On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.Continue Reading Nebraska Enacts Nebraska Data Privacy Act
California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization
On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.” The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.Continue Reading California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization
CPPA Executive Director Remarks on Policy and Enforcement Priorities
On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”). Below we provide a few key takeaways:Continue Reading CPPA Executive Director Remarks on Policy and Enforcement Priorities
Kentucky Passes Comprehensive Privacy Bill
Earlier this month, the Kentucky legislature passed comprehensive privacy legislation, H.B. 15 (the “Act”), joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, and New Hampshire. The Act is awaiting the Governor’s signature. If signed into law, the Act would take effect on January 1, 2026. This blog post summarizes the statute’s key takeaways.Continue Reading Kentucky Passes Comprehensive Privacy Bill
HHS OCR Updates Tracking Technologies Guidance
On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) updated its “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance addressing how regulated entities may use tracking technologies on their websites and mobile applications in a manner compliant with the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”). The guidance, originally published in December 2022, states that HIPAA-regulated entities are not permitted to leverage tracking technologies in ways that would result in an impermissible disclosure of protected health information (“PHI”) or other violation of HIPAA. The guidance also emphasizes the importance of safeguarding PHI and notes that regulated entities may not share PHI with tracking technology vendors (e.g., third-party advertisers) absent a business associate agreement (“BAA”) with the vendor or pursuant to a patient authorization. Continue Reading HHS OCR Updates Tracking Technologies Guidance
California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information. Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process. At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process. The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest. Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework
On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework
Nebraska Enacts Direct-to-Consumer Genetic Privacy Law as Several Other States Propose Similar Bills at the Start of 2024
On February 14, 2024, Nebraska enacted a genetic privacy law (LB 308) regulating direct-to-consumer (“DTC”) genetic testing companies. The law is one of a flurry of bills regarding DTC genetic testing that have been introduced in several states since the beginning of 2024, following the enactment of several DTC genetic testing laws in 2023, such as in Virginia.Continue Reading Nebraska Enacts Direct-to-Consumer Genetic Privacy Law as Several Other States Propose Similar Bills at the Start of 2024
California Appeals Court Vacates Enforcement Delay of CPPA Regulations
On February 9, the Third Appellate District of California vacated a trial court’s decision that held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations could not commence until one year after the finalized date of the regulations. As we previously explained, the Superior Court’s order prevented the
Continue Reading California Appeals Court Vacates Enforcement Delay of CPPA Regulations