Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
Read MoreFTC's Health Privacy Actions Offer 5 Advertising Takeaways
By Kate Black and Sam Castic
The Federal Trade Commission recently announced two enforcement actions under the FTC Act against digital health companies that focus on the use and disclosure of information for online advertising purposes. The agency's complaints against GoodRx and BetterHelp exhibit several shared themes and offer five lessons for companies that are looking to make sense of the enforcement actions. While these cases are both focused on companies in the health sector, these lessons relate to the FTC's current interpretation of unfair acts and deceptive practices that are unlawful for all types of companies under Section 5 of the FTC Act. For this reason, they should be considered by any company engaging in common online advertising practices.
Read MoreFTC Takes Enforcement Action Against Online Mental Health Counseling Service, BetterHelp
On March 2, 2023, the Federal Trade Commission (FTC) issued a proposed consent order with BetterHelp, Inc. (BetterHelp), an online counseling service, for allegedly misrepresenting its privacy practices and sharing information about consumers’ interest in or use of mental health counseling services (which the FTC alleges to be sensitive health information), in violation of Section 5 of the FTC Act. The proposed order also requires BetterHelp to pay $7.8 million to the FTC for redress to consumers. This is to settle charges that it injured consumers when its unfair business practices led to consumers’ information being shared with third parties, such as Facebook and Snapchat, for advertising purposes after promising consumers it would keep such data private.
Read MoreA Few Thoughts on ChatGPT
in Privacy
By Mike Hintze
In recent weeks, ChatGPT has been the subject of much discussion. A wide range of issues and concerns have been raised, and a number of those relate to privacy and data protection. Here are a few of my thoughts on what privacy and data protection professionals should consider when reviewing uses of ChatGPT (and similar generative AI services).
Read MoreHintze Global Privacy & Security Updates
By Elizabeth Crooks and Deb Gray
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
Read MoreAnalysis of the Unpublished 2022 Decisions of the Polish DPA
By Deb Gray
Our friends at KL&M Law, in Warsaw Poland, were kind enough to share unpublished decisions from the data protection authority (DPA) of Poland (UODO) that they obtained as part of a recent information request. The resulting report, on nearly 80 decisions, is divided into thematic sections: Marketing, Financial sector, Insurance sector, COVID and health information, Publicly available data, Labor issues, Claims, Video surveillance, Personal data breach, and Miscellaneous.
Read MoreFTC Takes Action Against Digital Health Platform GoodRx
By Sheila Sokolowski, Kate Black, and Mason Fitch
On February 1st, 2023, the Federal Trade Commission (FTC) issued a proposed order against GoodRx Holdings, Inc. (GoodRx), a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms. The Department of Justice filed the order along with a complaint on behalf of the FTC in California federal court. GoodRx subsequently agreed to the FTC’s stipulated order.
Read MoreHintze Global Privacy & Security Updates
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
Read MoreHintze Cybersecurity + Breach Response Group Publishes U.S. State Breach Notice Guide
By Sam Castic
The Hintze Cybersecurity + Breach Response Group has published a new guide to U.S. state and territory data breach notification laws – the Hintze Data Breach Notice Guide accessible here. We include in our guide an overview section with a high-level summary of the common provisions that U.S. breach notice laws contain. We also provide a set of detailed charts covering each of the 54 states and jurisdictions. We gathered our collective decades of experience working with breaches to organize these charts in a way we think is more usable in the midst of a breach crisis.
Read MoreGive a Mouse a Cookie, Get a BAA: OCR Bulletin on Tracking Raises HIPAA Risks for HIPAA-Regulated Entities and Online Tracking Vendors
By Mason Fitch
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (ex: EHR’s, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information that is routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.
Read MoreApple Hit with Class Action Lawsuit for Data Collection
in Privacy
On November 10, 2022, a plaintiff filed a class action lawsuit against Apple, Inc., citing a recent Gizmodo article reporting that security researchers had found that Apple apps, such as the App Store, collected device and usage data from iPhones regardless of the privacy settings users enabled. The complaint alleges that Apple collects personal information and the content of communications in its apps, and tracks users across apps even when users disabled "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings in their phones.
Read MoreGoogle Settles with State AGs on Location Tracking
in Privacy
On November 11, 2022, Google entered into a $391.5 million settlement with 40 state attorneys general—the largest ever attorney-general led consumer privacy settlement. The investigation, led by attorneys general in Oregon and Nevada, began after a 2018 Associated Press article reported that Google tracks consumers’ location, even when the settings, including on Google’s Android operating systems and certain Google iPhone apps, appear to prevent such tracking.
Read MoreFTC Issues Proposed Order Against Online Tutoring Company, Chegg, for Lax Security
By Sheila Sokolowski and Charlotte Lunday
Following up on its warning that it would be cracking down on Education Technology companies, the Federal Trade Commission (FTC) issued a proposed order against Chegg Inc., an online tutoring and homework aid service for high school college students, for lax security practices. According to its complaint, the FTC alleged that Chegg violated Section 5 of the FTC Act by failing to implement reasonable security measures to protect student and employee data and deceptively claiming in its privacy notice that it engaged in commercially reasonable security measures to protect users’ personal data.
Read MoreHintze Law Global Privacy Updates
FTC Digital Advertising to Kids Event Focuses on "Blurred" Advertising Content
in FTC
The Federal Trade Commission hosted an event October 19, 2022, discussing digital advertising to kids. The event primarily focused on “blurred” or “stealth” advertising.
Read MoreHintze Law PLLC Welcomes Leslie Veloz & Cameron Cantrell as Associates
in Hintze Law
We are thrilled to announce that first-year associates, Leslie Veloz and Cameron Cantrell, have joined Hintze Law in the Seattle Office.
Read MoreHintze Law Global Privacy Updates
Here’s a snapshot of a few privacy developments from the past few weeks.
Read MoreWhat California’s New Age-Appropriate Design Code Means for Your Business
On September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADC). The law which received bipartisan support in the Legislature has a goal of protecting the wellbeing, data, and privacy of children, including teens, using online platforms. Businesses will be required to comply with significant new documentation and privacy by design and privacy default obligations by July 1, 2024. These obligations are largely adopted from the United Kingdom’s Age-Appropriate Design Code, and the statute’s preamble points to this law and the UK’s Information Commissioner’s Office (ICO) guidance to interpret the CAADC.
Read MoreTaylor Widawski Joins Hintze Law as Senior Associate
in Hintze Law
Hintze Law PLLC announced today that Taylor Widawski has joined the firm as Senior Associate. Taylor comes to Hintze Law’s Seattle office from Chime Financial, where she was in house privacy counsel. Prior to that, she was privacy counsel at T-Mobile and an associate with a large national law firm.
Read MoreHintze Law Global Privacy Updates
By: Emeka Egwuatu and Destiny Ginn
Here’s a snapshot of a few of the privacy developments we followed over the past few weeks.
Read More