The My Health My Data Act (“Act”) was approved by the Washington State House on April 17, 2023. The Act is now with Governor Jay Inslee for signature and is expected to be signed into law in its current form, which is broad enough to warrant anyone with any activity in Washington to consider its scope and implications for operations. Because the Act will be enforceable through a private right of action, it has the potential to create substantial legal exposure for violations.

The Act creates new and unique consumer rights and obligations for business relating to the collection, sharing, and use of “Consumer Health Data” (“CHD”). It expressly aims to “close the gap between consumer knowledge and industry practice” by expanding obligations related to processing of CHD to entities not covered by HIPAA. However, it is significantly broader in potential scope, including, in part, due to the gaping definition of CHD (which expressly includes data that identifies past, present, or future physical or mental health status, for example, “bodily functions” and “precise location information that could reasonably indicate an attempt to receive health services or supplies”). The Act will impact a range of business, including advertisers, mobile app providers like health and wellness trackers, wearable device manufacturers and, of course, healthcare and wellness industry companies and their data processors handling non-HIPAA-regulated CHD. Notably, the Act expressly addresses abortion/reproductive health services and gender-affirming care services (including by making it unlawful for any person to use a “geofence” (or virtual boundary) around a facility that provides health care services) for the purposes of identifying or tracking consumers seeking such services; collecting CHD from consumers; or sending them notifications, messages, or advertisements related to their CHD or health care services. This restriction applies regardless of consent or opt-in.

Continue Reading Washington’s “My Health My Data” Act

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

  • Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
  • New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
  • Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]
Continue Reading SEC Proposes Sweeping New Cybersecurity Rules: Is Your Company Prepared?

Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.

Uncertainty of Reviewing Process and End of Grace Period

As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among many applications, CAC granted two organizations with the approval for transferring data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.

Continue Reading China Unveils Two Approved Outbound Data Transfer Cases

It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.

Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.

First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).

Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.

Continue Reading CCPA Regulations Are Here – We Think

This just in….March 30, 2023. The California Office of Administrative Law has approved the CCPA Regulations and they are effective immediately. The text has not changed substantively since the modifications proposed late last year.

Without further ado, please read the CPPA’s announcement here.

At printing time, the final documents were to “be made available on the agency website as soon as they have been processed.”

The recent Cothron v. White Castle Illinois Supreme Court decision ruled that BIPA violations accrue with each collection, leading to skyrocketing claims – and damages. It’s critical for employers to understand what this decision means, how this decision affects them, and how to avoid the risks inherent in employee data collection.  

Our March 21, 2023, our webinar covered:

  • An in-depth look at the recent Illinois decision and its ramifications
  • How to remain in compliance and avoid violations even when data collection is mandatory
  • Similar decisions, and what to expect next in this developing trend. 

You can check out the video recording here: Breaking BIPA Developments: Damages Keep Piling Up | Seyfarth Shaw LLP

Seyfarth Synopsis: Since ChatGPT became available to the public at large in November 2022, employers have been wondering, and asking their employment lawyers, “What kind of policies should we be putting in place around the use of ChatGPT in the workplace?”  Although at this stage it is difficult to imagine all of the different ways ChatGPT, and its subsequent iterations, could be used by employees in the workplace, it is important to consider some of the more obvious usage cases and how employers might choose to address them in workplace policies.

What is ChatGPT?

ChatGPT is a form of artificial intelligence (AI) — an AI language model that is trained to interact in a conversational way.  At its most basic level, AI is a computer system able to perform tasks that normally require human intelligence.  In order to achieve this, AI needs to be trained.  First, massive data sets are fed into a computer algorithm.  Then the trained model is evaluated in order to determine how well it performs in making predictions when confronted with previously unseen data.  For ChatGPT, it is predicting the next word in a given context to provide that conversational tone for which it has become known.  Lastly, the AI goes through a testing phase to find out if the model performs well on large amounts of new data it has not seen before.  This is the phase in which ChatGPT finds itself. 

Continue Reading ChatGPT – What Employers Should Be Worried About Now

As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons.

