Keypoint: Five states are now considering online privacy legislation.

Virginia and Oklahoma join Washington, New York and Minnesota as states where lawmakers have proposed online privacy legislation this year. It is expected that lawmakers in other states will propose similar legislation in the coming weeks. As discussed in our prior posts, the fact the legislation has been proposed is not indicative of whether it has any chance of becoming law. Since lawmakers passed the California Consumer Privacy Act (CCPA) in 2018 numerous states have considered similar bills, but none of them has become law. That said, presumably one day another state (or more) will join California in passing such legislation.

Below is a brief summary of the two bills. To the extent that the bills appear poised for advancement we will provide a more detailed analysis.

In addition, on February 17, 2021, members of Husch Blackwell’s privacy and data security practice group will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register click here.

Continue Reading Privacy Legislation Proposed in Virginia and Oklahoma

Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once-again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.

Continue Reading Privacy Legislation Proposed in New York and Minnesota

Keypoint: The Washington Privacy Act is back.

The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing in the Senate Committee on Environment, Energy & Technology on January 14, 2021, which committee is chaired by Senator Carlyle.

In the past two years, versions of the WPA passed the Washington Senate without issue. However, in 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill but the two chambers were unable to reach a compromise. Ultimately, both years, the WPA failed because the two chambers could not reach a compromise on the bill’s enforcement provisions.

The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions such as effective dates.

The below discussion focuses on Parts 1 and 4.

Continue Reading 2021 Washington Privacy Act Released

Keypoint: The UK/EU Brexit agreement provides for the continuation of UK/EU cross-border data transfers for the next four to six months, allowing the European Commission more time to consider issuing an adequacy decision.

On December 24, 2020, the United Kingdom and the European Union announced a number of agreements concerning the United Kingdom’s exit from the European Union (Brexit).

Continue Reading Brexit Deal Extends UK/EU Cross-Border Data Transfers

Keypoint: Supreme Court’s decision could require individuals to suffer an actual injury prior to participating in a class action.

On December 16, the Supreme Court of the United States agreed to review a case with potential major implications for data-breach class actions.

Trans Union v. Ramirez arises out of a class action about inaccurate credit reports. The class representative claimed that his credit report contained an error indicating that his name matched someone on the government’s list of persons with whom businesses in the United States are prohibited from transacting. Mr. Ramirez claimed this error caused him to be unable to obtain credit when purchasing a vehicle, caused him embarrassment in front of his family, and caused him to cancel a vacation to Mexico.

Continue Reading Supreme Court to Hear Case With Large Potential Impact for Data-Breach Litigation

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.

Continue Reading Relaxing Privacy Requirements? Department of Health and Human Services Proposes Changes to HIPAA

Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective today, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative:

Continue Reading The California Privacy Rights Act Goes into Effect

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

Continue Reading Congress Passes the Internet of Things (IoT) Cybersecurity Improvement Act

Keypoint: The California Attorney General’s office again introduces an opt-out button.

On December 10, 2020, the California Attorney General’s office published a fourth set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The deadline to submit comments to the proposed modifications is Monday, December 28, 2020.

The latest set of proposed modifications are revisions to the office’s third set of proposed modifications, published on October 12, 2020. The deadline to submit comments to the third set of modifications passed on October 28, 2020. For a discussion on the third set of modifications, see our prior blog post available here.

Continue Reading CCPA Update: AG’s Office Publishes Fourth Set of Proposed Changes to CCPA Regulations

Keypoint: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy to understand presentation of an App’s privacy practices.

As of December 8, 2020, Apple now requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.

The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.

In the below post, we outline the four steps required by Apple.

Continue Reading Apple Implements Privacy “Nutrition Label” for Apps