AdTech Under the CCPA and CPRA

Please join us for a follow-up discussion on AdTech Under the CCPA and CPRA, originally presented as part of the PrivacyOC Privacy Week Forums 2021. Speakers Alan Friel and Kyle Fath will discuss four seemingly overlapping consumer rights under the CPRA: 1) Do Not Sell, 2) Do Not Share, 3) Do Not Profile, and 4) Limit the Use of My Sensitive Personal Information.


Virginia Likely to Become Second State with Comprehensive Privacy Legislation

With a special session scheduled to begin Feb. 10, Virginia is poised to become the second state to pass comprehensive consumer privacy legislation. The Consumer Data Protection Act (CDPA) passed the Virginia Senate on Friday, Feb. 5, and has been referred back to the Virginia House to be reconciled. Seeing that the House previously passed an identical version of the CDPA on Jan. 29, reconciliation should proceed without event and we can expect to see the bill on the governor’s desk this month. The governor has seven days to act once the bill is presented to him. The governor can (1) sign the bill into law, (2) amend the bill and return it to the General Assembly for approval, (3) veto the bill, or (4) take no further action and let the bill automatically become law without his signature. The CDPA is both CCPA- and GDPR-inspired. It would grant consumers rights to access, correct, delete, and obtain a copy of personal data and to opt out of the sale of personal data, processing of personal data for the purposes of targeted advertising, and profiling (automated decision-making).

The CDPA would become effective on Jan. 1, 2023, the same date as the operative date of most provisions in the California Privacy Rights Act, which substantially amends the CCPA.

Stay tuned for a deeper, substantive dive into the CDPA.

For additional articles covering state privacy legislation updates, the CCPA, the CPRA or the recent Schrems II decision, including our 2020 year-in-review article, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.

California AG Becerra Tweets Endorsement for a Universal Opt-Out Tool

On Jan. 28, California Attorney General Becerra tweeted his support for a newly developed privacy tool that may function as a means for universal opt out.

“#CCPA requires businesses to treat a user-enabled global privacy control as a legally valid consumer request to opt out of the sale of their data. CCPA opened the door to developing a technical standard, like the GPC, which satisfies this legal requirement & protects privacy.”

GPC stands for Global Privacy Control, a browser extension that can be downloaded and is compatible with a few commercial browsers, but it does not currently have integrations with browsers that have the greatest market share. Instead of having to submit opt outs on each website a user visits, the GPC would allow a user to enable a “do not sell” switch on supported browsers that operates across all websites they visit without the need for them to take any additional actions.
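The paragraph above describes GPC only from the user's side. The block below is an added example, not code from the newsletter or from the GPC project, showing how a site can honor the signal on its side. It assumes the mechanism defined in the GPC specification: supporting browsers send a `Sec-GPC: 1` request header and expose `navigator.globalPrivacyControl` to page scripts. The request and stored-preference objects are constructed for illustration.

```javascript
// Added example: treating the Global Privacy Control signal as a valid
// "do not sell" opt-out. Assumes the GPC spec's "Sec-GPC: 1" request header
// and the navigator.globalPrivacyControl property; all sample data is constructed.

// True only when the request carries Sec-GPC with the exact value "1".
// Header names are matched case-insensitively; any other value is "not set".
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide for one request whether personal data may be sold. A GPC signal or a
// previously recorded site-level opt-out both block the sale. The returned
// record names the reason so the decision can be logged for audit.
function saleDecision(request, storedPrefs = {}) {
  const gpc = gpcEnabled(request.headers || {});
  const optedOut = gpc || storedPrefs.doNotSell === true;
  let reason = 'no-opt-out';
  if (gpc) reason = 'gpc-signal';
  else if (storedPrefs.doNotSell === true) reason = 'site-opt-out';
  return {
    allowSale: !optedOut,
    reason,
    // Conservative design choice: once GPC has been seen, keep the opt-out so
    // later requests that lack the header (e.g. from a different client) are
    // still honored until the user changes the preference on the site.
    updatedPrefs: { ...storedPrefs, doNotSell: optedOut },
  };
}

// Browser-side equivalent: page scripts can read the same signal before
// loading any ad or tracking code. The navigator object is injectable for tests.
function clientGpcEnabled(nav = (typeof navigator !== 'undefined' ? navigator : undefined)) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests: one from a GPC-enabled browser, one without.
const sampleRequests = [
  { path: '/', headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed-sample' } },
  { path: '/', headers: { 'user-agent': 'constructed-sample' } },
];

for (const req of sampleRequests) {
  console.log(saleDecision(req));
}
```

The point of returning a structured decision rather than a boolean is that the CCPA treats the GPC signal as a consumer request: recording which signal triggered the opt-out gives the compliance team evidence that the request was received and acted on.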

Multiple ad industry groups came together to oppose this endorsement (this includes the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau and the American Advertising Federation) and have stated that they intend to ask Attorney General Becerra to reconsider.

Welcome to the Digital Transformation and Data Economy Newsletter – February 2021 Issue

Across the economy, businesses are using digital technology to pivot into innovative service lines, accelerate growth and transform. A business’s digital strategies and data assets play an important role in its success. Digital transformation means, among other things, deploying the latest technologies – including artificial intelligence (AI) and automated decision-making. However, advances in AI raise fundamental legal and ethical questions. Not surprisingly, there is much debate on how and when to regulate the use of AI. While there is no comprehensive “AI law” in the U.S., there are many current and proposed laws related to the use of AI. It is important for businesses to understand this evolving landscape so they can identify risks during digital transformation – particularly in the areas of notice, transparency and data privacy.

In this issue, we are highlighting Stanton Burke and how his practice advises clients on the legal requirements and ethical considerations when using these technologies.


Podcast: BakerHostetler Blockchain University: Beyond Cryptocurrency – Non-Financial Use Cases for Blockchain

The fourth episode in the series provides an overview of how Blockchain is being used today in non-financial applications. Topics discussed include using blockchain in various sectors, including the food supply and pharmaceutical industries, maritime shipping, the cobalt supply chain, self-sovereign identity, credentialing and records management.

Podcast: The Digital Health Ecosystem

The healthcare industry is rapidly changing, and digital health acumen is becoming crucial to success. 2020 has led to significant changes in healthcare delivery, and healthcare organizations are turning to data-driven solutions to address industry challenges. As we look ahead, it is important for stakeholders to understand the opportunities and challenges with big data, AI and other technologies. Janine Anthony Bowen discusses the digital health ecosystem and how the industry is rapidly adopting and adapting to digitization and automation.

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates should take note of the court’s decision to provide guidance on their HIPAA compliance efforts and response to enforcement actions taken by HHS. This decision could significantly impact future HHS enforcement actions.

Between 2012 and 2013, the healthcare provider notified HHS of three incidents involving stolen and lost devices containing electronic protected health information (ePHI). HHS investigated the incidents and then assessed the healthcare provider $4,348,000 in civil money penalties for alleged violations of the HIPAA provisions that address encryption and disclosures of PHI (45 CFR §§164.312(a)(2)(iv) and 164.502(a)).

The healthcare provider then unsuccessfully appealed the decision to an administrative law judge (ALJ) and to HHS’ Departmental Appeals Board. The healthcare provider then appealed the decision to the Fifth Circuit for review.

Podcast: AD-ttorneys@law: False Advertising or Just Puffing?

Absolute truth in advertising is something of a rarity, but not every untrue statement is false advertising. In this episode, BakerHostetler partner Randy Shaheen is going to ply you with pointers on avoiding puffery’s promotional pitfalls and potential problems.

Happy First Birthday to the NIST Privacy Framework!

BakerHostetler partner Jeewon Serrato has contributed a NIST Privacy Framework’s CCPA Crosswalk and is featured in an animated video by the NIST which shows how the NIST Privacy Framework can be used by organizations to build trust with their customers, communicate better about privacy, and help meet their compliance obligations. Jeewon is also featured in NIST’s new 2-page Privacy Framework implementation guide. It offers some helpful guidelines for small and medium businesses looking to create or improve their privacy programs. For organizations that are looking to use the NIST Privacy Framework to comply with CCPA or to rationalize how the CCPA works with other legal and regulatory requirements, such as the GDPR, a link to the CCPA Crosswalk can be found on the NIST website home page. NIST’s blog post provides information about how the Privacy Framework is getting global adoption.

Compliance and Cybersecurity Best Practices Rewarded with HIPAA Safe Harbor

On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act.[1] As the healthcare industry continues to serve as one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should hopefully provide some much-needed relief to those beleaguered covered entities and business associates that have spent years and significant dollars to implement cybersecurity best practices. This new safe harbor requires that, when calculating fines, evaluating audits or reviewing proposed mitigation steps, the Department of Health & Human Services (HHS) must consider whether the covered entity or business associate adequately demonstrated that it had in place “recognized security practices” for at least 12 months prior that would:

(1) Mitigate HIPAA fines.

(2) Result in the early, favorable termination of a HIPAA audit.

(3) Mitigate the remedies in a HIPAA resolution agreement with HHS.

Under the law, the term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” Thus, the new safe harbor has the potential both to significantly incentivize all entities subject to HIPAA to implement cybersecurity best practices and to provide some long-overdue relief to those entities that experience a data security incident after having implemented robust security practices, as it recognizes that despite an entity’s best efforts, security incidents still occur, and highly punitive penalties may not be appropriate in such circumstances. While the law does not define “recognized security practices” in more detail, in our experience working with HHS on breach investigations, HHS focuses on existing programs for assessing cybersecurity risks to electronic protected health information (ePHI) through annual security risk analyses, inventory of ePHI, risk management plans and the implementation of administrative, technical and physical safeguards to address those risks.