Photo of Thea McCullough

Thea McCullough

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to regulatory inquiries, and compliance obligations under federal and state privacy regulations, including biometric privacy laws. She also represents clients before the Federal Trade Commission in privacy enforcement actions and in consumer protection litigation.

Thea draws on her past experience across all branches of government to inform her practice and to advise clients on public policy matters. Most recently, Thea served as a clerk for the U.S. District Court for the Eastern District of Texas. Prior to beginning her legal career, Thea served as the communications director for the White House National Space Council, where she spearheaded messaging campaigns for Presidential Space Policy Directives and the administration's civil, commercial, and defense space policy initiatives, and previously as the communications director for the U.S. House Committee on Science, Space, and Technology, where she managed the communications team and developed messaging strategies for policy and legislation covering several issue areas, including cybersecurity, advanced technologies, space, energy, environment, and oversight. She also served as a national spokesperson for President Trump's 2020 campaign.

Thea is admitted to the DC Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.

U.S. Senate Majority Leader Chuck Schumer (D-NY) yesterday, July 23, initiated procedural steps that will likely lead to swift Senate passage of the Kids Online Safety Act (“KOSA”) and the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”).  Both bills have been under consideration in the Senate and the House of Representatives for some time, which we have previously covered.  Schumer’s action will likely bring the two bills in a single package to the Senate Floor as soon as Thursday, June 25. The future of the legislation in the House, however, is less certain.

KOSA, led by Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.), would, in its current form (S.1409), require specified “covered platforms” to implement new safeguards, tools, and transparency for minors under 17 online.  These covered platforms:

  • Would have a duty of care to prevent and mitigate enumerated harms.
  • Must have default safeguards for known minors, including tools that: limit the ability of others to communicate with minors; limit features that increase, sustain, or extend use of the platform by the minor; and control personalization systems.
  • Must provide “readily-accessible and easy-to-use settings for parents” to help manage a minor’s use of a platform.
  • Must provide specified notices and obtain verifiable parental consent for children under 13 to register for the service.

KOSA also requires government agencies to conduct research on minors’ use of online services, directs the Federal Trade Commission (“FTC”) to issue guidance for covered platforms on specific topics, and provides for the establishment of a Kids Online Safety Council.  The FTC and state attorneys general would have authority to enforce the law, which would take effect 18 months after it is enacted.

In a press conference yesterday, Blumenthal and Blackburn touted 70 bipartisan Senate cosponsors and called for quick Senate passage of the bill without further amendment.Continue Reading KOSA, COPPA 2.0 Likely to Pass U.S. Senate

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).

BIPA prohibits private entities from collecting or capturing “a person’s or a customer’s biometric identifier or biometric information” without first obtaining the subject’s informed consent, among other requirements. 740 ILCS 14/15(b). BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and defines “biometric information” as any information “based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10.

In dismissing the complaint, the court agreed with X’s arguments that Plaintiff failed to plausibly allege (1) that the PhotoDNA software collects scans of facial geometry and (2) that the hashes identified photo subjects. First, the court rejected Plaintiff’s “conclusory” assertion that the creation of a hash from a photo that includes a person’s face “necessitates” creating a scan of facial geometry, saying, “The fact that PhotoDNA creates a unique hash for each photo does not necessarily imply that it is scanning for an individual’s facial geometry when creating the hash.” Id. at *2. The court distinguished Plaintiff’s allegation from those that withstood dismissal in a different case in which the plaintiff alleged that scans of photos “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.” Id. at 3 (quoting Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1091 (N.D. Ill. 2017)).Continue Reading Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals