On June 30, 2023, a Superior Court of California (County of Sacramento, case number 34-2023-80004106-CU-WM-GDS) held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations cannot commence until one year after the finalized date of the regulations. However, the court declined to delay the CPPA’s ability to enforce violations of the underlying ballot initiative.
Delaware General Assembly Passes Personal Data Privacy Act
On June 30, 2023, the Delaware general assembly passed the Delaware Personal Data Privacy Act (“DPDPA”), H.B. 154. This bill resembles the comprehensive privacy statutes in Connecticut, Montana, and the recently passed bill in Oregon, though there are some notable distinctions. If signed into law, Delaware will be the latest state to implement
Oregon Legislature Passes Consumer Privacy Act
On June 22, 2023, the Oregon state legislature passed the Oregon Consumer Privacy Act, S.B. 619 (the “Act”). This bill resembles the comprehensive privacy statutes in Colorado, Montana, and Connecticut, though there are some notable distinctions. If passed, Oregon will be the twelfth state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut
FTC Enters Consent Decree with Direct-to-Consumer Genetic Testing Company On Heels of Other Significant Health and Genetic Privacy Developments
On Friday, the FTC announced that was entering a consent decree with 1Health.io Inc., which also does business as Vitagene, Inc. This is the fourth health-related FTC enforcement action announced this year (see here and here).
In addition, it comes on the heels of Virginia, Montana, and, as recently as last week, Texas joining California, Utah, and Arizona in adopting legislation specifically regulating the privacy practices of direct-to-consumer genetic testing companies. The recently adopted Montana law has a broader scope and narrower exceptions that raise questions about whether it will impede research, whereas the Texas law adopted last week is more similar to the other state models.
Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act
The Connecticut legislature passed Connecticut SB 3 on June 2, 2023. If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.
The health-related provisions would take effect on July 1, 2023. Most provisions related to minors’ data would take effect on October 1, 2024. However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.
As reflected in this bill, state legislatures appear increasingly focused on health privacy. Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted would impose requirements on consumer health data. Both the Nevada and Connecticut bill resemble Washington’s My Health My Data Act, although they appear generally narrower in scope. For additional detail on Washington’s My Health My Data Act, please review our blog post here.
Continue Reading Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act
FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule
On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”). The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR. The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content. According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.” Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.
Texas Passes Data Privacy and Security Act
On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act, making it the sixth state to pass a comprehensive data privacy law this year. The Act shares many similarities with Virginia, although there are some distinctions. If signed into law, the Act would take effect on July 1, 2024.
FTC Announces Second Enforcement Action Under Health Breach Notification Rule Against Fertility App Developer Easy Healthcare
On May 17, the Federal Trade Commission (“FTC”) announced an enforcement action against Easy Healthcare Corporation (“Easy Healthcare”) alleging that it shared users’ sensitive personal information and health information with third parties contrary to its representations and without users’ affirmative express consent, in violation of Section 5 of the FTC Act. It also alleges that Easy Healthcare failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule (“HBNR”). According to the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other requirements, will be permanently prohibited from sharing users’ personal health data with third parties for advertising purposes. The FTC also noted that Easy Healthcare will pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their laws.
DOJ, FTC, CFPB, and EEOC Statement on Discrimination and AI
On April 25, 2023, four federal agencies — the Department of Justice (“DOJ”), Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and Equal Employment Opportunity Commission (“EEOC”) — released a joint statement on the agencies’ efforts to address discrimination and bias in automated systems.
Continue Reading DOJ, FTC, CFPB, and EEOC Statement on Discrimination and AI
NYC Artificial Intelligence Rule to Take Effect July 5, 2023: New York City Issues Final Rule Regulating the Use of AI Tools by Employers
The New York City Department of Consumer and Worker Protection (“DCWP”) recently issued a Notice of Adoption of Final Rule (“Final Rule”) relating to the implementation of New York City’s law regulating the use of automated employment decision tools (“AEDT”) by NYC employers and employment agencies.
NYC’s Local Law 144 now takes effect on July 5, 2023. As discussed in our prior post, Local Law 144 prohibits employers and employment agencies from using certain Artificial Intelligence (“AI”) tools in the hiring or promotion process unless the tool has been subject to a bias audit within one year prior to its use, the results of the audit are publicly available, and notice requirements to employees or job candidates are satisfied.
The issuance of DCWP’s Final Rule follows the prior release of two sets of proposed rules in September 2022 and December 2022. The Final Rule’s most significant updates from the December 2022 proposal include an expansion of the definition of AEDTs and modifications to the requirements for bias audits. Key provisions of the Final Rule are summarized below.