The New York City Department of Consumer and Worker Protection (DCWP) adopted final rules for Local Law 144 on April 6, 2023. This landmark law prohibits employers from using automated employment decision tools (AEDTs) to evaluate job candidates or employees when making employment decisions, unless certain bias audit and notice requirements are met. Enforcement of

For the first time, the Federal Trade Commission has brought an enforcement action under its 2009 Health Breach Notification Rule (HBNR). The case was brought against a digital health company, GoodRx Holdings, Inc., for sharing users’ health information with third-party advertising platforms without the authorization of the users whose data was being shared.

Click here

Companies doing business in the United States should start preparing for the Utah Consumer Privacy Act, which was signed into law on March 24, 2022, and will go into effect on December 31, 2023. The law is more business-friendly than existing omnibus state privacy laws, in that it generally provides fewer consumer rights and company

There have been several notable developments this month at the California Attorney General’s office relating to the CCPA. First, California Attorney General (AG) Rob Bonta held a press conference and issued a press release regarding CCPA enforcement in the past year. AG Bonta signaled that under his leadership, as under prior California Attorneys General, such as now Vice President Kamala Harris and United States Department of Health and Human Services Secretary Xavier Becerra, the AG’s office will continue its focus on privacy. AG Bonta emphasized the importance of the CCPA at a time when so much of our lives has moved online due to the COVID-19 pandemic and that “there’s more work to be done.” He reported “great progress” in CCPA enforcement, noting that 75% of businesses that received a notice of violation came into compliance within the CCPA’s 30-day cure period, while the remaining 25% are within the cure period or currently under active investigation.
Continue Reading Recent Developments at the California Attorney General’s Office Concerning the CCPA and Enforcement

On April 26, 2021, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation, jointly released the draft Interim Regulations on the Administration of Personal Information Protection for Mobile Internet Applications. The Draft Interim Regulations apply specifically to data collection via mobile applications and are intended to function alongside China’s currently proposed omnibus data protection legislation, the Personal Information Protection Law. The Draft Interim Regulations were open for public comment until May 26, 2021, and the US-China Business Council submitted comments from its members, including Perkins Coie.
Continue Reading China Proposes Draft Regulations for the Protection of Personal Information Collected Via Mobile Applications

On March 2, 2021, Governor Ralph Northam signed into law Virginia’s Consumer Data Protection Act (VCDPA), a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA). Virginia is now the second state to adopt a comprehensive data privacy law, and many more states are expected to follow suit in the near future. The VCDPA will go into effect on January 1, 2023, the same day that California’s new data privacy law, the California Privacy Rights Act (CPRA), goes into effect. Below is an overview of the key provisions of the VCDPA.
Continue Reading Virginia Joins California in Adopting a Comprehensive Data Privacy Law

Update: The Governor signed the law on Friday, September 25, 2020.

Life science and healthcare companies operating in California face unique challenges regarding California Consumer Privacy Act (CCPA) compliance because of existing inconsistencies between the CCPA and the Health Insurance Portability and Accountability Act (HIPAA). California Assembly Bill (AB) 713 addresses these inconsistencies by easing burdens imposed by the CCPA on medical research and by bringing certain provisions of the CCPA in line with HIPAA and other federal and state health data regulations. At the same time, the bill will impose additional requirements on the use of deidentified health data. AB 713 has passed the California legislature unanimously and will be signed or vetoed by Governor Newsom by September 30, 2020. If signed, the bill will immediately go into effect.
Continue Reading The CCPA May Soon Be Amended to Strengthen CCPA Exemptions for Medical and Research Data

COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1. In a pandemic environment, companies, employers, and public institutions are grappling, outside the HIPAA context, with unique privacy, data security, and cybersecurity implications of their responses to the coronavirus. From a compliance perspective, businesses are considering under what circumstances they can disclose consumer or employee health conditions or geolocation information in the service of greater public health. Other companies —and governmental institutions at every level—are confronting the very real, and often opportunistic threats to data security posed by aggressive thieves who use crises as cover to commit an assortment of cybercrimes. Privacy and security requirements vary by jurisdiction, so businesses should be mindful of potentially divergent and overlapping approaches and responsibilities as the situation continues to evolve.

We offer a few updates and practical tips for best practices to promote compliance with privacy and data security requirements.

Continue Reading CCPA & COVID-19: A Practical Guide to Addressing Privacy and Data Security Implications of the Coronavirus

The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new privacy statute that grants rights to consumers and imposes corresponding obligations on subject businesses. The CCPA defines consumers to mean California residents, and generally defines “business” as for-profit entities that meet certain threshold requirements. Cal. Civ. Code § 1798.140(g) (consumer), (c) (business). The CCPA went into effect on January 1, 2020.
Continue Reading Business Solutions for CCPA Compliance

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).
Continue Reading CCPA 12-Month Compliance Series Part 6: Retaining and Deleting Data