Stay-at-home orders and business closures during the Coronavirus (COVID-19) pandemic have led to a sharp increase in online shopping. While e-commerce has helped businesses stay afloat during this challenging economic time, there has also been a spike in litigation alleging that certain websites are not accessible to individuals with disabilities. In an article for Bloomberg Law, Jeremy White, Matthew Cin and Brian Long review the legal landscape governing accessibility of websites – including specific rules that apply to the healthcare industry, and explore best practices for companies to mitigate their risk of facing a website accessibility lawsuit.
The California Consumer Privacy Act (CCPA) requires businesses who engage in sales of personal information, to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data?
The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question.
Why the Debate?
The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The Network Advertising Initiative (NAI) broke this definition down into three main elements that, when satisfied, might make the case that digital advertising involves a “sale.”
- The digital advertising must involve “personal information.” We know that it does because serving digital ads requires, at the very least, access to IP address and browsing history.
- The digital advertising must involve the movement of personal information from a business to another business or third party. This is often true for digital advertising relationships, as ad tech intermediaries and other participants in the ad exchange often use the personal information they have received from businesses for their own purposes, thus taking many ad tech entities outside of CCPA’s “service provider” safe harbor.
- The digital advertising must involve the exchange of monetary or other valuable consideration for the personal information. This is a fact-specific inquiry that will vary across contractual arrangements. For that reason, the NAI analysis states it would be difficult to broadly categorize all digital advertising activities as “sales.” However, the NAI cautions that if the recipients of personal information can retain the information “for profiling or segmenting purposes” (e.g., the ability to monetize the data independently), that could be evidence of a “sale” of data.
Blockchain is rapidly becoming the focus of conversations regarding health care disruption, and for good reason. What started out as a means for cryptocurrency is now making waves in a variety of industries, set to revolutionize how data is stored and shared.
The inability to easily and securely store and share data has long been a burden on the health system. Blockchain poses a solution to that through encryption and highly advanced technological assets which open the doors to health care innovation. Today we see blockchain being used with electronic health records (EHRs) so that a patient’s medical history is easily accessible to him/her, as well as his/her doctors, insurance providers, etc. It’s also providing the “how” in implementing value-based payment agreements, which link payment to performance of a drug or medical device. Blockchain is currently being used both in the private and public sectors, including the FDA and the CDC. While the full potential of this new technology is not yet known, the industry seems eager to find out.
Ahead of this year’s J.P. Morgan Healthcare Conference, we sat down with Lee Schneider, our top blockchain thought leader, to talk specifically about how this new technology is revolutionizing (or has the potential to revolutionize) the health care space. (more…)
Disruption of traditional health care is inevitable and poses a central challenge for health care governance. While the size and complexity of the health care industry have slowed the process of business disruption, its high costs and lack of convenience make it highly vulnerable to innovative, nontraditional competitors.
To make sure boards are well-prepared to address this challenge, McDermott Will & Emery and Kaufman Hall have partnered on a new thought leadership series designed to help you identify the signs of disruption, learn how to prepare your organization, and understand the implications for health care governance.
- Listen to Surviving Disruption Podcast, Episode 1: The Signs of Disruption.
- Download Is Your Organization Disruption Ready? Questions to Assess Preparedness.
- View our Top 5 Business Disruption Considerations for Corporate Governance infographic.
- Watch our Behind the Scenes: The Making of the Surviving Disruption Podcast Series video.
Subscribe to the Surviving Disruption podcast on iTunes, SoundCloud and Pocket Casts, and keep an eye on the Resource Center for Episode 2: The Path Through Disruption and Episode 3: A Governance Foundation, being released on December 27 and January 10.
New York AG Settlement with App Developers Serves as a Warning for the Need for Evidence-Backed Commercial Claims
On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
Mobile Health Tools, Developers Need Better Data Protection Guidance, Attorney Jennifer Geetter Says
After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.
On December 28, 2015, the Ministry of Industry and Information Technology of China released the newly revised Classification Catalogue of Telecommunications Services, which is due to take effect as of March 1st, 2016. This round of revision has long been awaited since its last amendment in 2003, and is expected to reflect the advancement and emergence of new technologies and business models in the telecommunication field as well as to help keep new telecommunication business models under the regulatory radar.
Read the full China Law Alert.
On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments. The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that will allow for the freer flow of health-related data by and among providers and patients. The use of technology to capture and understand health-related information and the strategic sharing of information between health industry stakeholders and its use is widely recognized as critical to support patient engagement, improve quality outcomes and lower health care costs.
On April 3, 2015, the Federal Trade Commission issued coordinated comments from its Office of Policy Planning, Bureau of Competition, Bureau of Consumer Protection and Bureau of Economics. The FTC has a broad, dual mission to protect consumers and promote competition, in part, by preventing business practices that are anticompetitive or deceptive or unfair to consumers. This includes business practices that relate to consumer privacy and data security. Notably, the FTC’s comments on the Roadmap draw from both its pro-competitive experience and its privacy and security protection perspective, and therefore offer insights into the FTC’s assessment of interoperability from a variety of consumer protection vantage points.
The FTC agreed that ONC’s Roadmap has the potential to benefit both patients and providers by “facilitating innovation and fostering competition in health IT and health care services markets” – lowering health care costs, improving population health management and empowering consumers through easier access to their personal information. The concepts advanced in the Roadmap, however, if not carefully implemented, can also have a negative effect on competition for health care technology services. The FTC comments are intended to guide ONC’s implementation with respect to: (1) creating a business and regulatory environment that encourages interoperability, (2) shared governance mechanisms that enable interoperability, and (3) advancing technical standards.
Taking each of these aspects in turn, creating a business and regulatory environment that encourages interoperability is important because, if left unattended, the marketplace may be resistant to interoperability. For example, health care providers may resist interoperability because it would make switching providers easier and IT vendors may see interoperability as a threat to customer-allegiance. The FTC suggests that the federal government, as a major payer, work to align economic incentives to create greater demand among providers for interoperability.
With respect to shared governance mechanisms, the FTC notes that coordinated efforts among competitors may have the effect of suppressing competition. The FTC identifies several examples of anticompetitive conduct in standard setting efforts for ONC’s consideration as it considers how to implement the Roadmap.
Finally, in advancing core technical standards, the FTC advised ONC to consider how standardization could affect competition by (1) limiting competition between technologies, (2) facilitating customer lock-in, (3) reducing competition between standards, and (4) impacting the method for selecting standards.
As part of its mission to protect consumers, the FTC focuses its privacy and security [...]
On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherence weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.
Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.
As a result, every company should consider taking the following immediate action:
- Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);
- If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;
- Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;
- If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and
- Ensure proper testing prior to rollout of any new protocol.
Additional resources and materials:
On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.
The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.
The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.
It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.
The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.