On March 26, 2023, Virginia enacted a genetic privacy law (SB 1087) aimed at regulating the practices of direct-to-consumer (“DTC”) genetic testing companies. Virginia is not the only state interested in regulating these companies—numerous other states, including Minnesota, Texas, Tennessee, and Vermont, have introduced similar bills during this legislative session, following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years. Virginia’s SB 1087, effective July 1, 2023, adds to the growing net of state genetic privacy protections.
Colorado AG Files Final Rules Implementing CPA
On March 15, 2023, the Colorado Attorney General filed final rules implementing the Colorado Privacy Act (“CPA”) with the Secretary of State. The Attorney General first released proposed draft rules on October 10, 2022 and subsequently released revised draft rules on December 21, 2022 and January 27, 2023 after public comment. The final rules will
McHenry Introduces Data Privacy Act of 2023
On February 24, Congressman Patrick McHenry (NC-10) formally introduced his bill to modernize the Gramm-Leach-Bliley Act (“GLBA”) in the House as H.R. 1165. The bill was first released as a discussion draft in June 2022, although the latest version reflects a number of updates as compared to the initial discussion draft. The bill has
The Colorado AG Posts Revised Draft Regulations
Recently, the Colorado Attorney General’s office posted a revised draft of the regulations implementing the Colorado Privacy Act. The revisions made a number of changes, and we highlight a few key ones below.
- Specifying that the dark patterns provisions apply in certain circumstances only. The rules clarify that the rules governing dark patterns apply only
CPPA Approves First Round of Draft Rules
At the CPPA board meeting last week, the agency adopted the regulations and directed the staff to file the rulemaking package with the Office of Administrative Law (“OAL”). Before these regulations can become effective (and therefore enforceable), the OAL must complete its review of the regulations. It has 30 working days to complete its review
FTC Announces First Enforcement Action Under Health Breach Notification Rule
On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers. According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint.
This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement. Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.
Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule
California Privacy Protection Agency Posts Final Draft Regulations
Last night, the California Privacy Protection Agency (CPPA) published agenda materials for its upcoming meeting on February 3, 2023. The materials include:
- Proposed final draft regulations implementing the California Privacy Rights Act (CPRA). These do not reflect further changes since the draft regulations that the CPPA put out for a 15-day comment period on November
FTC Issues New Guidance Regarding Health Products
On December 20, 2022, the Federal Trade Commission (“FTC”) announced its issuance of Health Products Compliance Guidance, which updates and replaces its previous 1998 guidance, Dietary Supplements: An Advertising Guide for Industry. While the FTC notes that the basic content of the guide is largely left unchanged, this guidance expands the scope of the previous guidance beyond dietary supplements to broadly include claims made about all health-related products, such as foods, over-the-counter drugs, devices, health apps, and diagnostic tests. This updated guidance emphasizes “key compliance points” drawn from the numerous enforcement actions brought by the FTC since 1998, and discusses associated examples related to topics such as claim interpretation, substantiation, and other advertising issues.
Continue Reading FTC Issues New Guidance Regarding Health Products
Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules
The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”). These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th. The Attorney General will convene a formal rulemaking hearing on February 1, 2023. In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration.
Continue Reading Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules
California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information
In a new post on the Covington Digital Health blog, our colleagues discuss a recent amendment to California’s Confidentiality of Medical Information Act (“CMIA”) that expands the scope of the law to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services.