Data Privacy
CCPA Has Just Gone Into Effect, But Businesses May Need to Prepare for a New California Privacy Law

The California Consumer Privacy Act (CCPA) is not yet one month old, but movement has already started on a new California privacy law. In November 2019, the advocacy group Californians for Consumer Privacy, led by Alastair Mactaggart, the architect of CCPA, submitted a proposed California ballot initiative to the Office of the California Attorney General that would build upon the consumer privacy protections and requirements established by CCPA. In December 2019, as required under state law, California Attorney General Xavier Becerra released a title for and summary of the proposed ballot initiative, which will be known as the California Privacy Rights Act (CPRA).

Key Provisions of the CPRA

CPRA seeks to give California consumers additional control over and protection of their personal information in five core ways. CPRA would require businesses to disclose when and how automated decision making is used for decisions that significantly affect a consumer’s...

CCPA and ‘Reasonable Security’: A Game Changer

On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households. The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented...

Though CCPA is Now Live, Questions About Its Constitutionality Linger

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.

Dormant Commerce Clause

The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike...

Little by Little, Attorney General Becerra Sheds Light on the CCPA in 2020

Minimal Changes Expected to the Final Regulations

On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10. The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes. The proposed regulations should give everyone a sense of...

US Office of Management and Budget Calls for Federal Agencies to Reduce Barriers to Artificial Intelligence

On January 7, 2020, the Director of the US Office of Management and Budget (OMB) issued a Draft Memorandum (the Memorandum) to all federal “implementing agencies” regarding the development of regulatory and non-regulatory approaches to reducing barriers to the development and adoption of artificial intelligence (AI) technologies. Implementing agencies are agencies that conduct foundational research, develop and deploy AI technologies, provide educational grants, and regulate and provide guidance for applications of AI technologies, as determined by the co-chairs of the National Science and Technology Council (NSTC) Select Committee. To our knowledge, the NSTC has not yet determined which agencies are “implementing agencies” for purposes of the Memorandum.

Submission of Agency Plan to OMB

The “implementing agencies” have 180 days to submit to OMB their plans for addressing the Memorandum. An agency’s plan must: (1) identify any statutory authorities...

California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators.

Exemption for HIPAA Business Associates

Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate. The CCPA also exempts covered entities to...

A Sale or Not a Sale? The Digital Advertising Debate

The California Consumer Privacy Act (CCPA) requires businesses that engage in sales of personal information to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data? The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question.

Why the Debate?

The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making...

Challenges and Opportunities in MedTech, Innovation and Digital Health

A recent McDermott roundtable on European health private equity generated key insights into the future of medtech, digital health, and data analytics, and identified opportunities for companies and investors. Digital health solutions are widely considered to be the next big growth market. Healthcare lags significantly behind other industries when it comes to digitization, but the potential opportunities are driving developers, healthcare providers, and investors to find solutions.

PATIENT CARE

A key point to bear in mind about healthcare technology is that success and adoption may often be measured by the quality of the users’ experience, the resulting clinical outcomes, short and long term cost savings, and the resulting margin for both investors and the health care system at large. These multi-faceted goals are best illustrated by the demands for i) greater efficiency, and ii) better patient outcomes. Efficiency is typified by, for example, streamlined bookings...

Getting Cross-Industry Collaborations Right, Part 2: All About That Data

As discussed in the first post in this two-part series, new players from outside the traditional healthcare paradigm are joining forces with hospitals, health systems and other providers to drive unprecedented innovation. These unexpected partnerships are bringing new solutions to market and changing how business is done and care is delivered. Many of these collaborations revolve around data and data sharing arrangements. Traditional health industry stakeholders such as hospitals and health systems (HHSs) are partnering with technology companies—both established and start-up—to develop and market digital health solutions that engage patients beyond the brick-and-mortar clinical setting. Digital health tools are making it easier for patients to receive care in a mobile setting and access their health data across various platforms and sources. These innovative partnerships thus hold out the possibility of delivering better, faster, more targeted care....

Can We Expect to See ONC’s Final Rule on Information Blocking Soon?

A recent update to the Office of Management and Budget (OMB) website suggests that the answer is “yes”—though that depends on how one defines “soon.” According to its website, OMB received the Office of the National Coordinator for Health Information Technology’s (ONC’s) final rule, entitled 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, for review on October 28, 2019. Based on the rule title, it appears that ONC is ready to finalize its proposals concerning information blocking and related exceptions. Earlier this year, ONC issued a proposed rule that, among other things, proposed to define information blocking and establish seven exceptions to the broad prohibition for reasonable and necessary activities that should not be considered information blocking. For more information about the information blocking provisions of ONC’s proposed rule, see our On the Subjects here and here. OMB review is one...
