On March 15, 2023, the Securities and Exchange Commission (SEC) announced proposed changes to Regulation S-P (“Reg S-P”) that would impose new cybersecurity incident response requirements on broker-dealers, investment...more
The state comprehensive privacy law legislative process has officially kicked into high gear. Of course, the primary development since our last update is Iowa’s passage of SF 262, which positions Iowa to become the sixth...more
On Wednesday, March 15, the Colorado Attorney General’s Office announced the finalization of the Colorado Privacy Act Rules (“Rules”). The Rules implement the Colorado Privacy Act (CPA), a comprehensive privacy law enacted in...more
On Wednesday, March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law similar to the ones that are already in effect in five US states. The bill had previously passed the Senate on March 6,...more
On March 9, 2023, the Securities and Exchange Commission (SEC) reached a settlement with Blackbaud – a client relationship management (CRM) service provider for nonprofits – over allegations that Blackbaud (i) made materially...more
On Friday, March 3, 2023, the California Privacy Protection Agency (CPPA) held a public board meeting. Though the meeting focused primarily on the Agency’s budget and various administrative issues (e.g., subcommittee...more
3/13/2023
/ Administrative Review ,
Audits ,
Board Meetings ,
California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
California Privacy Rights Act (CPRA) ,
Cybersecurity ,
Proposed Legislation ,
Public Comment ,
Risk Assessment ,
Rulemaking Process
On February 27, 2023, the Chairman of the House Financial Services Committee Patrick McHenry (NC-10) introduced the Data Privacy Act of 2023 (the Bill), which would amend the Gramm-Leach-Bliley Act (GLBA) to “modernize[]...more
Since our last update, comprehensive privacy law proposals have continued to emerge and progress through state legislatures. Most notably, five bills have now passed a legislative chamber, with Hawaii’s Consumer Data...more
On Thursday, March 2, the FTC announced an enforcement action against BetterHelp, Inc., an online mental health counseling service, relating to claims that the company’s collection and use of consumer health data were unfair...more
3/8/2023
/ Advertising ,
Data Breach ,
Data Privacy ,
Enforcement Actions ,
Enforcement Authority ,
Enforcement Priorities ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
LGBTQ ,
Mental Health ,
Pharmacies ,
Section 5 ,
Settlement ,
Telehealth ,
Unfair or Deceptive Trade Practices
On March 1st, the Innovation, Data, & Commerce Subcommittee of the House Energy and Commerce Committee subcommittee held a hearing titled “Promoting U.S. Innovation & Individual Liberty through a National Standard for Data...more
On February 27, the Federal Trade Commission (FTC) released a blog post advising companies to monitor their claims regarding their use of artificial intelligence (or AI). ...more
In addition to the numerous comprehensive privacy laws that have been proposed in at least 20 states thus far in 2023, legislative trends demonstrate an emerging focus on regulations that address specific types of...more
Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states (including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York,...more
On February 17, 2023, the Illinois Supreme Court held in a 4-3 split opinion that claims under the state’s Biometric Information Privacy Act (BIPA) accrue each time there is a biometric collection or transmission constituting...more
On February 17, 2023, the state attorneys general of Pennsylvania and Ohio reached a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach that affected 2.1 million individuals nationwide and...more
2/23/2023
/ Clinical Laboratories ,
Cybersecurity ,
Data Breach ,
Electronic Protected Health Information (ePHI) ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Laboratories ,
Material Misstatements ,
PHI ,
Settlement ,
State Attorneys General ,
Statutory Violations
The past two weeks have seen continued developments in the state comprehensive privacy legislative landscape. Maryland, Minnesota, and Texas have entered the fray with new proposals, bringing the total number of states that...more
2/15/2023
/ Biometric Information ,
Consumer Privacy Rights ,
COPPA ,
Data Privacy ,
Fair Credit Reporting Act (FCRA) ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Personal Data ,
Personal Information ,
Privacy Laws ,
Proposed Legislation ,
State Privacy Laws
On February 2, 2023, the Illinois Supreme Court held in a unanimous opinion that individuals have five years after an alleged violation to bring claims under the state’s Biometric Information Privacy Act (BIPA). This ruling...more
On February 2, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reached a settlement with Banner Health Affiliated Covered Entities (“Banner Health”) for a 2016 data breach that...more
On Friday, February 3, 2023, the California Privacy Protection Agency (CPPA) held a public board meeting at which it voted unanimously to (1) approve the final text of the California Privacy Rights Act (CPRA) regulations and...more
2/9/2023
/ Artificial Intelligence ,
Audits ,
Board Meetings ,
California Privacy Rights Act (CPRA) ,
Comment Period ,
Compliance ,
Cybersecurity ,
New Regulations ,
NPRM ,
Public Meetings ,
Regulatory Agencies ,
Regulatory Agenda ,
Risk Assessment
On February 1, the Colorado Attorney General’s (AG) Office and the Colorado Department of Law (the “Department”) held a rulemaking hearing on the Proposed Draft Rules for the Colorado Privacy Act (CPA), which goes into effect...more
On February 1, 2023, the Federal Trade Commission (FTC) reached a settlement with digital health platform GoodRx for sharing users’ personal health information with third parties without properly disclosing their data...more
On January 6, 2023, the Federal Communications Commission (FCC or the “Commission”) released a Notice of Proposed Rulemaking (“Notice”) with updates to its data breach rules and reporting requirements. Considering the growing...more
In a press release on January 27, 2023, California Attorney General (“California AG”) Rob Bonta announced an investigative sweep focused on mobile applications’ compliance under the California Consumer Privacy Act (CCPA),...more
2023 continues to be a busy year for state comprehensive privacy legislation. Since our last post, several new states have entered the fray with legislative proposals, while some of the bills we previously examined have moved...more
The new year has already seen a flurry of state privacy law activity, with legislators in at least nine states (Indiana, Iowa, Kentucky, Massachusetts, Mississippi, New York, Oklahoma, Oregon, and Tennessee) proposing new...more