Generative AI (GenAI) has been at the top of the headlines lately, transforming fields as varied as journalism, marketing, and gaming, boosting productivity and profitability, and performing functions previously limited to humans. Recent projections suggest that the global GenAI market will increase to over $100 billion annually by 2030. A previous Wilson Sonsini alert on GenAI covered a wide range of issues, such as breach of contract, confidentiality, copyright, ethics, European Union laws and regulations, licensing, securities laws, trade secrets, and reputational considerations. Another previous alert addressed legal requirements for mitigating bias in AI systems more generally. This alert drills down on U.S. privacy and consumer protection considerations associated specifically with GenAI.
FTC Announces Proposed Settlement with Premom Fertility Tracking App for Privacy Practices
On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without their consent.
FTC Announces Proposed Amendments to the Health Breach Notification Rule
On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to make health apps and other similar technologies (such as fitness trackers) subject to the Rule. If adopted, the proposed amendments would significantly expand the FTC’s enforcement power in the area of digital health.
FTC Adopts New Policy Statement Warning About Misuses of Biometric Information
On May 18, 2023, the Federal Trade Commission (FTC) unanimously voted during its open meeting to adopt a new policy statement on biometric information and Section 5 of the FTC Act. In the statement, the FTC warns companies that it is committed to addressing deceptive and unfair practices involving the collection and use of biometric information, and deceptive marketing of biometric information technologies. The statement provides helpful insight into what the FTC will look at when evaluating whether companies are complying with Section 5.
U.S. State Privacy Law Update: New Comprehensive Laws Coming in Indiana, Montana, Tennessee, and Florida
In the absence of meaningful progress from the U.S. Congress on passing a federal comprehensive privacy law, state legislatures have been busy this year passing their own solutions and adding to the complexity of U.S. privacy compliance. On May 1, 2023, Indiana Governor Eric Holcomb signed the Indiana Consumer Data Protection Act into law (SB 5) (InCDPA), making Indiana the seventh state to enact a comprehensive consumer privacy law, following California, Virginia, Colorado, Utah, Connecticut, and most recently, Iowa. On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Privacy Act (HB 1181) (TIPA), making Tennessee the eighth state to enact such a law. Similar laws have passed the state legislatures in Montana and Florida and are awaiting action by those states’ respective governors. All four of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they include a few particularities that companies should be aware of, including Tennessee’s written privacy program requirement and Florida’s focus on certain large technology companies.
HHS Proposes Purpose Limitation on Disclosures of PHI Related to Reproductive Health
On April 12, 2023, the Biden administration announced a notice of proposed rulemaking (NPRM) from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The NPRM is designed to protect patient privacy as it relates to the provision of reproductive healthcare. The NPRM would primarily prohibit entities regulated by HIPAA from disclosing protected health information (PHI) related to an individual’s reproductive healthcare to law enforcement or others when such reproductive healthcare is provided in a state where it is legally provided.