Aaron J. Burstein


Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a “service provider” basis.  With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA’s strict new requirements to be offered on a “service provider” basis.  The

The FTC took unprecedented action yesterday when it moved to impose what it describes as a “blanket prohibition” preventing Meta from monetizing young people’s data.  The FTC contends that this prohibition is warranted as a result of repeated violations of Meta’s 2020 consent order (“Proposed Order”).

In taking this action, the FTC is relying on its administrative authority to “reopen and modify” orders to address alleged order violations, rather than to press its compliance case in federal court under the FTC Act.  In doing so, the FTC seeks to significantly expand the scope and duration of the existing order to cover new conduct.  Even against recent examples of aggressive FTC action (see examples here, here, and here), this one markedly stands out.  And, in the face of mounting agency losses in challenges to its enforcement authority in Axon and AMG and its aftermath, the Proposed Order is extraordinary. 

The Commission voted 3-0 to issue the Proposed Order and accompanying Order to Show Cause.  Commissioner Bedoya issued a statement expressing reservations about the “monetization” restrictions described below, specifically questioning whether the provision related to minors’ data is sufficiently related to either the 2012 or 2020 violations or order.  Meta has 30 days to answer the FTC’s proposal.

Continue Reading FTC Attempts End Run to Ban Meta from “Monetizing” Minors’ Data

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (MHMD). The law has an effective date of July 23, 2023, but the deadline to comply with most of its requirements is March 31, 2024.*  While the 2023 state legislative season may see the addition of four comprehensive privacy laws (Iowa, Indiana, Montana, and Tennessee), My Health My Data (HB 1155) could have the most far-reaching impact on businesses. 

Although limited to “consumer health data,” MHMD’s actual scope is much broader than many might anticipate based on the title of the law. It imposes stringent notice, consent, and HIPAA-style authorization requirements on the collection, sharing, and sale of “consumer health data,” a term that captures a potentially vast array of data. MHMD also creates a private right of action, allowing consumers to bring claims under Washington’s Consumer Protection Act, in addition to authorizing enforcement by the state attorney general.

MHMD also fits a broader trend toward intense scrutiny of health information practices under state privacy laws, through FTC enforcement actions, and in private class actions.

This post takes a look at some of the key requirements and open questions under MHMD, and offers a few tips to help stay ahead of increasingly strict health privacy regulations.

Continue Reading My Health My Data: Washington’s Health Data Privacy Revolution

Indiana’s Consumer Data Protection Act advanced in the state legislature last week and now heads to Governor Eric J. Holcomb’s desk.  The bill mirrors comprehensive privacy legislation enacted in Virginia, Utah, and Iowa, further extending the reach of privacy protections in the United States but without the complex mandates found in laws in California, Colorado, and Connecticut.  Following on the heels of Iowa’s Act Relating to Consumer Data Protection, Indiana’s law is expected to be the second state privacy law enacted this year, and the seventh comprehensive state privacy law overall.

Continue Reading What’s in the Indiana Consumer Data Protection Act?

If Iowa Governor Kim Reynolds signs Senate File (SF) 262, the Hawkeye State will become the sixth state to adopt a comprehensive consumer privacy law.  Iowa’s House and Senate have both passed Senate File 262 unanimously. If approved, SF 262 will go into effect January 1, 2025.

The potential addition of another state privacy law to those that are already on the books in California, Colorado, Connecticut, Utah, and Virginia is significant in its own right.  However, SF 262 doesn’t provide any novel rights for consumers or requirements on companies. Rather, it stays within the boundaries established by other state privacy laws and closely resembles the Utah Consumer Privacy Act (UCPA), with a few additional business-friendly terms.

Broad Exemptions and Limited Controller Duties. SF 262 would provide consumers the rights to confirm processing of personal data; obtain a copy of personal data; delete personal data provided by the consumer; and opt out of the Sale of personal data and Targeted Advertising.

Continue Reading Iowa: A Sixth State Privacy Law?

