Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is
Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.
Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies
Over the past few years, data privacy and security has been the focus of many state legislatures. CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023 when the Governor signed the latest consumer privacy bill into law. Many other states have bills in the legislatures that are likely to become law, including FL, MT and TN (where the bills are awaiting the governors’ signatures). Though most of these laws apply to businesses that control or process personal data of 100,000 or more residents in each of those states, California’s data privacy law applies to any business that has gross annual revenue of over $25M if it collects the personal data of any California resident, which includes employees and business contacts.
Continue Reading Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies
Iowa Joins Data Privacy Vanguard
On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation. Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them. Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.[1]
The Door Opens for Astronomical Damages Under BIPA
An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”). Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.
Continue Reading The Door Opens for Astronomical Damages Under BIPA
Five Years It Is — Illinois Supreme Court Decides BIPA Statute of Limitations
The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going
New Year Brings New State-Level Data Privacy Protections
As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. Data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now proscribed specific standards and requirements in
FinCEN Leader’s Remarks Focus on Securing Digital Identity
During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputing Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.
Read on for details and analysis of his remarks and proactive steps financial institutions
First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory
On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory
Twitter Fined $150M for Violating FTC Order on Misrepresenting Privacy and Security Practices
On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.
Read on for details about the alleged violations