The FTC Announces Consumer Review Fairness Act Enforcement Actions

On May 8, 2019, the Federal Trade Commission (FTC) announced its first three cases that exclusively enforce the Consumer Review Fairness Act (CRFA).  Enacted in December 2016 to protect consumers’ ability to share their honest reviews, the CRFA prohibits companies from using form contracts that bar consumers from writing negative reviews or threaten them with legal action if they do.

According to the FTC’s administrative complaints, each of the three companies—an HVAC and electrical contractor, a flooring seller, and a horseback trail riding operator—unlawfully used non-disparagement clauses in customer contracts.

The three proposed consent orders include provisions designed to ensure future CRFA compliance.  In addition to barring the companies from using non-disparagement clauses in form contracts for goods and services, the proposed orders require the companies to notify consumers who signed the unlawful contracts that the non-disparagement provisions are not enforceable and that those customers can publish their honest reviews, even if negative.

The FTC will publish a description of the consent agreements in the Federal Register and solicit public comments for thirty days.  After reviewing the public comments, the Commission will decide whether to make the proposed consent orders final.

These most recent actions build upon the FTC’s prior cases challenging non-disparagement clauses.  We are carefully monitoring the FTC’s approach to this important consumer protection area and will keep readers apprised on Inside Privacy.

Washington State Lawmakers Reach Deadline Without Passing Privacy Act, But Reach Agreement on Amendments to Breach Notification Law

The Washington Privacy Act stalled this April in the state’s House of Representatives, and will likely not reappear again for discussion until the 2020 legislative session.

The bill overwhelmingly passed the Senate, but failed to come to a floor vote in the House of Representatives before the April 17th deadline for state lawmakers to consider non-budget related matters. This delay appears to stem from a lack of consensus on key issues, such as the regulation of facial recognition technologies and potential enforcement mechanisms.

If the House had passed the bill, Washington would have become the second state in the United States to enact significant privacy legislation. Mirroring the GDPR in several respects, the bill provided access, correction, and deletion rights to consumers, and imposed disclosure and risk assessment obligations on covered businesses.

Although state lawmakers failed to pass the Washington Privacy Act, they reached a consensus on a separate bill that expands Washington’s breach notification law. The Senate and the House of Representatives passed the bill in their respective chambers in the latter half of April. The bill amends the state’s data breach notification requirements in three ways:

  • Definition of Personal Information: The law expands the definition of “personal information” that triggers notification to include: full date of birth; private key to authenticate or sign an electronic record; biometric data; student, military, or passport ID numbers; certain health insurance information; medical histories; and online account credentials.
  • Timeline for Notification: The law reduces the timeline for issuing notifications from 45 days to 30 days after discovery of a breach.
  • Content Required for Notification: The law requires additional information to be included in breach notification letters, such as the date of the breach and the discovery date. In addition, for breaches of usernames and passwords, the notice must inform consumers to change their passwords and security questions and answers, and to take appropriate steps to secure their account. Notifications to the Attorney General also must include the types of personal information subject to the breach, the timeframe of exposure, and steps taken to contain the breach.

The new requirements are scheduled to take effect on March 1, 2020.

HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations

On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).

The maximum penalty per violation for all four tiers was previously $1.5 million.  HHS’s new policy states that the annual penalty limit for Tier 1 violations has now been decreased from $1.5 million to $25,000.  The new annual penalty limits for Tier 2 and 3 violations are now $100,000 and $250,000, respectively.  The penalty limit for Tier 4 violations will remain at $1.5 million. Continue Reading

German DSK publishes guidance on the applicability of the German Telemedia Act to telemedia services

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify and concretize” a previous statement on the topic released by the DSK in April 2018 and to serve as guidance for the implementation of data protection requirements when processing users’ data through telemedia services.  This guideline is the result of a stakeholder consultation carried out by the different German Supervisory Authorities last year.

