December tends to be a busy time for everyone, so you may have missed a privacy update or two. We have set out some updates in the form of questions, with links in the answers where you can find more
David Kessler (US)
California proposes rules for automated decision-making
On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released a first draft of rules for automated decision-making technologies under California’s privacy law. The proposed rules revolve around providing notice of the technology’s use, opting out, and consumer access…
NYDFS finalizes cybersecurity rule amendments
On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year…
Court delays new California privacy regulations
On June 30, 2023—the day before the regulations were scheduled to go into effect—the Superior Court of California halted the enforcement of the California regulations that had been finalized on March 29, 2023 until March 29, 2024. (California Chamber…
Texas enacts comprehensive privacy law
On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and…
FTC proposed consent order prohibits perpetual retention of personal information
We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent order with BetterHelp, Inc. that would prohibit…
“Forever and forever, farewell”: FTC prohibits indefinite retention of PHI in consent order
On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a…
ICYMI – Late December in privacy and cybersecurity
Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links…
BIPA and the record retention requirement
On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the…
NYDFS settles with EyeMed for $4.5 million
On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed…