Tracy Shapiro


FTC Announces Proposed Settlement with Premom Fertility Tracking App for Privacy Practices

On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without … Continue Reading

FTC Announces Proposed Amendments to the Health Breach Notification Rule

On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to make health apps and other similar technologies (such as fitness trackers) subject to the Rule. If adopted, the proposed amendments … Continue Reading

Washington State Governor Signs Sweeping Health Privacy Act (My Health My Data Act) into Law

On April 27, 2023, Washington State Governor Jay Inslee signed a far-reaching health privacy law entitled the “My Health My Data Act” (the Act), which extends protections to consumer health data collected by entities not currently covered under the Health Information Portability and Accountability Act of 1996 (HIPAA). The Act may transform the already fast-evolving … Continue Reading

The Sixth State: Iowa Enacts Comprehensive Privacy Law

On March 28, 2023, Iowa Governor Kim Reynolds signed “An Act Relating to Consumer Data Protection” (SF 262) (ICDPA), making Iowa the sixth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, Utah, and Connecticut. Substantively, the ICDPA is similar to Connecticut’s recently enacted An Act Concerning Personal Privacy and Online Monitoring (CPOMA), the Utah … Continue Reading

Colorado AG’s Office Announces Final Colorado Privacy Act Rules: Key Takeaways

On March 15, 2023, the Colorado Attorney General’s (Colorado AG) office released the final version of the Colorado Privacy Act (ColoPA) rules (the final rules), which are based on public comments on the third version of the rules published on January 27, 2023. The final rules were published in the Colorado Register on March 25, 2023. While the … Continue Reading

FTC Announces Settlement with BetterHelp for Disclosing Consumers’ Health Information to Third-Party Advertisers

On March 2, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (also referred to as “proposed consent order”) with BetterHelp, Inc., an online counseling service, for allegedly disclosing its website visitors’ and users’ “health information” to advertisers, despite making representations on the company’s website and in the company’s privacy policy that such information would … Continue Reading

FTC Announces First Enforcement Action Under the Health Breach Notification Rule Against GoodRx

On February 1, 2023, the Federal Trade Commission (FTC) announced a complaint against and proposed settlement agreement (the “proposed order”) with GoodRx, a digital health company, over its data sharing practices that allegedly resulted in the disclosure of sensitive health information to third-parties. This is the first enforcement action the FTC has ever brought under the … Continue Reading

Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways

On January 27, 2023, the Colorado Attorney General’s (Colorado AG) office released the third version of its proposed draft rules (third draft) for the Colorado Privacy Act (ColoPA) based on public comments it received on the modified proposed rules published on December 21, 2022 (second draft). During a February 1, 2023, rulemaking hearing, the Colorado AG’s office emphasized that it … Continue Reading

California AG Targets Mobile Apps for Failing to Honor or Provide Mechanism for Opt-Out Requests

On January 27, 2023, the California Attorney General (California AG) Rob Bonta announced an “investigative sweep” of mobile apps in retail, travel, and food service industries for failing to provide a mechanism for—or honor—consumers’ opt-out requests to stop selling their data under the California Consumer Privacy Act (CCPA). According to the California AG’s tweet, the … Continue Reading

Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways

On December 21, 2022, the Colorado Attorney General’s office published an updated version of proposed draft rules (“modified draft rules”) to the Colorado Privacy Act (ColoPA), which revise the initial draft rules issued in October 2022, based on feedback received during the prior comment period. Notably, the Colorado Attorney General’s office explained that it modified some of the rules to … Continue Reading

California Privacy Protection Agency Releases Modified Proposed CPRA Regulations: An In-Depth Analysis

Written Comments Due by November 21. On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA), which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public … Continue Reading

FTC Settles Allegations of Data Security Failures with Edtech Company Chegg

On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the … Continue Reading

Colorado Attorney General Issues Draft Rules for the Colorado Privacy Act

On October 10, 2022, the Colorado Secretary of State published draft rules for the Colorado Privacy Act (ColoPA) in the Colorado Register, thus initiating a public comment period that will run through February 1, 2023. The draft rules generally cover the topics that the Colorado Attorney General’s Office identified in the April 2022 “Pre-Rulemaking Considerations for … Continue Reading

California Legislature Passes Far-Reaching Online Privacy and Content Regulation Bill for Minors

On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose … Continue Reading

California Attorney General Settles First-Ever CCPA Enforcement Action

On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing … Continue Reading

Privacy Post-Dobbs: Recent Guidance from U.S. Regulators

On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information … Continue Reading

California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis

On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA). The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding … Continue Reading

Privacy and Security of Health Information: A Primer for Digital Health Companies

COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health … Continue Reading

And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law

Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA). Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions … Continue Reading

Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act

On April 12, 2022, the Colorado Attorney General’s Office released “Pre-Rulemaking Considerations for the Colorado Privacy Act,” which provides a series of topics and questions for which the office seeks informal public feedback. Here is what you need to know: The Colorado Attorney General’s Office is currently seeking informal input to guide its future rulemaking efforts. While, at … Continue Reading

FTC Issues Complaint and Proposed Settlement with Online Retailer for Deceptive and Unfair Security and Privacy Practices

On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, … Continue Reading

Utah Poised to Become Fourth State with General Privacy Law

Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March … Continue Reading

Colorado Attorney General Announces Privacy Rulemaking

The Colorado Attorney General’s office is poised to begin the rulemaking process for the Colorado Privacy Act (ColoPA). On January 28, 2022, Colorado Attorney General Phil Weiser issued prepared remarks outlining key rulemaking topics and announcing plans to seek input from Colorado consumers, businesses, and other stakeholders over the coming months. Although the ColoPA does not come into … Continue Reading

California Privacy Protection Agency Issues Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act

The California Privacy Protection Agency (CPPA), the newly formed state agency responsible for implementing the California Privacy Rights Act (CPRA), recently posted its first invitation for public comment on proposed rulemaking activities under the CPRA. Here is what you need to know:… Continue Reading