Tag Archives: privacy

The FTC’s Latest Staff Report on Dark Patterns: A Warning for Marketing Teams and UX Designers

The Federal Trade Commission issued a detailed [staff report] on September 15 addressing Dark Patterns (or what some more descriptively call “manipulative design,” but Dark Patterns seems to be sticking). Regulators are focusing increased attention on these manipulative designs and it’s critical for marketing, user experience and design teams to understand this topic.… Continue Reading

What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case unusual for its quick resolution, but that is … Continue Reading

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading

OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices

In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance … Continue Reading

CPPA Publishes Notice of Proposed Rulemaking

On July 8, the California Privacy Protection Agency Board (CPPA, Agency or Board) announced the Notice of Proposed Rulemaking (NPRM), which begins the 45-day comment period for the draft regulations. As we previously reported, the California Privacy Rights Act (CPRA) draft regulations were released on May 27, and we had a heads-up about this rulemaking … Continue Reading

Office for Civil Rights Provides Guidance: HIPAA Privacy Rule on Disclosures of Information Relating to Reproductive Healthcare

On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) … Continue Reading

Dobbs Triggers Significant Healthcare and Privacy Law Concerns and Confusion

To help guide entities through the significant confusion and changes that will be evolving for the next several years, BakerHostetler has assembled the Dobbs Decision Task Force (DDTF), led by attorneys in five major areas (healthcare/health tech, privacy, labor and employment, employee benefits, and white collar). Like many others, healthcare entities are facing immediate uncertainty … Continue Reading

If it’s broke, just fix it…: Curing Alleged CCPA Violations

Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important, but not most discussed provision, is Section 1798.150(a)(1), the right to cure. The CCPA, like other, similar California privacy laws, includes … Continue Reading

CPPA Begins CPRA Rulemaking

On May 26, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to provide updates on the Agency’s rulemaking process. The next day, the CPPA released draft regulations for the California Privacy Rights Act (CPRA). This post includes initial impressions of the proposed regulations and how they square with … Continue Reading

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to … Continue Reading

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Four

Part I: What Are Third-Party Cookies and Why They Are Important Part II: Privacy Laws and Third-Party Cookies Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile Part IV: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – First-Party Data … Continue Reading

Complying with the CCPA’s Right to Deletion

The California Consumer Privacy Act dramatically changed the regulatory landscape for privacy in the United States. Among the CCPA’s many requirements, one right is proving a particular challenge for many businesses: the right to delete. Whitney Schneider-White and Justin Yedor coauthored this white paper with Privatar, which discusses the challenges complying with the CCPA’s right … Continue Reading

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Two

Part I: What Are Third-Party Cookies and Why they are Important — PART II — Privacy Laws And Third-Party Cookies Welcome to our second installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into cookies for a baseline understanding of the technology and why … Continue Reading

Why Everyone Is Talking About a Rarely Invoked Rule – the FTC’s Health Breach Notification Rule

Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino’s appointment mean for future HIPAA enforcement?

More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

CPRA Rulemaking Begins with an Invitation by the New California Privacy Protection Agency

By Justin Yedor, Stanton Burke, and Jeewon K. Serrato For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”).  In the … Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading

International Data Protection Update – Summer 2021

This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June … Continue Reading

David A. Carney Recognized as Cybersecurity & Privacy MVP by Law360

I’m delighted today to focus on a key player in BakerHostetler’s Digital Assets and Data Management group. David Carney is an exceptional lawyer who is on the cutting edge of privacy litigation in the United States. His work on a series of high-profile matters over the past six years has established important parameters regarding plaintiff … Continue Reading
LexBlog