On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order)1 with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without … Continue Reading
On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to make health apps and other similar technologies (such as fitness trackers) subject to the Rule. If adopted, the proposed amendments … Continue Reading
On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving … Continue Reading
On March 28, 2023, Iowa Governor Kim Reynolds signed “An Act Relating to Consumer Data Protection” (SF 262) (ICDPA),1 making Iowa the sixth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, Utah, and Connecticut. Substantively, the ICDPA is similar to Connecticut’s recently enacted An Act Concerning Personal Privacy and Online Monitoring (CPOMA), the Utah … Continue Reading
On March 15, 2023, the Colorado Attorney General’s (Colorado AG) office released the final version of the Colorado Privacy Act (ColoPA) rules (the final rules), which are based on public comments on the third version of the rules published on January 27, 2023.1 The final rules were published in the Colorado Register on March 25, 2023. While the … Continue Reading
On March 2, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (also referred to as “proposed consent order”) with BetterHelp, Inc., an online counseling service, for allegedly disclosing its website visitors’ and users’ “health information” to advertisers, despite making representations on the company’s website and in the company’s privacy policy that such information would … Continue Reading
On February 1, 2023, the Federal Trade Commission (FTC) announced a complaint against and proposed settlement agreement (the “proposed order”) with GoodRx, a digital health company, over its data sharing practices that allegedly resulted in the disclosure of sensitive health information to third-parties. This is the first enforcement action the FTC has ever brought under the … Continue Reading
On January 27, 2023, the Colorado Attorney General’s (Colorado AG) office released the third version of its proposed draft rules (third draft) for the Colorado Privacy Act (ColoPA) based on public comments it received on the modified proposed rules published on December 21, 2022 (second draft).1 During a February 1, 2023, rulemaking hearing, the Colorado AG’s office emphasized that it … Continue Reading
On January 27, 2023, the California Attorney General (California AG) Rob Bonta announced an “investigative sweep” of mobile apps in retail, travel, and food service industries for failing to provide a mechanism for—or honor—consumers’ opt-out requests to stop selling their data under the California Consumer Privacy Act (CCPA). According to the California AG’s tweet, the … Continue Reading
On December 21, 2022, the Colorado Attorney General’s office published an updated version of proposed draft rules (“modified draft rules”) to the Colorado Privacy Act (ColoPA), which revise the initial draft rules issued in October 2022, based on feedback received during the prior comment period.1 Notably, the Colorado Attorney General’s office explained that it modified some of the rules to … Continue Reading
Written Comments Due by November 21 On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),[1] which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public … Continue Reading
On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the … Continue Reading
On October 10, 2022, the Colorado Secretary of State published draft rules for the Colorado Privacy Act (ColoPA) in the Colorado Register, thus initiating a public comment period that will run through February 1, 2023.1 The draft rules generally cover the topics that the Colorado Attorney General’s Office identified in the April 2022 “Pre-Rulemaking Considerations for … Continue Reading
On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose … Continue Reading
On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing … Continue Reading
On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization,1 opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information … Continue Reading
On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding … Continue Reading
COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health … Continue Reading
Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1 Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions … Continue Reading
On April 12, 2022, the Colorado Attorney General’s Office released “Pre-Rulemaking Considerations for the Colorado Privacy Act,” which provides a series of topics and questions for which the office seeks informal public feedback.1 Here is what you need to know: The Colorado Attorney General’s Office is currently seeking informal input to guide its future rulemaking efforts. While, at … Continue Reading
On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, … Continue Reading
Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March … Continue Reading
The Colorado Attorney General’s office is poised to begin the rulemaking process for the Colorado Privacy Act (ColoPA).1 On January 28, 2022, Colorado Attorney General Phil Weiser issued prepared remarks outlining key rulemaking topics and announcing plans to seek input from Colorado consumers, businesses, and other stakeholders over the coming months. Although the ColoPA does not come into … Continue Reading
The California Privacy Protection Agency (CPPA), the newly formed state agency responsible for implementing the California Privacy Rights Act (CPRA), recently posted its first invitation for public comment on proposed rulemaking activities under the CPRA. Here is what you need to know:… Continue Reading