Privacy Compliance

Subscribe to Privacy Compliance

As detailed in Part 1 of this ongoing series, Washington Governor Jay Inslee signed the state’s My Health My Data Act into law on April 27, 2023. The act is a first-of-its-kind law that creates new privacy protections relating to the collection, sharing, and selling of “consumer health data.” Most of the provisions of the

On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.

Continue Reading FTC Hosts Panel Regarding Cloud Computing Business Practices

On April 27, 2023, Washington Governor Jay Inslee signed into law House Bill 1155, also known as the My Health, My Data Act. Its stated purpose is to protect “consumer health data” collected by entities not already subject to the federal Health Insurance Portability and Accountability Act, but one less obvious consequence of the Act

International, federal, and state privacy regulators highlighted their ambitious agendas at the 2023 IAPP Global Privacy Summit in Washington, D.C. They, along with speakers from an array of private organizations, underscored the following takeaways that should be top of mind for businesses:

Continue Reading Ten Takeaways From the 2023 IAPP Global Privacy Summit

The exemption for employment-related and business-to-business (B2B) data under California’s privacy law expired on January 1, 2023. Without this exemption, information previously allowed to be excluded now falls within the scope of California’s extensive privacy requirements, including notice and transparency, data minimization, and data subject rights requests.

In this blog post, we provide an overview of the now-expired exemptions and offer next steps on the requirements that now pertain to employment and B2B data.

Continue Reading With the CPRA Enforcement Deadline On the Horizon, Employment and B2B Data Could Mean Cloudy Skies For Those Unprepared

Less than one month after Utah adopted the nation’s first law restricting the use of social media platforms by minors under 18, Arkansas last week enacted its Social Media Safety Act (the Act), SB396. The Act, which goes into effect on September 1, 2023, similarly bars minors from holding accounts on social media platforms without parental consent and requires social media companies to complete “reasonable age verification” via a third-party vendor.

Continue Reading Arkansas Becomes Second State To Enact Social Media Restrictions for Minors

On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.

Continue Reading Joining the Privacy Party: Iowa Becomes the Sixth State To Adopt a Comprehensive Privacy Law

On March 24, 2023, Texas House Representative Giovanni Capriglione participated in a virtual interview with the Dallas chapter of the International Association of Privacy Professionals (IAPP) about his recently introduced bill, HB 4, also known as the Texas Data Privacy and Security Act (TDPSA). The interview was moderated by Samantha V. Ettari, Perkins Coie LLP senior counsel and co-chair of the IAPP KnowledgeNet Dallas Chapter, and Justin L. Koplow, AT&T senior legal counsel and also a co-chair of the IAPP Dallas Chapter. The conversation focused on a variety of subjects, including Rep. Capriglione’s professional technology background and subsequent journey into privacy issues, the development of the TDPSA, its specific provisions, and how the bill compares to privacy regimes in other states, including the Virginia Consumer Data Protection Act (VCDPA), on which it was modeled. This is the third comprehensive consumer privacy bill Rep. Capriglione has advanced, and this one appears to be channeling the momentum of six states’ comprehensive privacy laws, Texas denizens’ apparent interest in consumer privacy, and a significant national conversation around consumers’ and children’s privacy. 

Continue Reading Saddle Up: Texas Makes Another Push to Join States With Comprehensive Consumer Privacy Laws

For the first time, the Federal Trade Commission has brought an enforcement action under its 2009 Health Breach Notification Rule (HBNR). The case was brought against a digital health company, GoodRx Holdings, Inc., for sharing users’ health information with third-party advertising platforms without the authorization of the users whose data was being shared.

Click here

In response to the increased frequency and severity of data breaches in the telecommunications industry, the Federal Communications Commission recently published a Notice of Proposed Rulemaking that seeks to strengthen and broaden its breach notification rules arising from the unauthorized disclosure of customer proprietary network information (CPNI).

Click here to read the full Update.