On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. While the 2023 legislative season has been busy for state “comprehensive” privacy...more
In this third post in our ongoing series, we examine the scope of the consent requirements under the recently enacted My Health My Data Act. (Visit here for information about the scope of the law and here for information...more
Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents....more
The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in...more
Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security...more
On Friday, February 3, the CPPA is scheduled to meet about current and forthcoming CPRA regulations. The Board had previously signaled that it expected to finalize the draft regulations in late January or early February 2023....more
The Colorado Attorney General recently released the second set of draft regulations to the Colorado Privacy Act (CPA). In this draft, the AG is seeking specific input on five different topics. There are also a number of...more
12/28/2022
/ Colorado ,
Consent ,
Data Privacy ,
Data Protection ,
Data Security ,
Notice Requirements ,
Opt-Outs ,
Policy Terms ,
Privacy Laws ,
Rulemaking Process ,
State and Local Government ,
State Attorneys General ,
State Privacy Laws
The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on...more
12/9/2022
/ Breach Notification Rule ,
Data Privacy ,
Data Protection ,
Digital Health ,
Electronic Medical Records ,
Federal Food Drug and Cosmetic Act (FFDCA) ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Mobile Apps ,
ONC ,
Privacy Laws
Most companies operating websites and mobile apps use some form of tracking technologies on these digital properties. While these types of technologies have been used for some time and serve a variety of purposes, the use of...more
Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has...more
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security...more
Companies who participate in the AdTech and digital advertising eco-system are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations,...more
The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An...more
10/25/2022
/ California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Connecticut ,
Data Privacy ,
Do Not Sell ,
Opt-Outs ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws ,
Virginia
With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements....more
The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these...more
Companies transferring personal data out of the EU or UK are reminded of key deadlines approaching for the contracts that govern these transfers. When the European Commission adopted the new Standard Contractual Clauses...more
Companies subject to California’s Consumer Privacy Act (CCPA) may soon need to figure out how to scale their privacy compliance programs to include employee and B2B information. The current exemptions that exist for most of...more
With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be...more
In this second post in our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on issues surrounding consumer choice:...more
In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about...more
The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive...more
6/28/2022
/ California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Data Processing Rules ,
Data Protection ,
Draft Guidance ,
Notice of Compliance ,
Notice Requirements ,
Privacy Laws ,
State Privacy Laws ,
Statutory Requirements
Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security...more
The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered...more
The metaverse has been described as the “next frontier” and the “new era” of healthcare. Although still a loosely defined and relatively broad term, the “metaverse” generally refers to a shared virtual environment accessed by...more
The European Commission recently released a set of FAQs for the new EU standard contractual clauses (SCCs). The FAQs are based on feedback received from various stakeholders and currently address 44 different questions....more