Privacy and Information Security

Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a “service provider” basis.  With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA’s strict new requirements to be offered on a “service provider” basis.  The

The FTC has made news recently with its recent enforcement activity regarding companies’ alleged disclosures of consumer health data, as detailed in our recent post FTC to Advertisers: We’re tracking Your Use of Health information, and as evidenced by the FTC’s tentative agenda for its next open meeting later this month on potential rulemaking regarding amending the Health Data Breach Notification Rule (a point which is curious given its prior policy statement already attempting to expand its scope, which we discussed here).

Regulators are not the only ones paying attention, however: plaintiffs’ lawyers are also watching the FTC’s activity, and, on a parallel track, a wave of consumer class actions regarding the use of tracking pixels and consumers’ “health information” has followed. We anticipate this wave will only increase once Washington’s My Health, My Data Act is in effect.

Continue Reading The FTC is Not the Only One Tracking Your Use of Health Information

Our State AG webinar series continues with Connecticut Attorney General William Tong and Chief of the Privacy Consumer Protection Section Michele Lucan. During our webinar, the Connecticut AG’s office described their structure and the tools available to them to enforce the state’s consumer protection laws. In particular, as the fifth state to pass comprehensive privacy legislation, AG Tong highlighted the AG office’s privacy priorities and agenda which we will focus on here in Part I. We will explore the more general consumer protection topics in Part II. In case you missed it, here is a recording of the webinar.  

While the Connecticut Unfair Trade Practices Act (CUTPA – Connecticut’s UDAP law) is broad and robust, in the privacy and cybersecurity space, the AG has additional authority derived from specific state laws such as the Data Breach Notification law and Connecticut’s Data Privacy Act (CTDPA). General Tong noted Connecticut’s dedication to enforcing consumer protection, as it relates to privacy, traces back to at least 2011 when it was the first state to create the Privacy Task Force and eventually a standalone Privacy Section in 2015.

Enforcing the CTDPA

AG Tong noted that the CTDPA reflects a “philosophical judgment of Connecticut to return rights and power of authority to consumers regarding their Personal Information.” As we have previously reported, the CTDPA provides for several rights such as the right to access, right to portability, right to correct mistakes, right to deletion, and the right to opt out of targeted advertising, sale, and profiling of personal data. 

Continue Reading State AGs and Consumer Protection: What We Learned from . . . Connecticut Part I

The FTC took unprecedented action yesterday when it moved to impose what it describes as a “blanket prohibition” preventing the company from monetizing young people’s data.  The FTC contends that this prohibition is warranted as a result of repeated violations of Meta’s 2020 consent order (“Proposed Order”).

In taking this action, the FTC is relying on its administrative authority to “reopen and modify” orders to address alleged order violations, rather than to press its compliance case in federal court under the FTC Act.  In doing so, the FTC seeks to significantly expand the scope and duration of the existing order to cover new conduct.  Even against recent examples of aggressive FTC action (see examples here, here, and here), this one markedly stands out.  And, in the face of mounting agency losses in challenges to its enforcement authority in Axon and AMG and its aftermath, the Proposed Order is extraordinary. 

The Commission voted 3-0 to issue the Proposed Order and accompanying Order to Show Cause.  Commissioner Bedoya issued a statement expressing reservations about the “monetization” restrictions described below, specifically questioning whether the provision related to minors’ data is sufficiently related to either the 2012 or 2020 violations or order.  Meta has 30 days to answer the FTC’s proposal.

Continue Reading FTC Attempts End Run to Ban Meta from “Monetizing” Minors’ Data

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (MHMD). The law has an effective date of July 23, 2023, but the deadline to comply with most of its requirements is March 31, 2024.*  While the 2023 state legislative season may see the addition of four comprehensive privacy laws (Iowa, Indiana, Montana, and Tennessee), My Health My Data (HB 1155) could have the most far-reaching impact on businesses. 

Although limited to “consumer health data,” MHMD’s actual scope is much broader than many might anticipate based on the title of the law. It imposes stringent notice, consent, and HIPAA-style authorizations to the collection, sharing, and sale of “consumer health data,” a term that captures a potentially vast array of data. MHMD also creates a private right of action, allowing consumers to bring claims under Washington’s Consumer Protection Act, in addition to authorizing enforcement by the state attorney general.

MHMD also fits a broader trend toward intense scrutiny of health information practices under state privacy laws, through FTC enforcement actions, and in private class actions.

This post takes a look at some of the key requirements and open questions under MHMD, and offers a few tips to help stay ahead of increasingly strict health privacy regulations.

