By Mason Fitch
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (ex: EHR’s, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information that is routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.
Read MoreBy Charlotte Lunday
On November 10, 2022, a plaintiff filed a class action lawsuit against Apple, Inc., citing a recent Gizmodo article reporting that security researchers had found that Apple apps, such as the App Store, collected device and usage data from iPhones regardless of the privacy settings users enabled. The complaint alleges that Apple collects personal information and the content of communications in its apps, and tracks users across apps even when users disabled "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings in their phones.
Read MoreBy Taylor Widawski
On November 11, 2022, Google entered into a $391.5 million settlement with 40 state attorneys general—the largest ever attorney-general led consumer privacy settlement. The investigation, led by attorneys general in Oregon and Nevada, began after a 2018 Associated Press article reported that Google tracks consumers’ location, even when the settings, including on Google’s Android operating systems and certain Google iPhone apps, appear to prevent such tracking.
Read MoreBy Sheila Sokolowski and Charlotte Lunday
Following up on its warning that it would be cracking down on Education Technology companies, the Federal Trade Commission (FTC) issued a proposed order against Chegg Inc., an online tutoring and homework aid service for high school college students, for lax security practices. According to its complaint, the FTC alleged that Chegg violated Section 5 of the FTC Act by failing to implement reasonable security measures to protect student and employee data and deceptively claiming in its privacy notice that it engaged in commercially reasonable security measures to protect users’ personal data.
Read MoreBy Leslie Veloz
Here’s a snapshot of a few privacy developments from the past few weeks.
Read MoreBy Charlotte Lunday
The Federal Trade Commission hosted an event October 19, 2022, discussing digital advertising to kids. The event primarily focused on “blurred” or “stealth” advertising.
Read MoreWe are thrilled to announce that first-year associates, Leslie Veloz and Cameron Cantrell, have joined Hintze Law in the Seattle Office.
Read MoreBy Taylor Widawski
Here’s a snapshot of a few privacy developments from the past few weeks.
Read MoreBy Charlotte Lunday
On September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADC). The law which received bipartisan support in the Legislature has a goal of protecting the wellbeing, data, and privacy of children, including teens, using online platforms. Businesses will be required to comply with significant new documentation and privacy by design and privacy default obligations by July 1, 2024. These obligations are largely adopted from the United Kingdom’s Age-Appropriate Design Code, and the statute’s preamble points to this law and the UK’s Information Commissioner’s Office (ICO) guidance to interpret the CAADC.
Read MoreHintze Law PLLC announced today that Taylor Widawski has joined the firm as Senior Associate. Taylor comes to Hintze Law’s Seattle office from Chime Financial, where she was in house privacy counsel. Prior to that, she was privacy counsel at T-Mobile and an associate with a large national law firm.
Read MoreBy: Emeka Egwuatu and Destiny Ginn
Here’s a snapshot of a few of the privacy developments we followed over the past few weeks.
Read MoreBy Sam Castic
Last week the California Attorney General’s office announced a settlement with beauty retailer Sephora for $1.2 million - the AG’s first monetary penalty for CCPA violations. Sephora has also agreed to a 2-year consent decree with ongoing monitoring and reporting obligations. This enforcement action confirms the AG’s interpretation that: (1) the CCPA requires specific CCPA-mandated contractual terms with each cookie, pixel, and tracking technology provider that companies use on their websites for personal information sharing not to be a “sale” of data under the CCPA, and (2) companies that engage in “sales” of personal information on their websites must honor the Global Privacy Control signal from consumers who choose to use the GPC.
Read MoreHintze Law PLLC is very pleased to announce that Deb Gray has joined the firm as a Senior Privacy Analyst. Deb comes to Hintze Law’s Seattle office with over two decades of deep and wide-ranging experience and programmatic skills in privacy and data protection matters, including the California Consumer Protection Act (CCPA), the EU General Data Protection Regulation (GDPR), and COPPA. Deb joins Hintze Law’s growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.
Read MoreBy Susan Hintze and Sam Castic
On August 11, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) in a 3-2 vote on party lines requesting public comment on questions covering a wide range of “commercial surveillance” and data security practices. The FTC defines “commercial surveillance” to include a wide array of practices most businesses commonly engage in with their customers and employees. The FTC’s scope of data security practices includes expected areas such as data breach response but also includes data management, retention, and data minimization areas it has not dedicated significant attention to in the past. The FTC provided additional summaries of these practices in a “fact sheet” it released with the ANPR.
Read MoreHintze Law PLLC is delighted to announce that Sam Castic has joined the firm as its newest Partner. Sam comes to Hintze Law’s Seattle office with over 15 years of global privacy and cybersecurity experience, most recently as Chief Privacy Officer for Blackhawk Network and as Senior Director Privacy & Associate General Counsel at Nordstrom. In addition to Sam’s experience leading corporate privacy teams and programs, he has advised clients ranging from early-stage startups to large global corporations on privacy, cybersecurity, and data protection matters at Orrick and at K&L Gates.
Read MoreBy Laura Lemire
On Friday, July 8, the California Privacy Protection Agency (CPPA) released a notice of proposed rulemaking to adopt regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), the law that amends the California Consumer Privacy Act (CCPA) (the “Proposed Regulations”). The Proposed Regulations were previously made available on May 27, 2022, and those remain unchanged. What’s new in the materials released with the notice of proposed rulemaking is rich context on the CPPA’s positions, particularly from the Economic Impact Statement and its supporting Notes.
Read MoreBy Mason Fitch
The Supreme Court’s reversal of Roe v. Wade amplifies attention to concerns around the privacy of abortion-related services, including the provision of healthcare, period tracking apps, and even payment methods and mobile location data. In a direct response to Roe’s reversal, the Department of Health and Human Services (HHS) released guidance underscoring the protections applicable to protected health information (PHI) relating to abortion and other reproductive care under the Health Insurance Portability & Accountability Act (HIPAA), which we outline below. HIPAA, however, is limited in scope and does not protect a vast swath of information relating to abortion care.
Read MoreBy Destiny Ginn, Summer Associate
Here’s a snapshot of a few of the privacy developments we followed over the past few weeks.
Read MoreBy Sheila Sokolowski
On Monday, June 14th the U.S. Department of Health and Human Services (HHS), issued guidance on how the HIPAA rules permit covered health plans to use remote communication technologies for audio-only telehealth.
Read MoreBy Alex Schlight and Emeka Egwuatu
Here’s a snapshot of a few of the privacy developments we followed over the past couple of months from March 22, 2022 – to June 6, 2022.
Read More