Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.

More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”
Continue Reading Chopra’s Views on Data Security Could Impact Implementation of Section 1033

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.


Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law (2021)

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.


Continue Reading Relaxing Privacy Requirements? Department of Health and Human Services Proposes Changes to HIPAA

Keypoint: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy to understand presentation of an App’s privacy practices.

As of December 8, 2020, Apple now requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.

The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.

In the below post, we outline the four steps required by Apple.


Continue Reading Apple Implements Privacy “Nutrition Label” for Apps

Keypoint: If passed, the bill would create a regulatory structure around the use of contact-tracing apps, including requiring operators of such services to obtain affirmative express consent, provide privacy disclosures, not transfer the data unless under certain circumstances, and delete the data on demand or within thirty days.

According to multiple sources, a bipartisan group of Senators plan to introduce a bill to regulate the use of contact-tracing and exposure notification apps. The bill, entitled the “Exposure Notification Privacy Act” is the latest in a series of bills that seek to regulate these new apps. Previous competing bills were submitted by Republican and Democrat Senators. The new bipartisan bill raises hopes that federal privacy legislation (albeit on a limited issue) may finally pass.

Below is a discussion of the Act’s relevant provisions.


Continue Reading Bipartisan Group of Senators Proposes Privacy Bill for COVID-19 Contact-Tracing Apps

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).


Continue Reading Zoom’s Popularity Leads to New York Investigating Its Security Flaws

Keypoint: Although it is unclear whether the forthcoming bill has any chance of becoming law, it is further evidence that companies need to consider the significant privacy issues and risks associated with implementing COVID-19-related technology.

On April 30, 2020, a group of four Republican Senators announced their plan to introduce federal privacy legislation that would regulate the collection and use of personal information relating to the fight against the Coronavirus pandemic. The four Senators are U.S. Sens. John Thune (R-S.D), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.).


Continue Reading Senators to Introduce COVID-19 Consumer Data Protection Act

Keypoint: The use of no-contact temperature taking devices can be an important part of a company’s return-to-work program, but companies should fully vet these devices to ensure that they are not unintentionally violating privacy laws or exposing themselves to potential liabilities.

As U.S. companies start planning and implementing return-to-work plans, many are considering whether to use no-contact temperature taking devices.

The federal government has recognized that taking temperatures is a step that companies can take to mitigate the risk of spreading coronavirus. For example, the CDC interim guidance for critical infrastructure workers recommends that employers “measure the employee’s temperature and assess symptoms prior to them starting work.” EEOC return-to-work guidance also recognizes that employee screening “may include continuing to take temperatures . . . of all those entering the workplace.”

States and cities also have recommended taking temperatures. For example, in Colorado, the Governor’s office has encouraged large workplaces to implement symptom and temperature checks as part of the state’s gradual return-to-work strategy. New York Mayor Bill de Blasio has stated that temperature checks will be part of the City’s return-to-work program. New Jersey Governor Phil Murphy suggested that restaurants could check temperatures before allowing customers to enter.

However, the taking of temperatures creates logistical issues such as who should take the temperatures, what precautions should be in place, and when and where the temperatures should be taken. As with many other facets of this pandemic, companies have looked to technology to answer some of these questions, and there are many solutions – some old, some new – in the marketplace.

Depending on the type of device, the use of no-contact temperature taking devices can raise numerous privacy issues. As companies begin to vet and implement these devices, they will need to ensure that they do not unintentionally violate privacy laws or assume potential liabilities.


Continue Reading U.S. Privacy Law Implications with the Use of No-Contact Temperature Taking Devices

Keypoint: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.

As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. ChinaSingapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.

In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.

The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.


Continue Reading U.S. Privacy Law Implications for Employers Considering Employee Contact-Tracing Apps

Keypoint: After an active winter of proposed state privacy laws, it appears that all eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature.

Over the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story.  However, a lot has changed in a short period of time.

First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the Coronavirus pandemic.

Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.


Continue Reading U.S. Privacy Law Update: Analyzing the Status of the CCPA, CCPA 2.0, and Other Proposed State Privacy Legislation