The California Consumer Privacy Act (CCPA) requires businesses who engage in sales of personal information, to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data?

The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question.

Why the Debate?

The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The Network Advertising Initiative (NAI) broke this definition down into three main elements that, when satisfied, might make the case that digital advertising involves a “sale.”

    • The digital advertising must involve “personal information.” We know that it does because serving digital ads requires, at the very least, access to IP address and browsing history.
    • The digital advertising must involve the movement of personal information from a business to another business or third party. This is often true for digital advertising relationships, as ad tech intermediaries and other participants in the ad exchange often use the personal information they have received from businesses for their own purposes, thus taking many ad tech entities outside of CCPA’s “service provider” safe harbor.
    • The digital advertising must involve the exchange of monetary or other valuable consideration for the personal information. This is a fact-specific inquiry that will vary across contractual arrangements. For that reason, the NAI analysis states it would be difficult to broadly categorize all digital advertising activities as “sales.” However, the NAI cautions that if the recipients of personal information can retain the information “for profiling or segmenting purposes” (e.g., the ability to monetize the data independently), that could be evidence of a “sale” of data.


Continue Reading

Blockchain is rapidly becoming the focus of conversations regarding health care disruption, and for good reason. What started out as a means for cryptocurrency is now making waves in a variety of industries, set to revolutionize how data is stored and shared.

The inability to easily and securely store and share data has long been a burden on the health system. Blockchain poses a solution to that through encryption and highly advanced technological assets which open the doors to health care innovation. Today we see blockchain being used with electronic health records (EHRs) so that a patient’s medical history is easily accessible to him/her, as well as his/her doctors, insurance providers, etc. It’s also providing the “how” in implementing value-based payment agreements, which link payment to performance of a drug or medical device. Blockchain is currently being used both in the private and public sectors, including the FDA and the CDC. While the full potential of this new technology is not yet known, the industry seems eager to find out.

Ahead of this year’s J.P. Morgan Healthcare Conference, we sat down with Lee Schneider, our top blockchain thought leader, to talk specifically about how this new technology is revolutionizing (or has the potential to revolutionize) the health care space.
Continue Reading

Disruption of traditional health care is inevitable and poses a central challenge for health care governance. While the size and complexity of the health care industry have slowed the process of business disruption, its high costs and lack of convenience make it highly vulnerable to innovative, nontraditional competitors.

To make sure boards are well-prepared to

On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.

Read the full

After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.

Read the full article from FierceMobileHealthCare.

On December 28, 2015, the Ministry of Industry and Information Technology of China released the newly revised Classification Catalogue of Telecommunications Services, which is due to take effect as of March 1st, 2016. This round of revision has long been awaited since its last amendment in 2003, and is expected to reflect the advancement and

On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments.  The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that

On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers  (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherence weaknesses within the

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the