In line with its previous paper, the DSK confirmed in its opinion that Sections 12, 15(1) and 15(3) TMG ceased to be applicable when the GDPR came into effect. Hence, in the absence of a lex specialis, the provisions of the GDPR apply by default. The main difference between the two laws is that the TMG provides for a specific legal basis under which online tracking may be lawfully carried out by a website operator.  According to Section 15(3) TMG, so long as the website operator uses pseudonyms, it may create user profiles for purposes of advertising, market research or for the demand-oriented design of telemedia services, provided that the user does not object to this (typically through an opt-out solution like unticking a pre-selected checkbox on a cookie banner).

The DSK argues that Sections 12, 15(1) and 15(3) of the TMG do not implement the ePrivacy-Directive’s[1] ‘cookie requirements’ and therefore are not covered by Art. 95 GDPR, which leaves (national) laws like the TMG unaffected if they constitute an implementation of the ePrivacy Directive. With regard to Section 15(3) the DSK also rejects an interpretation in line of the GDPR. Finally, the DSK points out that the ePrivacy-Directive is not directly applicable. Hence, according to the DSK, online tracking must be based on one of the legal bases listed in Article 6 GDPR (or Article 9 for sensitive data) and if consent is sought, this it must comply with the requirements for consent under Article 4(11) GDPR.

The DSK then sets out the various legal bases in Art. 6(1) GDPR that a website operator may rely on for processing personal data collected via website cookies. According to the DSK, in most use cases online tracking requires the user’s prior consent in the form of an opt-in solution whereby the user must actively demonstrate consent (typically by ticking a checkbox on a cookie banner). When the collection of sensitive data is involved, consent shall always be required.

With regards to consent, the DSK clarified that if personal data collected from the user is combined and evaluated by the website operator across websites, the user must be informed in advance of all processing activities and of all recipients of the data. Furthermore, the user must be given the opportunity to give his/her specific consent to the various forms of data processing. In cases where multiple data controllers wish to rely on the same consent (either as joint controllers or because of a transfer between co-controllers), all controllers must be named and their different processing activities must be sufficiently described. In these cases, all data controllers must check whether there is effective consent for their processing activities and whether this can be proven by them. With reference to Recital 32 GDPR the DSK points out that an opt-out procedure does not comply with the consent requirements of the GDPR.

Notably, the DSK also said that it must be possible to view a website without consenting to non-essential cookies – this appears to be a prohibition on the use of cookie walls. Obtaining consent through an “OK” button is also not GDPR compliant in the eyes of the DSK if users are not given an opportunity to refuse the cookies.

The guidance sets out a three-step balancing process that website operators should carry out if they intend to rely on legitimate interest as their legal basis for using cookies. Here, the DSK describes what it considers to be acceptable and unacceptable examples of (overriding) legitimate interests. For the DSK, it would be acceptable for a website operator to collect information about (i) the number of website visitors over a specific period of time, (ii) the devices they used to access the website, and (iii) their language preferences, in furtherance of the website operator’s legitimate interest to maximize the website’s reach. However, it would not be acceptable for the website operator to use an analysis tool for this purpose that passes on the browsing behaviors of website visitors to third parties (e.g., social networks or other services which merge usage data with data from other sources). According to the DSK, a user does not reasonably expect that user history is shared with third parties or that web browsing behavior (e.g., the manner in which one touches a screen or types on the keyboard) is recorded.  The DSK recommends alternatives such as collecting less data and/or utilizing an in-house software solution for certain website analytics purposes.

The DSK expressly highlights that this guidance is subject to the interpretation of the European Data Protection Board and any changes that may result from the finalization of the long-awaited ePrivacy Regulation.

[1] Directive 2002/58/EG as amended by the Directive 2009/136/EG.

HHS Extends Comment Period for Proposed Rules on Patient Access and Interoperability

On April 19, 2019, the Department of Health and Human Services (HHS) announced a 30-day extension, until June 3, 2019, to the comment period for two rules proposed by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).

