Virginia recently enacted an amendment to its state Consumer Protection Act to regulate the processing of Virginia consumers’ reproductive and sexual health information. Specifically, SB 754 prohibits businesses from...more
Sports teams, leagues, agents and venues collecting personal information from athletes, fans and sponsors must comply with evolving privacy regulations. Here are key takeaways from a conversation Orrick recently hosted with...more
On February 10, 2025, a Washington state resident filed a lawsuit on behalf of herself and similarly situated individuals against Amazon under the Washington My Health My Data Act (MHMD). This is the first lawsuit brought...more
2/24/2025
/ Biometric Information ,
Class Action ,
Consent ,
Consumer Privacy Rights ,
Consumer Protection Laws ,
Data Collection ,
Data Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Personal Data ,
Privacy Laws ,
State Privacy Laws
Earlier this year, the New York legislature passed the New York Health Information Privacy Act (New York HIPA), establishing strict requirements for handling health data. The legislation shares similarities with Washington’s...more
The DOJ has finalized a set of prohibitions and restrictions on cross-border transfers of certain U.S. data to China and other “Countries of Concern” (for now, Cuba, Iran, North Korea, Russia, and Venezuela), as well as to...more
Recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule—the...more
The Department of Justice has finalized prohibitions and restrictions on cross-border transfers of certain data to China and other “Countries of Concern” (as defined below). It seeks to address what is, in the U.S....more
1/21/2025
/ Artificial Intelligence ,
China ,
Cuba ,
Data Privacy ,
Data Security ,
Department of Justice (DOJ) ,
International Data Transfers ,
International Emergency Economic Powers Act (IEEPA) ,
Iran ,
National Security ,
Personal Data ,
Russia
The Federal Trade Commission (FTC) has updated its Health Breach Notification Rule that applies to non-HIPAA, consumer health data. Among the revisions, the FTC expanded or introduced key definitions and modified the...more
7/31/2024
/ Breach Notification Rule ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
PHI ,
Popular
Legislators in Colorado have passed the first law in the United States meant to protect a consumer’s brainwaves. While advances in neurotechnology such as brain-computer interfaces that can translate a person’s thoughts into...more
The Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), has issued a final rule updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in an effort to...more
Two new privacy laws regulating consumer health data in Nevada and Washington take effect March 31. These novel laws take an expansive view of “consumer health data” and cover much more data than you may expect....more
The average cost of a data breach has reached an all-time high of $4.45 million, according to IBM. Regulatory requirements, scrutiny, and enforcement have continued to expand. As we kick off 2024, here are the key action...more
Connecticut is the third state to adopt consumer health data privacy protections, following Washington’s My Health My Data Act (“MHMD”) and Nevada’s new consumer health data privacy law. It is the first state, however, to...more
The Nevada legislature recently passed Senate Bill 370 (“Nevada’s Consumer Health Data Privacy Law”) aiming to impose broad requirements on collecting, using, and selling consumer health information. Nevada joins Washington...more
The state of Washington recently enacted My Health My Data (“MHMD”), a game-changing new consumer privacy law focused on health data. MHMD establishes an expansive notice and consent regime for consumer health data with...more
The last year has seen a multijurisdictional regulatory push for increased cybersecurity standards for medical devices. The new approaches, issued by regulatory authorities in the United States (U.S.), the United Kingdom (UK)...more
In early April, the U.S. Department of Justice (DOJ) Civil Division’s Consumer Protection Branch (CPB) published its first-ever “Recent Highlights” report. The report provides background on the CPB, highlights from its recent...more
To help your company get its United States (U.S.) state privacy compliance program on the right track in 2022, Orrick's Cyber' Privacy & Data Innovation Group has analyzed the differences between key topics for the California...more
3/15/2022
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
Personal Information ,
State Privacy Laws
The California Privacy Rights Act (CPRA) became law on December 16, 2020, and amended the California Consumer Privacy Act (CCPA). When the CPRA becomes fully operative on January 1, 2023, these important changes, among...more
Once reserved for routine doctors’ appointments, collecting health-related data has exploded as consumers start to monitor their own health metrics—everything from sleep and fertility to mental health and COVID-19—and...more
The Federal Trade Commission ("FTC") recently announced its intent to "vigorously" enforce its 2009 Health Breach Notification Rule (the "Rule") via a policy statement that sheds light on the Rule's scope. The policy...more
9/24/2021
/ Application Programming Interface (APIs) ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Mobile Apps ,
Mobile Health Apps ,
Personally Identifiable Information ,
Popular