulk Data Transfer Rule.
  • U.S. companies with affiliates in countries of concern should determine if they are engaging in restricted transactions. If so, companies should establish and maintain a Data Security Program — and its attendant Data Compliance Program (as set out in the Cybersecurity and Infrastructure Security Agency rules) — along with complying with the other Restricted Transfer framework mandates established by the DOJ Bulk Data Transfer Rule.
  • Ensure that company websites and applications have proper disclosures on the use of cookies and other online tracking technology. Consents should be obtained when necessary to comply with state privacy and wiretapping laws. Depending on the jurisdiction, consent may need to be obtained before cookies or online tracking technology is enabled for a given user’s experience with the company website or application.

Paul Hastings’ Data Privacy & Cybersecurity practice regularly advises clients on compliance with privacy and AI laws/regulations. If you have any questions regarding the DOJ Bulk Data Transfer Rule or other privacy/AI compliance issues, please do not hesitate to contact a member of our team.

 

[2] See Christy v. Lenovo (United States) Inc., N.D. Cal., No. 3:26-cv-01133, complaint filed 2/5/26 (alleging that Lenovo’s website tracking technology does not comply with the DOJ Bulk Data Transfer Rule).

[3] 18 U.S.C. § 2510, et seq.

[4] See Porcuna v. Xandr, Inc., N.D. Cal., No. 4:25-cv-07385 and Baker v. Index Exchange, Inc., N.D. Ill., No. 1:25-cv-10517.

[5] 28 C.F.R. Part 202.

[7] See 28 C.F.R. Part 202.

[8] See 28 C.F.R. § 202.1301.

[9] See T.D. v. Piedmont Healthcare, Inc., N.D. Ga. (Aug. 28, 2025) (“Cases like this have sprouted like weeds in recent years.”).

Practice Areas

Data Privacy and Cybersecurity


For More Information

Aaron Charfoos

Partner, Litigation Department

Michelle A. Reed

Partner, Litigation Department