Continue Reading My Health My Data: Washington’s Health Data Privacy Revolution

Indiana’s Consumer Data Protection Act advanced in the state legislature last week and now heads to Governor Eric J. Holcomb’s desk.  The bill mirrors comprehensive privacy legislation enacted in Virginia, Utah, and Iowa, further extending the reach of privacy protections in the United States but without the complex mandates found in laws in California, Colorado, and Connecticut.  Following on the heels of Iowa’s Act Relating to Consumer Data Protection, Indiana’s law is expected to be the second state privacy law enacted this year, and the seventh comprehensive state privacy law overall.

Continue Reading What’s in the Indiana Consumer Data Protection Act?

Digital advertising, analytics, and health/wellness-related personal information are very much in the news, with increased scrutiny and enforcement by the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), requirements under the new state privacy laws, and a wave of lawsuits and demand letters by litigants using wiretap laws tied to third-party

Last week, in its most high-profile effort yet to focus attention on data privacy and security, the House Committee on Energy & Commerce held a hearing with TikTok’s CEO Shou Zi Chew.   The full-Committee hearing was high drama, with sharp statements and accusations about TikTok’s connections to the Chinese government, wide attendance by Committee members, and extensive press coverage during the hearing and afterwards. Some members (notably Chairwoman Cathy McMorris Rodgers) called for TikTok to be banned from the U.S., while others asked pointed questions without committing to support a ban. Members also used the opportunity to push for federal privacy legislation (and specifically the bipartisan ADPPA), which they said would help to address the dangers posed by Big Tech companies like TikTok.

Overall, the hearing did a far better job of illuminating members’ concerns than of gathering information. Many questions were too broad, complex, or accusatory to be answered in a “yes” or “no” fashion (as frequently requested by Committee members). And at times, Chew was simply evasive. Nevertheless, the hearing highlighted, once again, bipartisan concerns surrounding TikTok, national security, children’s safety, and privacy.

Continue Reading Is Time Really Up for TikTok? – Details from the House Committee Hearing with TikTok CEO Shou Zi Chew

On February 16, 2023, the Attorneys General of Ohio and Pennsylvania announced a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach which involved 2.1 million residents nationwide, including the social security numbers of over 45,000 Ohio and Pennsylvania residents. As a part of the settlement, which resolves alleged violations of Ohio and Pennsylvania consumer protection laws, DDC will pay $400,000 in fines and will be required to implement improved security practices.

DDC, one of the world’s largest private DNA testing companies, suffered the breach in November 2021. The breach involved databases that were not used for any active business purpose, but had been acquired by DDC as a part of a 2012 acquisition of Orchid Cellmark.  These databases contained the personal information of over 2 million individuals who received DNA testing services between 2004 and 2012, including names, payment information, and social security numbers. DDC claims it was unaware that this data was transferred as a part of its acquisition of Orchid. 

DDC allegedly received indications of suspicious activity in the database from a security vendor as early as May 2021, but did not activate its incident response plan until August 2021, after the vendor identified signs of malware. The malware was loaded onto DDC’s network by threat actors and ultimately facilitated the extraction of patient data, which was subsequently used to extort a payment from DDC in exchange for its promised deletion. In its internal investigation of the incident, DDC found that an unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that provided password information for each account in the network. The Assurance of Voluntary Compliance (“AOC”) noted that at the time the hacker accessed the VPN, DDC had recently migrated to a different VPN, meaning no one should have been using the VPN that the hackers used.  Furthermore, the AOC notes that the threat actor used a decommissioned server to exfiltrate the data.

Continue Reading DNA Diagnostics Center Settles Data Breach with Ohio and Pennsylvania Attorneys General

If Iowa Governor Kim Reynolds signs Senate File (SF) 262, the Hawkeye State will become the sixth state to adopt a comprehensive consumer privacy law.  Iowa’s House and Senate have both passed Senate File 262 unanimously. If approved, SF 262 will go into effect January 1, 2025.

The potential addition of another state privacy law to those that are already on the books in California, Colorado, Connecticut, Utah, and Virginia is significant in its own right.  However, SF 262 doesn’t provide any novel rights for consumers or requirements on companies. Rather, it stays within the boundaries established by other state privacy laws and closely resembles the Utah Consumer Privacy Act (UCPA), with a few additional business-friendly terms.

Broad Exemptions and Limited Controller Duties. SF 262 would provide consumers rights to confirm processing of personal data; obtain a copy of personal data; delete personal data provided by the consumer; and opt out of the Sale of personal data and Targeted Advertising.

Continue Reading Iowa: A Sixth State Privacy Law?