Hashed & Salted | A Privacy and Data Security Update

Welcome to our latest issue of Hashed & Salted! It is officially #hotprivacysummer with another month of whirlwind privacy news. On the federal level, the House Energy and Commerce Committee voted on July 20 to advance the bipartisan consumer data privacy bill discussed in our last issue. The odds of this bill passing have become substantially more favorable, but some key issues around preemption remain. We will be following this closely as it heads into the Senate, where additional amendments are likely.

With federal privacy regulation still up in the air, progress continues on the state law front. The clock is officially ticking on the comment period for regulations to implement the Consumer Privacy Rights Act of 2020 (CPRA). The California Privacy Protection Agency on July 8 commenced the formal rulemaking process for the proposed regulations, which update existing California Consumer Privacy Act (CCPA) regulations to harmonize them with the CPRA amendments, as well as implement the additional rights and obligations under the CPRA. The deadline for public comment is Aug. 25. The agency is also conducting public hearings Aug. 24 and 25.

Outside of comprehensive privacy legislation, many are still reeling from the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization overruling Roe v. Wade, which has (among other consequences) raised concerns around data privacy, in particular personal health and location data collected by mobile apps, information collected by social media platforms, and health and medical data collected by health care providers. The concern that the data could be used to investigate potential violations of state abortion bans prompted a number of initiatives by federal lawmakers, regulators and President Joe Biden.

After a draft of the Dobbs opinion was leaked in May, Senate Democrats, including Sens. Elizabeth Warren (D-Mass.), Ron Wyden (D-Ore.), Patty Murray (D-Wash.) and Sheldon Whitehouse (D-R.I.), and Sen. Bernie Sanders (I-Vt.), introduced the Health and Location Data Protection Act, which would, among other actions, ban data brokers from selling or transferring health and location data and require the Federal Trade Commission (FTC) to promulgate implementing regulations. In the U.S. House of Representatives, Rep. Sara Jacobs (D-Calif.) introduced the My Body, My Data Act of 2022, which would strictly limit the collection, retention, use and disclosure of personal reproductive or sexual health information without express written consent and would require entities that collect this data to provide a mechanism for individuals to request deletion of the information. In addition, the American Data Privacy and Protection Act proposes a comprehensive framework that includes enhanced protections for location and health data and would allow people to opt out of sharing information with data brokers.

Noting, among other developments, its settlement of an enforcement action against Flo Health—in which it alleged that the company shared with third parties sensitive health information about women collected from its period and fertility tracking app after promising the information would be kept private—the FTC issued a statement July 11 committing to “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) also published new guidance on the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, reminding health care providers about their obligations under the Privacy Rule to safeguard patients’ protected health information, including in scenarios where the information is sought by government officials or in litigation. Noting the use of health apps, HHS published companion consumer tips for securing and protecting the privacy of data when using period trackers and other health information apps.

These regulatory actions and others also have the backing of the Biden administration. In a July 8 executive order, the president identified a number of measures aimed at “address[ing] the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services, and to protect people seeking reproductive health services from fraudulent schemes or deceptive practices,” including calling on agencies like the FTC and HHS to take action around the protection of health care and other sensitive data.

In our articles this month, associate Eric Cook offers a deeper dive into health-related data, including how HIPAA, the FTC’s Health Breach Notification Rule and state privacy laws apply to health data and the implications of these laws on the collection and disclosure of tracking information, including IP address, location and device ID on personal consumer devices. In our second article, partner Nerissa Coyle McGinn reports on the current regulatory focus, in the U.S. and abroad, on children’s privacy.

And in our team member spotlight, partner Caroline Hudson shares how she fell “backward and sideways” into her privacy work, what excellent mentors taught her about privacy law and what kept her on her toes before she became a lawyer.

In this issue

Every Business Is a Health Care Business—Health Data Beyond HIPAA

Health data is front and center as a recent cascade of data leaks concerning potential improper collection, use, and disclosure of this data is hitting the news. The use and disclosure of this sensitive data by hospitals, advertisers and health apps have reinvigorated lawmakers’ attempts to regulate the complex collection, use and sharing of health data. The recent decision by the Supreme Court to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health Organization has also increased some lawmakers’ focus on the extent to which proposed privacy laws will protect sensitive health information. Many lawmakers are concerned particularly with tracking technologies such as device identifiers, pixels and IP addresses that, when coupled with health data, can reveal sensitive consumer data such as location, treatment, illness and behavior.

Read the full alert here.

Changes in Children’s Privacy Protection in Response to the Pandemic

For more than two years, having children attend school on the internet has been the norm. Fortunately, many of these children are back in “real life” school. But children’s increased use of the internet has amplified the need in the United States and abroad for broader online privacy protection, which has in turn led to a flurry of activity in the children’s privacy area, from stricter enforcement by the FTC, to the introduction and passage of new laws focusing on children’s privacy and education technology both in the United States and in Europe.

Read the full alert here.

Team Member Spotlight: Caroline Hudson

How did you develop your area of focus?

Advertising has moved increasingly into a digital environment, and brands’ and advertisers’ outreach, communications and engagement opportunities have moved onto new platforms and into new kinds of consumer experiences that often involve the collection of data about customers, website visitors and app users. These customer engagements, outreach efforts and communications now have privacy implications in a way that putting up a billboard, putting an ad on TV or sticking an ad in a newspaper never did. Companies also have more data and more interest in leveraging the data they have in new ways to focus their marketing and customize it. I also had the benefit of excellent mentors in the privacy space. These mentors taught me there’s nothing like privacy law to challenge and hone your ability to provide practical and real-world solutions to legal and business issues.

What’s exciting you/grabbing your attention right now?

I’m excited to see how technology evolves as platforms, services and advertisers move away from cookie-based advertising and toward alternative solutions and approaches.

What’s one thing most people would be surprised to know about you?

I spent nearly 15 years training as a ballet dancer before pivoting to a history degree and law school. Now I prefer a seat in the audience and supporting the arts from behind the scenes—and my toes are much happier these days!

Event Spotlight: Privacy Law Essentials for Digital Advertising Professional

Loeb & Loeb is proud to have sponsored Privacy Law Essentials for Digital Advertising Professionals, which took place on June 10, 2022, at which Jessica Lee, chair of Loeb’s Privacy, Security & Data Innovations practice, spoke.

View event here.

In Case You Missed It: FTC Puts Edtech Companies on Notice of COPPA Compliance Investigations

The FTC is now taking steps to ensure that the data collection practices of educational technology companies comply with the Children’s Online Privacy Protection Act (COPPA) and properly protect the personal information of children under age 13. The FTC issued a policy statement May 19 announcing its intent to “closely scrutinize” edtech providers and take action against providers that fail to meet their legal obligations under COPPA.

Read the full alert here.