The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.

Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

Artificial Intelligence (AI) is a broad term that generally refers to computer systems that can receive and process information to make decisions without human input. AI is widely considered an era-defining technology, in the way that electrical and computer technology came to define the 1800s and 1900s respectively. Just as regulation of computer security lagged behind the increasingly pervasive use of computers in the late 1980s, we are seeing today that regulation of AI has likewise lagged behind the expansion of the technology.

U.S. federal, state, and international authorities are increasingly monitoring and regulating AI. Regulating AI is no simple task, with the technology finding growing applications in a myriad of areas such as autonomous vehicles, the military, law enforcement, art, music, creative writing, social media, and even corporate recruitment.

Continue Reading A Primer on Artificial Intelligence and the Law in 2023

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF” or “DPF”), signaling the potential return of a framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were put in place after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.

Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.

1.  Get strong!  Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and special character).

2.  Multiply!  In addition to a strong password, you should make sure to add that second layer of authentication and make sure all your sensitive accounts have multifactor authentication turned on.  This will further deter password thieves from gaining access to your accounts and systems.

3.  Plan!  Have a plan for how you will comply with the numerous privacy laws coming into effect in 2023 in California, Virginia, Colorado, Utah, and Connecticut (yes, they may still apply to your business even if it is not located in those states). And don’t forget to update your Standard Contractual Clauses should your business process personal data from Europe.  Planning also means implementing or updating policies, procedures, and contracts to account for privacy and security requirements (both as a matter of law and best practice).

4.  Lose Weight!  Delete unneeded data from your systems and your hard copy storage in accordance with a record retention policy or best practice.  The best defense against your data being stolen is not keeping it around unnecessarily.

5.  Stay Informed!  Keep up to date on both legal issues and best practices in the privacy and security space.  Download our PDS mobile app and sign up for Taft’s Privacy and Data Security Insights! Happy New Year to all and best wishes for 2023!

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into the compliance of Microsoft 365 (Microsoft) with the European Union’s General Data Protection Regulation (GDPR). The DSK’s overarching conclusion was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.

Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.

The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:

  • Language that is easy to understand;
  • Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
  • Avoids language that is confusing to the consumer;
  • Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
  • Designed in a way that it is easy to execute.

Continue Reading Cookie Banners under the CCPA/CPRA

With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”). The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.

Important: The written comment period will not end until November 21. Accordingly, it is possible these Regulations may change again.

Continue Reading Rush to the Finish Line: The California Privacy Protection Agency Releases CPRA Modified Regulations

On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO liable for the company’s failure to maintain appropriate security safeguards, a failure that led to a second data breach.

Continue Reading FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light on and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public for feedback regarding these proposed rules. While the draft CPA rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.

Continue Reading Colorado AG Publishes CPA Proposed Rules

Once again, California is setting trends in the world of privacy laws. On September 15, 2022, California’s Governor signed the first comprehensive state law to protect children’s online safety. A week later, on September 23, 2022, the New York Senate introduced a similar bill.

New York’s newly introduced Bill, S9563, the Child Data Privacy and Protection Act (“Bill”), largely mirrors the newly passed California law but has some added protections and procedures that online products targeting children must follow if the law is enacted.

Continue Reading From Coast to Coast: New York Introduces New Bill Aiming To Enhance Protections For Children Online a Week After California Enacts Similar Law