This blog has been cross-posted on the Consumer Class Defense site.

Anyone following trends in consumer class action litigation will know that consumer privacy was a primary focus of the plaintiffs’ bar in 2023. And there are no signs this uptick in consumer privacy claims is slowing any time soon. Although the claims center around use of tracking technology or analytics functions on consumer-facing websites, several different statutes and claims have been asserted, including violations of state wiretap statutes and the Video Privacy Protection Act (“VPPA”).

Although these cases are largely at the motion to dismiss stage, and therefore there is little insight into how certain key defenses will play out, some recent decisions surrounding VPPA claims have shifted the landscape in certain defendants’ favor.

Continue Reading Is the Video Privacy Protection Act Losing its Allure?

Employers looking to enhance their suite of employee benefit programs, and focused on lessons learned during the pandemic on wellbeing, are interested in providing greater access to wellness tools. And the vendors who support those tools are more than happy to provide them. Global spend in the health and wellness market would be around $24.8 billion in 2023, according to a study by Kilo Health. Wellness apps and wearables abound in all sorts of areas — from counting steps to nutrition to mental health to physical fitness to financial fitness. These tools are relatively inexpensive to provide and easily accessible to the workforce — many times with just a simple download to a smartphone. And, best of all, they’re completely private with no middleman, and only the employee seeing their own data and progress. Right? Well — not so fast.

Continue Reading Wellness Apps and Privacy

With so many companies being hauled into court in California based on claims that the functionalities on their website and use of service providers for marketing or analytics purposes violate consumer privacy rights, it is important to exhaust all possible defenses available to defendants. Late last year, the Ninth Circuit issued a ruling upholding a dismissal based on a lack of personal jurisdiction over a web-based payment company. Companies operating interactive websites may be able to take advantage of this ruling as part of their defense strategy in 2024.

Continue Reading Ninth Circuit Opinion Supports Personal Jurisdiction Defense for Interactive Websites

The California Privacy Protection Agency (“CPPA”) issued and discussed draft regulations on Cybersecurity Audits and Risk Assessments late in the summer. The CPPA Board plans to discuss the draft regulations at its upcoming December 8th public meeting, along with a presentation on the regulations. 

Continue Reading CPPA Considers Next Set of CPRA Regulations Covering Cybersecurity Audits and Risk Assessments

On October 5, 2023, Seyfarth offered a Masterclass, hosted by Lexology, which was designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act legislation. Portions of the Act are already in effect and go into further effect on March 31, 2024.

We explored its obligations and its wide reach, specifically addressing how to identify: (1) who must comply; (2) who gets new rights and protections; and (3) what data is covered, since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.

This session also uncovered significant “sleeper” compliance obligations and provided practical insight and actionable steps to use when guiding business teams.

You can access the video recording here, or click here to download the presentation slides.

As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.

Continue Reading Top 5 Reasons to Remember Your Business Associate Agreements This Fall

Thursday, October 5, 2023
1:00 p.m. – 2:00 p.m. ET
12:00 p.m. – 1:00 p.m. CT
11:00 a.m. – 12:00 p.m. MT
10:00 a.m. – 11:00 a.m. PT

REGISTER HERE

About the Program

Seyfarth is pleased to offer this Masterclass, hosted by Lexology, which is designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act legislation. Portions of the Act are already in effect and go into further effect on March 31, 2024.

Join us as we explore its obligations and its wide reach, specifically addressing how to identify:

  1. who must comply
  2. who gets new rights and protections, and
  3. what data is covered

since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.

The session will also:

  1. uncover significant “sleeper” compliance obligations and
  2. provide practical insight and actionable steps to use when guiding business teams.

We invite you to join us. You can register for free on Lexology’s site through the registration link above.

Speakers

Yana Komsitsky, Senior Counsel, Seyfarth Shaw

Neeka Hodaie, Associate, Seyfarth Shaw


If you have any questions, please contact Sophia Gomez at sgomez@seyfarth.com and reference this event.

On July 18, 2023, Oregon’s Governor Tina Kotek signed SB 619, which created the Oregon Consumer Privacy Act (“OCPA”). Oregon joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas, as the 12th state to enact a comprehensive consumer data privacy law.

Most provisions of the OCPA will take effect on July 1, 2024, with delayed compliance deadlines for honoring universal mechanisms consumers will use to exercise their right to “opt out” of a platform processing their personal information for certain purposes and for activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code. Notably, unlike most other state privacy laws, the OCPA exempts only certain nonprofit organizations. For activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code, the OCPA has a delayed effective date of July 1, 2025.

Continue Reading Oregon Enacts Consumer Privacy Act

Tuesday, September 12, 2023
2:00 p.m. to 2:30 p.m. Eastern
1:00 p.m. to 1:30 p.m. Central
12:00 p.m. to 12:30 p.m. Mountain
11:00 a.m. to 11:30 a.m. Pacific

In the wake of recent, controversial Illinois Supreme Court decisions regarding BIPA claims, this webinar explores the implications of these decisions and what’s next on the horizon in BIPA litigation and compliance.

This webinar provides an update on BIPA litigation in both the lower and higher courts, including decisions recognizing BIPA exemptions and defenses.

The panelists also will discuss trends in privacy litigation, spurred by BIPA, including class actions asserting claims under GIPA, the Illinois Genetic Information Privacy Act.

Join us on September 12th.

Speakers

Danielle M. Kays, Senior Counsel, Seyfarth Shaw LLP
Ada W. Dolph, Partner, Seyfarth Shaw LLP


If you have any questions, please contact Donna Miskiewicz at dmiskiewicz@seyfarth.com and reference this event.

Learn more about our Workplace Privacy & Biometrics practice.

This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC and VA. The following jurisdictions may accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. Please note that attendance must be submitted within 10 business days of the program taking place. If you have questions about jurisdictions, please email CLE@seyfarth.com.

This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.

What Happened

On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.

Continue Reading SEC Publishes Public Company Cybersecurity Disclosure Final Rule