In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.

Continue Reading A Cautionary Tale: FTC and OCR Publish Warning Letters Regarding the Use of Third-Party Tracking Technologies

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.
Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.

Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On November 16, 2022, the Digital Services Act (DSA) took effect across the European Union (EU). The DSA establishes new regulations applicable to “online intermediaries,” such as online marketplaces, social network platforms, and internet service providers. The DSA was implemented to encourage market growth and establish clear and transparent accountability for digital spaces. Although the DSA has been in effect for nearly eight months, the European Parliament (“Parliament”) has allowed for a transitional period before full application. This transitional period ends on February 17, 2024. Beginning on this date, organizations must have the requisite procedures in place to address DSA requirements.

Continue Reading Full Steam Ahead: EU’s Digital Services Act Creates Global Impact

Last week, the US Securities and Exchange Commission (SEC) voted 3-2 on a series of rules relating to cybersecurity disclosures, including a new requirement for public companies to publicly disclose “significant impacts” of cyber-attacks within four days. Public companies would be well-served to review the new requirements immediately to form a plan of action to address the newly approved rules.

Continue Reading SEC Approves Transformative Cybersecurity Disclosure Requirements

On June 30, 2023, California Superior Court Judge James P. Arguelles held that the California Privacy Protection Agency (the “Agency”) cannot enforce any violation for the Agency’s regulations issued on March 29, 2023, under the California Consumer Privacy Act (CCPA), as amended by the California Consumer Privacy Rights Act (CPRA) until March 29, 2024. This holding stems from a petition brought by the California Chamber of Commerce (the “Chamber”) against the Agency, arguing that based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulations.

Although enforcement of the Agency’s regulations are delayed, the text of the CCPA, as well as regulations enacted prior to March 29, 2023, remain in effect and enforceable. The enforcement stay solely bars the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.

Continue Reading Not So Fast: California Superior Court Delays Enforcement of Certain CPRA Regulations

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.

Continue Reading Montana Enacts Privacy Law

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know.

Continue Reading What You Need to Know About Washington State’s New “My Health My Data” Act

On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.

Continue Reading The FTC Expands Its Regulatory Watch Over the Use of Biometric Technology

Here in the United States, companies face a patchwork of legal obligations that address information security and data privacy. For example, federal laws target certain market segments (such as health care, financial services, and education), state laws target certain types of information (such as personal financial or biometric information), and both state and federal laws target unfair or unreasonable business practices. This patchwork—and the lack of comprehensive nationwide privacy and security standards—can make compliance challenging and frustrating. Security professionals and legal counsel must work hard to keep up.

The Security and Exchange Commission (SEC) will soon add to the patchwork. The SEC’s new rules promise to add significant compliance obligations for public companies, and non-public companies will also want to take note.

Continue Reading The SEC’S Proposed Cybersecurity Rules: Is Your Company Ready?