Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions

One of the most common and effective defenses raised by privacy class action defendants has been lack of standing. Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”[1] In other words, the plaintiff must have suffered some actual harm, or face an imminent risk of suffering a concrete injury. Frequently, class action plaintiffs have been unable to establish standing based on alleged injuries from the unauthorized exposure of personal information. The recent U.S. Supreme Court case of Clapper v. Amnesty International USA[2] may have strengthened the standing shield for defendants even more.

Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations

A recently issued government rule may unknowingly create significant liability and legal risk for many technology enterprises. The expanded definition of “business associates” and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearinghouses (collectively, “covered entities”). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the “HIPAA Rules”) that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] Two of the most important changes involve “business associates,” defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:

  1. expanded the definition of “business associate” and
  2. placed the obligation of HIPAA compliance directly on business associates.

European Regulators Opine on “Purpose Limitation” Principle – What Constitutes “Compatible Use” in the Context of Big Data?

On April 2, 2013, the European data protection regulators (the “Article 29 Working Party” or the “WP29”) issued a 70-page opinion providing guidance on how to comply with the core EU data protection principle of “purpose limitation.”[1] This opinion gives a good indication of how EU regulators would apply their national data protection law to specific processing activities such as email marketing, behavioral advertising, profiling, tracking of user behavior, and big data. It is relevant for companies of all sizes, including non-EU-based companies, offering online services to users in the EU, since the EU regulators tend to take a broad approach regarding the applicability of EU data protection law.[2] This article addresses certain aspects of the opinion.[3]

FTC Issues New Guidance for Disclosures in Online Advertising

Mobile and social media marketing are on the rise.[1] With that in mind, the Federal Trade Commission issued new guidance for advertisers on how to make effective mobile and other online disclosures. Entitled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,”[2] the guidance updates the FTC’s 2000 publication on the same topic. The revised guidance is intended to address the expanding use of smartphones and social media marketing, where small screens and character limitations pose challenges for companies making advertising claims.[3] Although the guidance itself is not law, the FTC cautions that these disclosures are required by the laws it enforces.