Uncategorized

On Friday, the FTC announced that was entering a consent decree with 1Health.io Inc., which also does business as Vitagene, Inc.  This is the fourth health-related FTC enforcement action announced this year (see here and here). 

In addition, it comes on the heels of Virginia, Montana, and, as recently as last week, Texas joining California, Utah, and Arizona in adopting legislation specifically regulating the privacy practices of direct-to-consumer genetic testing companies.  The recently adopted Montana law has a broader scope and narrower exceptions that raise questions about whether it will impede research, whereas the Texas law adopted last week is more similar to the other state models. 

Continue Reading FTC Enters Consent Decree with Direct-to-Consumer Genetic Testing Company On Heels of Other Significant Health and Genetic Privacy Developments

On April 25, 2023, four federal agencies — the Department of Justice (“DOJ”), Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and Equal Employment Opportunity Commission (“EEOC”) — released a joint statement on the agencies’ efforts to address discrimination and bias in automated systems. 

Continue Reading DOJ, FTC, CFPB, and EEOC Statement on Discrimination and AI

Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives.  Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law.  The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade.   If enacted, the Act could dramatically affect how companies treat the health data of Washington residents. 

This blog post summarizes a few key takeaways in the statute.

Continue Reading Washington’s My Health My Data Act Passes State Senate

Recently, the Colorado Attorney General’s office posted a revised draft of the regulations implementing the Colorado Privacy Act. The revisions made a number of changes, and we highlight a few key ones below.

  • Specifying that the dark patterns provisions apply in certain circumstances only. The rules clarify that the rules governing dark patterns apply only

On Episode 20 of Covington’s Inside Privacy Audiocast, Dan Cooper, Co-Chair of Covington’s Data Privacy and Cyber Security practice, and Christian Ahlborn, Partner in Covington’s Competition practice, discuss the recently enacted EU Digital Markets Act (DMA) in the first part of our “Competition and Privacy” mini series.

For more information on the DMA

Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue.  For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.

Continue Reading ICO Fines Easylife £1.48 Million For Data Protection and E-Marketing Violations

On Monday, the Supreme Court granted certiorari in Gonzalez v. Google LLC, 2 F.4th 871 (9th Cir. 2021) on the following question presented:  “Does section 230(c)(1) immunize interactive computer services when they make targeted recommendations of information provided by another information content provider, or only limit the liability of interactive computer services when they engage in traditional editorial functions (such as deciding whether to display or withdraw) with regard to such information?”  This is the first opportunity the Court has taken to interpret 47 U.S.C. § 230 (“Section 230”) since the law was enacted in 1996.

Continue Reading Supreme Court Grants Certiorari in Gonzalez v. Google, Marking First Time Court Will Review Section 230

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

After years of negotiations, members of the U.S. Senate and House of Representatives have released bipartisan comprehensive privacy legislation—the American Data Privacy and Protection Act.  Democrats and Republicans have put forward separate proposals in the past that have more in common than different.  The two main points of disagreement that have historically stalled a comprehensive