On February 7, 2023, we led a webinar looking at some of the recent developments in this ever-changing area of law, and how companies can adapt. Topics included:

  • Questions that have finally been answered, and which areas remain unresolved
  • How to remain in compliance and avoid violations
  • What’s next for information privacy and protection

You can check out the video recording here: The Here and Now of BIPA: Updates and Developments in Biometric Privacy | Seyfarth Shaw LLP

In a January 11, 2023 op-ed published in the Wall Street Journal, President Joe Biden urged “Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable.”  He warned that the “risks Big Tech poses for ordinary Americans are clear. Big Tech companies collect huge amounts of data” about technology users, including “the places we go,” and argued that “we need serious federal protections for Americans’ privacy. That means clear limits on how companies can collect, use and share highly personal data,” including location data.

Potential Privacy Rules—Legislation or Regulation?

With Republicans taking charge in the House of Representatives and Democrats retaining control of the Senate in the upcoming legislative term, it seems an inauspicious time for passage of comprehensive national privacy legislation.  The American Data Privacy and Protection Act had broad bipartisan support and appeared to have momentum in Congress in the latter half of 2022, but foundered in large part due to resistance from California privacy regulators concerned that federal legislation would preempt the California Consumer Privacy Act (CCPA). 

Inaction by Congress is not going to stop privacy regulation in the United States, however, and without a comprehensive national policy, businesses face an increasingly complex patchwork of laws and rules.  In addition to California’s privacy law, enacted by that state in 2018, the Virginia Consumer Data Protection Act took effect on January 1, 2023, and similar laws in Colorado, Connecticut, and Utah will take effect during the year.  Meanwhile, the Federal Trade Commission (FTC) appears poised to issue its own privacy rules after announcing that it was “exploring rules to crack down on harmful commercial surveillance and lax data security” in an August 2022 Advance Notice of Proposed Rulemaking.

The FTC’s notice met fierce opposition from members of Congress and industry participants during the public comment period, which closed in November 2022.  Three Republican senators submitted a letter warning that new FTC privacy rules would “only add to the compliance burden facing small businesses” and that “Congress is the only appropriate venue for developing rules for data privacy and security and to set a truly national standard.”  The Alliance for Automotive Innovation submitted a comment encouraging the FTC to eschew rulemaking in favor of working with Congress to develop a comprehensive national privacy law, while the National Automobile Dealers Association submitted a comment questioning whether privacy issues even fell within the scope of the FTC’s authority to regulate unfair or deceptive acts or practices.

After reviewing the public comments it has received, the FTC may decide to issue a formal notice of proposed rulemaking; at least three FTC commissioners appear to agree that national privacy regulation is needed.  With state privacy laws and potential FTC rulemaking threatening to impose an increasingly heavy regulatory burden on businesses, Congress may have no choice but to act in 2023.

“Big Tech,” Antitrust Enforcement, and Automakers

Meanwhile, as reflected in President Biden’s January 11 op-ed, “Big Tech” remains a bipartisan target of choice for perceived anticompetitive abuses; this focus on “Big Tech” could have an impact on automakers, as well.  In a high-profile November 2, 2022 letter sent to FTC Chair Lina Khan and Jonathan Kanter, head of the Antitrust Division of the U.S. Department of Justice (DOJ), Senator Elizabeth Warren called for increased oversight of “Big Tech’s expansion into the automotive industry,” warning that in her view, technology companies “are leveraging their market power in the mobile operating system, digital app markets, and data infrastructure spheres to become the dominant players in the automotive sphere.”

According to Senator Warren, these companies are using “all-or-nothing” bundling tactics to expand their anticompetitive grasp of the automobile market; for example, by Google requiring automakers to purchase an entire suite of services to access popular apps like Google Maps.  She also expressed concern that “Big Tech is also laying the groundwork for potentially anticompetitive uses of data generated by its new role in the automobile industry” developing autonomous vehicles, and warned that if these technology companies use their access to massive quantities of location and other vehicle data “to obtain an advantage over companies that are shut out of the market, the effects will be difficult to reverse.” 

Senator Warren urged the FTC and DOJ to exercise their oversight authority to deter such abuses, and to review with skepticism potential acquisitions by “Big Tech” companies of emerging companies developing competing technologies.  Congress substantially increased the budgets of both the FTC and the DOJ Antitrust Division at the end of 2022, and automakers should anticipate increased scrutiny for “Big Tech” partners in 2023.

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.

Continue Reading The EU Digital Services Act: Overview and Impact