It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.

Continue Reading The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just like getting in shape or starting that diet, NOW is the time to get started on finally enacting a plan to not only address risks and compliance requirements, but identify opportunities that lie within your company’s data.

In this quick-moving and engaging session, “10 Privacy and Security Resolutions in the New Year,” Taft’s Privacy and Data Security attorneys Scot GanowZenus Franklin, and Jordan Jennings will provide a review of the legal and security landscape and provide you with a plan to get started on finally managing those obligations.

Topics include:

  • An update on the current privacy and regulatory risk landscape.
  • Universal best practices for sound data governance.
  • A practical set of tools to complement your current practices.

Just. Get. Started. Register today!

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.

Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.

Continue Reading Breaking Down India’s Digital Personal Data Protection Act, 2023

On October 6, 2023, Snap Inc. and Snap Group Ltd. (collectively, “Snap”) received a preliminary enforcement notice from the U.K. Information Commissioner’s Office (ICO) due to a potential failure to properly assess the privacy risks posed by its generative AI chatbot, My AI.

Continue Reading Snap Receives Preliminary Enforcement Notice Related to Privacy Risks Posed by AI Chatbot

The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several draft legislation focusing on the use of health data. The Health Data Use Act, (Gesundheitsdatennutzungsgesetz, (GDNG)); The Digital Act, and A Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).

Germany’s new legislation is designed to align with EHDS principles and these laws not only impact healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.

Continue Reading Germany’s Gearing up for European Health Data Space (EHDS) Compliance

On September 18, 2023, the U.S. District Court for the Northern District of California granted technology trade association NetChoice, LLC’s request for a Preliminary Injunction in NetChoice LLC v. Bonta, a lawsuit challenging the constitutionality of the California Age-Appropriate Design Code Act (CAADCA), which the California Legislature passed last year. In granting the Preliminary Injunction, the court found that the law’s restrictions on commercial speech likely violate the First Amendment. 

Drawing inspiration from the UK Age-Appropriate Design Code, the CAADCA regulates covered businesses and their practices with respect to the collection, storage, and processing of personal data collected from children under the age of 18. CAADCA requires that the most restrictive default privacy settings be implemented for younger users and that any community standards, terms of service, and privacy settings be freely accessible and enforced. Following the September 18 ruling, the future of the CAADCA is uncertain. At the very least, the CAADCA is unlikely to be enforced on its intended effective date of July 1, 2024, as the injunction remains in place throughout the course of litigation.

Continue Reading Pumping the Brakes: Federal Judge Grants Preliminary Injunction Blocking California Children’s Digital Privacy Law From Taking Effect

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).

Continue Reading California’s New Data Broker Requirements

In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.

Continue Reading A Cautionary Tale: FTC and OCR Publish Warning Letters Regarding the Use of Third-Party Tracking Technologies

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.
Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law