Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.
Read MorePrivacy
California Legislature Passes the Delete Act
in CPPA, CCPA, State Legislation, Privacy
On September 15, 2023, the California Legislature passed Senate Bill 362, known as the Delete Act, which amends the California data broker law. The bill now awaits a signature from the governor. If signed, certain aspects of the law will go into effect as soon as January 31, 2024.
Read MoreFlorida's Comprehensive Privacy Law Enacted
By Leslie Veloz
Florida’s SB 262 was signed into law Tuesday, June 6, 2023, making it the 10th comprehensive state privacy law enacted in the United States. SB 262 consists of several parts.
Read MoreWashington My Health My Data Act - Part 8: Notice Obligations
By Mike Hintze
When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).
Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.
Read MoreWashington My Health My Data Act – Part 7: Biometric Data
By Mike Hintze & Jevan Hutson
Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.
Read MoreWashington My Health My Data Act - Part 6: Data Subject Rights
By Mike Hintze
The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.
Read MoreWashington My Health My Data Act - Part 5: Consent Requirements
By Mike Hintze
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.
Read MoreWashington My Health My Data Act - Part 4: Effective Dates
By Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
Read MoreWashington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act
By Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.
Read MoreWashington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”
By Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
Read MoreThe Washington My Health My Data Act - Part 1: An Overview
By Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Read MoreUtah's Social Media Regulation Act - Overview of Privacy & Business Impact
By Alex Schlight and Leslie Veloz
Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA), or California’s Age-Appropriate Design Code Act passed last year in that it significantly limits when and how minors under the age of 18 can use social media, gives parent’s broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including, prohibiting the display of ads to minors, targeting or suggesting groups, services, products, and posts and use of addictive design.
Read MoreIowa Passes Sixth State Comprehensive Privacy Law
Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
Read MoreA Few Thoughts on ChatGPT
in Privacy
By Mike Hintze
In recent weeks, ChatGPT has been the subject of much discussion. A wide range of issues and concerns have been raised, and a number of those relate to privacy and data protection. Here are a few of my thoughts on what privacy and data protection professionals should consider when reviewing uses of ChatGPT (and similar generative AI services).
Read MoreApple Hit with Class Action Lawsuit for Data Collection
in Privacy
On November 10, 2022, a plaintiff filed a class action lawsuit against Apple, Inc., citing a recent Gizmodo article reporting that security researchers had found that Apple apps, such as the App Store, collected device and usage data from iPhones regardless of the privacy settings users enabled. The complaint alleges that Apple collects personal information and the content of communications in its apps, and tracks users across apps even when users disabled "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings in their phones.
Read MoreGoogle Settles with State AGs on Location Tracking
in Privacy
On November 11, 2022, Google entered into a $391.5 million settlement with 40 state attorneys general—the largest ever attorney-general led consumer privacy settlement. The investigation, led by attorneys general in Oregon and Nevada, began after a 2018 Associated Press article reported that Google tracks consumers’ location, even when the settings, including on Google’s Android operating systems and certain Google iPhone apps, appear to prevent such tracking.
Read MoreFTC Issues Proposed Order Against Online Tutoring Company, Chegg, for Lax Security
By Sheila Sokolowski and Charlotte Lunday
Following up on its warning that it would be cracking down on Education Technology companies, the Federal Trade Commission (FTC) issued a proposed order against Chegg Inc., an online tutoring and homework aid service for high school college students, for lax security practices. According to its complaint, the FTC alleged that Chegg violated Section 5 of the FTC Act by failing to implement reasonable security measures to protect student and employee data and deceptively claiming in its privacy notice that it engaged in commercially reasonable security measures to protect users’ personal data.
Read MorePrivacy in 2022: What to expect and where to focus
in Privacy
Following in the footsteps of the last few years, 2022 is shaping up to be a landmark year for privacy and data security. Here is a quick privacy forecast to help you identify where to focus, and what to expect, in the coming year.
Read MoreDirect-to-Consumer Genetic Testing Privacy Laws: California Joins the Party
On October 6, 2021, California’s governor signed the Genetic Information Privacy Act (the “Act”), adding the state to the growing number enacting laws requiring direct-to-consumer genetic testing companies to protect the privacy and security of their customers’ genetic data.
Read MoreVirginia Passes Comprehensive Data Privacy Law
On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA, which takes effect January 1, 2023, will look familiar to those who work with the GDPR and California’s Consumer Privacy Act and Privacy Rights Act (CCPA and CPRA, respectively). Companies that have already invested in GDPR and CCPA/CPRA compliance will find that most VCDPA obligations are similar to what they have already addressed in some form for Europe and California. But the new Virginia law also contains some novel provisions, such as excluding a broad range of “publicly available information” from the definition of personal data, contractual requirements for sharing de-identified data, and establishing an appeals process for data rights requests.
Read More