COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also comes significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to processing of health information? What are the risks associated with noncompliance? In this brief primer, we provide answers to these questions, and a window to what may lay next on the horizon.
Continue Reading Privacy and Security of Health Information: A Primer for Digital Health Companies
Tracy Shapiro
And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law
Posted in Privacy, Regulatory
Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1
Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.
Continue Reading And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law
Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act
By Tracy Shapiro & Clinton Oxford on
Posted in Privacy, Regulatory
On April 12, 2022, the Colorado Attorney General’s Office released “Pre-Rulemaking Considerations for the Colorado Privacy Act,” which provides a series of topics and questions for which the office seeks informal public feedback.1 Here is what you need to know:
- The Colorado Attorney General’s Office is currently seeking informal input to guide its future rulemaking efforts. While, at this phase, public input will not be considered part of the official rulemaking record, the AG’s office “hopes to hear from a diverse group of stakeholders to guide the drafting of balanced and impactful regulations.”
- The AG’s office identified eight specific topics—each with several targeted questions—for which “pre-rulemaking feedback will be particularly beneficial.” However, the public is permitted to offer input on any aspect of the upcoming rulemaking.
- Feedback is being collected through a publicly available comment form and at a series of informal listening sessions.
- This fall, the AG’s office will begin the formal notice-and-comment rulemaking by providing a notice of rulemaking and accompanying draft regulations.
FTC Issues Complaint and Proposed Settlement with Online Retailer for Deceptive and Unfair Security and Privacy Practices
By Roger Li, Megan Kayo, Maneesha Mithal, Tracy Shapiro & Beth George on
Posted in Cybersecurity, Privacy
On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, among other things, failed to implement reasonable security measures, and misrepresented that it would use email addresses for order notification and receipt, when in fact it used email addresses for marketing purposes. As part of the proposed settlements with Residual Pumpkin and Planet Art, each is required, among other things, to implement, annually assess, test, and monitor a comprehensive written information security program. Residual Pumpkin also would be required to pay a $500,000 penalty.
Continue Reading FTC Issues Complaint and Proposed Settlement with Online Retailer for Deceptive and Unfair Security and Privacy Practices
Utah Poised to Become Fourth State with General Privacy Law
By Tracy Shapiro, Edward Holman & Amanda Irwin on
Posted in Uncategorized
Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March 15, 2022 and the Governor has until March 24, 2022 to either sign or veto the bill, otherwise it will become law without his signature. If enacted, as is anticipated, the UCPA will become effective on December 31, 2023, six months after the Colorado Privacy Act (ColoPA) and nearly a year after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA) come into effect.
Continue Reading Utah Poised to Become Fourth State with General Privacy Law
Colorado Attorney General Announces Privacy Rulemaking
By Tracy Shapiro, Clinton Oxford & Hale Melnick on
Posted in Privacy, Regulatory
The Colorado Attorney General’s office is poised to begin the rulemaking process for the Colorado Privacy Act (ColoPA).1 On January 28, 2022, Colorado Attorney General Phil Weiser issued prepared remarks outlining key rulemaking topics and announcing plans to seek input from Colorado consumers, businesses, and other stakeholders over the coming months. Although the ColoPA does not come into force until July 1, 2023, the Attorney General noted that his office “expect[s] to be in a position to adopt final rules around a year from now.”
Continue Reading Colorado Attorney General Announces Privacy Rulemaking