Federal Trade Commission

State Privacy Patchwork Spreads with Signing of Colorado Privacy Act

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.

Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.
  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]




Digital Health Year in Review: 2017 Trends and Looking Ahead to 2018

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.





Upcoming FTC Workshop on Informational Harm | Next Brushstrokes on the FTC’s Consumer Privacy and Security Enforcement Canvas

On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as how to characterize and measure such injury and what factors businesses and consumers should consider when weighing the benefits and risks of collecting, using and providing personal information, so as to gain further perspective on how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.

Background. The FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.




Next Generation of Patient Care: Balancing Digital Engagement with Patient and Consumer Privacy

Jennifer Geetter and Lisa Schmitz Mazur wrote this bylined article on the regulatory implications of technology-supported devices, resources, and solutions that facilitate health patient-provider interaction. “Health industry regulators are struggling with how to apply the existing privacy regulatory regime, and the permitted uses and disclosures for which they provide, in this new world of healthcare innovation,” the authors wrote.





Regulating the Internet of Toys

New technologies and the expansion of the Internet of Things have allowed children of this generation to experience seamless interactive technologies through microphones, GPS devices, speech recognition, sensors, cameras and other technological capabilities. These advancements create new markets for entertainment and education alike and, in the process, collect endless amounts of data from children–from their names and locations to their likes/dislikes and innermost thoughts.

The collection of data through this Internet of Toys is on the tongues of regulators and law enforcement, who are warning parents to be wary when purchasing internet-connected toys and other devices for children. These warnings also extend to connected toy makers, urging companies to comply with children’s privacy rules and signaling that focused enforcement is forthcoming.

Federal Trade Commission Makes Clear That Connected Toy Makers Must Comply with COPPA

On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for companies required to comply with the Children’s Online Privacy and Protection Act (COPPA) to ensure those companies implement key protections with respect to Internet-connected toys and associated services. While the FTC’s Six Step Compliance Plan for COPPA compliance is not entirely new, there are a few key updates that reflect developments in the Internet of Toys marketplace.




Round Two: Significant Telehealth Expansion Re-Proposed in Bipartisan Senate Bill

On May 3, 2017, the Creating Opportunities Now for Necessary and Effective Care Technologies for Health Act of 2017 (S. 1016) (CONNECT Act of 2017) was reintroduced by the same six senators who had initially introduced the legislation in early 2016 and referred to the Senate Committee on Finance. As we previously reported on February 29, 2016, this iteration of the proposed bill also focuses on promoting cost savings and quality care under the Medicare program through the use of telehealth and remote patient monitoring (RPM) services, and incentivizing such digital health technologies by expanding coverage for them under the Medicare program—albeit using different terminology. Chiefly, the CONNECT Act of 2017 serves as a way to expand telehealth and RPM for Medicare beneficiaries, makes it easier for patients to connect with their health care providers and helps reduce costs for patients and providers. As with the previous iteration, the CONNECT Act of 2017 has received statements of support from over 50 organizations, including the American Medical Association, American Telemedicine Association, Healthcare Information and Management Systems Society, Connected Health Initiative, Federation of State Medical Boards, National Coalition on Health Care and an array of vendors and health systems.




Texas Changes its Tone on Telemedicine

Because Texas has been one of the last states to retain highly restrictive (and arguably anti-competitive) telemedicine practice standards, health care providers, regulatory boards, technology companies, payors and other stakeholders have been actively monitoring the state’s approach to telemedicine regulation and the related Teladoc case. Texas has eliminated its most restrictive requirement for delivering care via telemedicine, increasing opportunities for providers to reach patients using technology. Senate Bill 1107 was passed on May 11, 2017, and the House added an amendment in passing Senate Bill 1107, which was approved in the Senate on May 18. The bill was signed into law by Governor Abbott last weekend.





Texas to Take a Leap Forward in Telehealth – A Proposed Bill Drops the Controversial In-Person Evaluation Requirement

Texas telehealth requirements will significantly change in the near future if Texas Senate Bill 1107 is passed into law, as it removes the controversial “face-to-face” or in-person consultation requirement to establish a physician-patient relationship and lawfully provide telehealth and telemedicine services within the state. This bill comes after a six-year-long battle between telemedicine stakeholders and the Texas Medical Board, and will better align Texas’ regulations with those found in other states.





FTC Weighs-in on Telehealth, Comments on Delaware’s Occupational Therapy Practice Rule

On August 3, 2016, the Federal Trade Commission (FTC) staff submitted public comments regarding the Delaware Board of Occupational Therapy Practice’s proposed regulation for the provision of occupational therapy services via telehealth in Delaware (the Proposed Regulation).  The FTC’s comments to the Proposed Regulation follow its comments to Alaska’s telehealth legislation earlier this year and evidence its continued focus on telehealth’s ability to foster flexibility in health care delivery by increasing practitioner supply; encouraging competition; and improving access to affordable, quality health care.

By way of background, in 2015, Delaware amended its Insurance and Professions and Occupations Code (the Code) to include the regulation of telehealth and telemedicine services, including the delivery of occupational care remotely under existing, in-person standards of care.  Consistent with the Code, the Delaware Board of Occupational Therapy Practice (the Board) revised its rules and regulations to address telehealth services.  The Proposed Regulation defines telehealth as “the use of electronic communications to provide and deliver a host of health-related information and health care services, including occupational therapy related information and services, over electronic devices. Telehealth encompasses a variety of occupational therapy promotion activities, including consultation, education, reminders, interventions, and monitoring of interventions.”

The Proposed Regulation gives Occupational Therapist and Occupational Therapist Assistant licensees (Licensees) discretion in assessing and determining the appropriate level and type of care for an individual patient, provided that certain requirements are satisfied. Specifically, under the Proposed Regulation, Licensees that provide treatment through telehealth must have an active Delaware license in good standing to practice telehealth in the state of Delaware. In addition to obtaining informed consent and complying with confidentiality requirements, the licensee must also: (1) be responsible for determining and documenting that telehealth is an appropriate level of care for the patient; (2) comply with the Board’s rules and regulations and all current standards of care requirements applicable to onsite care; (3) limit the practice of telehealth to the area of competence in which proficiency has been gained through education, training and experience; (4) determine the need for the physical presence of an occupational therapy practitioner during any interactions with patients, if he/she is the Occupational Therapist who screens, evaluates, writes or implements the plan of care; (5) determine the amount and level of supervision needed during the telehealth encounter; and (6) document in the file or record which services were provided remotely. (24 Del. Admin. Code § 2000-4.2.)

Staff of the FTC’s Office of Policy Planning and its Bureaus of Competition and Economics, responding to the Board’s request for public comments, stated that by not imposing rigid and unwarranted in-person care and supervision requirements, the Proposed Regulation could have various positive impacts, including: (1) improving access to cost-effective, quality care, especially for patients with limited mobility; (2) reducing Medicaid’s transportation expenditures as well as individuals’ pecuniary and time costs; (3) addressing anticipated workforce shortages in the health care sector by increasing practitioner supply and facilitating care of an aging population; and (4) enhancing competition, consumer choice and access to [...]





FTC Weighs-in on Telehealth: Providing Comments Regarding Alaska’s Proposed Licensure and Standard of Care Requirements

In March 2016, the US Federal Trade Commission (“FTC”) staff submitted public comments regarding the telehealth provisions of a proposed state bill in Alaska, demonstrating the FTC’s continued focus on health care competition and general discouragement of anticompetitive conduct in health care markets, with a renewed interest and focus on telehealth.