For the second time in as many months, the Federal Trade Commission (FTC) last week announced a settlement alleging that a company’s use and disclosure of consumers’ health information for online advertising violated the law.  The BetterHelp settlement indicates that the FTC takes a broad view of what constitutes “health information,” but it raises questions about how the FTC will apply its reinterpretation of the Health Breach Notification Rule under its September 2021 policy statement.

Overview of the FTC’s Broad View of “Health Information”

BetterHelp is an online counseling service that has registered more than 2 million users since its 2013 inception.  When a consumer visits the site, the FTC alleges that she is “immediately prompted to begin” BetterHelp’s intake questionnaire, which asks questions about the consumer’s history of therapy, current mental state, and religious beliefs, among other characteristics, and then provides an email address and other information to create an account.

According to the FTC’s complaint, the company violated the FTC Act through its use of advertising pixels or web beacons and by uploading consumers’ “health information” to ad platforms for retargeting and to reach additional prospects. In the FTC’s view, the “health information” that BetterHelp disclosed not only included information about consumers’ past use or current enrollment in the company’s services but also their interest in obtaining therapy. This information was sufficient to “reveal” that consumers were “seeking mental health treatment.”

Continue Reading FTC to Advertisers: We’re Tracking Your Use of Health Information

The Federal Communications Commission (“FCC” or “Commission”) is seeking comments on a Notice of Proposed Rulemaking (NPRM) to refresh its customer proprietary network information (“CPNI”) data breach reporting requirements (the “Rule”).  Adopted earlier this month by a unanimous 4-0 vote of the Commission, the NPRM solicits comments on rule revisions that would expand the scope of notification obligations and accelerate the timeframe to notify customers after a data breach involving telephone call detail records and other CPNI.  The FCC cites “an increasing number of security breaches of customer information” in the telecommunications industry in recent years and the need to “keep pace with today’s challenges” and best practices that have emerged under other federal and state notification standards as reasons to update the Rule.

According to the current Rule, a “breach” means that a person “without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”  As summarized in the NPRM, CPNI includes “phone numbers called by a consumer, the frequency, duration, and timing of such calls, the location of a mobile device when it is in active mode (i.e., able to signal its location to nearby network facilities), and any services purchased by the consumer, such as call waiting.”  (The NPRM does not propose any changes to the definition of CPNI.)

Continue Reading FCC Seeks Comments on Updates to CPNI Breach Reporting Rule

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations.  Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals.  The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”).  The deadline to submit comments is 8:00 am on Monday, November 21.
Continue Reading CPRA Rule Revisions Unlikely to be Finalized in 2022

Warning that “[t]here are no more excuses,” the California Attorney General on August 24 announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company

On August 11, the FTC finally launched its “commercial surveillance and data security” rulemaking after many months of hype and speculation about the FTC’s ability to address consumer privacy through its “Mag-Moss” rulemaking authority. It did so by releasing (by a 3-2 vote) an Advance Notice of Proposed Rulemaking (ANPR) – the first step in a Mag-Moss rulemaking – and holding a press conference featuring Chair Khan, Commissioners Slaughter and Bedoya, and senior FTC staff.

People familiar with the many hurdles in Mag-Moss were watching to see whether the ANPR would be broad and far-reaching (thus guaranteeing a lengthy, complex process) or more narrowly tailored. The answer? The ANPR is remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions about factual and legal issues of all kinds, and raising issues that reach beyond the FTC’s legal authority. Indeed, in reading the ANPR, we couldn’t help but wonder whether this is a serious effort to develop a rule or simply a show of activity to address over-hyped expectations. (See more on this topic below.)

Not surprisingly, Commissioners Phillips and Wilson issued strong dissents. Among other things, they raised concerns about agency overreach and the potential to derail the bipartisan privacy bill currently pending in Congress (the ADPPA). Here are more details and takeaways from the FTC’s announcement:
Continue Reading The FTC’s Privacy Rulemaking: Broad and Far-Reaching, but Unlikely to Lead to a Rule Anytime Soon