On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $632,500 fine related to allegations that American Honda Motor Co., Inc. (“Honda”) violated the California Consumer Privacy Act (“CCPA”).Continue Reading Honda Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
U.S. Senate Introduces Genomic Data Protection Act
On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (“GDPA”). The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after. Notably, as part of his February 2024 white paper, Senator Cassidy specifically called for the regulation of genetic data collected by direct-to-consumer genetic testing companies, pointing to several states that have enacted laws regulating these companies over the past several years.Continue Reading U.S. Senate Introduces Genomic Data Protection Act
Federal Congressional Comprehensive Data Privacy Working Group Issues Request for Information
On February 21, 2025, Congressmen Brett Guthrie (R-KY-2) and John Joyce (R-PA-13), Chairman and Vice Chairman of the House Committee on Energy and Commerce, respectively, issued a Request for Information (“RFI”) asking stakeholders to provide comments to the newly formed data privacy working group. Chairman Guthrie and Vice Chairman Joyce
Continue Reading Federal Congressional Comprehensive Data Privacy Working Group Issues Request for InformationWebsite Wiretapping Litigation: Recent Decisions and Developments
Website analytics and advertising tools, such as pixels, are regularly targeted in lawsuits brought under various wiretap laws, including the federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”). We cover significant developments and trends in website wiretapping lawsuits on Inside Class Actions. Over the last several months, we have featured posts discussing an important decision from Massachusetts’ highest court about the availability of website wiretap suits under Massachusetts law, an opinion from a California court about a new “pen register” theory under CIPA, and more. These posts, and other highlights, include the following:Continue Reading Website Wiretapping Litigation: Recent Decisions and Developments
New York Legislature Passes Health Privacy Act
On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.
NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”
Where such an authorization is required, a valid authorization must, among other requirements:
- Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
- If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.
Continue Reading New York Legislature Passes Health Privacy Act
HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule
On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule. According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule
State Attorneys General Issue Guidance On Privacy & Artificial Intelligence
Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go into effect on January 1, 2025 in the state.Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial Intelligence
Health Privacy Developments to Watch in 2025
2024 was an incredibly busy year for health privacy. As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:Continue Reading Health Privacy Developments to Watch in 2025
California Enacts Health AI Bill and Protections for Neural Data
On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”). This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA) to cover “neural data.” We discuss each bill in turn below.
AB 3030Continue Reading California Enacts Health AI Bill and Protections for Neural Data
New York AG Issues Guidance on Website Privacy Controls
The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, business’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”Continue Reading New York AG Issues Guidance on Website Privacy Controls