New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in Health Privacy, State Legislation

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

Prior to enactment into law, SB S929 will be subject to amendment or veto by New York Governor Kathy Hochul. Governor Hochul has confirmed that she will review SB S929.

As we detailed in our previous blog post, this bill:

has a very broad scope,
includes a novel and dramatically challenging authorization requirement for certain collection or other processing of regulated health information,
imposes specific and unique notice and data security-related obligations, and
creates onerous data access and data deletion requirements.

As we noted last year, “while protecting the privacy of sensitive health data is important, and legitimate concerns about the potential for harmful uses of such data should be addressed, this bill’s overbroad scope and problematic substantive obligations are likely to create unintended costs, confusion, and disruption for many entities providing any products or services that are at all related to health or wellness.”

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.

Workplace Privacy – 5 Things I’m Keeping in Mind for 2025

January 21, 2025 in Technology Law, Workplace Privacy

By Jennifer Ruehr

Many of us are returning to work this month with New Year’s resolutions, predictions, and lists top of mind, and top of inbox. As I turn back to work, I’m thinking ahead to how U.S. laws and regulations are going to impact my clients from a workforce perspective. Here’s what is top of mind for me right now:

Fair Credit Reporting Act
State law AI requirements
Biometrics in the workplace
Genetic data risk
Workplace monitoring

The FTC Issues Final COPPA Rule Amendment

January 20, 2025

By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors.Our unofficial redlined copy of the Final Rule can be found here.

10 areas for US-based privacy programs to focus in 2025

January 15, 2025

By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.

New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows

January 09, 2025

By Sam Castic and Hansenard Piou

The Department of Justice adopted a final Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons that takes effect on April 8, 2025.

The EDPB Releases an Opinion on AI Model Development and Deployment

January 08, 2025

By Emily Litka

On December 18th, in response to a request from the Irish Supervisory Authority (“SA”), the European Data Protection Board (the “EDPB”) published an opinion (the “Opinion”) on the application of the GDPR to certain aspects of AI model development and deployment.

Congratulations to Jennifer Ruehr on Promotion to Co-Managing Partner

January 06, 2025

Hintze Law PLLC is thrilled to announce Jennifer Ruehr’s promotion from Partner to Co-Managing Partner, joining forces with Susan Hintze to lead our firm into an exciting future. Together, they will oversee the day-to-day operations of the firm and provide strategic management oversight and leadership to drive our continued success.

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in Health + Biotech, Health Privacy, HIPAA, State Legislation

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech, Health and Biotech, Hintze Law, Privacy, Health Privacy

By Mike Hintze and Felicity Slater

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

November 07, 2024 in Hintze Law, Awards, Best Lawyers, Best Law Firms, Technology Law, Information Technology La

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others

October 08, 2024 in CCPA, Cybersecurity, Hintze Law, Privacy

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

Hansenard Piou Joins Hintze Law as an Associate

September 23, 2024

Hintze Law PLLC is excited to announce that Hansenard “Hansy” Piou has joined the firm as a first-year associate* in the Seattle office.

Congrats to Taylor Widawski for Promotion to Partner

September 03, 2024 in Hintze Law

Hintze Law, PLLC is delighted to announce that, effective September 2024, Taylor Widawski has been promoted to partner!

FTC Introduces Novel Ban in Its Settlement with NGL Labs and Scrutinizes AI Representations

August 19, 2024 in FTC, COPPA, Global Privacy & Security, Online Advertising

By Emily Litka

On July 9, 2024, The Federal Trade Commission (FTC) and the Los Angeles District Attorney’s Office (LA DA) reached a settlement with NGL Labs, the maker of the “NGL: ask me anything” app and its co-founders. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA), and similar California state laws. In the complaint, the FTC and LA DA also brought claims against NGL’s cofounders individually.

Susan and Mike Hintze Recognized in 2025’s Best Lawyers in America

August 19, 2024

Hintze Law PLLC is delighted to announce that Susan Hintze, Managing Partner, and Mike Hintze, Member Partner, have been recognized by Best Lawyers®.

Susan has been recognized in The Best Lawyers in America® 2025 edition in the practice areas of Advertising Law and Information Technology Law.

Emily Litka Joins Hintze Law as a Senior Associate

August 07, 2024

Hintze Law PLLC is thrilled to announce that Emily Litka has joined the firm as part of our growing team of talented AI, privacy, and cybersecurity attorneys.

Alex Schlight and Taylor Widawski Recognized as Super Lawyers Rising Stars

August 01, 2024

We’re happy to announce that Alex Schlight and Taylor Widawski have both been recognized by Super Lawyers as Rising Stars in the Technology Transactions practice areas! Alex and Taylor both specialize in data privacy, data security, and artificial intelligence legal counseling, including in technology transactions for clients.

The Federal Trade Commission’s Revised Health Breach Notification Rule to Take Effect

June 28, 2024

By Felicity Slater

In one month’s time, on July 29, 2024, the Federal Trade Commission’s (“FTC”) revised Health Breach Notification Rule (“HBNR”) will take effect. The rule obliges regulated entities to disclose breaches of personally identifying health information to consumers, the FTC, and, in some cases, the press. The revisions establish that a broad range of entities operating in the consumer health and wellness space are covered by the rule, and that unauthorized disclosures of personally identifying health information, along with data breaches as traditionally conceived of, trigger the rule’s notification obligations. Violators risk substantial fines.

Regulator Insights into the HIPAA Privacy Rule to Support Reproductive Health Privacy

June 24, 2024

By Cameron Cantrell and Sheila Sokolowski

On Thursday, June 20, 2024, the Department of Health and Human Services’ Office of Civil Rights and Office of Health Information Technology (collectively, “HHS”) jointly presented a webinar on the HIPAA Privacy Rule to Support Reproductive Health Privacy (the “Reproductive Health Privacy Rule” or “Rule”). HHS published the final Reproductive Health Privacy Rule on April 26, 2024, and provided the webinar as part of building out the agency’s guidance on the Rule’s novel requirements.

New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users

June 21, 2024 in CCPA, Privacy, Online Advertising

By Cameron Cantrell and Sam Castic

This week the California Attorney General and Los Angeles City Attorney announced a proposed $500,000 settlement to a complaint against mobile app game developer and publisher Tilting Point Media LLC for alleged violations of the California Consumer Privacy Act (“CCPA”), unfair competition law, and federal Children’s Online Privacy Protection Act (“COPPA”). This post summarizes the alleged practices that led to the enforcement action, how it fits with regulatory enforcement priorities including on data sales via tracking technologies and children’s privacy, and steps for companies to consider to reduce risk.