As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.Continue Reading Top 5 Reasons to Remember Your Business Associate Agreements This Fall

It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.

Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.

First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).

Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.Continue Reading CCPA Regulations Are Here – We Think

The recent Cothron v. White Castle Illinois Supreme Court decision ruled that BIPA violations accrue with each collection, leading to skyrocketing claims – and damages. It’s critical for employers to understand what this decision means, how this decision affects them, and how to avoid the risks inherent in employee data collection.  

Our March 21, 2023

As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons.

On February 7, 2023, we led a webinar looking at some of the

We have seen a market driven push for companies to embrace diversity and inclusion (D&I) policies over the last few years, which reflects a key shift in social and cultural norms for many organisations. Increasingly, consumers, staff and senior business leaders expect proactive steps to be taken for D&I objectives. Research demonstrates a strong business case for promoting diversity, although some suggest that viewing it through a lens of fairness is more effective. Regardless of the rationale, there are very sound reasons for companies to be embracing a diverse and inclusive workforce.

In pursuit of this objective, global businesses might assume that diversity reporting obligations apply in Australia in the same way they do in other jurisdictions and that overseas policies will be suitable for use here. With the best of intentions, following guidance from reputable external organisations focussed on general strategies to promote D&I, businesses might default to policies and practices designed overseas.

So what’s the problem? Many companies are unaware of the local compliance issues in Australia that need to be met when collecting diversity data and implementing these programs:Continue Reading When Good Intentions Fail: Is Your D&I Policy Inadvertently Unlawful?

In the second program in the 2022 Trade Secrets Webinar Series, Seyfarth partners Jesse Coleman, Dan Hart, and Caitlin Lane discussed how to identify the greatest threats to trade secrets, provided tips and best practices for protecting trade secrets abroad, and covered enforcement mechanisms and remedies internationally and in the US.

As a follow up

This was originally published as a Seyfarth Legal Update.

Seyfarth Synopsis: As the world progresses with COVID vaccinations, the scenario where you have to show a COVID passport before crossing a border, taking a public mode of transportation, or entering a public space like a cinema no longer seems like a scene out of a dystopian sci-fi movie. Colloquially dubbed the “COVID passport,” the concept refers to various forms of a certificate of COVID vaccination and/or negative test status recognized on a national or inter-state basis, the use of which remains a controversial topic at this juncture, giving rise to technical, legal and ethical concerns.

Having said that, some countries have already adopted or proposed adopting various versions of COVID passports on a national or inter-member states basis, such as the “Green Pass” for visiting certain premises or events within Israel[1], the “Green Health Code” for domestic travel and entry into certain premises within mainland China[2], and the proposed “Digital Green Certificate” for travelling between member countries of EU and abroad[3]. The decentralized initial approach and the practical challenges of implementing an universally recognized COVID passport remains as the world grapples with the COVID-19 pandemic.
Continue Reading Overview of Technology and Data Privacy Issues Arising from COVID Passports

The rush for California to get all of the “rules of the road” ready for next year has seemed to cause a bit of confusion with California’s privacy law. Draft regulations were published the same day the Governor signed into law a series of amendments to the underlying law. It is all a bit confusing, However, now that the Governor has signed the last raft of amendments, and the dust has somewhat settled, the question on everyone’s mind is: What changed in the California Consumer Protection Act (“CCPA”)? How does this effect the draft regulations that the Attorney General published?

Fortunately, there are a number of significant changes which help clarify the CCPA, as well as materially change the scope of the CCPA – even if the AG didn’t include some of these changes into the initial draft regulations announced earlier this month. The most impactful changes across industries are as follows:

Business employees

To start off, the issue of employee coverage under the CCPA has been a fractious one. On one hand, business has rightly claimed that the relationship with an employee is not the same as the relationship with a customer. On the other hand, privacy advocates have claimed that employees shouldn’t give up privacy rights just because they are employees.
Continue Reading CCPA Amendments – What did California Actually Do?

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills – including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing.
Continue Reading CCPA Amendments – Employees and the Loyalty Program Change Nobody is Talking About

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that