On May 22nd, 2023, the Federal Trade Commission (FTC) issued a proposed order against Edmodo, LLC (“Edmodo”), a California-based education technology provider, for allegedly violating the FTC’s Children’s Online Privacy Protection Rule (“COPPA Rule”) by illegally collecting the information of children and using that information for advertising, and for allegedly violating Section 5 of the FTC Act by unfairly burdening schools and teachers with COPPA-compliance responsibilities. In a first for an FTC order, Edmodo is prohibited from requiring students to hand over more personal data than is reasonably necessary to participate in online educational activities.
Hintze Global Privacy & Security Updates
Here’s a snapshot of the state, national, and global privacy, security, and data developments tracked by our team over the past few weeks.
Washington My Health My Data Act - Part 8: Notice Obligations
By Mike Hintze
When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).
Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.
Washington My Health My Data Act – Part 7: Biometric Data
By Mike Hintze & Jevan Hutson
Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.
Washington My Health My Data Act - Part 6: Data Subject Rights
By Mike Hintze
The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.
Washington My Health My Data Act - Part 5: Consent Requirements
By Mike Hintze
When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.
Washington My Health My Data Act - Part 4: Effective Dates
By Mike Hintze
Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.
Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act
By Mike Hintze
The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” – also result in a very broad (and in some ways surprising) scope and impact.
Amy Lanchester Joins Hintze Law PLLC as a Senior Privacy Analyst
Hintze Law PLLC is pleased to announce that Amy Lanchester has joined the firm as a Senior Privacy Analyst. Amy, based in the Atlanta-metro area, comes to Hintze with over six years of experience working on global data protection matters, including the California Consumer Protection Act (CCPA), the EU General Data Protection Regulation (GDPR), and COPPA. Amy is skilled at crafting and executing strategies to prioritize and unify privacy program objectives. Amy joins Hintze Law’s growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.
Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”
By Mike Hintze
The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breadth of that term's definition means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.
The Washington My Health My Data Act - Part 1: An Overview
By Mike Hintze
The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
Hintze Global Privacy & Security Updates
By Leslie Veloz
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
Utah's Social Media Regulation Act - Overview of Privacy & Business Impact
By Alex Schlight and Leslie Veloz
Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA) or California’s Age-Appropriate Design Code Act passed last year, in that it significantly limits when and how minors under the age of 18 can use social media, gives parents broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including prohibiting the display of ads to minors, the targeting or suggesting of groups, services, products, and posts, and the use of addictive design.
Iowa Passes Sixth State Comprehensive Privacy Law
Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.
FTC's Health Privacy Actions Offer 5 Advertising Takeaways
By Kate Black and Sam Castic
The Federal Trade Commission recently announced two enforcement actions under the FTC Act against digital health companies that focus on the use and disclosure of information for online advertising purposes. The agency's complaints against GoodRx and BetterHelp exhibit several shared themes and offer five lessons for companies that are looking to make sense of the enforcement actions. While these cases are both focused on companies in the health sector, these lessons relate to the FTC's current interpretation of unfair acts and deceptive practices that are unlawful for all types of companies under Section 5 of the FTC Act. For this reason, they should be considered by any company engaging in common online advertising practices.
FTC Takes Enforcement Action Against Online Mental Health Counseling Service, BetterHelp
On March 2, 2023, the Federal Trade Commission (FTC) issued a proposed consent order with BetterHelp, Inc. (BetterHelp), an online counseling service, for allegedly misrepresenting its privacy practices and sharing information about consumers’ interest in or use of mental health counseling services (which the FTC alleges to be sensitive health information), in violation of Section 5 of the FTC Act. The proposed order also requires BetterHelp to pay $7.8 million to the FTC for redress to consumers. This is to settle charges that it injured consumers when its unfair business practices led to consumers’ information being shared with third parties, such as Facebook and Snapchat, for advertising purposes after promising consumers it would keep such data private.
A Few Thoughts on ChatGPT
By Mike Hintze
In recent weeks, ChatGPT has been the subject of much discussion. A wide range of issues and concerns have been raised, and a number of those relate to privacy and data protection. Here are a few of my thoughts on what privacy and data protection professionals should consider when reviewing uses of ChatGPT (and similar generative AI services).
Hintze Global Privacy & Security Updates
By Elizabeth Crooks and Deb Gray
Here’s a snapshot of the privacy, security, and data developments tracked by our team over the past few weeks.
Analysis of the Unpublished 2022 Decisions of the Polish DPA
By Deb Gray
Our friends at KL&M Law, in Warsaw, Poland, were kind enough to share unpublished decisions from the data protection authority (DPA) of Poland (UODO) that they obtained as part of a recent information request. The resulting report, on nearly 80 decisions, is divided into thematic sections: Marketing, Financial sector, Insurance sector, COVID and health information, Publicly available data, Labor issues, Claims, Video surveillance, Personal data breach, and Miscellaneous.
FTC Takes Action Against Digital Health Platform GoodRx
By Sheila Sokolowski, Kate Black, and Mason Fitch
On February 1st, 2023, the Federal Trade Commission (FTC) issued a proposed order against GoodRx Holdings, Inc. (GoodRx), a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms. The Department of Justice filed the order along with a complaint on behalf of the FTC in California federal court. GoodRx subsequently agreed to the FTC’s stipulated order.