By Mike Hintze
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.
By Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
By Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.
Hintze Law PLLC is pleased to announce that Amy Lanchester has joined the firm as a Senior Privacy Analyst. Amy, based in the Atlanta-metro area, comes to Hintze with over six years of experience working on global data protection matters, including the California Consumer Protection Act (CCPA), the EU General Data Protection Regulation (GDPR), and COPPA. Amy is skilled at crafting and executing strategies to prioritize and unify privacy program objectives. Amy joins Hintze Law’s growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.
By Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breadth of that term's definition means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
By Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
By Leslie Veloz
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
By Alex Schlight and Leslie Veloz
Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA) or California’s Age-Appropriate Design Code Act passed last year, in that it significantly limits when and how minors under the age of 18 can use social media, gives parents broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including prohibiting the display of ads to minors, the targeting or suggesting of groups, services, products, and posts, and the use of addictive design.
By Sheila Sokolowski
Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
By Kate Black and Sam Castic
The Federal Trade Commission recently announced two enforcement actions under the FTC Act against digital health companies that focus on the use and disclosure of information for online advertising purposes. The agency's complaints against GoodRx and BetterHelp exhibit several shared themes and offer five lessons for companies that are looking to make sense of the enforcement actions. While these cases are both focused on companies in the health sector, these lessons relate to the FTC's current interpretation of unfair acts and deceptive practices that are unlawful for all types of companies under Section 5 of the FTC Act. For this reason, they should be considered by any company engaging in common online advertising practices.
By Sheila Sokolowski
On March 2, 2023, the Federal Trade Commission (FTC) issued a proposed consent order with BetterHelp, Inc. (BetterHelp), an online counseling service, for allegedly misrepresenting its privacy practices and sharing information about consumers’ interest in or use of mental health counseling services (which the FTC alleges to be sensitive health information), in violation of Section 5 of the FTC Act. The proposed order also requires BetterHelp to pay $7.8 million to the FTC for redress to consumers. This is to settle charges that it injured consumers when its unfair business practices led to consumers’ information being shared with third parties, such as Facebook and Snapchat, for advertising purposes after promising consumers it would keep such data private.
By Mike Hintze
In recent weeks, ChatGPT has been the subject of much discussion. A wide range of issues and concerns have been raised, and a number of those relate to privacy and data protection. Here are a few of my thoughts on what privacy and data protection professionals should consider when reviewing uses of ChatGPT (and similar generative AI services).
By Elizabeth Crooks and Deb Gray
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
By Deb Gray
Our friends at KL&M Law, in Warsaw, Poland, were kind enough to share unpublished decisions from the data protection authority (DPA) of Poland (UODO) that they obtained as part of a recent information request. The resulting report, on nearly 80 decisions, is divided into thematic sections: Marketing, Financial sector, Insurance sector, COVID and health information, Publicly available data, Labor issues, Claims, Video surveillance, Personal data breach, and Miscellaneous.
By Sheila Sokolowski, Kate Black, and Mason Fitch
On February 1st, 2023, the Federal Trade Commission (FTC) issued a proposed order against GoodRx Holdings, Inc. (GoodRx), a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms. The Department of Justice filed the order along with a complaint on behalf of the FTC in California federal court. GoodRx subsequently agreed to the FTC’s stipulated order.
By Cameron Cantrell
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
By Sam Castic
The Hintze Cybersecurity + Breach Response Group has published a new guide to U.S. state and territory data breach notification laws – the Hintze Data Breach Notice Guide accessible here. We include in our guide an overview section with a high-level summary of the common provisions that U.S. breach notice laws contain. We also provide a set of detailed charts covering each of the 54 states and jurisdictions. We gathered our collective decades of experience working with breaches to organize these charts in a way we think is more usable in the midst of a breach crisis.
By Mason Fitch
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (e.g., EHRs, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information that is routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.
By Charlotte Lunday
On November 10, 2022, a plaintiff filed a class action lawsuit against Apple, Inc., citing a recent Gizmodo article reporting that security researchers had found that Apple apps, such as the App Store, collected device and usage data from iPhones regardless of the privacy settings users enabled. The complaint alleges that Apple collects personal information and the content of communications in its apps, and tracks users across apps even when users disabled "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings in their phones.
By Taylor Widawski
On November 11, 2022, Google entered into a $391.5 million settlement with 40 state attorneys general—the largest-ever attorney general-led consumer privacy settlement. The investigation, led by attorneys general in Oregon and Nevada, began after a 2018 Associated Press article reported that Google tracks consumers’ location, even when the settings, including on Google’s Android operating systems and certain Google iPhone apps, appear to prevent such tracking.