The CMS proposed rule aims to increase patient access to their personal electronic health information. The rule proposes new requirements for federal government payors, such as requiring the adoption of application programming interfaces (APIs) to better enable the transfer of electronic health information between health networks. The CMS rule also proposes requirements for providers, such as affirmative attestations that they are not engaging in information blocking activities and publicly disclosing those providers who fail to attest in the affirmative.

The ONC proposed rule focuses on technical changes to increase interoperability between disparate systems. Among the ONC rule’s proposals are standardized criteria for API development and seven exceptions to the prohibition against information blocking.

Additional information about these proposed rules can be found in Covington Digital Health’s March 7, 2019 blog post, as well as our April 25, 2019 blog post.

ICO issues draft code of practice on designing online services for children

Earlier this month, the UK’s Information Commissioner’s Office published a draft code of practice (“Code”) on designing online services for children. The Code  is now open for public consultation until May 31, 2019. The Code sets out 16 standards of “age appropriate design” with which online service providers should comply when designing online services (such as apps, connected toys, social media platforms, online games, educational websites and streaming services) that children under the age of 18 are likely to access. The standards are based on data protection law principles, and are legally enforceable under the GDPR and UK Data Protection Act 2018. The Code also provides further guidance on collecting consent from children and the legal basis for processing children’s personal data (see Annex A and B of the Code). The Code should be read in conjunction with the ICO’s current guidance on children and the GDPR. Continue Reading

HHS Clarifies HIPAA Liability for EHR System Developers that Transfer Data to Health Apps

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure of electronic protected health information (ePHI).  As long as the app is independent of the covered entity and its EHR system and is instead controlled by the individual patient, the covered entity and its EHR system have no HIPAA liability once ePHI is delivered to the app at the patient’s request.

In its FAQ, HHS specified that if, at the request of a patient, a HIPAA covered entity’s EHR system transfers ePHI to an app that is not developed by or specifically provided to the covered entity by the EHR system, neither the covered entity nor the EHR system developer would face HIPAA liability for the app’s subsequent impermissible use or disclosure of the information.  But if an EHR system transfers patient data from a covered entity to an app that the EHR system provides “through, or on behalf of, the covered entity (directly or through another business associate)” and either owns the app or has a business relationship with the app developer, the EHR system developer may be subject to HIPAA liability for subsequent impermissible use or disclosure of the ePHI.

This attempt to clarify the boundaries of HIPAA liability will likely be welcomed by a wide range of covered entities, EHR systems, and developers of apps that process ePHI, including apps that connect patients with doctors, pharmacy apps, and apps that focus on fertility, mental health, smoking cessation, and more.  Patients, on the other hand, should be aware that the information being collected by an app (which can be substantial and sensitive, depending on the nature of the app) has no protection under HIPAA unless the app was offered to them by a covered entity as part of its overall EHR system.

U.S. Supreme Court Affirms the Necessity of Express Authorization for Class Arbitration

On April 24, 2019, the Supreme Court issued its opinion in Lamps Plus, Inc., et al. v. Varela, addressing the question of whether an ambiguous arbitration agreement can be read to compel class arbitration under the Federal Arbitration Act, 9 U.S.C. §§ 1-16 (2000). Underscoring the controversial nature of this decision, the case was decided by a 5-4 split that included dissenting opinions authored by Justices Ginsburg, Breyer, Sotomayor, and Kagan. The majority opinion, authored by Chief Justice Roberts, held that contract ambiguity did not suffice to compel class arbitration.

Continue Reading

Coercive and Non-Coercive Surveillance Authorities

When the U.S. government conducts electronic surveillance, there are a variety of legal authorities on which it relies.  The Wiretap Act, for example, authorizes the government to conduct live telephone wiretaps in certain criminal investigations; for electronic data, the Act also permits the government to acquire electronic communications in real time.  The Stored Communications Act (“SCA”) authorizes the government to obtain stored electronic data, including the content of email messages hosted online for criminal investigations.

Continue Reading

China’s Ministry of Public Security Issues New Personal Information Protection Guideline

On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018.

Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime.  Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.

The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.”  Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).

To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018.  The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards.  Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.

This post summarizes key requirements of the Guideline.

Continue Reading