Photo of Libbie Canter

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is "incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions."

On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.

NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”

Where such an authorization is required, a valid authorization must, among other requirements: 

  • Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
  • If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.

Continue Reading New York Legislature Passes Health Privacy Act

On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule.  According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
Continue Reading HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule

Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities.  Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go into effect on January 1, 2025 in the state.Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial Intelligence

On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”).  This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA) to cover “neural data.”  We discuss each bill in turn below.

AB 3030Continue Reading California Enacts Health AI Bill and Protections for Neural Data

The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, business’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”Continue Reading New York AG Issues Guidance on Website Privacy Controls

On August 2, 2024, Illinois’ governor signed into law S.B. 2979, a significant amendment to the Illinois Biometric Information Privacy Act (BIPA). The law states that an entity that, in more than one instance, obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of BIPA’s notice and consent requirement has committed a single violation. As a result, each aggrieved person is entitled to, at most, one recovery for a single collective violation.Continue Reading Illinois Enacts BIPA Amendment Limiting Violation Accrual

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).Continue Reading Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals

On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly

Continue Reading Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data