On February 28, 2018, the Federal Trade Commission (FTC) hosted its third PrivacyCon conference in Washington, D.C., an event that highlights research and facilitates discussion of the latest research and trends related to consumer privacy and data security. The FTC welcomes privacy and data security researchers to inform it of their latest findings, and
New SEC Cybersecurity Guidance Outlines Disclosure Obligations
Last week, as previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks. The release of this guidance underscores the SEC’s intent to prioritize cybersecurity compliance in 2018. The SEC may bring action against boilerplate cybersecurity disclosures that are not specifically tailored to address unique…
France: Pragmatism and Flexibility for the GDPR Implementation
The GDPR (General Data Protection Regulation) will be applicable as of May 25, 2018. The (high) level of penalties under the GDPR will become one of the core issues for companies. Indeed, the GDPR is based on the European fundamental rights to privacy and data protection and could potentially apply outside the European Union.
In…
Child’s Play: VTech Settles FTC Lawsuit Over Data Security in Connected Toys
On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.
When Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, it directed the FTC to create a rule implementing the goal of…
Virginia General Assembly to Tackle a Variety of Privacy Related Bills
The Virginia General Assembly is underway and several privacy related bills are on the legislative agenda for 2018. The Virginia legislature will consider approximately 3,000 bills during its 60-day session that will end in early March. Several of these pending bills have privacy implications in a variety of substantive areas.
Tax Return Data
In an…
Big Brother is a Pill: Digital Tracking Drugs
Drug adherence programs have significantly evolved over the last few years with drug companies, health plans, and providers taking steps to monitor patient medication compliance. Drug adherence is the degree to which a patient complies with medication administration advice for treatment of chronic disease. Beyond the obvious benefits to patients’ health and health entities’ bottom lines, drug adherence can have a large effect on public health and social communities. Therefore, although it is no surprise that the health care industry has turned its focus to adherence in a big way, it may be surprising that in an industry where confidentiality is king, the most recent strategy may be turning to big brother.
U.S. Food & Drug Administration Announcement
This past November, the U.S. Food & Drug Administration (“FDA”) announced approval of a new solution to medication noncompliance – digital tracking. The FDA has not broadly blessed the practice, which has been around since 2012, but rather took a large leap in that direction by approving the digital drug Abilify MyCite – a collaboration between drug manufacturer Otsuka and technology company Proteus Digital Health. The drug is used for the treatment of schizophrenia, episodes associated with bipolar I disorder, and certain depression diagnoses in adults. Abilify MyCite, specifically, uses an ingestible sensor embedded in the drug tablet to trigger an electrical signal upon reacting with stomach acids. The signal is sent to a wearable patch and a mobile application, which records that medication was taken. Patient relatives and caregivers can also track medication compliance, accessing the information directly through a similar application or web-based portal.[1]
Privacy Concerns and Obtaining Consent
As the industry looks to improve public health and reduce health care costs (medication noncompliance is estimated to cost $100 billion/year in the U.S.), it works to balance the need to uphold patient rights, including patient privacy, especially where disease increases patients’ vulnerability. While HIPAA and state laws generally allow the access to and disclosure of patient information with consent as well as for treatment purposes,[2] regulation regarding this kind of monitoring by third parties and resulting use of the data is less explicit. Just as states are beginning to take a stronger stance on protection of biometric and genetic information, digital drugs and medication compliance may be next to receive additional scrutiny and increased protections.
No Written Consent, But Still No Harm: TCPA Class Certification Denied Where Spokeo Creates Individualized Questions of Consent
Earlier this year, the Northern District of Illinois declined to certify a Telephone Consumer Protection Act (TCPA) class action even though the key issue in the case – whether class members had provided prior express written consent to receive prerecorded telemarketing calls – appeared to be a common question. In Legg v. PTZ Insurance Agency, …
The 2018 Virginia General Assembly Session Hasn’t Begun, but Legislation on Student Privacy and Credit Freeze Charges is Already Pending
As previously written about in this blog, student privacy figured prominently in a few campaigns for the Virginia House of Delegates this past Fall. A progressive special interest group utilized Virginia’s Freedom of Information Act to request and receive student identifying information, including cell numbers, from numerous public colleges and universities in Virginia (…
Federal Agencies Respond to Concerns About Student Privacy
The Federal Trade Commission (FTC) and U.S. Department of Education (ED) increasingly are responding to concerns about educational technology and its ability to capture and manipulate massive quantities of private student and parent data. “EdTech,” as it is called, broadly refers to online curriculum and instructional materials accessed by school and personal devices. EdTech has…
The WP29 Issues an Ultimatum to Improve the Privacy Shield
The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.
It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main applicable data protection instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.
In its report, the WP29 focuses on guarantees of enforcement and efficiency.